Hack The Box: Starting Point - Tier 0


The hacking platform Hack The Box provides a collection of very easy boxes to hack, together with some guiding questions. It is aimed at beginners and consists of three parts (Tier 0, Tier 1 and Tier 2). This write-up covers Tier 0. The questions are easy, so I’ll write the answers down directly unless there is more to say.

For all boxes you first need to connect to the Hack The Box VPN with OpenVPN (sudo openvpn <your-file>.ovpn) and then spawn the machine by clicking on its icon. Of course you need to download the .ovpn connection file from the control panel first. This is what it looks like:

[screenshot: VPN connection file download in the control panel]

I was a bit confused when I used it the first time, but the manual page is quite good. Also, you’re advised not to do this on your own host machine directly, as the downloaded files could potentially be harmful. I use a Kali Linux VM.


Box 1: MEOW

[screenshot: box MEOW]

This box is tagged “Linux”, “Network”, “Account Misconfiguration”. It turns out that you can log in via telnet without any password.

Questions:

  • What does the acronym VM stand for? Virtual Machine
  • What tool do we use to interact with the operating system in order to start our VPN connection? terminal
  • What service do we use to form our VPN connection? openvpn
  • What is the abbreviated name for a tunnel interface in the output of your VPN boot-up sequence output? tun
  • What tool do we use to test our connection to the target? ping
  • What is the name of the script we use to scan the target’s ports? nmap

The object of these questions is obviously to guide the poor newcomer on the right track. Now comes the practical part: First we scan the given box IP with nmap:

sudo nmap  -sC -sS <ip> -oA meowTop1000      

The flags are optional. -sC runs nmap’s “default” script set; some of those scripts are partially intrusive, so it is not recommended against a sensitive target. -sS is a TCP SYN scan: it sends the SYN but never completes the three-way handshake (“stealth” half-open scan). It is nmap’s default scan type when run as root (hence the sudo); without privileges nmap falls back to a full connect scan (-sT). -oA writes the results in all three output formats (.nmap, .gnmap and .xml) under the given base name.

This is the output:

[screenshot: nmap output]

With this knowledge, we connect with telnet <ip>, log in as root (no password is asked for) and read the text file containing the flag.

  • What service do we identify on port 23/tcp during our scans? telnet
  • What username ultimately works with the remote management login prompt for the target? root
  • Submit root flag Try yourself!

Box 2: Fawn

[screenshot: box FAWN]

This box is tagged “Linux”, “FTP” and “Account Misconfiguration”. As you might expect, we can log in anonymously via FTP here.

Questions:

  • What does the 3-letter acronym FTP stand for? File Transfer Protocol
  • What communication model does FTP use, architecturally speaking? Client-Server Model
  • What is the name of one popular GUI FTP program? FileZilla
  • Which port is the FTP service active on usually? 21 tcp
  • What acronym is used for the secure version of FTP? SFTP (SSH File Transfer Protocol; not to be confused with FTPS, which is FTP over TLS)
  • What is the command we can use to test our connection to the target? ping

Now we run the nmap scan again. The first scan (-sC -sS) does not reveal the operating system, so we add the -A flag (aggressive), which enables OS detection, version detection, script scanning and traceroute. It is noisier and quite intrusive, but returns more information:

[screenshot: nmap output]

We can see an open FTP service on port 21 that allows anonymous login. This means that we can log in with username “anonymous” and any password. From there, we can browse the directories and download the flag file with get.

[screenshot]

With this knowledge, we can answer the remaining questions:

  • From your scans, what version is FTP running on the target? vsftpd (“very secure FTP daemon”), with the version number as shown in the nmap output
  • From your scans, what OS type is running on the target? Unix
  • Submit root flag Try yourself!

Box 3: Dancing

[screenshot: box Dancing]

This box is tagged “Windows” and “Wrong Permissions”. It turns out that we can access the WorkShares share on the SMB server without any credentials.

  • What does the 3-letter acronym SMB stand for? Server Message Block
  • What port does SMB use to operate at? 445
  • What network communication model does SMB use, architecturally speaking? Client-Server Model

Now we run nmap again with the same flags as before. This is the output:

[screenshot: nmap output]

  • What is the tool we use to connect to SMB shares from our Linux distribution? smbclient
  • What is the service name for port 445 that came up in our nmap scan? microsoft-ds
  • What is the “flag” or “switch” we can use with the SMB tool to “list” the contents of the share? -L

Let’s connect:

[screenshot]

The shares we see are the standard administrative ones: C$ (the C: drive of the remote machine), ADMIN$ (the Windows installation directory) and IPC$ (used for inter-process communication, not for files). Those require valid credentials, but the WorkShares share can be opened with a null session (-N, no password):

smbclient //10.129.157.134/WorkShares -N

From there we can browse the directory and download the final flag with get.

  • What is the name of the share we are able to access in the end? WorkShares
  • What is the command we can use within the SMB shell to download the files we find? get
  • Submit root flag Try yourself!

Box 4: Explosion

[screenshot: box Explosion]

This box is tagged “Windows”, “Network” and “Account Misconfiguration”. It turns out that we can log in via RDP as Administrator with an empty password.

  • What does the 3-letter acronym RDP stand for? Remote Desktop Protocol
  • What is a 3-letter acronym that refers to interaction with the host through a command line interface? CLI
  • What about graphical user interface interactions? GUI
  • What is the name of an old remote access tool that came without encryption by default? telnet
  • What is the concept used to verify the identity of the remote host with SSH connections? public-key cryptography
  • What is the name of the tool that we can use to initiate a desktop projection to our host using the terminal? xfreerdp
  • What is the switch used to specify the target host’s IP address when using xfreerdp? /v:

Now we run nmap again.

[screenshot: nmap output]

We see ms-wbt-server (RDP) on port 3389. Connecting without any credentials fails at the login prompt, but the built-in Administrator account has an empty password, so the following logs us in without being asked for one (xfreerdp will first ask you to accept the server’s self-signed certificate; /cert:ignore skips that prompt):

xfreerdp /v:10.129.157.158 /u:Administrator

From there we can simply open the flag textfile on the computer’s desktop.

  • Submit root flag Try yourself!

Box 5: Preignition

This box is tagged “Linux”, “Web”, “PHP” and “Default Credentials”. It serves a website whose admin login page is not linked anywhere and has to be found by directory brute-forcing. Once found, the default credentials admin:admin work.


  • What is considered to be one of the most essential skills to possess as a Penetration Tester? dir busting
  • What switch do we use for nmap’s scan to specify that we want to perform version detection -sV

Let’s run nmap with the -sV flag:

[screenshot: nmap output]

  • What service type is identified as running on port 80/tcp in our nmap scan? http
  • What service name and version of service is running on port 80/tcp in our nmap scan? nginx 1.14.2
  • What is a popular directory busting tool we can use to explore hidden web directories and resources? gobuster
  • What switch do we use to specify to gobuster we want to perform dir busting specifically? dir

Instead of gobuster, I used dirb http://<ip>.

  • What page is found during our dir busting activities? admin.php
  • What is the status code reported by gobuster upon finding a successful page? 200
  • Submit root flag Try yourself!
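Putting the five boxes together: every one of them starts with the same nmap run and continues with a no-credential check that depends on which service turned up. The shell script below is an added example, not part of the Hack The Box material or of the commands in this write-up. It parses the .gnmap file that -oA writes and prints the matching Tier 0 check for each open port. The scan data embedded in it is constructed for the example (the addresses are made up), and the wordlist path in the gobuster line is an assumed Kali default.

```shell
#!/bin/sh
# Added example, not from the write-up: turn the .gnmap file that
# "nmap ... -oA <basename>" writes into one Tier 0 follow-up check per open port.
# A .gnmap host line is tab-separated: "Host: <ip> (<name>)", then
# "Ports: <port>/<state>/<proto>/<owner>/<service>/<rpcinfo>/<version>/, ..."

# Read .gnmap on stdin, print "<ip> <port>/<proto> <service> [<version>]" per open port.
gnmap_open_ports() {
  awk -F'\t' '
    /^Host: / && /Ports: / {
      ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
      for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) ports = substr($i, 8)
      n = split(ports, p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        if (f[2] != "open") continue          # skip filtered/closed entries
        line = ip " " f[1] "/" f[3] " " f[5]
        if (f[7] != "") line = line " " f[7]
        print line
      }
    }'
}

# Map one open service to the no-credential check used on the Tier 0 boxes.
# Commands are only printed, never executed: read them before pointing them at a target.
tier0_check() {
  ip=$1; portproto=$2; service=$3
  case "$service" in
    telnet)        echo "telnet $ip   # log in as root, no password" ;;
    ftp)           echo "ftp $ip   # user anonymous, any password; then ls and get" ;;
    microsoft-ds)  echo "smbclient -L //$ip -N   # null-session share list, then smbclient //$ip/<share> -N" ;;
    ms-wbt-server) echo "xfreerdp /v:$ip /u:Administrator /cert:ignore   # empty password" ;;
    http)          echo "gobuster dir -u http://$ip -w /usr/share/wordlists/dirb/common.txt   # wordlist path assumed (Kali)" ;;
    *)             echo "# no Tier 0 check for $service on $portproto" ;;
  esac
}

# Whole pipeline: .gnmap on stdin -> one suggested command per open port.
triage_gnmap() {
  gnmap_open_ports | while read -r ip portproto service _version; do
    tier0_check "$ip" "$portproto" "$service"
  done
}

# Constructed sample in .gnmap layout (made-up addresses, modelled on the Meow and Fawn scans).
SAMPLE_GNMAP=$(printf '%s\t%s\n%s\t%s\t%s\n%s\t%s\t%s\n' \
  'Host: 10.129.1.17 ()' 'Status: Up' \
  'Host: 10.129.1.17 ()' 'Ports: 23/open/tcp//telnet//Linux telnetd/' 'Ignored State: closed (999)' \
  'Host: 10.129.1.14 ()' 'Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/filtered/tcp//ssh///' 'Ignored State: closed (998)')

printf '%s\n' "$SAMPLE_GNMAP" | triage_gnmap
```

Against a real scan from this write-up you would run triage_gnmap < meowTop1000.gnmap. The script deliberately prints commands instead of running them, so nothing touches the target until you have read the suggestion.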