top of page
Image by Blake Cheek
  • Writer's pictureBeri Contraster

FriendZone — HackTheBox (Writeup)

Linux . Easy

Created by askar

Welcome Reader, Today we'll hack FriendZone from HackTheBox. Let's start with a Nmap Scan.

Nmap Scan

Let’s quickly add to /etc/hosts and enumerate DNS.

Adding these hosts to the list also.


FTP Anonymous login is not allowed. Looking at the website.

I don’t like being friend-zoned we have to get out of this lol. Looking at the source page I found these comments.

Going over to the /js/js.

This looks like a rabbit hole let’s move on. Anonymous listing is allowed in SMB. Let’s use SMBMAP.

Let’s take a look at /general/creds.txt. I found some admin credentials in it.

This must be has to do something with

After logging in this is what I get.

Looks like we have to enter the parameters manually. After entering the parameters with default values this is what I get.


The timestamp parameters stand out to me It’s a PHP file we know that these files are under /etc/files from our smbmap results. I uploaded a php-reverse-shell on Development Share and started a Netcat listener.

Going over to the the reverse shell triggered and I got a shell.

I find the credentials of the user friend.

User Flag


Let’s try Linenum. I used a Python server to move the script over to the remote host.

Running the tool with the -t 1 flag shows an interesting Python writable file.

I also ran pspy to check if anything stood out.

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.

I used the same method to transfer the file over to a remote host. I make the file executable and run it.

This file is running every two minutes let take a look at it.

This script imports the script. So, if we write anything to, we can hijack its execution. Let’s append our reverse shell at the end of the file.

Save the file and wait for it to run don’t forget to fire up your Netcat listener.


No more being friend-zoned. Thanks for reading.

— Beri Contraster.

3 views0 comments

Recent Posts

See All


bottom of page