Hack The Box — Friendzone

Al Francis
3 min readJul 13, 2019

--

Hey guys, Friendzone Challenge was retired in hackthebox and here’s my writeup. Friendzone is a good challenge for me, here’s the ip 10.10.10.123.

First thing we start with nmap.

nmap -sC -sV -T 10.10.10.123

nmap

We got ftp on port 21, ssh on port 22, dns on port 53, http on port 80, https on port 443, and smb on port 139 and 445.

I’ll try visiting the Web, but it looks like an index page.

I added it to /etc/hosts as friendzoneportal.red.

I’ll try to use dig axfr and I saw some subdomains.

dig

So I tried to ENUMERATE the SMB and I used https://github.com/ShawnDEvans/smbmap

smbmap

I saw the list of shared folder, but I noticed friendzone.red so I added it to the /etc/hosts.

Since I am using MacOSX , it’s challenging to use different commands for enumerating smb, like in kali I used SMBCLIENT, but in MacOSX I used mount_smbfs

mount_smbfs

Voila! So I got the credentials.

I run dig on friendzone.red and I got https://administrator1.friendzone.red

Using the credentials to Login Page, I successfully logged-in.

As you can see image_id=a.jpg&pagename=timestamp that it is look like vulnerable for LFI.

We can upload to SMB shared development folder by uploading a reverse shell in /etc/Development. Then I visit the link and run a netcat.

netcat

and got the user.txt content.

Looking for possible way to gain the root access, I found the mysql_data.conf.

I used this credential for ssh, then I tried to look for gcc for privilege escalation but it seems no gcc installed.

So I decided to run python if it’s possible to get access to root.

Nothing happened. So I tried running
https://github.com/DominicBreuker/pspy

to check for possible processes running as root, then i saw some file

In the end I modify the os.py inside python folder, Sorry I didn’t get a screenshot but I copied the root.txt into /tmp folder by editing the os.py and also tried using netcat. After all those we owned root.

--

--

Al Francis
Al Francis

Written by Al Francis

Co-Founder of Kalasag and Project Access Granted Society. A Certified Ethical Hacker,EC-Council Certified Incident Handler and Certified Blockchain Developer.

No responses yet