FriendZone Walkthrough
Last updated
Hey everyone! This HackTheBox machine is considered an OSCP-like VM, so let's take a look at its info.
We will start our scan by finding the open ports, the services running on them, the OS version, etc.
nmap -A -T4 -oG friend.gnmap 10.10.10.123
As you can see, I have a bunch of interesting open ports, but note that under https/443 you will find that we have the subdomain friendzone.red, and at the end of the scan, in the script scan results:
Message signing enabled but not required
This means that you can log in to the FTP server with any random username and password.
From here, this is the methodology I'll follow through this machine:
HTTP/HTTPS enumeration
FTP enumeration
because we don't have any more options.
By accessing http://10.10.10.123, nothing is here; just keep note of this mail, which may be an internal mail, and of this domain, friendzoneportal.red.
I checked the source code and nothing appeared, so let's try to brute-force the directories using gobuster.
No useful directory here, and robots.txt doesn't have any information, so let's check https://10.10.10.123
Not found! Okay, let's add the subdomain we found earlier in the nmap scan to /etc/hosts and try again.
Access it again:
Good, we have a page here; let's check the directories.
We have 2 directories. I checked /admin and it doesn't have any useful info, but /js does.
It seems to be base64 encoded; let's check the source code.
I guessed that the word zone may refer to a zone transfer attack, so I searched for how to attack port 53 (DNS).
The first result showed how the zone transfer attack is performed, so I tried to do the same using dig:
dig axfr zonetransfer @10.10.10.123
Good, we have more subdomains; let's add them to /etc/hosts.
Let's try to open uploads.friendzone.red.
After trying to upload a shell, it works and returns a number that I couldn't figure out the purpose of; it may be an upload id, maybe.
After uploading this I tried to access /uploads/shell.php, but it fails, so let's look at the other subdomains.
I tried to open administrator.friendzone.red, but it required creds, so I tried to list all the content from the FTP server using smbmap:
smbmap -H 10.10.10.123 -u 'radfad' -p 'dfadfaf' -R -A creds.txt
I found a username and password for the admin account, and I'm sure we will fail if we try to use them with ssh, so I used them on the admin login portal, and it works.
It tells us to access these parameters, so let's try.
The last parameter deals with the database, so what if it is vulnerable to LFI or SQLi? Let's try LFI.
I tried to get ../../../../../etc/passwd, but it fails, so I tried to get the source code of dashboard.
It's in base64 form; let's decode it.
As you can see, it takes the name of the page and appends .php to the end.
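The include pattern the decoded dashboard source shows (take the page name from the request, append .php, include the result) is what makes the LFI attempt above possible. As an added example that is not part of the original walkthrough or the machine's code, here is that pattern beside a hardened version written in Python: the allowlist of page names and the pages directory are assumptions, and the traversal input is the one the walkthrough itself tried.

```python
from pathlib import Path

# Constructed for this example: the directory a dashboard would include
# pages from, and the pages it is meant to serve (hypothetical names).
PAGES_DIR = Path("/var/www/admin/pages")
ALLOWED_PAGES = frozenset({"dashboard", "timestamp"})


def vulnerable_resolve(page_name):
    """The pattern the decoded source shows: take the user-supplied page
    name and append .php, with no validation at all."""
    return page_name + ".php"


def hardened_resolve(page_name, pages_dir=PAGES_DIR, allowed=ALLOWED_PAGES):
    """Allowlist the page name first, then confirm the resolved path still
    lives inside pages_dir as a second line of defence."""
    if page_name not in allowed:
        raise ValueError(f"page not allowed: {page_name!r}")
    target = (pages_dir / f"{page_name}.php").resolve()
    if pages_dir.resolve() not in target.parents:
        raise ValueError(f"path escapes pages directory: {target}")
    return target


def classify(page_name):
    """Return what each resolver would do with one request, for comparison."""
    try:
        hardened = str(hardened_resolve(page_name))
    except ValueError as exc:
        hardened = f"rejected ({exc})"
    return {"vulnerable": vulnerable_resolve(page_name), "hardened": hardened}


if __name__ == "__main__":
    # "dashboard" is served by both; the traversal string the walkthrough
    # tried is only turned into a file path by the vulnerable version.
    for name in ("dashboard", "../../../../../etc/passwd"):
        print(name, classify(name))
```

The allowlist alone is enough to stop the traversal; the containment check on the resolved path is kept so the loader stays safe if the allowlist is later built from something user-influenced, such as a directory listing.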
I had to upload shell.php and access the page as shell from the upload page, but that also fails, so I tried to upload the shell through the FTP server, because I have write permission in a share directory.
After that the shell will be in the /etc/Development/shell.php directory.
Let's try to access it through the webpage and also open nc.
It works, and we have a shell now; let's try to open user.txt.
Okay, let's enumerate the box.
After a few minutes I found this file, which contains database information, in /var/www.
Use them to log in with ssh.
Okay, we have more privileges now, but we need to be root.
After using LinPEAS I didn't find anything interesting, so I used pspy to see what happens in the box and what happens when the friend user logs in to the server.
After executing it, I found that reporter.py is executed every 2 minutes. Let's check it.
It contains os.system(command), where I tried to put /bin/bash instead of the command, but I don't have permission to edit it. However, it imports the os library, and I think I have permission to edit that; I noticed it in the LinPEAS results. Let's check.
That's right, we can edit it, so I searched for a python reverse shell and found this code.
The last line of the code contains the command which opens an interactive shell, and the subprocess library is used for executing bash commands from python code.
After adding it to os.py and opening nc to listen on port 443:
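The root step above works because a library that a scheduled script imports (os.py here) is writable by a low-privileged user, while the script itself is not. As an added example that is not part of the original walkthrough, the following Python audit, the kind of check an administrator would run over cron scripts, parses a script's imports without executing it, resolves each module to a file on a given search path, and reports any module file or directory that group or other can write to. The scenario it builds (a reporter.py importing a world-writable mylib.py in a temporary directory) is constructed for the demonstration.

```python
import ast
import os
import stat
import tempfile
import textwrap


def imported_modules(script_path):
    """Collect the top-level module names a script imports, read from the
    AST rather than by running the script."""
    with open(script_path) as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module.split(".")[0])
    return sorted(names)


def resolve_module(name, search_paths):
    """Locate name.py or name/__init__.py on the search path. Built-in
    modules such as sys have no file and come back as None."""
    for base in search_paths:
        for candidate in (os.path.join(base, name + ".py"),
                          os.path.join(base, name, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None


def writable_by_others(path):
    """True if the group or 'other' write bit is set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_script(script_path, search_paths):
    """Return (module, path, mode) for every imported module whose file or
    containing directory can be written by someone other than its owner."""
    findings = []
    for name in imported_modules(script_path):
        module_file = resolve_module(name, search_paths)
        if module_file is None:
            continue
        for path in (module_file, os.path.dirname(module_file)):
            if writable_by_others(path):
                mode = oct(os.stat(path).st_mode & 0o777)
                findings.append((name, path, mode))
    return findings


def demo():
    """Constructed scenario: a cron-style script importing a library file
    that has been left world-writable (the misconfiguration to catch)."""
    workdir = tempfile.mkdtemp()  # created 0o700, so the directory is clean
    lib = os.path.join(workdir, "mylib.py")
    with open(lib, "w") as fh:
        fh.write("def report():\n    return 'ok'\n")
    os.chmod(lib, 0o666)
    script = os.path.join(workdir, "reporter.py")
    with open(script, "w") as fh:
        fh.write(textwrap.dedent("""\
            import sys
            import mylib
            print(mylib.report())
        """))
    return audit_script(script, [workdir])


if __name__ == "__main__":
    for name, path, mode in demo():
        print(f"{name}: {path} is writable by others ({mode})")
```

On a real host, pass the script's own directory followed by sys.path as the search path, so that standard-library files like os.py are covered; a finding on any of them means the script's effective privileges are available to whoever can write that file.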
It works, and we have the root flag ❤