LFI

This post covers my process for solving the FriendZone box on Hack The Box. It demonstrates a typical CTF methodology: recon, enumeration, exploitation (web and SMB), privilege escalation via Python library hijacking, and lessons learned. References 0xdf’s writeup Python library hijack privilege escalation Recon NMAP Scan └──╼ [★]$ nmap -sC -sV 10.10.10.123 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-03 15:01 CDT Nmap scan report for 10.10.10.123 Host is up (0.011s latency). Not shown: 993 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA) | 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA) |_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519) 53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux) | dns-nsid: |_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-title: Friend Zone Escape software |_http-server-header: Apache/2.4.29 (Ubuntu) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 443/tcp open ssl/http Apache httpd 2.4.29 |_http-server-header: Apache/2.4.29 (Ubuntu) | tls-alpn: |_ http/1.1 |_ssl-date: TLS randomness does not represent time |_http-title: 404 Not Found | ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO | Not valid before: 2018-10-05T21:02:30 |_Not valid after: 2018-11-04T21:02:30 445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP) Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: | smb2-time: | date: 2025-07-03T20:02:08 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_clock-skew: mean: -1h00m00s, deviation: 1h43m55s, median: -1s | smb-os-discovery: | OS: Windows 6.1 (Samba 4.7.6-Ubuntu) | Computer name: friendzone | NetBIOS computer name: FRIENDZONE\x00 | Domain name: \x00 | FQDN: friendzone |_ System time: 2025-07-03T23:02:09+03:00 |_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 21.29 seconds title: FriendZone HTB Walkthrough date: 2025-07-03 categories: [Penetration Testing, CTF Walkthrough, Privilege Escalation, Web Application Security] tags: [HTB, FriendZone, SMB, LFI, privilege escalation, python hijack, reverse shell, DNS, enumeration] This post covers my process for solving the FriendZone box on Hack The Box. It demonstrates a typical CTF methodology: recon, enumeration, exploitation (web and SMB), privilege escalation via Python library hijacking, and lessons learned. ...

This post documents my process for solving the Toxic box on Hack The Box. This box is all about PHP insecure deserialization, exploiting LFI, and using log poisoning to achieve remote code execution. Synopsis PHP insecure deserialization to LFI that abuses log poisoning for RCE. Learning References: https://ianpeter.medium.com/exploiting-log-poisoning-through-lfi-and-serialization-in-php-e039e7b126ad The official writeup I wasn’t sure what to do at first, so I checked the writeup after struggling for a while. Challenge Analysis & Source Code Review The web page didn’t reveal much, but looking at the source code, you see: ...

Identifying the Local File Inclusion (LFI) Vulnerability While working on the skills assessment for the File Inclusion module, I first checked whether the target website was vulnerable to Local File Inclusion (LFI). The website had a query parameter called page in the URL, as shown below: http://<IP>/index.php?page=<page name> When I attempted to traverse directories using relative paths, like ../../../../etc/passwd, I encountered an error message: “Invalid input detected!”. Directory Enumeration with ffuf To explore available pages on the site, I used the ffuf tool to fuzz the directories: ...