This was a fairly straightforward box that was good fun.
Nmap scan:
![](/content/images/2019/07/image.png)
I checked out ftp first but anonymous access was disabled. Next up was smb:
![](/content/images/2019/07/image-1.png)
While enumerating, I found that the Development share was writable. I also found a creds.txt file in the 'general' share:
![](/content/images/2019/07/image-2.png)
![](/content/images/2019/07/image-4.png)
Those creds didn't work for ftp or samba so let's look at http:
![](/content/images/2019/07/image-5.png)
The email address listed uses the domain 'friendzoneportal.red' so let's check DNS:
![](/content/images/2019/07/image-6.png)
![](/content/images/2019/07/image-7.png)
I added all of those domains to /etc/hosts and started enumerating them in a web browser.
![](/content/images/2019/07/image-8.png)
The creds I found work here but the page is not developed:
![](/content/images/2019/07/image-9.png)
Uploads.friendzone.red gives us this:
![](/content/images/2019/07/image-10.png)
I uploaded a reverse shell named as a jpg but couldn't find a way to access it:
![](/content/images/2019/07/image-11.png)
I finally found a working login form at administrator1.friendzone.red:
![](/content/images/2019/07/image-12.png)
Entering the creds here brings up a page telling me to visit dashboard.php:
![](/content/images/2019/07/image-13.png)
I do so and am greeted with this:
![](/content/images/2019/07/image-14.png)
The 'pagename' smells like it's exploitable. I thought back to the nice hint about file locations while enumerating smb:
![](/content/images/2019/07/image-15.png)
The 'development' share was writable and was most likely in '/etc/development'. I uploaded a PHP reverse shell called rs.php to the 'development' share and after some experimentation, was able to access it at https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/rs. With a netcat listener running, I got a limited shell:
![](/content/images/2019/07/image-16.png)
The user flag is easily found:
![](/content/images/2019/07/image-17.png)
While enumerating the system, I came across creds in plaintext in /var/www/mysql_data.conf:
![](/content/images/2019/07/image-18.png)
These creds let me ssh in as 'friend':
![](/content/images/2019/07/image-19.png)
I uploaded pspy64 and watched for a while before seeing this being run every so often:
![](/content/images/2019/07/image-20.png)
Contents of reporter.py:
![](/content/images/2019/07/image-21.png)
During the enumeration process, I found that /usr/lib/python2.7/os.py was world-writable and owned by root. Since reporter.py imports os, I appended the following lines to os.py:
![](/content/images/2019/07/image-22.png)
With a netcat listener, I shortly get a root shell and the root flag:
![](/content/images/2019/07/image-23.png)
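The root step above came from a world-writable standard-library module being imported by a root cron job. Here is an added audit script (my own, not part of the original post) that walks the interpreter's library directories and reports any .py/.pth files, or the directories holding them, that group or world can write, which is the misconfiguration a defender should be looking for; the root directories and the `.pth` suffix are my assumptions, not something the box's author showed.

```python
#!/usr/bin/env python3
"""Audit Python library directories for modules a non-root user can modify.

Added example, not from the original post. reporter.py ran as root from cron
and imported os; because /usr/lib/python2.7/os.py was world-writable, any
local user could append code that root would then execute. This script flags
that class of permission problem so it can be corrected before it is abused.
"""
import os
import stat
import sys


def writable_by_others(path):
    """True if the group or world write bit is set (symlinks are not followed)."""
    st = os.lstat(path)
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_writable_modules(roots, suffixes=(".py", ".pth")):
    """Walk each root and collect importable files, and the directories that
    hold them, which group/others can write. Returns a sorted list of paths.
    Directories are included because a writable package directory lets a user
    drop a brand-new module in front of a legitimate one."""
    hits = set()
    for root in roots:
        if not os.path.isdir(root):
            continue  # silently skip sys.path entries that do not exist
        if writable_by_others(root):
            hits.add(root)
        for dirpath, dirnames, filenames in os.walk(root):
            for d in dirnames:
                full = os.path.join(dirpath, d)
                if writable_by_others(full):
                    hits.add(full)
            for f in filenames:
                if f.endswith(suffixes):
                    full = os.path.join(dirpath, f)
                    if writable_by_others(full):
                        hits.add(full)
    return sorted(hits)


def default_roots():
    """sys.path entries of the running interpreter (assumption: cron jobs that
    call this same interpreter import from these directories)."""
    return [p for p in sys.path if p and os.path.isdir(p)]


if __name__ == "__main__":
    for path in find_writable_modules(sys.argv[1:] or default_roots()):
        print("WRITABLE: " + path)
```

Run it as the interpreter the cron job uses (e.g. `python2.7 audit.py` on a box like this one) or pass library directories explicitly; an empty result means no module in those paths can be tampered with by an unprivileged user.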