FRIENDZONE Write-Up

Shubham Ingle
7 min read · Jul 13, 2019


FriendZone: I trust you but only as user…💜

Hello folks, I hope you enjoyed my previous write-up on “HACKBACK”.
If you didn’t check it out, please do, and show some support by tapping the clap button and, of course, sharing the article as well.

Fig:01_Info_card

Now let’s get to the FriendZone machine, which is hosted on Hackthebox.eu.
It has been rated as an Easy machine because it runs an SMB service that is open to everyone and gives direct access to anyone who connects to it.
Then there is a DNS recon part which many will overlook, because DNS is running on its default port but over TCP.

After some DNS enumeration we get access to a vhost which accepts the credentials found via SMB. Not only that, it has a Local File Inclusion vulnerability which is leveraged to get a low-privilege shell as www-data, and that leads us to an interesting file holding credentials for another user.
We’ll use those credentials to log in through SSH and enumerate further.
At last we’ll do some Python library hijacking to get a root shell.

Let’s start our enumeration with nmap on the FriendZone IP address, 10.10.10.123, using the following command.

Nmap_Basic_Scan

A lot of ports to go through. Let us narrow our focus to services which either have a large attack surface, a one-shot exploitable vulnerability, or a misconfiguration that gives anonymous access.
To do that we’ll run nmap again with -sC and -sV to get more information, such as service versions and vulnerability details, if any.

Nmap_Service_Scan

As the results show multiple interesting ports open, let’s enumerate them one at a time. Since FTP and SMB give direct access to files on the machine, let us check them out first.
The FTP service is vsftpd 3.0.3, which is neither misconfigured nor exploitable, so we can move on to the next service, SMB.
The Samba service turns out to be misconfigured: it gives access to the folders general and Development to anyone who connects to it. To verify this I used the smbmap tool to map all the shares for read/write access, and the smbclient tool to access those shares and download “creds.txt”.

Fig:02_SMB_Enum

So we get credentials for the admin user in creds.txt under the general share:
admin:WORKWORKHhallelujah@#

At this point I had no idea what to do with the Development share, though it is an interesting one because it gives read as well as write access to anyone.
But for now let’s move on…
Focusing on the creds found, I tried them on SSH, FTP and SMB as well, but with no luck. We haven’t enumerated the web services on ports 80 and 443 yet, so maybe there’s an admin panel which will lead us to a web shell.

Fig:03_Port80_Enum

I enumerated port 80 but found nothing interesting; instead I went down a rabbit hole decoding some base64 data which made no sense. Then I thought there must be a virtual host on port 80, so I used wfuzz, but again nothing: the result was 200 for every request, so nothing for the moment.
If you have read the blog till now you’ll remember there was port 53 over TCP in the nmap result, which is the default port for DNS. DNS answering on TCP is a strong hint that zone transfers are allowed, so we’ll attempt a zone transfer to list all domains associated with IP 10.10.10.123 using the tool named host.

Fig:04_dns_enum

Aha! Now let us add these sub-domains to the “/etc/hosts” file to access them. After browsing to these sub-domains, the only interesting one is administrator1.friendzone.red on port 443, which has a login panel. Let’s try the credentials found in creds.txt.

Fig:05_subdomain_port80
Fig:06_login_panel

After logging in it tells us to go to https://administrator1.friendzone.red/dashboard.php, and browsing to that tells us to use parameters in the address, such as “?image_id=a.jpg&pagename=timestamp”. So the address becomes https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp, which leads to trolling 👻

Fig:07_photo_script_php

Fair enough: the warning makes it clear that this PHP page has a bug and hints at the parameters. After fuzzing around the parameters, the bug turns out to be a local file inclusion in the “pagename” parameter. To verify this, let’s read the source code of dashboard.php; all we have to do is set the parameter to “pagename=php://filter/convert.base64-encode/resource=dashboard”. Not much effort, sweet 😁

Fig:08_source-code_dashboard

Now grab the base64-encoded dashboard.php content, decode it using the base64 tool, and let’s check what causes this LFI vulnerability.

Fig:09_dashboard

The vulnerability is caused by the PHP call include($_GET["pagename"] . ".php").
The include function is indeed a dangerous function if input reaches it without any validation or sanitisation. Also, no specific path was given for where the included file should be fetched from. As it appends “.php”, we’ll use a PHP web shell to pop a low-privilege shell on the box.
Remember the writable Development share we can access using smbclient. Let’s leverage that, upload our web shell to it, and access it from the browser in order to run our PHP shell code.
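As an added illustration (my own code, not part of the original write-up), here is how a defender could spot this include() bug being probed in the web server logs: the script parses a few constructed Apache-style access log lines and flags any query parameter carrying a PHP stream wrapper such as the php://filter trick shown above, a directory-traversal sequence, or an absolute path. The log lines, client IPs and the /tmp/webshell value are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache-style access log lines (not real logs from the box).  The second
# line carries the php://filter trick from the write-up; the others are variants
# of the same include() abuse plus one harmless request.
SAMPLE_LOG = """\
10.10.14.5 - - [13/Jul/2019:10:01:02 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 512
10.10.14.5 - - [13/Jul/2019:10:01:40 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard HTTP/1.1" 200 2048
10.10.14.5 - - [13/Jul/2019:10:02:11 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1337
10.10.14.5 - - [13/Jul/2019:10:02:30 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=/tmp/webshell HTTP/1.1" 200 90
10.10.14.9 - - [13/Jul/2019:10:03:00 +0000] "GET /images/a.jpg HTTP/1.1" 200 77
"""

# Common-log-format prefix up to the request target; the rest of the line is ignored.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) ')

# Three ways a value can turn include($_GET["pagename"].".php") into reading or running
# an unintended file: a PHP stream wrapper (php://, data://, ...), directory traversal,
# or an absolute path that ignores the web root.
INDICATORS = (
    ("stream_wrapper", re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)),
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("absolute_path", re.compile(r"^[\\/]")),
)

def classify_value(value):
    """Return the names of the indicators that one parameter value triggers."""
    decoded = unquote(unquote(value))  # also catch double URL-encoding
    return [name for name, rx in INDICATORS if rx.search(decoded)]

def scan_log(text):
    """Return (client_ip, parameter, decoded_value, indicators) for each suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                hits = classify_value(value)
                if hits:
                    findings.append((m.group("ip"), param, value, hits))
    return findings

if __name__ == "__main__":
    for ip, param, value, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {param}={value!r} -> {', '.join(hits)}")
```

The same three indicators are what an allowlist in the PHP code should reject before the value ever reaches include().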

Fig:10_www-data_shell

Yippee! I popped the shell. Just by enumerating directories I found an interesting MySQL configuration file which has credentials for another user called friend.

Fig:11_MySQL_conf

Another jackpot: I used these credentials to log in through SSH and got a user shell as friend, but the user does not belong to the sudo group. Too bad 😢

Remember FriendZone: I trust you but as user…💜

Fig:12_User_flag

After a hell of a lot of enumeration I found a file “reporter.py” under the “/opt/server_admin/” directory which was read-only, but it does nothing and just imports the Python library “os.py”.
At that point I thought it is normal to import libraries in Python scripts, so there was nothing much to think about, and I skipped over it as it was not interesting at the time.

Fig:13_reporter_content

Then I used a pretty amazing tool called “pspy” which is used to monitor the processes running on a system. The main advantage of this tool is that it can also monitor the root user’s processes. Awesome, right!

Fig:14_process_found

So “reporter.py” is run by the root user every 5 minutes as a cron job, but nothing can be achieved with this file itself as we only have read access.
After staring at the content of reporter.py, the question that arose in my mind was “why would someone create a Python file, import a library into it and do nothing?”, as everything else was commented out.
So I checked the permissions of the friend user on the os library file, and guess what, Sherlock Holmes solves the case 😁 just saying.
The os library file has rwx (read, write and execute) permissions for the friend user as well, so friend can edit the contents of os.py by adding reverse shell code at the bottom of the file and wait till root runs “reporter.py”.
The concept of leveraging library files for privilege escalation is called “Library Hijacking”.
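As an added example (my own code, not from the write-up), here is the audit a sysadmin could run to catch the condition that makes this hijack possible: module files or directories on a Python search path that are owned by an untrusted uid or carry group/world write bits. demo_audit builds a constructed temporary directory holding a world-writable os.py next to a correctly permissioned module to show the check firing; running the file directly audits sys.path of the current interpreter.

```python
import os
import stat
import sys
import tempfile

def hijack_reason(path, trusted_uids=(0,)):
    """Explain why `path` could be tampered with by an untrusted user, or return None.
    A module file (or its directory) is a hijack target for a root-run script if it is
    owned by an untrusted uid or carries group/world write bits; a writable directory
    also lets anyone drop a module that shadows a standard one."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"owned by untrusted uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/world-writable"
    return None

def audit_search_path(paths, trusted_uids=(0,)):
    """Map every risky directory or .py file found under `paths` to its reason."""
    findings = {}
    for directory in paths:
        if not os.path.isdir(directory):
            continue  # sys.path may contain '' or zip files; skip those here
        reason = hijack_reason(directory, trusted_uids)
        if reason:
            findings[directory] = reason
        for name in os.listdir(directory):
            full = os.path.join(directory, name)
            if name.endswith(".py") and os.path.isfile(full):
                reason = hijack_reason(full, trusted_uids)
                if reason:
                    findings[full] = reason
    return findings

def demo_audit():
    """Constructed fixture: a world-writable os.py (the box's condition) beside a
    correctly permissioned module; returns {basename: reason} for the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("os.py", 0o666), ("good.py", 0o644)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("# placeholder module body\n")
            os.chmod(path, mode)
        result = audit_search_path([tmp], trusted_uids=(os.getuid(),))
        return {os.path.basename(p): r for p, r in result.items()}

if __name__ == "__main__":
    # Check the running interpreter's search path the way root's cron job would see it.
    for path, reason in audit_search_path(sys.path).items():
        print(f"{path}: {reason}")
```

On a healthy system the real run prints nothing; any line it prints is a file that a scheduled root script would import on trust.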

Fig:15_Library_Hijack

Wait for 5 minutes and boom, we get a shell as the root user…

Fig:16_root_flag

Thanks for reading the write-up; I hope you liked it.
If you did, show some support by tapping the clap button or sharing the post.
Happy hacking till the next retired machine 👻👻👻


Shubham Ingle

Cyber Security Enthusiast || Cybersecurity Consultant || CTF Player || Just Another Info-sec Guy known as b0rn2r00t 🤓