# Hack The Box - Friendzone

## Quick Summary

Hey guys, today Friendzone retired and here’s my write-up about it. Friendzone was a very nice and easy box. I enjoyed solving it and really liked it; it had a lot of funny parts as well. It’s a Linux box and its IP is 10.10.10.123. I added it to `/etc/hosts` as friendzone.htb. Let’s jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services:

```
nmap -sV -sT friendzone.htb
```

Note: I didn’t do a script scan (`-sC`) because for some reason it took a lot of time and didn’t finish.

We got FTP on port 21, SSH on port 22, DNS on port 53, HTTP on port 80, HTTPS on port 443 and SMB. Unfortunately anonymous login wasn’t allowed on FTP :

Let’s check smb.

## SMB

I used smbclient to list the shares :

I also used smbmap to see what permissions I had: `smbmap -H friendzone.htb`. I found that I had read access to general and read/write access to Development. I also noticed that the comment of the share Files discloses the path of that share: `/etc/Files`, so we can assume that all shares are in `/etc`.

In general I found a file called creds.txt :

So we have credentials but we don’t know where to use them, it says creds for the admin THING, so let’s keep enumerating until we find that admin thing.
Development was just empty :

But since we have write access to that share and we know its path, `/etc/Development`, that share can help us later if we find an LFI or a similar vulnerability.

## HTTP and DNS

http://friendzone.htb :

A static page, not really interesting. I noticed the email at the bottom, info@friendzoneportal.red, so I added friendzoneportal.red to `/etc/hosts` :

But http://friendzoneportal.red was just the same thing :

I went back and added friendzone.red to the hosts file :

But it was also the same thing. Then I remembered that there’s a DNS server so I used dig :

Now we have administrator1.friendzone.red, hr.friendzone.red and uploads.friendzone.red. I edited the hosts file again :

But I still got the same thing, I ran gobuster and got /wordpress which was empty :

And robots.txt which wasn’t a real robots.txt file :D

There was another https port so I tried that.
https://friendzone.red :

https://administrator1.friendzone.red :

So this is the “administrator thing” let’s try the credentials we have :

Great. /dashboard.php :

## LFI in dashboard.php, User Flag

As you can see it’s complaining about missing parameters. By looking at the example, `image_id=a.jpg&pagename=timestamp`, my first guess was that dashboard.php includes the PHP file provided in the `pagename` parameter. So if we give it `test`, it will append `.php` to `test` and then include that file. We can upload files to the SMB share Development and we also know the full path, `/etc/Development`, so if it’s really vulnerable to LFI we can get a reverse shell easily. I wrote a small PHP script to get a reverse shell :

Then I uploaded it to Development :

And finally I tested my idea :

It worked and now we have a reverse shell as www-data :

We owned user.

## SSH as friend, Privilege Escalation

I looked into /var/www and found a file called mysql_data.conf which had some credentials :

I could get ssh access as friend with them :

I did the regular enumeration and I ran pspy to monitor the processes to see if there’s something that can be exploited :

After some time I saw this :

Root runs /opt/server_admin/reporter.py from time to time.

So if we can write to that script then we can get a shell as root. Unfortunately we can’t :

But I noticed that it’s importing the os library. Usually Python libraries are only writable by root, but I checked os.py and friend had permissions to write to it :

So I just put those two lines at the bottom of os.py :

And after a minute I got a shell :

And we owned root !
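The root shell above came from a root-run script importing a module file that a non-root user could write to. As an added example (not from the original write-up or the box), the audit below statically lists a script's imports and flags the script, the module files and their directories when they are not owned by the trusted uid or are group/world-writable. The function names and the `search_path` and `trusted_uid` parameters are my own, and it assumes it is run with the same interpreter and `sys.path` as the scheduled job.

```python
import ast
import importlib.machinery
import os
import stat
import sys


def imported_modules(script_path):
    """Top-level module names the script imports (parsed, never executed)."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def risky(path, trusted_uid=0):
    """Reasons someone other than the trusted owner could modify path."""
    st = os.stat(path)
    reasons = [] if st.st_uid == trusted_uid else [f"owned by uid {st.st_uid}"]
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit(script_path, search_path=None, trusted_uid=0):
    """Check the script, each module file it imports, and their directories."""
    # The script's own directory is searched first, as it is at run time.
    paths = [os.path.dirname(os.path.abspath(script_path))]
    paths += sys.path if search_path is None else search_path
    targets = [script_path]
    for name in imported_modules(script_path):
        # PathFinder only resolves file-backed modules; built-ins are skipped.
        spec = importlib.machinery.PathFinder.find_spec(name, paths)
        if spec and spec.origin and os.path.isfile(spec.origin):
            targets += [spec.origin, os.path.dirname(spec.origin)]
    found = {t: risky(t, trusted_uid) for t in targets}
    return {t: r for t, r in found.items() if r}


if __name__ == "__main__":
    # Usage: python3 audit_imports.py /path/to/script.py (defaults to this file)
    for path, why in audit(sys.argv[1] if len(sys.argv) > 1 else __file__).items():
        print(f"{path}: {', '.join(why)}")
```

Run it against every script a privileged cron job or service executes; any finding means a lower-privileged account can change code that will later run with higher privileges.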
That’s it, feedback is appreciated!