Thanks to a few of you guys for the hints on user. The initial foothold was different and took me a while.
Root was pretty easy once I took a look at what’s going on in the system.
My suggestions for initial foothold and user are to keep digging, do some guesswork, play with files both locally and remotely, pay attention to the comments so you don’t get stuck down a rabbit hole, enumerate, and tamper.
My suggestions for root are to understand what the system is doing. What can you leverage and how can you leverage it? A helpful hint that I had for root was mentioned in this thread quite a few times.
I need to talk to someone about this LFI. I’ve found pretty much everything mentioned in this thread but have no idea how to get it executed. Someone who knows what they are doing, can you please PM me? Thanks
Jeez! 3 days on that haha page. Got the image path, uploaded my rev shell file, but can’t reach it in any way. Anyone for a little nudge in the right direction?
Seems like missing a port number or two has occurred to some here, myself included. I’m using masscan with a rate of 1000 pps and I missed two key ports on the first attempt. Anyone using masscan and what is the rate you use?
I used masscan at rate 700 pps and it found them all… Hope it helps
Rooted finally, got lost in the rabbit holes on the way to user. Root was fun though!
For user: enumeration till it hurts. And if you get stuck, enumerate more, go back in your notes if you have to. No brute force needed.
For root: more enumeration, check what’s happening and how you can leverage it to privesc.
PM me if you need a hint, glad to help! Needed a nudge in the right direction for user at this box too…
This box is all about enumeration; if you don’t enumerate enough you’ll get frustrated quickly and remain empty-handed. My suggestion is to be very careful of all the rabbit holes; sometimes things that look important are just there to trick you. PM me if anyone needs a hand.
Guys, could you please help me to set my /etc/resolv.conf file in order to reach the domains retrieved enumerating the port 53?
Adding as nameserver the box’s IP (above my DNS entry), I try to ping the domains but I receive a reply from localhost… I see that my resolv.conf is autogenerated by NetworkManager but I’m unable to reach these domains also editing it, adding the new nameserver… Any hint is appreciated! Thanks
I don’t want to let you waste your time with these tricks… You need to configure your DNS once you enumerated ALL successfully in /etc/hosts adding also at the end of each line the name of this machine
Still unable to reach any other webpage… Could you please give me a hint via PM? I’ve added the nameserver on resolv.conf and the domains retrieved with z*** t****** but I’m unable to go forward…
I am stuck at the da**d. I have tried several things. I am pretty sure that one folder in Brazilian dance does not allow access and our files in uds goes in there… However I am stuck to move forward with inclusion. Any help is appreciated. Please let me know if I can PM anyone for the next part?