# FriendZone

## Gaining Access

Nmap scan:

<figure><img src="/files/L51IYeBvKItblbOm07Wz" alt=""><figcaption></figcaption></figure>

Lots of ports open.

### SMB + Web RCE

We can enumerate the SMB shares to find that we have write permissions over one of them.

<figure><img src="/files/ngyVVIcHMZj6LcvDbpw2" alt=""><figcaption></figcaption></figure>

This folder contains nothing, but the fact that we have write access indicates that we should probably be adding something to it. We can also find some credentials in the other share.

<figure><img src="/files/FGPYLjROZriG8wBrvs5Z" alt=""><figcaption></figcaption></figure>

Now, DNS is open, so we can expect loads of sub-domains. This machine has so many that it is rather painful to enumerate, so I'll cut to the chase: we have to visit `administrator1.friendzone.red`, which has a login page for us:

<figure><img src="/files/xDT6lqjepM06DkkSDbzN" alt=""><figcaption></figcaption></figure>

We can log in using the credentials we found earlier in the SMB share. The page then tells us to visit `dashboard.php`, which is a Smart Photo Script.

<figure><img src="/files/q6mpVBnwzENjjPmPMDQp" alt=""><figcaption></figcaption></figure>

The `pagename` parameter is vulnerable to LFI, and since this is a PHP application, we can place a PHP reverse shell file somewhere and execute it using this page. That's where the share that we can write to comes in.

<figure><img src="/files/2KN4nkYJlFTZLeDL24kr" alt=""><figcaption></figcaption></figure>

Then we can just simply access it by visiting this:

```
http://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/rev
```

This works because the `.php` extension is dropped from the `pagename` parameter: the application adds it to the included file name itself. The original page included a timestamp at the bottom that is dynamically generated.

<figure><img src="/files/jQEyNYpm8bY7FMtxHDrQ" alt=""><figcaption></figcaption></figure>

This points to some script being used in the backend, and thus we can replace it with our own malicious PHP script to gain a shell.

<figure><img src="/files/EotlxSaL2egk6rgr2ZYj" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### SQL Credentials

As `www-data`, we have limited access over everything. The first place to look is the `/var/www` directory, which can contain some credentials.

<figure><img src="/files/hOkZLMInPo8DPvirS2mU" alt=""><figcaption></figcaption></figure>

We can use this to `su friend`.

<figure><img src="/files/zc6jjG55ZFt6WADFB9cz" alt=""><figcaption></figcaption></figure>

### Python OS Tampering

When we run `pspy64`, we can see that `root` is running some scripts in the background:

<figure><img src="/files/YKObIwLLvDV74mNG0GFy" alt=""><figcaption></figcaption></figure>

When we read this script, we can see that it contains some code, but nothing we can directly exploit because we cannot edit the script itself:

<figure><img src="/files/Fal7qWbI5CJ2S1a4CdIB" alt=""><figcaption></figcaption></figure>

We can see that `import os` is used, and any module the script imports is a candidate for hijacking if we can write to it. Conveniently, the machine lets us have write permission to `os.py`.

<figure><img src="/files/nsfh5fwSfNPRTKl2wdUc" alt=""><figcaption></figcaption></figure>
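As an added example that is not part of the original writeup, the script below audits a Python interpreter's module search path for exactly this weakness: a stdlib module, or a search-path directory where a shadowing module could be planted, that someone other than the trusted owner (root by default) can write to. The `demo_findings` fixture built with `tempfile` is constructed for the demonstration and treats the current user as trusted so only the permission bits are judged.

```python
"""Added example (not from the writeup): report Python search-path entries a
non-trusted user could modify. A root cron job doing `import os` executes
whatever os.py resolves to, so writable modules or path dirs are root-level risk."""
import os
import stat
import sys
import tempfile
from typing import List, Optional, Tuple


def _writable_by_untrusted(st: os.stat_result, trusted: Tuple[int, int]) -> Optional[str]:
    """Explain how someone other than the trusted (uid, gid) could write this inode."""
    if st.st_uid != trusted[0]:
        return f"owned by uid {st.st_uid}, not the trusted owner"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != trusted[1]:
        return f"group-writable by gid {st.st_gid}"
    return None


def audit_module_paths(search_path: Optional[List[str]] = None,
                       trusted: Tuple[int, int] = (0, 0)) -> List[Tuple[str, str]]:
    """Check each search-path directory (default: sys.path) and every .py module in it."""
    findings = []
    for directory in (sys.path if search_path is None else search_path):
        if not directory or not os.path.isdir(directory):
            continue
        reason = _writable_by_untrusted(os.stat(directory), trusted)
        if reason:  # a writable directory lets anyone drop a shadowing os.py here
            findings.append((directory, f"directory {reason}"))
        for name in sorted(os.listdir(directory)):
            full = os.path.join(directory, name)
            if name.endswith(".py") and os.path.isfile(full):
                reason = _writable_by_untrusted(os.stat(full), trusted)
                if reason:
                    findings.append((full, f"module {reason}"))
    return findings


def demo_findings() -> List[Tuple[str, str]]:
    """Constructed fixture: a fake module dir with a world-writable os.py and a
    correctly permissioned helper; only the os.py entry should be reported."""
    root = tempfile.mkdtemp(prefix="modaudit_")
    for name, mode in (("os.py", 0o666), ("helper.py", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample module\n")
        os.chmod(path, mode)
    return audit_module_paths([root], trusted=(os.getuid(), os.getgid()))
```

Running `audit_module_paths()` with no arguments checks the interpreter that executes it; on a hardened host the result should be an empty list.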

Then, we just need to append a Python reverse shell to this:

<figure><img src="/files/2h3MzQga4sGnsXjiCfCG" alt=""><figcaption></figcaption></figure>

After opening a listener port and waiting, we catch a root shell.

<figure><img src="/files/Gv9BvuEKoPRUSFvjBCFP" alt=""><figcaption></figcaption></figure>
