FriendZoned

10.10.10.123

Scanning

nmap -p- 10.10.10.123
Let's run a more comprehensive scan against the open ports, with service/version detection:
nmap -p 21,22,53,80,139,443,445 -sV 10.10.10.123

Enumeration

Port 80

  • Found email info@friendzoneportal.red

  • Phone number

  • WordPress site

Port 443

  • Found email friendzone.red

Altering hosts file

Two domain names were found, so let's update our hosts file.

Port 53 Zone Transfer

  • DNS is listening on TCP port 53. What could that mean? Potentially a zone transfer. Let's try dig.

  • dig axfr @10.10.10.123 friendzone.red          
Different available domains.
kali@kali:~/HTB/FriendZone$ dig axfr @10.10.10.123 friendzone.red > zonetransfer 
kali@kali:~/HTB/FriendZone$ dig axfr @10.10.10.123 friendzoneportal.red >> zonetransfer 
kali@kali:~/HTB/FriendZone$ cat zonetransfer 

; <<>> DiG 9.16.4-Debian <<>> axfr @10.10.10.123 friendzone.red
; (1 server found)
;; global options: +cmd
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.		604800	IN	AAAA	::1
friendzone.red.		604800	IN	NS	localhost.
friendzone.red.		604800	IN	A	127.0.0.1
administrator1.friendzone.red. 604800 IN A	127.0.0.1
hr.friendzone.red.	604800	IN	A	127.0.0.1
uploads.friendzone.red.	604800	IN	A	127.0.0.1
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 76 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Mon Sep 28 08:57:53 EDT 2020
;; XFR size: 8 records (messages 1, bytes 289)


; <<>> DiG 9.16.4-Debian <<>> axfr @10.10.10.123 friendzoneportal.red
; (1 server found)
;; global options: +cmd
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.	604800	IN	AAAA	::1
friendzoneportal.red.	604800	IN	NS	localhost.
friendzoneportal.red.	604800	IN	A	127.0.0.1
admin.friendzoneportal.red. 604800 IN	A	127.0.0.1
files.friendzoneportal.red. 604800 IN	A	127.0.0.1
imports.friendzoneportal.red. 604800 IN	A	127.0.0.1
vpn.friendzoneportal.red. 604800 IN	A	127.0.0.1
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 72 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Mon Sep 28 08:58:03 EDT 2020
;; XFR size: 9 records (messages 1, bytes 309)

In vim

replaces new line characters with a space
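
The saved zone-transfer output feeds the hosts-file step, and the vim step joins the names onto one line; the filter below does both in the shell. It is an added example, not part of the original notes. The function names are made up for it, the sample input is an abbreviated copy of the output above, and mapping every name to 10.10.10.123 is an assumption, since the zone itself only returns 127.0.0.1.

```bash
#!/bin/sh
# Added example: turn saved `dig axfr` output into one hosts-file entry.

# Constructed sample, abbreviated from the transfer output shown above.
sample_axfr() {
cat <<'EOF'
; <<>> DiG 9.16.4-Debian <<>> axfr @10.10.10.123 friendzone.red
;; global options: +cmd
friendzone.red.   604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.   604800 IN AAAA ::1
friendzone.red.   604800 IN NS localhost.
friendzone.red.   604800 IN A 127.0.0.1
administrator1.friendzone.red. 604800 IN A 127.0.0.1
uploads.friendzone.red. 604800 IN A 127.0.0.1
friendzone.red.   604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; XFR size: 8 records (messages 1, bytes 289)
EOF
}

# axfr_names: read dig output on stdin and print each unique owner name that
# has an A or AAAA record, lower-cased, without the trailing dot, sorted.
axfr_names() {
    awk '
        $1 ~ /^;/ || NF < 5 { next }   # skip dig comment lines and blank lines
        $3 == "IN" && ($4 == "A" || $4 == "AAAA") {
            name = tolower($1)
            sub(/\.$/, "", name)       # drop the root dot
            if (!(name in seen)) { seen[name] = 1; print name }
        }
    ' | sort
}

# hosts_line IP: join the names found on stdin into a single hosts entry.
# Prints nothing when the input contains no address records.
hosts_line() {
    ip=$1
    names=$(axfr_names | paste -s -d ' ' -)
    if [ -n "$names" ]; then
        printf '%s %s\n' "$ip" "$names"
    fi
}

# With the file saved above: hosts_line 10.10.10.123 < zonetransfer
sample_axfr | hosts_line 10.10.10.123
```

Review the printed line before appending it to /etc/hosts; SOA and NS records are skipped, so only names with address records appear.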

Login Pages

Port 445

smbmap -H 10.10.10.123
smbmap -H 10.10.10.123 -R --depth 5

Found Credential

  • admin:WORKWORKHhallelujah@#

Further Enumeration of 445

smbclient -L //10.10.10.123
Files are in /etc/Files

Notice how the files in the Files share are stored in /etc/Files. Knowing this, there is a possibility that the files in the Development share are stored in /etc/Development. Keep in mind we have write access to this share!
