Root through a Samba share & LFI (HTB FriendZone Walkthrough)
In this article, I will explain how I got root on the FriendZone machine from Hack The Box. This is a special machine to me, as it's the first one I did in my workshop series back in school. So, let's jump right in!
Scanning & Enumeration
In Hack The Box machines there is no reconnaissance. In most cases, we start directly with scanning and enumeration, because the machines we are trying to own are in a private network. But if we were in a real pen-test, the first thing we should do is reconnaissance (passive and active).
So let's start with the Nmap scan. I usually do a staged nmap scan; what I mean by that is that I first run nmap against the 1000 default ports.
Then, for those open ports, I add the -A argument to enable OS and version detection, script scanning, and traceroute.
Before we discuss the results I'd like to continue explaining my methodology and the reasoning behind it. Now that I have done that scan, I run a scan of all ports (the -p- argument) in the background while I go through the results. I also try to bypass firewalls with a FIN scan: because a bare FIN packet is sent, it flies past rules that only block SYN packets (you'll find more about sneaking through firewalls here). Finally, I run a UDP scan and leave it in the background after I finish with TCP, because it takes a while.
The idea behind my staged nmap scans is to minimize the time spent and stay organized.
Jumping back to the results of my nmap scan, we see 7 open ports. FTP on port 21 running vsftpd 3.0.3, which is not vulnerable. OpenSSH 7.6p1, whose banner says it's an Ubuntu box, also not vulnerable. Port 53 on TCP, which is odd: DNS usually runs on UDP, and when it also runs on TCP that usually hints at a zone transfer, so we should look into that later on. Port 80 running Apache. Ports 139 and 445, NetBIOS/SMB running Samba smbd. Port 443, SSL/HTTP, whose certificate leaks the domain name "friendzone.red"; that will be handy during the enumeration of port 53.
I'll start by enumerating port 80, as it has the biggest attack surface. So I check what the page looks like.
My next step is to run a directory brute-force while I look into the source code and check for some kind of virtual host routing. I use gobuster or dirsearch, but unfortunately they did not give any useful results, and neither did the source code. I'd like to see if there is virtual host routing, but I'll wait until I enumerate port 53. Looking back at the page, I find it odd that it hints at the address friendzoneportal.red while the certificate gave us friendzone.red. I noted that and carried on.
The next port I'd like to enumerate is port 53. I went straight for a zone transfer using dig (axfr is the zone transfer query type).
And tadaaa! I found some interesting subdomains, so I think the domain friendzoneportal.red was just a rabbit hole; it's still noted though, and if this path doesn't lead anywhere I'll go back and check it. I see quite a few interesting subdomains; the one that stands out is administrator1.friendzone.red. My state of mind at this point is to look at them one by one (spoiler alert: the others are just rabbit holes). I added these subdomains to my /etc/hosts file, as in HTB there is no DNS for us, so we work with virtual host routing.
When I visited the administrator page it said 404 Not Found, so I simply switched to HTTPS (remember port 443?).
Usually when I find a login form like this, I try manually to find SQL injection; if I don't succeed, I run sqlmap and a directory brute-force in the background while I look into other ports. And this is what I did…
So, let's jump into the enumeration of the Samba shares. I run a tool called enum4linux for that purpose (enum4linux 10.10.10.123).
We see that the server allows sessions without providing any username or password.
Also, there are some shares we should look into, but luckily enum4linux does that for us. Before that, note that the Files share is at /etc/Files, so most likely Development is at /etc/Development.
The share mapping provided by enum4linux states that we can map the general and Development shares. (I like to express my state of mind during the process, so you understand how and where to look. Here, I am thinking that Samba and HTTP are on the same server, so if we could upload something into the Samba share and call it via the web page, we might get a shell.)
Looking into the general share, we find some credentials that belong to the admin.
The Development share looks empty.
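The two findings above, anonymous sessions and a share that anonymous users can map and write to, are exactly what a periodic smb.conf audit should catch. The following Python script is an added example and is not part of the original write-up or the box: it runs over a constructed smb.conf whose [general] and [Development] shares mirror what enum4linux reported, flags every share reachable with guest ok = yes, rates it higher when the share is also writable, and shows that a hardened copy of the same share (guest ok = no, read only = yes, access limited to a hypothetical @developers group) produces no findings.

```python
import configparser

# Constructed smb.conf for this example; it is not the box's real configuration.
# [general] and [Development] mirror what enum4linux reported: anonymous access,
# and Development writable.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
server string = example file server
map to guest = Bad User

[general]
path = /etc/general
browseable = yes
guest ok = yes
read only = yes

[Development]
path = /etc/Development
guest ok = yes
writable = yes

[private]
path = /srv/private
valid users = @staff
guest ok = no
read only = yes
"""

# The same shares with the weakness removed (also constructed).
HARDENED_SMB_CONF = """
[global]
workgroup = WORKGROUP
map to guest = Never

[general]
path = /etc/general
guest ok = no
read only = yes
valid users = @staff

[Development]
path = /etc/Development
guest ok = no
read only = yes
valid users = @developers
write list = @developers
"""

TRUE_VALUES = {"yes", "true", "1"}


def _is_true(section, key, default):
    return section.get(key, default).strip().lower() in TRUE_VALUES


def audit_smb_conf(text):
    """Return one finding per share that anonymous (guest) users can reach.

    Approximation of Samba's semantics: a share counts as writable when any
    write-enabling spelling is present ("writable", "writeable", or
    "read only = no"); Samba itself honours the last one given.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # smb.conf indents keys, and configparser would treat indented lines as
    # continuation values, so normalise the indentation first.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))

    guest_mapping = (cp.has_section("global") and
                     cp["global"].get("map to guest", "never").strip().lower() != "never")
    findings = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        share = cp[name]
        guest = _is_true(share, "guest ok", "no") or _is_true(share, "public", "no")
        writable = (_is_true(share, "writable", "no")
                    or _is_true(share, "writeable", "no")
                    or not _is_true(share, "read only", "yes"))
        if not guest:
            continue
        findings.append({
            "share": name,
            "path": share.get("path", "?"),
            "writable": writable,
            "severity": "high" if writable else "medium",
            "map_to_guest": guest_mapping,   # unknown users are mapped to guest
        })
    return findings


if __name__ == "__main__":
    for f in audit_smb_conf(SAMPLE_SMB_CONF):
        extra = " + writable" if f["writable"] else ""
        print(f"{f['severity'].upper():6} {f['share']:12} {f['path']:18} anonymous{extra}")
    print("hardened config findings:", audit_smb_conf(HARDENED_SMB_CONF))
```

Run against the sample, the script reports general as medium (anonymous read) and Development as high (anonymous write), and nothing for the hardened copy. The map to guest flag is carried on each finding because "Bad User" is what turns an unknown username into a guest session in the first place.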
Let's try the creds we found on the admin panel on the administrator1 subdomain. It works, and it tells us to visit dashboard.php.
At that stage I made sure to look into the source code (I always do). Nothing there, so I did what the page tells me to do and checked the default image.
Looking at the results, I see at the bottom the timestamp's value and the parameter pagename=timestamp, so there is a very high possibility that we have an LFI here. But if we go and try the classic ../../../../../etc/passwd, that won't work, because the page appends the .php extension to the parameter. My next move here is to try to upload something into the Development share and call it through the web page. To verify that I had an LFI, I just tried administrator1.friendzone.red/timestamp.php, and it displayed the timestamp.
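To make that point concrete, here is an added Python model (not code from the box or from the author) of both sides of that include: a function mirroring include($_GET['pagename'] . '.php'), which shows why the classic /etc/passwd payload turns into /etc/passwd.php and fails while a relative path to any other .php file still escapes the web root; a hardened version that allowlists page names and confines the resolved path to the web root; and a small scanner that pulls the pagename value out of Apache access-log lines so a defender can spot values that are off the allowlist. The allowlist, the web root path and the log lines are all constructed for the example.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the pages dashboard.php is actually meant to include.
ALLOWED_PAGES = {"timestamp", "dashboard", "login"}


def resolve_page_vulnerable(webroot, pagename):
    """Model of include($_GET['pagename'] . '.php').

    Appending '.php' is why ../../../../../etc/passwd fails (it becomes
    /etc/passwd.php), but nothing stops '..' from walking out of the web
    root to any other .php file the web server can read.
    """
    return posixpath.normpath(posixpath.join(webroot, pagename + ".php"))


def resolve_page_hardened(webroot, pagename):
    """Allowlist the page name, then confine the result to the web root."""
    if pagename not in ALLOWED_PAGES:
        return None
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, pagename + ".php"))
    # Belt and braces: even an allowlisted name must not escape the root.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed Apache combined-log lines (not from the box).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Feb/2019:12:00:01 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Feb/2019:12:00:07 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=../../../etc/Development/shell HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Feb/2019:12:00:09 +0000] "GET /login.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def suspicious_pagename_requests(log_lines):
    """Return (request_path, pagename) for requests whose pagename is off the allowlist."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split()   # e.g. ['GET', '/dashboard.php?...', 'HTTP/1.1']
        if len(request) < 2:
            continue
        path = request[1]
        # parse_qs percent-decodes, so an encoded ../ is seen in decoded form.
        for value in parse_qs(urlsplit(path).query).get("pagename", []):
            if value not in ALLOWED_PAGES:
                hits.append((path, value))
    return hits


if __name__ == "__main__":
    root = "/var/www/admin"
    for name in ("timestamp", "../../../../../etc/passwd", "../../../etc/Development/shell"):
        print(f"{name!r:45} vulnerable -> {resolve_page_vulnerable(root, name)}")
        print(f"{'':45} hardened   -> {resolve_page_hardened(root, name)}")
    for path, value in suspicious_pagename_requests(SAMPLE_ACCESS_LOG):
        print("suspicious request:", path)
```

The allowlist is the real fix; the commonpath check is a second line of defence in case the list ever grows to include a name built from user input. The log scanner is deliberately simple: a single request with a pagename containing ../ is already worth an alert, since the legitimate application never sends one.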
For this I downloaded pentestmonkey's PHP reverse shell file.
I modified the script, setting the IP address to my tun0 address (since I am using a VPN) and choosing port 4444. Now I should set up a listener on port 4444.
Here it depends on the engagement: if my client during a pentest gave me permission to try to get a user shell, I would carry on, but if not I would just set up an ICMP listener and try to get a ping back to my machine, or write a simple PHP script that prints something as a PoC.
Now let's upload our php-reverse-shell to the Development share.
So our file is now in /etc/Development (as described in the share enumeration section).
Let's try to call it through the LFI and see if we gain access.
Gaining Access
Looking back at our ncat listener, we got a shell.
Now let's upgrade this shell. First I check whether python or python3 is available on the server; luckily it is, so I run python -c 'import pty;pty.spawn("/bin/bash");'. Then I put the shell in the background with CTRL+Z, run "stty raw -echo", then "fg", and after that I run TERM=xterm so I can clear my workspace.
Now I have a fully functional shell with autocompletion, arrow keys and clear!
I went and took the user flag from /home/friend/user.txt.
Privilege Escalation
In the privilege escalation phase, I usually start by enumerating things manually, then I run some scripts that help me enumerate, like LinEnum and pspy.
But before going down that road, I looked around and found quite an interesting file owned by root called reporter.py.
This file imports the os module. (My state of mind at this point: if this file is run as a cron job or a process, and we actually have write permissions on the os module, we can gain root.) So I went and ran pspy (an unprivileged Linux process snooping tool).
We do find cron running that reporter.py script.
os.py is writable by the friend user and its group, and friend is the user whose credentials I found during enumeration.
I just used SSH to connect to the server, set up a listener on my machine, appended this line to os.py and waited for reporter.py to be executed.
And looking back at my listener, I got root!
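The root cause here is a root cron job importing a module that a non-root user can edit, and that is something a defender can check for mechanically. The script below is an added Python example, not the author's or the box's code: it parses a script's imports with ast, resolves each module against a supplied search path (standing in for the interpreter's sys.path, with the script's own directory first as Python does), and reports any file, or containing directory, that is group/world-writable or not owned by root. build_demo() creates a constructed layout with a reporter.py and a group-writable os.py so the audit runs offline; on a real host you would point it at the cron script and the interpreter's library directories.

```python
import ast
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def imported_modules(script_path):
    """Top-level module names the script imports, found statically with ast."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def locate_module(name, search_paths):
    """First <name>.py or <name>/__init__.py on the search paths, in order."""
    for base in search_paths:
        for candidate in (os.path.join(base, name + ".py"),
                          os.path.join(base, name, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None


def permission_problems(path):
    """Reasons a non-root user could change what root will execute from path."""
    problems = []
    st = os.stat(path)
    if st.st_mode & WRITE_BITS:
        problems.append("group/world-writable file")
    if st.st_uid != 0:
        problems.append(f"owned by uid {st.st_uid}, not root")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & WRITE_BITS and not parent.st_mode & stat.S_ISVTX:
        problems.append("group/world-writable directory (file can be replaced)")
    return problems


def audit_script(script_path, search_paths):
    """Map each risky file (the script or a module it imports) to its problems."""
    paths = [os.path.dirname(os.path.abspath(script_path))] + list(search_paths)
    findings = {}
    own = permission_problems(script_path)
    if own:
        findings[script_path] = own
    for name in sorted(imported_modules(script_path)):
        location = locate_module(name, paths)
        if location is None:
            continue   # built-in / compiled, or not on the supplied paths
        problems = permission_problems(location)
        if problems:
            findings[location] = problems
    return findings


def build_demo():
    """Constructed layout: a cron-style reporter.py and a library directory in
    which os.py has been left group-writable (the weakness seen on the box)."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib, mode=0o755)
    reporter = os.path.join(root, "reporter.py")
    with open(reporter, "w", encoding="utf-8") as fh:
        fh.write("import os\nimport shutil\n\nprint(os.listdir('/'))\n")
    os_py, shutil_py = os.path.join(lib, "os.py"), os.path.join(lib, "shutil.py")
    for module in (os_py, shutil_py):
        with open(module, "w", encoding="utf-8") as fh:
            fh.write("# stand-in for the real module\n")
    os.chmod(reporter, 0o644)
    os.chmod(shutil_py, 0o644)   # intended state: only the owner can write
    os.chmod(os_py, 0o664)       # the weakness: group members can edit it
    return reporter, lib, os_py, shutil_py


if __name__ == "__main__":
    reporter, lib, _, _ = build_demo()
    for path, problems in audit_script(reporter, [lib]).items():
        print(path, "->", "; ".join(problems))
```

Only top-level names are resolved, which is enough here: the box's issue was the os module itself. A writable parent directory is reported too, because a user who can rename files in the directory can swap the module without ever having write permission on it; the sticky bit exception mirrors /tmp-style directories where that swap is not possible.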
Suggestions and takeaways
I would suggest that the Samba share should not be exposed to the public, that credentials should not be stored in plain text like that, and that the PHP include that leads to the LFI should be removed. I would also suggest changing the permissions on mysql_data.conf and on os.py.
This box contained a ton of rabbit holes, but if you stick to a solid methodology you'll be able to pwn it easily.