Friendzone - HackTheBox

Very confused on this one… I’ve enumerated 53 with z*** t******* and found some things, but all of them just point to localhost, so when I try virtual host routing it just redirects the queries to my machine, which is useless. I know you can upload files, but I don’t know what this HaHa page people are talking about is. I’m not sure how else to enumerate 53…

Rooted. User was a pain in the ■■■■. Root is pretty easy.

Ah, that was a tough one! Lol! User was tricky… I managed to find all of the pieces of the puzzle, but piecing them together to make everything work was the tricky bit. The bits I stumbled on were enumerating s**. I overlooked something key first time around and then getting my shell code perfected. I would have got reverse shells earlier, but my code wasn’t quite right. This box would have been easy if it hadn’t been for all of the rabbit holes.

I’m pleased that I don’t have to see Nelson laughing at me anymore!!! :wink:

Ok, this one was both fun and infuriating at the same time, very CTF like, but in a good way. A lot of fiddling trying to find stuff, but things were hidden but in places where they made sense, so even if it’s CTF it feels more real life.

Initial foothold, make sure you enumerate all ports you found open, there are many ports and you’ll need more than one, then go watch ippsec’s video on bank.

So you got to the Haha screen? you probably already know what to do, but there are many rabbit holes along the way and some guesswork involved. One thing I learned with this machine, although not needed, is that there is a way to retrieve the php files using LFI, this might help you discover what all those pages are actually doing.

You have a shell? congrats, but you’ll need to privesc in order to privesc again, there’s a nice checkpoint here. If you’re f***** check what makes your user more privileged than the previous one, then read, read read. If you find something that seems interesting, that’s your vector, even if it’s not really doing anything, there might be a way to make it do more.

Type your comment

Spoiler Removed

Pm me for getting root and user.

Really not liking all the rabbit holes on this box, finding it very CTF based. Still struggling to grab user.

Type your comment> @panic said:

Very confused on this one… I’ve enumerated 53 with z*** t******* and found some things, but all of them just point to localhost, so when I try virtual host routing it just redirects the queries to my machine, which is useless. I know you can upload files, but I don’t know what this HaHa page people are talking about is. I’m not sure how else to enumerate 53…

you are on the right path for enumerating 53. I had the same issue, but think about it: if you do z*** t******* and get local host…what is it actually pointing to? also think about the output of nmap :slight_smile:

Type your comment> @Nibodhika said:

you’ll need to privesc in order to privesc again
It’s possible to privesc from 1st shell to root directly…
@Nibodhika (or other privescing 2 times) can you MP me to understand your approach plz

Just cant figure out.
After I do the Brazillian Dance, cant find where to find it bah.

@humurabbi said:

For root: pspy can be helpful

+1billion

It was a nice box, although a bit of CFT-like to get the user part.

For privesc to get root I used “lse”: GitHub - diego-treitos/linux-smart-enumeration: Linux enumeration tool for pentesting and CTFs with verbosity levels and I found the flaw very quickly (using -l1 verbosity)

For privesc the target is clear if you do your basic enumeration. You do not need a tool.
You do not need to follow any snakes, just follow your privesc routine and snakes will follow you. Read those informative files you have access to. Check permissions on things.

Wondering if anyone can PM me regarding root. I did lots of enumeration but the problem with being new to this is that sometimes it might be staring at my face and I won’t see it.
So by accident (i think some people left some files in the /home directory) I started suspecting it has to do with “E***4”. but still lost as how to proceed . . .

I did and learn a lot … still fight for user access !!!
I did enumerations, get cred, have names, … but still :frowning:
Any help is more than welcome…

Got root. Thanks a lot @BigDaddy for help.
Lessons learned. don’t echo to the files. It may not work. Try nano or vim or vi.
PM for hints.

Box was fun.
Thx @askar

:wink: :+1:

Type your comment> @humurabbi said:

Rooted Successfully.
Hint for user: The only reason this machine is difficult is due to large number of rabbit holes. So the first you need to identify and dodge them. Look for the comments to identify them
For root: pspy can be helpful

Hack the box

Most helpful comment! Thank you!

wow user…

enumerate everything (obviously).

Now there is definitely a rabbit hole troll type part to user which I spent a lot of time on.

Focos on a certain page where you can use something else you found. Then focus on connecting how the place you found the useful thing is connected.