FriendZone Walkthrough
Hey Everyone! We have one of HackTheBox machines which is considered VM like OSCP, so let’s take a look at its info
Nmap Scan
Weof will start our scan with knowing the open ports, services running on them, OS version, etc
nmap -A -T4 -oG friend.gnmap 10.10.10.123
As you can see, I’ve a bunch of interesting open ports, but note that in https/443 you will find that we have subdomain friendzone.red and the end of the scan in script scan results
Message sigining enabled but not required This mean that you can login to the ftp server with any random username and password
From here I’ve put my methodology which I’ll follow through this machine:
HTTP/HTTPS Enumeration
FTP Enumeration
Because we don’t have any more options
HTTPS/HTTP/FTP Enumeration
By accessing http://10.10.10.123
Nothing here, just keep note of this mail, it may be internal mail, and this domain friendzoneportal.red
I’ve checked the source code and nothing appears, so let’s try to brute-force the directories by using gobuster
Nothing useful directory here, robots.txt doesn’t have information, let’s check https://10.10.10.123
Not found!! Ok, let’s try to add the subdomain which we found before from nmap scan to /etc/hosts and try again
Access it again
Good we have page here, let’s check the directories
we have 2 directories, I’ve checked /admin and it doesn’t have any useful info, but the /js have
It seems that base64 encoded, let’s check the source code
I’ve guessed that word zone may be referring to zone transfer an attack. I’ve tried to search for how to attack port 53 “DNS”
From the first result, I’ve found it performs Zone transfer the attack, so I’ve tried to do the same by using dig
dig axfr zonetransfer @10.10.10.123
Good, we have more subdomains, let’s add them into /etc/hosts
Let’s try to open uploads.friendzone.red
And after trying to upload shell
It works and get back a number that I couldn’t know what it used for, it may be upload id ! May be.
After uploading this I’ve tried to access /uploads/shell.php but it fails, let’s see the other subdomains.
I’ve tried to open administrator.friendzone.red but it required creds, so I tried to list all content from FTP server by using smbmap
smbmap -H 10.10.10.123 -u 'radfad' -p 'dfadfaf' -R -A creds.txt
I’ve found username and password for admin account, and I’m sure that we will fail if we try to user them with ssh so I used them with the admin login portal
and It works
It tells us to access these parameters so let’s try
The last parameter deals with the Database so what if it was vulnerable by LFI or SQLi let’s try LFI
I’ve tried to get ../../../../../etc/passwd but it fails, so I’ve tried to get the source code for dashboard
It’s in base64 form, let’s decode it
As you can see it take the name of the page and then add .php at the end of.
I’ve to upload shell.php and access the page as shell from the upload page but also it fails, so I tried to upload the shell using the FTP server because I’ve permission to write in a share directory
After that the shell will be in /etc/Development/shell.php directory
Let’s try to access it through the webpage and also open nc
It works, and we have a shell now, let’s try to open user.txt
Okay, let’s search enumerate the box.
After a few minuter I’ve found this file which contain database information in /var/www
Use them to login with ssh
Okay we have more priv. Now but we need to be as root
After using LinPEAS I’ve not found anything interesting, so I’ve used PSPY to see what happens in the box and what happen when friend user login to the server
After executing it,I’ve found that reporter.py executed every 2 minutes
Let’s check it
It contains os.system(command) which I tried to put /bin/bash instead of commnd, but I don’t have permissions to edit it, but it imports os library, and I think I’ve permission to edit it, I noticed that from LinPEAS results, let’s check
That’s right, we can edit it, so I searched for python reverse shell and found this code
The last line in the code contain the command which open escaping interactive shell and subprocess library used for executing
bashcommands intopythoncode
and after added it to the os.py and open nc to listen over 443 port
It works and we’ve the root flag ❤
Last updated