Hack The Box — Friendzone

Hey guys, the Friendzone challenge was retired on Hack The Box and here’s my writeup. Friendzone is a good challenge for me; here’s the IP: 10.10.10.123.

First, we start with nmap.

nmap -sC -sV -T 10.10.10.123

nmap

We got FTP on port 21, SSH on port 22, DNS on port 53, HTTP on port 80, HTTPS on port 443, and SMB on ports 139 and 445.

I’ll try visiting the Web, but it looks like an index page.

I added it to as friendzoneportal.red.

I’ll try to use dig axfr and I saw some subdomains.

dig

So I tried to enumerate SMB, and I used https://github.com/ShawnDEvans/smbmap

smbmap

I saw the list of shared folders, but I noticed friendzone.red so I added it to the

Since I am using MacOSX, it’s challenging to use different commands for enumerating SMB; in Kali I used smbclient, but in MacOSX I used mount_smbfs

mount_smbfs

Voila! So I got the credentials.

I run dig on friendzone.red and I got

Using the credentials on the login page, I successfully logged in.

As you can see, it looks like it is vulnerable to LFI.

We can upload a reverse shell to the SMB shared development folder in /etc/Development. Then I visit the link and run netcat.

netcat

and got the user.txt content.

Looking for a possible way to gain root access, I found the mysql_data.conf.

I used this credential for SSH, then I tried to look for gcc for privilege escalation, but it seems gcc is not installed.

So I decided to run python to see if it’s possible to get root access.

Nothing happened. So I tried running https://github.com/DominicBreuker/pspy to check for possible processes running as root, then I saw some file

In the end I modified the os.py inside the python folder. Sorry, I didn’t get a screenshot, but I copied the root.txt into the /tmp folder by editing the os.py, and also tried using netcat. After all that, we owned root.
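
The os.py edit above only works when a module on the Python import path can be modified by a non-root user while a root process imports it. As an added example (not part of the original writeup), this audit lists directories and .py files on sys.path that are group- or world-writable; the function names and the sample tree in demo() are constructed for illustration.

```python
import os
import stat
import sys
import tempfile


def writable_by_others(path):
    """Return why a path is writable by non-owners, or None if it is not."""
    mode = os.lstat(path).st_mode
    if stat.S_ISLNK(mode):
        return None  # a symlink's own mode bits are not meaningful
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"
    return None


def audit_import_path(paths):
    """Flag import-path directories and .py modules that non-owners can modify."""
    findings = set()
    for root in paths:
        if not root or not os.path.isdir(root):
            continue  # skips '' and zip archives on sys.path
        reason = writable_by_others(root)
        if reason:
            findings.add((root, reason))
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.endswith(".py"):
                    full = os.path.join(dirpath, name)
                    reason = writable_by_others(full)
                    if reason:
                        findings.add((full, reason))
    return sorted(findings)  # set removes duplicates from nested sys.path entries


def demo():
    """Constructed sample tree: a world-writable os.py beside a safe json.py."""
    with tempfile.TemporaryDirectory() as lib:
        os.chmod(lib, 0o755)
        for name, mode in (("os.py", 0o666), ("json.py", 0o644)):
            path = os.path.join(lib, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return [(os.path.basename(p), r) for p, r in audit_import_path([lib])]


if __name__ == "__main__":
    for path, reason in audit_import_path(sys.path):
        print(f"{reason}: {path}")
```

Run it with the same interpreter that root's scheduled jobs use, since sys.path differs between Python versions.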


Co-Founder of Kalasag and Project Access Granted Society. A Certified Ethical Hacker,EC-Council Certified Incident Handler and Certified Blockchain Developer.

Al Francis
