HackTheBox - FriendZone


00:45 - Beginning of Recon
04:10 - Running SMBMap to identify and crawl file shares
05:00 - Downloading creds.txt from an smb share and checking FTP/SMB
06:50 - Checking the webpage and grabbing potential DNS Names for the box
10:40 - Using dig to perform a DNS Zone Transfer to obtain additional host names
12:00 - Adding all hostnames to /etc/hosts
12:55 - Running Aquatone to take screenshots of all the pages for quick examination
15:15 - Testing uploads.friendzone.red
16:30 - Testing admin.friendzone.red
17:00 - Testing administrator1.friendzone.red, logging in with creds found from SMB
18:35 - Found an LFI in the Dashboard.PHP script (PageName Variable)
20:15 - Using PHP Wrappers with the LFI to obtain PHP Script Source
23:00 - Revisiting recon to find ways to upload files, end up using SMBClient
25:10 - Gaining code execution through the LFI Exploit and SMB File Share
27:30 - Reverse Shell Returned
28:50 - Exploring /var/www/html to see if any troll directories had useful files in them, find creds to Friend user
31:20 - Running PSPY to identify cron jobs we don't have permission to see
33:15 - Running LinEnum.sh to enumerate the box and discover the Python OS Library is writeable
38:20 - Fixing our reverse shell by setting ROWS and COLUMNS of our terminal so we can use Vi
40:45 - Placing a reverse shell in the Python OS library

Reviewed by Anonymous on July 13, 2019. Rating: 5