FriendZoned

10.10.10.123


Last updated 4 years ago


Scanning

nmap -p- 10.10.10.123
nmap -p 21,22,53,80,139,443,445 -sV 10.10.10.123

Enumeration

Port 80

  • Found email info@friendzoneportal.red

  • Phone number

  • WordPress site

Port 443

  • Found email friendzone.red

Altering hosts file

Two domain names were found, so let's update our hosts file.

Port 53 Zone Transfer

  • DNS is listening on TCP port 53. What could that mean? A potential zone transfer. Let's try dig.

  • dig axfr @10.10.10.123 friendzone.red          
kali@kali:~/HTB/FriendZone$ dig axfr @10.10.10.123 friendzone.red > zonetransfer 
kali@kali:~/HTB/FriendZone$ dig axfr @10.10.10.123 friendzoneportal.red >> zonetransfer 
kali@kali:~/HTB/FriendZone$ cat zonetransfer 

; <<>> DiG 9.16.4-Debian <<>> axfr @10.10.10.123 friendzone.red
; (1 server found)
;; global options: +cmd
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.		604800	IN	AAAA	::1
friendzone.red.		604800	IN	NS	localhost.
friendzone.red.		604800	IN	A	127.0.0.1
administrator1.friendzone.red. 604800 IN A	127.0.0.1
hr.friendzone.red.	604800	IN	A	127.0.0.1
uploads.friendzone.red.	604800	IN	A	127.0.0.1
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 76 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Mon Sep 28 08:57:53 EDT 2020
;; XFR size: 8 records (messages 1, bytes 289)


; <<>> DiG 9.16.4-Debian <<>> axfr @10.10.10.123 friendzoneportal.red
; (1 server found)
;; global options: +cmd
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.	604800	IN	AAAA	::1
friendzoneportal.red.	604800	IN	NS	localhost.
friendzoneportal.red.	604800	IN	A	127.0.0.1
admin.friendzoneportal.red. 604800 IN	A	127.0.0.1
files.friendzoneportal.red. 604800 IN	A	127.0.0.1
imports.friendzoneportal.red. 604800 IN	A	127.0.0.1
vpn.friendzoneportal.red. 604800 IN	A	127.0.0.1
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 72 msec
;; SERVER: 10.10.10.123#53(10.10.10.123)
;; WHEN: Mon Sep 28 08:58:03 EDT 2020
;; XFR size: 9 records (messages 1, bytes 309)

In vim

Login Pages

Port 445

smbmap -H 10.10.10.123
smbmap -H 10.10.10.123 -R --depth 5

Found Credential

  • admin:WORKWORKHhallelujah@#

Further Enumeration of 445

smbclient -L //10.10.10.123

Notice how the files in the Files share are stored in /etc/Files. Knowing this, there is a possibility the files in the Development share are stored in /etc/Development. Keep in mind we have write access to this share!

Screenshot captions (images not preserved):

  • https://admin.friendzoneportal.red
  • https://uploads.friendzone.red
  • https://administrator1.friendzone.red
  • Let's run a more comprehensive scan
  • Found email
  • Different available domains
  • Replaces newline characters with a space
  • Files are in /etc/Files