Friendzone - HackTheBox

I’m struggling with Priv Esc part. I know what to do but it’s not working. Need some nudge.

edit: nvm. got root

I am stuck getting root, any help?

can someone help me with what to do after dns enum?

Can someone give a hint to the LFI? I’m at Haha and have been trying to use the includes to call on the shared file for RCE, but I’m getting incredibly stuck and my research is leading me down rabbit holes

Finally got user! I was stuck for half a day because of a typo, and half a day because I assumed things…

@kzelman You’re almost there. You might want to take a step back and consider how you got there. Enumerate thoroughly and you’ll find your destination.

@Th3R4nd0m More enumeration… Until you think it’s enough and then some.

Could someone PM me a hint how to use the LFI? I guess I upload a php file and then call it from the dashboard page… And am using the full path. Not working for me…

…getting “Something went worng”… message…

basically stuck at “haha” like so many other people, lol

I got user and root, thanks @DaChef and @BigBoss

I’ve been stuck at haha for days…not so haha. tried various LFI tricks, i can see the path from my enumeration…i don’t know what the ■■■■ i’m doing wrong. any hints? thanks

This was one of the most difficult machines I’ve faced until now. Not because it’s really hard, but because it’s so full of rabbit holes that it makes you crazy!!!

Anyway, I’ve got user.txt (after a couple of days) and root.txt, that need a couple of minutes if you know what is going on, but a while if you want to learn something new :slight_smile:

Thanks to everyone that helped me, especially to @p0wn3y for the first part and @m4xp0wer and @absf1 for the root part.

A couple of hints:

  • initial foothold: enumerate every port you have; every piece of information you get can be useful for the next steps, and I mean every!

  • user: when you get the right page (that gives you “information” about what you should do) try to understand well what is going on

  • root: enumerate well, something will come up (follow the g0tmilk guide). As others have said, then follow the snake. Try to understand well how it works and you’ll be fine

PM if you need more help!

@KaiserPhoenix said:

  • user: when you get the right page (that gives you “information” about what you should do) try to understand well what is going on

Absolutely, I’ve spent an hour reading up on what I’m doing and what to do with that, which made understanding and using the vulnerability in that environment super easy. Once I understood what’s going on, it was a walk in the park. (total beginner here btw…)

Rooted! Thank you very much to @askar for this box! If anyone needs some help feel free to PM :smiley:

Totally stuck. Did Z*** T******** on famous ports but can’t get anything out of it. Can someone pm me? Thanks :slight_smile:
Edit: Confronting to LFI now :slight_smile:

Could use help with this. There has to be a way to do PrivEsc without having to modify a python library right? Seems like a good way to break the box and force a reset

I am about to lose it over dns enum. could somebody please PM me and tell me how to properly edit hosts?

Edit 1: got it, time to confront LFI

Edit 2: Rooted

Tips -

Initial foothold: enum 53 like ■■■■. Ippsec bank really is the way to go. don’t forget different web protocols…

User: to get to RCE you need to enum 443. once you get to the fabled HaHa you need to really understand what the script does. the vulnerable param might surprise you. find your uploads through nmap scripts.

Privesc: to escape w******a you need to look nearby. For root, check what unusual files you have access to and go with your gut. As has been said several times, pspy is awesome.

thanks to @askar for the awesome box, and @KaiserPhoenix for the help with DNS

Stuck on LFI like many others, I know the file location, I’ve uploaded files. Can’t get the ti******* parameter to hit it though.

Any hints would be appreciated.

Hints/Tips for this box:
Enumeration obviously, admin thing (pay attention to listing details), ZTs!, lfi (lots of noise, keep it simple)

I’m new to htb, can someone pm some hints. I’ve enumerated as much as I know how to and gotten back most of what people have mentioned. I think I’m missing haha and c***.txt but not too sure where to go from here

I’m completely stuck on privilege escalation for a day. I thought I knew where to go but I’m just stumped. If anyone could offer a nudge it would be greatly respected.

Thanks @AnonyBit for helping me with root.

For those stuck on LFI: Do more research on what LFI is and what it can do. Start from zero and verify one assumption at a time. In other words: Try harder :lol:

I am back again. I was busy in the OSCP lab for exam prep. I am working on root but my exploit is not working. I asked my colleague for help but he has the same problem. I can go in details because of spoiler. Can someone send me a PM to discuss this?