FriendZoned

10.10.10.123

Scanning

nmap -p- 10.10.10.123

nmap -p 21,22,53,80,139,443,445 -sV 10.10.10.123

Enumeration

Port 80

Found email info@firenzoneportal.red
Phone number
wordpress site

Port 443

Found email friendzone.red

Altering hosts file

Two domain names were found, lets update our hosts file.

Port 53 Zone Transfer

DNS is on port tcp, what could that mean. Potential Zone Transfer? Lets Try Dig

dig axfr @10.10.10.123 friendzone.red

kali@kali:~/HTB/FriendZone$ dig axfr @10.10.10.123 friendzone.red > zonetransfer 
kali@kali:~/HTB/FriendZone$ dig axfr @10.10.10.123 friendzoneportal.red >> zonetransfer 
kali@kali:~/HTB/FriendZone$ cat zonetransfer 

; <<>> DiG 9.16.4-Debian <<>> axfr @10.10.10.123 friendzone.red
; (1 server found)
;; global options: +cmd
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.		604800	IN	AAAA	::1
friendzone.red.		604800	IN	NS	localhost.
friendzone.red.		604800	IN	A	127.0.0.1
administrator1.friendzone.red. 604800 IN A	127.0.0.1
hr.friendzone.red.	604800	IN	A	127.0.0.1
uploads.friendzone.red.	604800	IN	A	127.0.0.1
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 76 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Mon Sep 28 08:57:53 EDT 2020
;; XFR size: 8 records (messages 1, bytes 289)


; <<>> DiG 9.16.4-Debian <<>> axfr @10.10.10.123 friendzoneportal.red
; (1 server found)
;; global options: +cmd
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.	604800	IN	AAAA	::1
friendzoneportal.red.	604800	IN	NS	localhost.
friendzoneportal.red.	604800	IN	A	127.0.0.1
admin.friendzoneportal.red. 604800 IN	A	127.0.0.1
files.friendzoneportal.red. 604800 IN	A	127.0.0.1
imports.friendzoneportal.red. 604800 IN	A	127.0.0.1
vpn.friendzoneportal.red. 604800 IN	A	127.0.0.1
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 72 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Mon Sep 28 08:58:03 EDT 2020
;; XFR size: 9 records (messages 1, bytes 309)

In vim

LoginPages

https://admin.friendzoneportal.red

https://uploads.friendzone.red

https://administrator1.friendzone.red

Port 445

smbmap -H 10.10.10.123

smbmap -H 10.10.10.123 -R --depth 5

Found Credential

admin:WORKWORKHhallelujah@#

Further Enuermation onf 445

smbclient -L //10.10.10.123

Notice how we files in the Files share are stored in /etc/Files. Knowing this ,there is a possibility the files in the Development share are stored in /etc/Development. Keep in mind we have Write access to this share!

PreviousExploitation NextScanning and Enumeration

Last updated 4 years ago

Was this helpful?