Hack The Box Friendzone


Testing Methodologies

We can start the enumeration with an nmap scan.
The output shows that quite a few ports are open: 21 (FTP), 22 (SSH), 53 (DNS), 80 (HTTP), 139 (NetBIOS), 445 (SMB).

FTP does not have anonymous login enabled and the version is the latest, so it is not vulnerable to any known exploits.
Using smbmap we can list the shares and check whether we have read or write access to any of them.
 
After running smbmap we can see that we have read access on general and read/write access on Development.

Now we can list the contents of the shares and check whether any useful information is available.

It seems there is a file called creds.txt, which is obviously a file containing credentials.

It seems to be a credential for an admin panel, but there was no admin panel on port 80 or on port 443.

This is what visiting port 80 looks like.
But visiting port 443 is a different story.
We can check for alternate names (SANs) in the SSL certificate.

We now have a domain name, which we can add to the hosts file (/etc/hosts).
Visiting https://friendzone.red now gives us a different page.


But there is not much to do on it, no login forms or anything interesting, which leads to poking at port 53 and looking for any virtual hosts or a zone transfer.

By doing a zone transfer we get a few more subdomains. The interesting one in the list is administrator, because we have a credential file that was used for some admin panel; visiting administrator1 gives us a login page.
After logging into the panel we get a blank page with a message telling us to use a parameter to access image files.
By fuzzing the pagename parameter we find that it includes PHP files, which are then displayed in the page, but a .php extension is appended.
Now for getting code execution with the LFI: from the smbmap output we have a share called Development with write access. By creating a PHP reverse shell there we can get it included by the page, executing code on the server.


Now we can include the script with the LFI.


We have a shell and can get the user flag from the system.
Now for root: by running a program called pspy we can monitor cron processes that are run by root.
Running the program shows a Python script being executed by root; we can confirm this by looking at the UID, which is 0 (root). Looking at the script, not much is happening, as the script is incomplete.
Most of the code is commented out, but it imports the os module, which gives the impression of a Python library hijack. The user does not have permission to write to the script's directory, but we can check the module path itself, which has read/write permission.
Generally when we use the os module in a program we use the system function to pass commands, which are then executed:

#!/usr/bin/python
import os
# system() hands the command string to a shell and runs it
os.system("whoami")

So we call the system function in the module itself and pass in our commands; when root executes the Python script the os module is loaded, and at the same time our system call is also executed.

And that's how we get root on FriendZone.
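The root step works only because a module on the interpreter's search path was writable by an unprivileged user. As an added defensive check (not part of the original writeup, and not the box's own code), the script below audits a list of search-path directories and reports directories or .py files that are group- or world-writable; the directory and module names used in the test are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Audit Python module search paths for writable module files or directories.

A root cron job importing a module from a path another user can write to is
exactly the condition exploited in the writeup above. This is an added
defensive check, not code from the original post.
"""
import os
import stat
import sys

# Permission bits that allow users other than the owner to modify an entry.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def is_writable_by_others(path):
    """Return True if the entry (following symlinks) is group- or world-writable."""
    mode = os.stat(path).st_mode
    return bool(mode & WRITABLE_BY_OTHERS)


def find_writable_modules(search_paths):
    """Return a sorted list of (path, reason) tuples for risky entries.

    A writable search-path directory lets someone drop a new module in front
    of the real one; a writable .py file lets them edit an existing module
    such as os.py in place.
    """
    findings = []
    for directory in search_paths:
        if not os.path.isdir(directory):
            continue  # skips '' (cwd marker) and missing paths
        if is_writable_by_others(directory):
            findings.append((directory, "writable search-path directory"))
        try:
            entries = os.listdir(directory)
        except OSError:
            continue  # unreadable directory: nothing to inspect
        for entry in entries:
            full = os.path.join(directory, entry)
            if entry.endswith(".py") and os.path.isfile(full):
                if is_writable_by_others(full):
                    findings.append((full, "writable module file"))
    return sorted(findings)


if __name__ == "__main__":
    # Audit the interpreter's own search path, the same one a cron job would use.
    for path, reason in find_writable_modules(sys.path):
        print(f"{reason}: {path}")
```

Run it as the same user whose cron job imports the module (root here) so that sys.path matches what the scheduled script actually loads.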
