FriendZone Walkthrough
Hey everyone! This is one of the HackTheBox machines considered OSCP-like, so let's take a look at its info


Nmap Scan
We will start our scan by identifying the open ports, the services running on them, the OS version, etc.
nmap -A -T4 -oG friend.gnmap 10.10.10.123

As you can see, we have a bunch of interesting open ports. Note that under https/443
you will find the subdomain friendzone.red (in the certificate details),
and at the end of the scan, in the script scan results:

Message signing enabled but not required
This line comes from nmap's SMB scripts (port 445), not FTP, and it is about message signing rather than authentication.
What matters for us is that, as the smbmap step further down shows, the SMB server accepts any random username and password, so we can list its shares without real credentials.
From here on, this is the methodology I'll follow on this machine:
HTTP/HTTPS enumeration
SMB enumeration
because we don't have any other options.
HTTPS/HTTP/SMB Enumeration
By accessing http://10.10.10.123

Nothing here, just take note of this mail address (it may be an internal one) and of the domain friendzoneportal.red.
I've checked the source code and nothing stands out, so let's try to brute-force the directories with gobuster

No useful directory here, and robots.txt
has no information, so let's check https://10.10.10.123

Not found! OK, let's add the subdomain we found earlier in the nmap
scan to /etc/hosts
and try again

Access it again

Good, we have a page here, let's check the directories

We have 2 directories. I've checked /admin
and it doesn't have any useful info, but /js
does:

It seems to be base64 encoded,
let's check the source code

I guessed that the word zone
may refer to a zone transfer
attack, so I searched for how to attack port 53 (DNS).

From the first result, I found that it performs a zone transfer
attack, so I tried the same with dig, using the domain from the certificate as the zone name
dig axfr friendzone.red @10.10.10.123
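Once a transfer succeeds you still have to turn the records into /etc/hosts entries by hand, and the A records of an internal zone frequently point at 127.0.0.1 rather than at the box, so copying them blindly would send your requests to your own machine. The helper below is an added example (not part of the original walkthrough): it parses dig's AXFR output and maps every owner name to the target IP. The sample output is constructed to look like dig's format using the domains seen on this page; the record values and TTLs are made up, and `run_axfr` simply wraps the dig binary for live use.

```python
import re
import subprocess

# Record types whose owner names are worth adding to /etc/hosts.
HOST_RECORD_TYPES = {"A", "AAAA", "CNAME"}

# Constructed sample of `dig axfr` output (not a capture from the box): the
# owner names are the domains from this page, the rdata/TTLs are made up.
SAMPLE_AXFR = """\
; <<>> DiG 9.16.1-Ubuntu <<>> axfr friendzone.red @10.10.10.123
;; global options: +cmd
friendzone.red.\t\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.\t\t604800\tIN\tNS\tlocalhost.
friendzone.red.\t\t604800\tIN\tA\t127.0.0.1
administrator.friendzone.red.\t604800\tIN\tA\t127.0.0.1
uploads.friendzone.red.\t604800\tIN\tA\t127.0.0.1
friendzone.red.\t\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 80 msec
"""

# owner  ttl  IN  type  rdata  (dig separates the fields with tabs/spaces)
RR_LINE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_axfr(output):
    """Return the sorted list of host names found in dig's AXFR output."""
    names = set()
    for line in output.splitlines():
        if not line or line.startswith(";"):      # dig comments / blank lines
            continue
        m = RR_LINE.match(line)
        if m and m.group("rtype") in HOST_RECORD_TYPES:
            names.add(m.group("owner").rstrip("."))  # drop the trailing root dot
    return sorted(names)


def hosts_line(names, target_ip):
    """One /etc/hosts line mapping every discovered name to the target.

    The A record values are ignored on purpose: internal zones often point at
    127.0.0.1, which would route our requests to our own machine."""
    return f"{target_ip} {' '.join(names)}"


def run_axfr(zone, server):
    """Live transfer with the dig binary (not exercised offline)."""
    result = subprocess.run(["dig", "axfr", zone, f"@{server}"],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    discovered = parse_axfr(SAMPLE_AXFR)
    print(hosts_line(discovered, "10.10.10.123"))
```

For a live run, replace `SAMPLE_AXFR` with `run_axfr("friendzone.red", "10.10.10.123")` and append the printed line to /etc/hosts; if the transfer is refused, dig prints a `; Transfer failed.` comment and `parse_axfr` returns an empty list.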

Good, we have more subdomains, let's add them to /etc/hosts

Let’s try to open uploads.friendzone.red

And after trying to upload a shell

It works and returns a number that I couldn't identify; it may be an upload id. Maybe.
After uploading it I tried to access /uploads/shell.php
but it failed, so let's look at the other subdomains.
I tried to open administrator.friendzone.red
but it required creds, so I listed all the content of the SMB
server with smbmap (-R lists the shares recursively, -A downloads every file whose name matches the pattern)
smbmap -H 10.10.10.123 -u 'radfad' -p 'dfadfaf' -R -A creds.txt

I found the username and password of the admin account. I'm sure they would fail with ssh,
so I used them on the admin login portal

and it works


It tells us to access these parameters, so let's try

The last parameter looks like it controls what the page loads from the backend, so what if it is vulnerable to LFI or SQLi?
Let's try LFI.
I tried to get ../../../../../etc/passwd
but it failed, so I tried to get the source code of dashboard instead

It's in base64 form, let's decode it

As you can see, it takes the page name and appends .php
to the end of it.
So I have to upload shell.php
and access the page as shell.
I tried that with the upload page first, but it also failed, so I uploaded the shell through the SMB
server instead, since I have write permission
on one of the shares
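The two failures above (no /etc/passwd, no shell from the upload page) and the two successes (base64 source, shell from the share) all follow from that one line of include logic. The model below is an added example, not code from the box: it reproduces the "append .php and include" behaviour against a constructed in-memory filesystem (the /var/www/admin web root, the file contents and the php://filter base64 wrapper used to read the source are assumptions for the demonstration) and puts a hardened allowlist version beside it.

```python
import base64
import posixpath

# Constructed stand-in for the server filesystem (not captured from the box):
# absolute path -> file contents. Paths and contents are illustrative only.
FAKE_FS = {
    "/var/www/admin/dashboard.php": "<?php include($_GET['pagename'] . '.php'); ?>",
    "/var/www/admin/timestamp.php": "<?php echo time(); ?>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "/etc/Development/shell.php": "<?php system($_GET['cmd']); ?>",
}
WEB_ROOT = "/var/www/admin"      # directory the dashboard runs from (assumed)
FILTER_PREFIX = "php://filter/convert.base64-encode/resource="
ALLOWED_PAGES = {"timestamp"}    # the only page the dashboard should ever load


def vulnerable_include(pagename):
    """Model of the page's logic: append .php to the parameter and include it.

    Returns (resolved path, contents), or (path, None) when nothing is there."""
    if pagename.startswith(FILTER_PREFIX):
        # The base64 filter wrapper hands back the raw file instead of running
        # it, which is why the dashboard source came back base64-encoded.
        path, body = vulnerable_include(pagename[len(FILTER_PREFIX):])
        if body is None:
            return path, None
        return path, base64.b64encode(body.encode()).decode()
    # No allowlist, no sanitising: "../" climbs out of the web root and an
    # absolute path is taken as-is. Only the forced ".php" suffix limits us,
    # so /etc/passwd is unreachable but any .php file we can write is not.
    path = posixpath.normpath(posixpath.join(WEB_ROOT, pagename + ".php"))
    return path, FAKE_FS.get(path)


def leaked_source(page):
    """Round trip of the filter trick: fetch a page through the wrapper, decode it."""
    _, encoded = vulnerable_include(FILTER_PREFIX + page)
    return None if encoded is None else base64.b64decode(encoded).decode()


def hardened_include(pagename):
    """Fixed version: only names from a fixed allowlist ever become paths."""
    if pagename not in ALLOWED_PAGES:
        return None, None
    path = posixpath.join(WEB_ROOT, pagename + ".php")
    return path, FAKE_FS.get(path)


if __name__ == "__main__":
    for attempt in ["timestamp", "../../../../../etc/passwd",
                    "/etc/Development/shell", FILTER_PREFIX + "dashboard"]:
        print(attempt, "->", vulnerable_include(attempt))
        print("   hardened:", hardened_include(attempt))
```

The traversal attempt resolves to /etc/passwd.php, which does not exist, while an absolute path to a .php file we control resolves and "executes"; the hardened version rejects both because the parameter is compared against an allowlist before it ever touches the filesystem.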

After that the shell is at /etc/Development/shell.php
on the box.
Let's access it through the web page, with nc listening


It works, and we have a shell now, let's read user.txt

Okay, let's enumerate the box.
After a few minutes I found this file in /var/www, which contains database credentials

Use them to login with ssh

Okay, we have more privileges now, but we need to be root.
After running LinPEAS
I found nothing interesting, so I used pspy
to watch what happens on the box, including what happens when the friend
user logs in to the server.
After running it, I found that reporter.py
is executed every 2 minutes

Let’s check it

It contains os.system(command),
where I tried to put /bin/bash
instead of the command,
but I don't have permission to edit the script. It does, however, import the os
library, and I think I have permission to edit that one; I noticed it in the LinPEAS
results, let's check
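Before trusting a LinPEAS line, it is worth checking the condition directly: the script runs as root from cron, so any module it imports whose file is world-writable hands code execution to whoever can write that file. The checker below is an added example (not part of the original walkthrough or of LinPEAS): it parses a script's import statements, resolves each module to a file and reports the ones with the other-write bit set. The sample script, the /usr/lib/python2.7 paths and the world-writable mode on os.py are constructed for the demonstration; on a real box you would run it with the same interpreter the cron job uses, since the module search path differs between interpreters.

```python
import ast
import importlib.util
import os
import stat
from types import SimpleNamespace

# Constructed stand-in for the cron script seen with pspy: it imports os and
# calls os.system like the one on the page, but it is not the real file.
SAMPLE_SCRIPT = """\
#!/usr/bin/python
import os
import time
command = ''
os.system(command)
"""

# Constructed file table standing in for stat() on the box. The paths and the
# world-writable mode on os.py are assumptions for the demonstration.
SAMPLE_LOCATIONS = {"os": "/usr/lib/python2.7/os.py",
                    "time": "/usr/lib/python2.7/time.py"}
SAMPLE_MODES = {"/usr/lib/python2.7/os.py": 0o100777,    # rwxrwxrwx: hijackable
                "/usr/lib/python2.7/time.py": 0o100644}  # rw-r--r--: fine


def sample_find(name):
    return SAMPLE_LOCATIONS.get(name)


def sample_stat(path):
    if path not in SAMPLE_MODES:
        raise FileNotFoundError(path)
    return SimpleNamespace(st_mode=SAMPLE_MODES[path])


def is_world_writable(st_mode):
    """True when the 'other' write bit is set on the mode."""
    return bool(st_mode & stat.S_IWOTH)


def imported_modules(source):
    """Top-level names pulled in by `import x` / `from x import y` in a script."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module.split(".")[0])
    return sorted(names)


def module_file(name):
    """Where this interpreter would load `name` from (None for built-ins)."""
    spec = importlib.util.find_spec(name)
    if spec is None or not spec.origin or spec.origin in ("built-in", "frozen"):
        return None
    return spec.origin


def hijackable_imports(source, stat_fn=os.stat, find_file=module_file):
    """(module, path) pairs imported by `source` whose file is world-writable.

    Writing to such a file gives code execution as whoever runs the script,
    which is root when the script runs from root's crontab. stat_fn and
    find_file are injectable so the check also runs on recorded data."""
    found = []
    for name in imported_modules(source):
        path = find_file(name)
        if path is None:
            continue
        try:
            mode = stat_fn(path).st_mode
        except OSError:
            continue
        if is_world_writable(mode):
            found.append((name, path))
    return found


if __name__ == "__main__":
    import sys
    print("sample data:", hijackable_imports(SAMPLE_SCRIPT, sample_stat, sample_find))
    if len(sys.argv) > 1:                      # python3 check.py /path/to/script.py
        with open(sys.argv[1]) as fh:
            print(sys.argv[1] + ":", hijackable_imports(fh.read()))
```

The same check applies to the script's own directory and to any path that comes earlier on sys.path, since a writable directory lets you drop a module that shadows the real one; this example only covers the case on this page, a writable module file.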

That's right, we can edit it, so I searched for a python reverse shell
and found this code

The last line of the code contains the command that spawns an interactive shell, and the subprocess library is used to run
bash
commands from Python
code.
After adding it to os.py
and starting nc
listening on port 443

It works and we have the root
flag ❤