Hack The Box — FriendZone — without Metasploit (TJNull’s list for OSCP)
This is my 12th write-up for FriendZone, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.
In a general penetration test or a CTF, there are usually 3 major phases that are involved.
- Enumeration and Scanning (Information Gathering).
- Initial Foothold.
- Privilege Escalation.
Let’s get started with the box!
In order to hack into a system we need to first gather some information about it. For that, we use Nmap to scan the ports of the target machine to find out what services are running; services that we can target. First let’s try to find out what ports are open and then we will run a detailed scan only on those ports to save time.
nmap -p- 10.129.212.11 --max-retries=3
We can see what ports are open here. Let’s do a detailed nmap on these ports.
nmap -sC -sV -T4 -A -p21,22,53,80,139,443,445 10.129.212.11
Let’s start with FTP and see if we have an anonymous login enabled. Even though nmap didn’t reported an anonymous login. But, I think we should try just to be sure.
Anonymous login seems to be disabled.
Ok, let’s start from web-servers then since ports 80 and 443 are open.
They gave up a domain name. Maybe it’s a hint for virtual routing.
And if we take a look at nmap results we also see a domain name there.
Let’s see what we have on port 443.
Okay so we don’t have anything here. Let’s try to put these domain names in our /etc/hosts and see if there is actually any virtual routing.
Let’s save this and try navigating to these domains on port 80 and 443.
We have the same page on port 80 of friendzone.red.
Let’s try port 443.
And they have virtual routing, because this page didn’t exist when we first visited the https port using the ip address.
Let’s view source this page.
The comment says there’s a directory /js/js and tells us to not go deep. I don’t know whether they are telling us to not waste time on doing a directory busting or it is actually a hint that we ‘SHOULD’ do a directory busting inside /js/js.
But let’s first see what we have in that directory.
It looks like a base64 string. Decoding it tells nothing. I don’t know what that is. Let’s see if we have any comments in the source.
It says “dont stare too much, you will be smashed ! , it’s all about tmes and zones”
Maybe it’s a hint for zonetransfers…?
But first let’s go back a directory and see what we have in friendzone.red/js
Let’s try the other domain first and then we can do a zonetransfer and see if we have anything.
Port 80 of friendzoneportal.red has nothing.
Let’s try port 443.
It says ‘Good’.
Let’s do a view-srouce to see if we have any comments here too.
And it’s nothing here.
Let’s try doing a zonetransfer.
dig AXFR @10.129.212.11 friendzone.red
And we do have some subdomains here.
Let’s try the samething on friendzoneportal.red
dig AXFR @10.129.212.11 friendzoneportal.red
And we also have some subdomains here as well.
Let’s add these subdomains to our /etc/hosts again and see what we have on them.
Let’s check them out one by one.
okay so, it asks for credentials…
Let’s continue with other domains.
Don’t have anything on hr.friendzone.red
So, we have an upload portal on uploads.friendzone.red
Let’s enumerate other domains first before we upload anything,
admin.friendzoneportal.red also have a login page, we don’t have the credentials yet.
Nothing on files.friendzoneportal.red
And we dont have anything on imports.friendzoneportal.red and vpn.friendzoneportal.red
Okay so we had 2 login pages and 1 upload page.
Let’s upload something on the upload page.
So, I am uploading a php reverse shell with my ip and port 8080 inside it.
And it says uploaded successfully with some numbers. I don’t know what these numbers mean but I just keep note of that just in case.
No, let’s run gobuster on all the directories that we found meanwhile, let’s enumerate the SMB.
smbmap -H friendzone.red
Here, we have 2 directories that we have read access and one directory that we have write access as well.
- general (Read only)
- Development (Read write Access)
And it also give’s out the location of Files share in the comment saying it’s /etc/Files.
Let’s see the contents of these two.
We have some credentials in the ‘general’ share.
Let’s grab them. And continue our way in Development share.
And we don’t seem to have anything in Development.
Let’s upload our php-reverse-shell here as well.
I uploaded the shell here as well, just in case.
Let’s see what credentials we got from the ‘general’ share.
Okay, so we have admin credentials.
Let’s try these credentials in the admin portals that we have.
Let’s first use it on administrator1.friendzone.red
It tells us to visit the dashboard.php
Okay so it says that we have a beginner developer and image_name parameter is missed.
Also gives us the default parameters. Let’s try that.
After doing some enumeration I found out that timestamp is affecting the last numbers and image_id is for the image.
The thing to notice is that timestamp has the parameter name ‘pagename’
So, I think that there are some webpages that it’s refering to.
Let’s try changing that to login. Since we had the login page before we successfully logged in and got to the dashboard.
It says wrong!
Let’s change it to dashboard and see if the dashboard is appended again below this page.
And it did.
But putting dashboard.php, it does nothing but by giving dashboard only it appends the dashboard again. It means that the backend script is appending the ‘.php’ for us.
I tried loggin in to the other admin portal but it says that it’s broken. And we don’t have anything interesting on the gobuster either.
So I think that somehow we need to append our uploaded php reverse shells here.
By doing a lot of enumeration and hit and try. I didn’t find anything. It’s very frustrating at the moment.
Wait… The share of File in the SMB actually gave away the location /etc/Files.
What if the location of general and Development share are also /etc/general and /etc/Development too.
Since I have uploaded a shell in Development let’s try doing a directory traversal.
It says connection refused. It means that my php shell got executed but since i was not listening for the connection the connection got refused.
Let’s start a listener.
rlwrap nc -lvnp 8080
Let’s refresh the page again and see if we get a shell.
And we did get a shell.
Okay, first thing first. Let’s see what users we have on the box.
Okay, so we have a user friend and obviously a root.
Let’s try if we can use any commands with sudo.
No tty present.
Let’s upgrade the shell.
python -c 'import pty;pty.spawn("/bin/bash")'
Let’s try again.
It asks for a password. So we don’t have anything here.
Let’s look for SUID files.
find / -perm -u=s -type f 2>/dev/null
I don’t think there’s anything unusual here either.
Let’s see if we can access user ‘friend’ home directory.
And we can… We also have the user flag here that we can read and submit.
.bash_history file is leading to /dev/null which means we have nothing there either.
Let’s run LinEnum script and see if it can give anything. I will assume you already know how to upload scripts to the target. I am uploading it in the /tmp
Let’s run it.
Couldn’t find anything by running LinEnum.
Let’s try Linpeas.
Couldn’t find anything exploitable on linpeas either.
There’s another tool ‘pspy’ for unprivileged Linux process snooping. It can be found here.
Let’s try that.
(Note: My HackTheBox pwnbox was having issues so I turned on my VM and connected the VPN)
By uploading and running that. It showed me a script that’s running.
If you look at the UID, it is 0. Which means that root is executing it. And if you look at the time, it tells us that this script runs after every 2 minutes.
Let’s check that out.
Seems like it’s not doing anything. Just printing a line.
But if we look at the start of the script we can see that it’s importing os.
And if we look at the results of our LinPeas.
This os.py is writeable by everyone.
Now if we overwrite this os.py and put a reverse shell in it, maybe we could get a root shell when root runs reporter.py.
Let’s do that.
I am gonna create a python reverse shell on my attacking machine, upload it and then append that to the os.py.
Let’s upload it and append it to os.py. After that we will be listening for connection back on port 4242.
And we have a root shell!
I gotta be honest. This was a tough one. :)