IP: 10.10.10.123
Initial Nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.123 | grep '^[0-9]' | cut -d"/" -f1 | tr '\n' ','
We have the following ports open on the machine:
21,22,53,80,139,443,445
Let's run a more in-depth scan of these ports:
sudo nmap -sCV -p21,22,53,80,139,443,445 10.10.10.123 -oA nmap_results
Results:
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
| tls-alpn: 
|_  http/1.1
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2023-12-22T01:06:31
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2023-12-22T03:06:32+02:00
|_clock-skew: mean: -40m01s, deviation: 1h09m16s, median: -2s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
From this we can see the following:
Most likely an Ubuntu server.
Both HTTP and HTTPS run on the server.
Both the domain name and the host name are friendzone; we can add this to our hosts file.
The TLS certificate also gives us the domain friendzone.red.
Before we investigate the web servers, let's attempt anonymous authentication across the services.
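The `-oA nmap_results` flag above also writes a grepable `nmap_results.gnmap` file, which is easier to post-process than the screen output piped through `cut` and `tr`. This is an added example, not code from the writeup: a small parser for that format that returns the open ports and the service/version per port. `GNMAP_SAMPLE` is a constructed sample in the shape nmap writes for this host, trimmed to four ports, and the `ssl|http` entry illustrates nmap's escaping of a literal `/` inside a field as `|`.

```python
"""Pull open ports and service banners out of nmap's grepable (.gnmap) output,
the file that `-oA nmap_results` writes as nmap_results.gnmap."""
from typing import Dict, List

# Constructed sample of the .gnmap file nmap -sCV -oA writes for this host.
# Each port entry has seven '/'-separated fields:
#   port/state/protocol/owner/service/rpc info/version
# and nmap writes a literal '/' inside a field as '|' so the record stays parseable.
GNMAP_SAMPLE = (
    "# Nmap 7.94 scan initiated Thu Dec 21 21:00:00 2023 as: "
    "nmap -sCV -p21,22,80,443 -oA nmap_results 10.10.10.123\n"
    "Host: 10.10.10.123 ()\tStatus: Up\n"
    "Host: 10.10.10.123 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, "
    "443/open/tcp//ssl|http//Apache httpd 2.4.29/\tIgnored State: closed (65531)\n"
    "# Nmap done at Thu Dec 21 21:01:00 2023 -- 1 IP address (1 host up) scanned\n"
)


def parse_gnmap(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Map each host address to its list of port records."""
    hosts: Dict[str, List[Dict[str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # The tab-separated sections of a Host line are "Key: value" pairs.
        fields = dict(
            part.split(": ", 1) for part in line.split("\t") if ": " in part
        )
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        addr = fields["Host"].split()[0]
        entries = hosts.setdefault(addr, [])
        for item in fields["Ports"].split(", "):
            cols = item.strip().split("/", 6)
            if len(cols) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = cols
            entries.append({
                "port": port,
                "state": state,
                "proto": proto,
                "service": service.replace("|", "/"),
                "version": version.rstrip("/").replace("|", "/"),
            })
    return hosts


def open_ports(text: str, host: str) -> str:
    """Comma-joined open TCP ports for one host, ready to pass to nmap -p."""
    return ",".join(
        e["port"]
        for e in parse_gnmap(text).get(host, [])
        if e["state"] == "open" and e["proto"] == "tcp"
    )


if __name__ == "__main__":
    print(open_ports(GNMAP_SAMPLE, "10.10.10.123"))
    for entry in parse_gnmap(GNMAP_SAMPLE)["10.10.10.123"]:
        print(entry["port"], entry["service"], entry["version"])
```

Reading the version column from the file rather than eyeballing the screen output is what makes the later step (feeding the open ports back into `-p` and recording which versions were seen) repeatable across hosts.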
SMB
crackmapexec smb 10.10.10.123 -u anonymous -p ''
Let's list the shares we have access to:
crackmapexec smb 10.10.10.123 -u anonymous -p '' --shares
That's interesting: we have both read and write permissions on the Development share and read permission on the general share.
Let's have a look at the contents of these shares:
crackmapexec smb 10.10.10.123 -u anonymous -p '' -M spider_plus
Now when we copy the file containing the results and view it, we can see the following:
cp /tmp/cme_spider_plus/10.10.10.123.json ./
cat 10.10.10.123.json
Let's grab this file:
smbclient //10.10.10.123/general -U anonymous
When we look at its contents we can see the following:
admin: WORKWORKHhallelujah@#
Let's see if these creds work across the services.
SSH
ssh admin@10.10.10.123
FTP
ftp admin@10.10.10.123
SMB
crackmapexec smb 10.10.10.123 -u admin -p "WORKWORKHhallelujah@#"
Let's check out the Development share:
smbclient //10.10.10.123/Development -U anonymous
The share is empty, but we do have write access to it; I may circle back to it if I can't find anything else.
RPC
Let's see if we can authenticate to RPC:
rpcclient -N -U anonymous 10.10.10.123
Alright, let's check out the web servers.
The only thing we find is the domain name friendzoneportal.red.
Let's add this to our hosts file.
It's a pretty static site. Let's run feroxbuster and see if we can find anything:
feroxbuster -u http://10.10.10.123 -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs.txt
We do find an interesting directory:
http://friendzone/wordpress/
which doesn't give us much.
HTTPS
Let's check out https://friendzoneportal.red
feroxbuster
feroxbuster -u https://friendzoneportal.red -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs.txt -k
We can see the following.
If we look at the page source we can see the following note.
We go to /js/js and can see the following.
Looking at the page source we can see the following note left behind.
All about times and zones; could this be a hint at a possible zone transfer?
Let's see if we can perform a zone transfer on the domain friendzone.red:
dig axfr @10.10.10.123 friendzone.red
Looks like we have successfully performed a zone transfer:
; <<>> DiG 9.19.17-1-Debian <<>> axfr @10.10.10.123 friendzone.red
; (1 server found)
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 24 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Thu Dec 21 21:47:24 EST 2023
;; XFR size: 8 records (messages 1, bytes 289)
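The transfer above, parsed and audited from the defender's side. This is an added example, not part of the writeup or of any tool it uses: the parsing and audit functions are my own, `DIG_OUTPUT` is the dig output shown above, and `REFUSED_OUTPUT` is a constructed sample of what dig prints when the server declines the transfer. The audit reports whether the AXFR completed (dig prints the SOA as both first and last record of a full transfer), which hostnames the zone gave away, and which of them resolve to loopback, which on this box is what tells you they are name-based virtual hosts behind the same web server.

```python
"""Parse `dig axfr` output and summarise what an open zone transfer exposed."""
import re
from typing import Dict, List, NamedTuple


class Record(NamedTuple):
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


# Resource-record lines look like "<owner> <ttl> <class> <type> <rdata...>".
# dig's own status lines all begin with ';' and never match this pattern.
_RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+([A-Z]+)\s+(.+)$")


def parse_axfr(text: str) -> List[Record]:
    """Return the resource records printed by dig, in transfer order."""
    records: List[Record] = []
    for line in text.splitlines():
        m = _RR_LINE.match(line.strip())
        if m:
            records.append(
                Record(m.group(1), int(m.group(2)), m.group(3), m.group(4), m.group(5).strip())
            )
    return records


def transfer_completed(records: List[Record]) -> bool:
    """A full AXFR is bracketed by the zone's SOA (dig prints it first and last);
    a refused transfer yields no records at all."""
    return (
        len(records) >= 2
        and records[0].rtype == "SOA"
        and records[-1].rtype == "SOA"
        and records[0].name == records[-1].name
    )


def audit_zone(records: List[Record], zone: str) -> Dict[str, object]:
    """Summarise the exposure: every hostname the zone reveals beyond the apex,
    plus the names that resolve to loopback (name-based vhosts on this host)."""
    hostnames = sorted(
        {r.name for r in records if r.name != zone and r.rtype in ("A", "AAAA", "CNAME")}
    )
    loopback = sorted({r.name for r in records if r.rtype == "A" and r.rdata == "127.0.0.1"})
    return {
        "complete": transfer_completed(records),
        "hostnames": hostnames,
        "loopback_hosts": loopback,
    }


# The transfer output from the writeup above.
DIG_OUTPUT = """\
; <<>> DiG 9.19.17-1-Debian <<>> axfr @10.10.10.123 friendzone.red
; (1 server found)
;; global options: +cmd
friendzone.red.                604800 IN SOA  localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                604800 IN AAAA ::1
friendzone.red.                604800 IN NS   localhost.
friendzone.red.                604800 IN A    127.0.0.1
administrator1.friendzone.red. 604800 IN A    127.0.0.1
hr.friendzone.red.             604800 IN A    127.0.0.1
uploads.friendzone.red.        604800 IN A    127.0.0.1
friendzone.red.                604800 IN SOA  localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 24 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Thu Dec 21 21:47:24 EST 2023
;; XFR size: 8 records (messages 1, bytes 289)
"""

# Constructed: what dig prints when the server honours `allow-transfer { none; };`.
REFUSED_OUTPUT = """\
; <<>> DiG 9.19.17-1-Debian <<>> axfr @10.10.10.123 friendzone.red
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""

if __name__ == "__main__":
    print(audit_zone(parse_axfr(DIG_OUTPUT), "friendzone.red."))
    print(audit_zone(parse_axfr(REFUSED_OUTPUT), "friendzone.red."))
```

On the BIND side the fix for this finding is to set `allow-transfer { none; };` (or a list containing only the secondaries, ideally with TSIG keys) in the zone or options block of named.conf, and to log the `xfer-out` category so transfer attempts from unexpected clients show up; the audit function's `complete` flag is exactly the condition such a log entry would contradict once the setting is in place.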
Let's add these to our hosts file.
https://administrator1.friendzone.red/
We are greeted with the following.
We can try the creds we found earlier.
When we visit /dashboard.php
Playing around with the request params