We are going to pwn FriendZone from Hack The Box.
Like always begin with our Nmap Scan.
Nmap Scan Results:
PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 53/tcp open domain 80/tcp open http 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA) | 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA) |_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519) 53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux) | dns-nsid: |_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Friend Zone Escape software 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 443/tcp open ssl/http Apache httpd 2.4.29 |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: 404 Not Found | ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO | Not valid before: 2018-10-05T21:02:30 |_Not valid after: 2018-11-04T21:02:30 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 4.11 (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Linux 3.12 (93%), Linux 3.13 (93%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: -39m33s, deviation: 1h09m15s, median: 25s |_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.7.6-Ubuntu) | Computer name: friendzone | NetBIOS computer name: FRIENDZONE\x00 | Domain name: \x00 | FQDN: friendzone |_ System time: 2019-12-22T19:36:53+02:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2019-12-22T17:36:54 |_ start_date: N/A TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 596.08 ms 10.10.14.1 2 596.22 ms 10.10.10.123 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 52.63 seconds
Lets Begin with HTTP
This is Simple Page but there is a domain name at the bottom
So I started with
SMB to see if there is any file available
smbmap - SMB enumeration tool
-H HOST IP of host
Found there is an file called
We can use
smbclient to login, we know the location of the file.
smbclient - ftp-like client to access SMB/CIFS resources on servers
I logged in
without password and downloaded the file.
We got some creds
admin : WORKWORKHhallelujah@#
I tried login with them in
ssh but failed!
We know there is Port 53 open which is
domain may be we can do a zone transfer for that domain.
dig - DNS lookup utility
By using this we can find other domains available for the webpage.
Found some new domains , I added those new entries to
I started with
and Logged with the creds we found from smb
admin : WORKWORKHhallelujah@#
Once Logged in, It told me to visit
The dashboard seems to be deal with images with some paramaters.
So I started testing one from the displayed one.
Look at the parameters, may be we can do
I tested with
Its working and
Timestamp is the page and
.php suffix is added automatically.
Getting a reverse shell
development share, we saw from
smbmap has writable permission by the guest so why dont we upload a reverse shell there and try to access from this page.
We know the location of it from
Listening on my machine
Once I get into the box I started checking for any
.conf files available.
Got an user and password
friend : Agpyu12!0.213$
Now I logged in as
Found some writable files from my Enumeration script
Later I uploaded
pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.
My guess is correct
So I started checking
Can’t find anything but
import os which is also a writeable file so we edit it.
Since it is python I added python script to get shell
Open my terminal and started listening and we need to wait sometime since it is
I got Root!!