Beri Contraster

FriendZone — HackTheBox (Writeup)

Linux . Easy

Created by askar


Welcome, reader. Today we'll hack FriendZone from HackTheBox. Let's start with an Nmap scan.


Nmap Scan


Let’s quickly add friendzone.red to /etc/hosts and enumerate DNS.



Adding these hosts to the list also.


Foothold

FTP Anonymous login is not allowed. Looking at the website.


I don’t like being friend-zoned; we have to get out of this, lol. Looking at the page source, I found these comments.



Going over to /js/js.



This looks like a rabbit hole, so let’s move on. Anonymous listing is allowed in SMB. Let’s use smbmap.



Let’s take a look at /general/creds.txt. I found some admin credentials in it.



This must have something to do with administrator1.friendzone.red.


After logging in, this is what I get.





Looks like we have to enter the parameters manually. After entering the parameters with default values, this is what I get.



Shell

The timestamp parameters stand out to me. It’s a PHP file, and we know that these files are under /etc/files from our smbmap results. I uploaded a php-reverse-shell to the Development share and started a Netcat listener.



Going over to https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/rshell, the reverse shell triggered and I got a shell.



I find the credentials of the user friend.



User Flag


ROOT

Let’s try LinEnum. I used a Python server to move the script over to the remote host.



Running the tool with the -t 1 flag shows an interesting writable Python file.



I also ran pspy to check if anything stood out.


pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.

I used the same method to transfer the file over to the remote host. I made the file executable and ran it.



This reporter.py file is running every two minutes; let’s take a look at it.



This reporter.py script imports the os.py script. So, if we write anything to os.py, we can hijack its execution. Let’s append our reverse shell at the end of the file.



Save the os.py file and wait for it to run. Don’t forget to fire up your Netcat listener.
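
The condition abused here, a library module that a low-privileged user can write and a root-run script imports, is something a defender can audit for. The following is an added example, not part of the original writeup: it walks a Python module search path and flags modules, or the directories holding them, that an untrusted account could modify. The function names and the sample tree built in demo() are constructed for illustration.

```python
import os
import stat
import sys
import tempfile

def writable_by_others(st, trusted_uids):
    """Return the reasons an untrusted account could modify this file or dir."""
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owner uid {st.st_uid} not trusted")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_module_path(paths, trusted_uids=(0,)):
    """Flag importable .py files and their directories that are not locked down.
    A writable directory counts too: a module can be replaced or shadowed there."""
    findings = []
    for base in paths:
        # os.walk silently skips entries that are missing or not directories.
        for root, _dirs, files in os.walk(base):
            targets = [root] + [os.path.join(root, f) for f in files if f.endswith(".py")]
            for target in targets:
                try:
                    st = os.stat(target)
                except OSError:
                    continue
                reasons = writable_by_others(st, trusted_uids)
                if reasons:
                    findings.append((target, reasons))
    return findings

def demo():
    """Constructed sample tree: one world-writable os.py and one sane module."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    for name, mode in (("os.py", 0o777), ("json_ok.py", 0o644)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample module\n")
        os.chmod(path, mode)
    return base, audit_module_path([base], trusted_uids=(os.getuid(),))

if __name__ == "__main__":
    for path, reasons in audit_module_path(sys.path):
        print(path, ", ".join(reasons))
```

Run it as root with the same interpreter the scheduled job uses, so that sys.path matches what the job actually imports from.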



ROOT FLAG


No more being friend-zoned. Thanks for reading.


— Beri Contraster.
