FriendZone HTB Walkthrough

This post covers my process for solving the FriendZone box on Hack The Box. It demonstrates a typical CTF methodology: recon, enumeration, exploitation (web and SMB), privilege escalation via Python library hijacking, and lessons learned.

References

- 0xdf’s writeup
- Python library hijack privilege escalation

Recon

NMAP Scan

    └──╼ [★]$ nmap -sC -sV 10.10.10.123
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-03 15:01 CDT
    Nmap scan report for 10.10.10.123
    Host is up (0.011s latency).
    Not shown: 993 closed tcp ports (reset)
    PORT    STATE SERVICE     VERSION
    21/tcp  open  ftp         vsftpd 3.0.3
    22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
    |   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
    |_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
    53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
    | dns-nsid:
    |_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
    80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
    |_http-title: Friend Zone Escape software
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    443/tcp open  ssl/http    Apache httpd 2.4.29
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    | tls-alpn:
    |_  http/1.1
    |_ssl-date: TLS randomness does not represent time
    |_http-title: 404 Not Found
    | ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
    | Not valid before: 2018-10-05T21:02:30
    |_Not valid after: 2018-11-04T21:02:30
    445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
    Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Host script results:
    | smb2-time:
    |   date: 2025-07-03T20:02:08
    |_  start_date: N/A
    | smb2-security-mode:
    |   3:1:1:
    |_    Message signing enabled but not required
    |_clock-skew: mean: -1h00m00s, deviation: 1h43m55s, median: -1s
    | smb-os-discovery:
    |   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
    |   Computer name: friendzone
    |   NetBIOS computer name: FRIENDZONE\x00
    |   Domain name: \x00
    |   FQDN: friendzone
    |_  System time: 2025-07-03T23:02:09+03:00
    |_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 21.29 seconds

...

July 3, 2025 · Joon Kim

DNS & Web Browser Request

What happens if a web browser (client) sends a request to a server?

Reference

What is DNS (Domain Name System)?

DNS resolves domain names to IP addresses.

Steps that DNS takes:

- We try to access yahoo.com in our browser.
- The browser (or your OS) checks its own cache memory for the IP address. If it is not found, it sends the query to the resolver server.
  - The resolver server is basically your ISP (Internet service provider).
- Once the resolver receives the query, it checks its own cache memory for the IP address of yahoo.com. If it is not found, it sends the query to the root server.
  - The root server is the top, or the root, of the DNS hierarchy.
  - There are 13 sets of these root servers, strategically placed around the world.
  - They are operated by 12 different organizations.
  - Each set has its own unique IP address.
- When the root server receives the query for the IP address of yahoo.com, it is not going to know what the IP address is. But it knows where to send the resolver to find it: the root server directs the resolver to the TLD (Top Level Domain) server for the .com domain.
  - A Top Level Domain server stores the address information for top level domains such as .com, .net, .org, etc.
- The TLD server is not going to know the IP address of yahoo.com either, so it directs the resolver to the next and final level, the authoritative name servers.
- The resolver asks the authoritative name server for the IP address of yahoo.com.
  - Authoritative name servers are responsible for knowing everything about the domain, including the IP address.
  - When it receives the query from the resolver, the name server responds with the IP address of yahoo.com.
- Finally, the resolver tells your computer the IP address of yahoo.com, and your computer can now retrieve the web page for yahoo.com.
  - Once the resolver receives the IP address of yahoo.com, it stores the IP address in its cache memory to avoid going through all these steps again.

After the steps above… ...

February 14, 2023 · Joon Kim
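
The resolver's part of the DNS steps above (cache check, then root, TLD and authoritative server, then caching the answer) as a small offline simulation. This is an added example, not code from the original post: the server names, the address 203.0.113.10 (a documentation range) and the 300-second lifetime are constructed, and expiring cache entries after a lifetime goes one step beyond what the post describes.

```python
import time

# Constructed data: a three-level hierarchy mirroring the steps in the post.
# Server names, the address and the 300 s lifetime are made up for the example.
SERVERS = {
    "root":         {"referrals": {"com": "tld-com"}},
    "tld-com":      {"referrals": {"yahoo.com": "ns.yahoo.com"}},
    "ns.yahoo.com": {"answers": {"yahoo.com": ("203.0.113.10", 300)}},
}

class Resolver:
    """Resolver server: checks its cache, then walks root -> TLD -> authoritative."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}  # name -> (ip, expiry time)

    def resolve(self, name):
        """Return (ip, trace); trace lists every place consulted, in order."""
        trace = ["resolver-cache"]
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return hit[0], trace  # answered from cache, no upstream queries
        server = "root"
        while True:
            trace.append(server)
            zone = SERVERS[server]
            if name in zone.get("answers", {}):  # authoritative answer
                ip, ttl = zone["answers"][name]
                self.cache[name] = (ip, self.clock() + ttl)
                return ip, trace
            # Not authoritative: follow the referral for the longest matching suffix.
            labels = name.split(".")
            suffixes = [".".join(labels[i:]) for i in range(len(labels))]
            nxt = next((zone["referrals"][s] for s in suffixes
                        if s in zone.get("referrals", {})), None)
            if nxt is None:
                return None, trace  # no server knows where to send the resolver
            server = nxt

def demo():
    """First lookup walks the hierarchy, second hits the cache, third re-walks after expiry."""
    now = [0.0]  # fake clock so the run is deterministic
    r = Resolver(clock=lambda: now[0])
    first, second = r.resolve("yahoo.com"), r.resolve("yahoo.com")
    now[0] = 301.0  # past the constructed 300 s lifetime
    return first, second, r.resolve("yahoo.com")

if __name__ == "__main__":
    for ip, trace in demo():
        print(ip, "via", " -> ".join(trace))
```
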