Friendzone - HackTheBox

@Nofix said:

Quite stuck on the box. I got the source code of (I guess?) all three websites, but can’t find any RCE. I feel like I’m missing something; I’m doing my whole enumeration again, but nothing is showing up at the moment.

EDIT : rooted.

Thanks a lot to @clmtn for helping me on user part, I was missing the “guessing” part to get RCE.

Took me 5 min to go from www-data to root. I confirm it is possible to do so without user.

Did not like the box very much as it’s too CTF-like (the guessing part drove me mad).
Still I upvoted it, because I learnt a lot about port 53 ! Thanks to the creator.

Nice one. Just to clarify, you can fuzz the path you need to hit for RCE. :slight_smile:

I found getting user fairly tricky, lots of misdirection and rabbit holes. Hint for getting user:

If you’ve made it to haha, look at the two parameters, and think about what function in PHP includes information from other pages, and how you can feed it information.

Working on root, I feel like I have the right file and am looking at the right ideas, but I just cant figure out how to leverage it. Going crazy feeling so close to finishing!

Can’t seem to find the haha page that has been mentioned here previously, any hints?

Okay, so I’ve found the haha image. Is there anything worth bruteforcing hidden in the image?

EDIT:
Rooted. The rabbit holes for user were really annoying; I spent the most time on user by far. It turned out I was looking at the wrong thing for LFI. Once I got www-data, user takes seconds and root shouldn’t take too long either. Thanks to those that hinted :slight_smile:

If anyone needs some hints, let me know.

And done !

Everything you need is in this thread

User : Enumerate and then enumerate again
There are a few rabbit holes granted but if you keep digging you’ll find what you need

At the point of RCE - make sure your payload isn’t too basic (cant really say more than that without ruining it)

Root : Surprisingly easy compared to user - check the information filled files. You should enumerate these files every time you log into a new box !

Thanks to those for the sanity check with regard to RCE - you know who you are

Got out of the friendzone finally!!

Spoiler Removed

First of all, I’m thanking @N30C0UNT and @sesha569 for the hints and help.
The enumeration part was not that hard.
Just “dig” deeper. Times and “zones” are important.
Once you’ve got the creds and the way to log in, just recall the places that you just crossed.

user was not even hard…

Root is also easy, but you should see what is running and executing exactly.

And if anyone needs any help you can ask me any time…

@WillIWas said:

May I ask for some help? I’m kinda stuck. I found the creds.txt file and tried enumerating port 53. I found something interesting using dig, but can’t use that information. I’m basically looking for that admin THING without any luck. I would appreciate any hints without spoiling the whole thing. Thx :slight_smile:

feel free to PM
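Several posts in this thread point at port 53 and dig, i.e. trying a DNS zone transfer (AXFR) to discover the box’s virtual hosts. The script below is an added example, not code from the thread or from the box: it shows the dig invocation for a zone transfer and, from a constructed AXFR answer (the domain `example.htb`, the nameserver `10.10.10.10` and every record are made up for illustration), builds the `/etc/hosts` line and the hostname list you would feed into further web enumeration.

```shell
#!/bin/sh
# Added example (not from the thread or the box): turn a DNS zone transfer
# (dig AXFR) into /etc/hosts entries and a vhost list for web enumeration.
# The domain, nameserver and records below are constructed for illustration.

# Ask nameserver NS for a full zone transfer of DOMAIN; prints only the
# answer records. This is a real network call and is not used in the demo.
# Usage: try_axfr example.htb 10.10.10.10
try_axfr() {
    dig +nocmd +noall +answer axfr "$1" "@$2"
}

# Read dig AXFR answer lines on stdin (name TTL IN TYPE DATA) and emit one
# /etc/hosts line per IP: "IP name1 name2 ...", A records only, trailing
# dot stripped, duplicates dropped, IPs and names in first-seen order.
axfr_to_hosts() {
    awk 'NF >= 5 && $4 == "A" {
            name = $1; sub(/\.$/, "", name)
            if (!(($5, name) in seen)) {
                seen[$5, name] = 1
                if (!($5 in names)) order[++n] = $5
                names[$5] = names[$5] " " name
            }
         }
         END { for (i = 1; i <= n; i++) print order[i] names[order[i]] }'
}

# Read the same AXFR answer and emit every distinct owner name (any record
# type), one per line, as a ready-made wordlist for vhost or curl -H Host:.
axfr_hostnames() {
    awk 'NF >= 5 { name = $1; sub(/\.$/, "", name); if (!seen[name]++) print name }'
}

# Constructed AXFR answer, in the layout dig prints with +noall +answer.
SAMPLE_AXFR='example.htb.            604800  IN  SOA   ns1.example.htb. admin.example.htb. 2 604800 86400 2419200 604800
example.htb.            604800  IN  NS    ns1.example.htb.
example.htb.            604800  IN  A     10.10.10.10
admin.example.htb.      604800  IN  A     10.10.10.10
hr.example.htb.         604800  IN  A     10.10.10.10
ns1.example.htb.        604800  IN  A     10.10.10.10
example.htb.            604800  IN  SOA   ns1.example.htb. admin.example.htb. 2 604800 86400 2419200 604800'

# Demo on the constructed data (no network needed).
printf '%s\n' "$SAMPLE_AXFR" | axfr_to_hosts
printf '%s\n' "$SAMPLE_AXFR" | axfr_hostnames
```

In practice you would run `try_axfr` once per candidate domain and pipe its output into both helpers; if the server refuses the transfer (dig reports “Transfer failed.”), nothing is printed and you fall back to guessing names.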

Hi guys! Can someone help me, please? I’ve found creds and I’ve enumerated port 53. But now I’m stuck on the H**A page. I’ve scanned all those ■■■■ things; I don’t know how to make progress.

Was finally able to read root.txt. This box was a real challenge for me. I would love any input from anyone who was able to get a root shell. A friend showed me one method that was pretty wild; I wonder what others came up with. Cheers!

Anyone stuck at the box feel free to pm me.

Got root … Happy to help!

Has anyone had any issues with the nmap scripts? In particular, if you use -sV with port 443 it hangs.

Hello, any hints? I can access the login page, which does not work, and I don’t find anything else.

@Kalki said:

Hello, any hints? I can access the login page, which does not work, and I don’t find anything else.

Keep enumerating :slight_smile: What does the login page say?

Think I got everything I need from enum, brazilian dance, paths, etc … Now working to get those two (three) params and that final access timestamp puzzle pieces together. That much enum is fun, but the box is a wee bit too CTFy for me, though. Fun box, nevertheless !

This was a fun box, but agreed that it’s CTF-ey.

Thanks to a few of you guys for the hints on user. The initial foothold was different and took me awhile.

Root was pretty easy once I took a look at what’s going on in the system.

My suggestions for initial foothold and user are to keep digging, do some guesswork, play with files both locally and remotely, pay attention to the comments so you don’t get stuck down a rabbit hole, enumerate, and tamper.

My suggestions for root are to understand what the system is doing. What can you leverage and how can you leverage it? A helpful hint that I had for root was mentioned in this thread quite a few times.

Rated the box 7 difficulty on user and 6 on root.

Just wanted to stop in and say I loved this box, thank you!

Huhu :smiley: It’s tough at the beginning if you have not worked with that yet, but root is simple. Feel free to PM me if you need help :smirk:

My first box. Looking for a direct hint without spoiling. Am I playing with the right parameter and uploading through the correct portal?