Friendzone - HackTheBox

At last, rooted, privesc is by far more intuitive and realistic.
User is fine-ish, but some parts are just a bit too CTF for me, there’s some guesswork involved, but is manageable. Most importantly don’t give up and don’t go too deep if you’re not sure that your approach is not a rabbit hole, you’ll spare yourself some time.

If anyone needs help getting user/root feel free to PM me, happy to help.

Box was awesome, learned some new tricks and had a great couple of days figuring out things I overlooked too easily. Well created @askar !

chojinl

Usered without any hints from here. Easy.
Do not confirm that you cannot get root from www-data,
“Look Around” technique helped to get root from www-data.

Anyone about to go over some syntax ?

I can see exactly what has to be done, it’s obvious but I’m missing a slash or a question mark I believe

Edit - If an upload is too simple it won’t register

I have also found two ways to upload files, using two different protocols.

Same boat.

Edit: Nevermind. Got it.

Initial Foothold

This machine is difficult because it leads to rabbit holes, the clues they give in some parts really did not help much, in fact those comments are traps for your brain! Hahaha

User

To start many users have said: Enumerate port 53, it helped me to see a video of a machine that makes the enumeration in the same port (In some parts of the thread they mention the tool)… Once you have it and you are on the Haha page it is not necessary to guess the things, look at the other “service”, list it, the creator put a comment that leads to the RCE and I did not see it, it was thanks to @dispareo that helped me.

Root

In the privesc I lost too much time doing stupid things … I got it thanks to this track, it’s too good:

@humurabbi said:
Rooted Successfully.
Hint for user: The only reason this machine is difficult is due to large number of rabbit holes. So the first you need to identify and dodge them. Look for the comments to identify them
For root: pspy can be helpful
Finally thanks to all the users for providing valuable hints in the forum. Without you, it would not be possible :slight_smile:


When you find the magic file do not think about it much, you have to read the book and scratch it carefully!

Please PM me, I can’t enumerate DNS

Quite stuck on the box, I got the source code of (I guess?) the whole 3 websites, but can’t find any RCE. Feel like I miss something, doing my whole enumeration again but nothing is showing up at the moment.

EDIT : rooted.

Thanks a lot to @clmtn for helping me on user part, I was missing the “guessing” part to get RCE.

Took me 5mn to go from www-data to root. I confirm it is possible to do so without user.

Did not like quite much the box as it’s too CTF-like. (guessing part drove me mad)
Still I upvoted it, because I learnt a lot about port 53 ! Thanks to the creator.

@Nofix said:

Quite stuck on the box, I got the source code of (I guess?) the whole 3 websites, but can’t find any RCE. Feel like I miss something, doing my whole enumeration again but nothing is showing up at the moment.

EDIT : rooted.

Thanks a lot to @clmtn for helping me on user part, I was missing the “guessing” part to get RCE.

Took me 5mn to go from www-data to root. I confirm it is possible to do so without user.

Did not like quite much the box as it’s too CTF-like. (guessing part drove me mad)
Still I upvoted it, because I learnt a lot about port 53 ! Thanks to the creator.

Nice one. Just to clarify, you can fuzz the path you need to hit for RCE. :slight_smile:

I found getting user fairly tricky, lots of misdirection and rabbit holes. Hint for getting user:

If you’ve made it to haha, look at the two parameters, and think about what function in PHP includes information from other pages, and how you can feed it information.

Working on root, I feel like I have the right file and am looking at the right ideas, but I just can’t figure out how to leverage it. Going crazy feeling so close to finishing!

Can’t seem to find the haha page that has been mentioned here previously, any hints?

Okay so I’ve found the haha image, is there anything worth bruteforcing hidden in the image?

EDIT:
Rooted. Rabbit holes for user were really annoying, spent the most time on user by far, ended up I was looking at the wrong thing for LFI. Once I got www-data, user takes seconds and root shouldn’t take too long either. Thanks to those that hinted :slight_smile:

If anyone needs some hints lmk

And done !

Everything you need is in this thread

User : Enumerate and then enumerate again
There are a few rabbit holes granted but if you keep digging you’ll find what you need

At the point of RCE - make sure your payload isn’t too basic (can’t really say more than that without ruining it)

Root : Surprisingly easy compared to user - check the information filled files. You should enumerate these files every time you log into a new box !

Thanks to those for the sanity check with regard to RCE - you know who you are

Got out of the friendzone finally!!

Spoiler Removed

First of all I’m thanking @N30C0UNT and @sesha569 for the hints and help…
Enumeration part was not that hard…
just “Dig” deeper…Times and “Zones” are important…
Once you got the creds and the way to login then just recall the places that you just crossed…

user was not even hard…

root also easy but should see what are running and executing exactly…

And if anyone needs any help you can ask me any time…

@WillIWas said:

May I ask for some help… I’m kinda stuck. I found the creds.txt file, and tried enumerating port 53. Found something interesting using dig, but can’t use that information. I’m basically looking for that admin THING without any luck. I would appreciate any hints without spoiling the whole thing. Thx :slight_smile:

feel free to PM

Hi guys! Can someone help me, please? I’ve found creds, I’ve enumerated 53 port. But now I’m stuck on H**A page. I’ve scanned all that ■■■■ things I don’t know how to get progress.

was finally able to read root.txt --this box was a real challenge for me. would love any input from anyone who was able to get a root shell. a friend showed me one method that was pretty wild, wonder what others came up with. cheers!

Anyone stuck at the box feel free to pm me.