FriendZone Walkthrough
Hey everyone! We have one of the HackTheBox machines that is considered an OSCP-like VM, so let's take a look at its info.


Nmap Scan
We will start our scan by identifying the open ports, the services running on them, the OS version, etc.
nmap -A -T4 -oG friend.gnmap 10.10.10.123

As you can see, I have a bunch of interesting open ports. Note that on https/443 we have the subdomain friendzone.red, and at the end of the scan, in the script scan results, we see:

Message signing enabled but not required. This means that you can log in to the FTP server with any random username and password.
From here, I've put together the methodology I'll follow through this machine:
HTTP/HTTPS Enumeration
FTP Enumeration
Because we don't have any more options.
HTTPS/HTTP/FTP Enumeration
By accessing http://10.10.10.123

Nothing here; just keep note of this mail, as it may be an internal mail, and of this domain, friendzoneportal.red.
I've checked the source code and nothing shows up, so let's try to brute-force the directories by using gobuster.

No useful directories here, and robots.txt doesn't have any information, so let's check https://10.10.10.123

Not found! OK, let's try to add the subdomain we found earlier in the nmap scan to /etc/hosts and try again.

Access it again

Good, we have a page here; let's check the directories.

We have 2 directories. I've checked /admin and it doesn't have any useful info, but /js does.

It seems to be base64 encoded; let's check the source code.

I guessed that the word zone may be referring to a zone transfer attack, so I searched for how to attack port 53 "DNS".

From the first result, I found that it performs the zone transfer attack, so I tried to do the same by using dig
dig axfr zonetransfer @10.10.10.123

Good, we have more subdomains; let's add them to /etc/hosts.

Let's try to open uploads.friendzone.red

And after trying to upload a shell

It works and returns a number whose purpose I couldn't work out; it may be an upload ID. Maybe.
After uploading this, I tried to access /uploads/shell.php but it fails, so let's see the other subdomains.
I tried to open administrator.friendzone.red but it required creds, so I tried to list all content from the FTP server by using smbmap
smbmap -H 10.10.10.123 -u 'radfad' -p 'dfadfaf' -R -A creds.txt

I've found the username and password for the admin account. I'm sure that we will fail if we try to use them with ssh, so I used them with the admin login portal.

And it works.


It tells us to access these parameters, so let's try.

The last parameter deals with the database, so what if it is vulnerable to LFI or SQLi? Let's try LFI.
I tried to get ../../../../../etc/passwd but it fails, so I tried to get the source code for dashboard instead.

It's in base64 form, so let's decode it.

As you can see, it takes the name of the page and then adds .php at the end of it.
I have to upload shell.php and access the page as shell; via the upload page this also fails, so I tried to upload the shell using the FTP server, because I have permission to write in a share directory.

After that, the shell will be at /etc/Development/shell.php
Let's try to access it through the webpage and also open nc.


It works, and we have a shell now. Let's try to open user.txt

Okay, let's enumerate the box.
After a few minutes, I found this file in /var/www, which contains database information.

Use them to log in with ssh.

Okay, we have more privileges now, but we need to be root.
After using LinPEAS I hadn't found anything interesting, so I used PSPY to see what happens on the box and what happens when the friend user logs in to the server.
After executing it, I found that reporter.py is executed every 2 minutes.

Let's check it.

It contains os.system(command), where I tried to put /bin/bash instead of command, but I don't have permission to edit it. However, it imports the os library, and I think I have permission to edit that; I noticed it in the LinPEAS results, so let's check.

That's right, we can edit it, so I searched for a Python reverse shell and found this code

The last line in the code contains the command that opens an interactive shell, and the subprocess library is used for executing bash commands in Python code.
After adding it to os.py, I opened nc to listen on port 443.

It works and we have the root flag ❤
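The root step above works because a module imported by a root-run script was editable by an unprivileged user. The following is an added example, not part of the original walkthrough or the box's own code: it audits a Python interpreter's import directories for modules and directories that a non-trusted user can modify. The function names, the suffix list and the trusted-UID default are assumptions.

```python
"""Audit Python import directories for modules a non-trusted user can modify."""
import os
import stat
import sys

MODULE_SUFFIXES = (".py", ".pyc", ".so")


def weak_reasons(path, trusted_uids=(0,)):
    """Return the reasons `path` can be modified by someone other than a trusted owner."""
    try:
        st = os.stat(path)
    except OSError:
        return []  # broken symlink or race: nothing to report
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append("owner uid %d is not trusted" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_import_path(paths, trusted_uids=(0,)):
    """Walk each import directory; return {path: reasons} for weak dirs and modules."""
    findings = {}
    for root in paths:
        if not os.path.isdir(root):
            continue  # zip archives and missing entries are skipped
        for dirpath, _dirnames, filenames in os.walk(root):
            # A writable directory lets a user replace or shadow any module in it.
            candidates = [dirpath] + [
                os.path.join(dirpath, f) for f in filenames if f.endswith(MODULE_SUFFIXES)
            ]
            for path in candidates:
                reasons = weak_reasons(path, trusted_uids)
                if reasons:
                    findings[path] = reasons
    return findings


if __name__ == "__main__":
    # Run with the same interpreter the privileged job uses so sys.path matches.
    for path, reasons in sorted(audit_import_path([p for p in sys.path if p]).items()):
        print("%s: %s" % (path, ", ".join(reasons)))
```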