Starting Point

https://app.hackthebox.com/

STARTING POINT

VPN

STARTING POINT:

sudo openvpn /home/kali/Desktop/HTB/starting_point_ExodusSec.ovpn

MACHINES:

sudo openvpn /home/kali/Downloads/lab_ExodusSec.ovpn

KILL:

sudo killall openvpn

-------------------------------------------------------------------------------------

TIER: 0

Meow - LINUX - VERY EASY

TAGS: Telnet, Network, Protocols, Reconnaissance, Weak Credentials, Misconfiguration

  1. Enumeration:

┌──(kali㉿kali)-[~]
└─$ ping 10.129.31.247

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 10.129.31.247

TELNET:

Following the completion of the scan, we have identified port 23/tcp in an open state, running the telnet service. Following a quick Google search of this protocol, we find out that telnet is an old service used for remote management of other hosts on the network. Since the target is running this service, it can receive telnet connection requests from other hosts in the network (such as ourselves). Usually, connection requests through telnet are configured with username/password combinations for increased security. We can see this is the case for our target, as we are met with a Hack The Box banner and a request from the target to authenticate ourselves before being allowed to proceed with remote management of the target host.

┌──(kali㉿kali)-[~]
└─$ telnet 10.129.31.247

  1. Foothold:

Sometimes, due to configuration mistakes, some important accounts can be left with blank passwords for the sake of accessibility. This is a significant issue with some network devices or hosts, leaving them open to simple brute-forcing attacks, where the attacker can try logging in sequentially, using a list of usernames with no password input. Some typical important accounts have self-explanatory names, such as:

admin
administrator
root

A direct way to attempt logging in with these credentials in hopes that one of them exists and has a blank password is to input them manually in the terminal when the hosts request them. If the list were longer, we could use a script to automate this process, feeding it a wordlist for usernames and one for passwords. Typically, the wordlists used for this task consist of typical people names, abbreviations, or data from previous database leaks. For now, we can resort to manually trying these three main usernames above.

Success! We have logged into the target system. We can now go ahead and take a look around the directory we landed in using the ls command. There is a possibility we might find what we are looking for.

ls 
cat flag.txt 

-------------------------------------------------------------------------------------

Fawn - LINUX - VERY EASY

TAGS: FTP, Network, Protocols, Reconnaissance, Anonymous/Guest Access

  1. Enumeration:

┌──(kali㉿kali)-[~]
└─$ ping 10.129.112.33

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 10.129.112.33

Scanning using our previously used command, we can see the FTP service open and running on port 21. However, what if we would like to know the actual version of the service running on this port? Could scanning it with different switches present us with the needed information?

  1. Foothold:

It is time we interacted with the target. In order to access the FTP service, we will use the ftp command on our own host. It's good practice to have a quick check that your ftp is up to date and installed properly. Running the command below will display the same output as pictured if your ftp service is installed. Otherwise, it will continue with the installation. The -y switch at the end of the command is used to accept the installation without interrupting the process to ask you if you'd like to proceed.

┌──(kali㉿kali)-[~]
└─$ ftp -y   

After it has done installing, you can run the ftp -h command to see what the service is capable of. From the excerpt above, we can see that we can connect to the target host using the command below. This will initiate a request to authenticate on the FTP service running on the target, which will return a prompt back to our host:

┌──(kali㉿kali)-[~]
└─$ ftp 10.129.112.33

The prompt will ask us for the username we want to log in with. Here is where the magic happens. A typical misconfiguration for running FTP services allows an anonymous account to access the service like any other authenticated user. The anonymous username can be input when the prompt appears, followed by any password whatsoever since the service will disregard the password for this specific account.

┌──(kali㉿kali)-[~]
└─$ ftp 10.129.219.30
Name (10.129.219.30:kali): anonymous
Password: any password whatsoever 

Hitting Enter after filling in the password, we can see that we are logged in successfully. Our terminal changes in order to show us that we can now issue ftp commands.

Typing in the help command allows us to view which commands are available. You will be able to see this pattern with every script and service that you have access to. Typing either the -h , --help , or help commands will always issue a list of all the commands available to you as a user, with descriptions occasionally included. If you would like to learn about a specific command in more depth, you can use a different command: man {commandName} . However, for now, let us get back to our target.

$ ls 
$ dir 

Now, we can proceed to download the flag.txt to our host (Virtual Machine). In order to do so, we can use the get command, followed by the name of the file we want to download. In our case, it would look like this:

ftp> get flag.txt

This will trigger the download of the file to the same directory you were in when you issued the ftp {machineIP} command. If we exit the FTP service, we will see the same file on our host now.

ftp> bye

┌──(kali㉿kali)-[~]
└─$ cat flag.txt 

-------------------------------------------------------------------------------------

Dancing - WINDOWS - VERY EASY

TAGS: Network, Protocols, SMB, Reconnaissance, Anonymous/Guest Access

  1. Enumeration:

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 10.129.62.190

445/tcp open  microsoft-ds?

As previously mentioned, we observe that port 445 TCP for SMB is up and running, which means that we have an active share that we could potentially explore. Think of this share as a folder that can be accessed over the internet. In order to do so, we will need the appropriate services and scripts installed. In order to successfully enumerate share content on the remote system, we can use a script called smbclient.

smbclient

Our next step is to start enumerating the contents of the share found on our target in both cases. Smbclient will attempt to connect to the remote host and check if there is any authentication required. If there is, it will ask you for a password for your local username. We should take note of this. If we do not specify a specific username to smbclient when attempting to connect to the remote host, it will just use your local machine's username. That is the one you are currently logged into your Virtual Machine with. This is because SMB authentication always requires a username, so by not giving it one explicitly to try to login with, it will just have to pass your current local username to avoid throwing an error with the protocol.

Nevertheless, let us use our local username since we do not know about any remote usernames present on the target host that we could potentially log in with. Next up, after that, we will be prompted for a password. This password is related to the username you input before. Hypothetically, if we were a legitimate remote user trying to log in to their resource, we would know our username and password and log in normally to access our share. In this case, we do not have such credentials, so what we will be trying to perform is any of the following:

  • Guest authentication

  • Anonymous authentication

Any of these will result in us logging in without knowing a proper username/password combination and seeing the files stored on the share. Let us proceed to try that. We leave the password field blank, simply hitting Enter to tell the script to move along.

┌──(kali㉿kali)-[~]
└─$ smbclient -L 10.129.62.190  

[-L|--list=HOST] : Selecting the targeted host for the connection request.

Running the command above, we see that four separate shares are displayed. Let us go through each of them and see what they mean.

- ADMIN$ - Administrative shares are hidden network shares created by the Windows NT family of operating systems that allow system administrators to have remote access to every disk volume on a network-connected system. These shares may not be permanently deleted but may be disabled.
- C$ - Administrative share for the C:\ disk volume. This is where the operating system is hosted.
- IPC$ - The inter-process communication share. Used for inter-process communication via named pipes and is not part of the file system.
- WorkShares - Custom share.
  1. Foothold:

We will try to connect to each of the shares except for the IPC$ one, which is not valuable for us since it is not browsable as any regular directory would be and does not contain any files that we could use at this stage of our learning experience. We will use the same tactic as before, attempting to log in without the proper credentials to find improperly configured permissions on any of these shares. We'll just give a blank password for each username to see if it works. First, let us try the ADMIN$ one.

┌──(kali㉿kali)-[~]
└─$ smbclient \\\\10.129.62.190\\WorkShares

Success! The WorkShares SMB share was poorly configured, allowing us to log in without the appropriate credentials. We can see our terminal prompt changed to smb: > , letting us know that our shell is now interacting with the service. We can use the help command to see what we can do within this shell.

smb: \> help

From the output, we can notice that most of the commands we are used to in Linux are present. We will be using the following to navigate the share:

ls : listing contents of the directories within the share
cd : changing current directories within the share
get : downloading the contents of the directories within the share
exit : exiting the smb shell

Typing in the ls command will show us two directories, one for Amy.J and one for James.P . We visit the first one and are met with a file called worknotes.txt , which we can download using the get command

smb: \> cd Amy.J
smb: \Amy.J\> get worknotes.txt

This file is now saved inside the location where we ran our smbclient command from. Let us continue looking for other valuable files in James.P 's directory. Navigating to it, we can find the sought flag.txt file as well. After retrieving this file, we can use the exit command to quit the shell and check the files we just retrieved.

smb: \Amy.J\> exit

┌──(kali㉿kali)-[~]
└─$ cat worknotes.txt

-------------------------------------------------------------------------------------

Redeemer - LINUX - VERY EASY

TAGS: Redis, Vulnerability Assessment, Databases, Reconnaissance, Anonymous/Guest Access

  1. Enumerating

In order to verify the connectivity & availability of the target, we can run the ping command with the IP address of the target machine. After two successful replies, we can interrupt the ping command, as we are satisfied with the connection quality. We do not always need to run commands for a long time. Sometimes, getting a snippet of the result or an overview instead of a detailed report is more time-efficient than the alternative.

┌──(kali㉿kali)-[~]
└─$ ping 10.129.136.187  

Immediately after, we can follow up with a preliminary scan of the target. Using nmap with the appropriate service version detection switch, we scan the IP address for any open ports and services.

┌──(kali㉿kali)-[~]
└─$ nmap -p- -sV 10.129.136.187

-sV : Probe open ports to determine service/version info

We can infer from the scan result that only one port is open on the target machine, i.e. port 6379 which is running a Redis server.

Redis Server: Redis (REmote DIctionary Server) is an open-source advanced NoSQL key-value data store used as a database, cache, and message broker. The data is stored in a dictionary format having key-value pairs. It is typically used for short term storage of data that needs fast retrieval. Redis does backup data to hard drives to provide consistency.

Server :Redis runs as server-side software so its core functionality is in its server component. The server listens for connections from clients, programmatically or through the command-line interface.

CLI: The command-line interface (CLI) is a powerful tool that gives you complete access to Redis’s data and its functionalities if you are developing a software or tool that needs to interact with it.

Database: The database is stored in the server's RAM to enable fast data access. Redis also writes the contents of the database to disk at varying intervals to persist it as a backup, in case of failure

Installing redis-cli: Now, to be able to interact remotely with the Redis server, we need to download the redis-cli utility. It can be downloaded using the following command:

sudo apt install redis-tools

Enumerating Redis Server: After successfully installing the redis-cli utility, let us view its help page by typing in the redis-cli -- help command in our terminal to receive a list of all possible switches for the tool and their description

┌──(kali㉿kali)-[~]
└─$ redis-cli --help

Let us connect to the redis server using the following command:

┌──(kali㉿kali)-[~]
└─$ redis-cli -h 10.129.136.187

One of the basic Redis enumeration commands is info which returns information and statistics about the Redis server. Since the output of this command is pretty long, I have snipped out the less-relevant information :

# Keyspace
db0:keys=4,expires=0,avg_ttl=0

The keyspace section provides statistics on the main dictionary of each database. The statistics include the number of keys, and the number of keys with an expiration. In our case, under the Keyspace section, we can see that only one database exists with index 0 . Let us select this Redis logical database by using the select command followed by the index number of the database that needs to be selected:

10.129.136.187:6379> select 0

Furthermore, we can list all the keys present in the database using the command:

10.129.136.187:6379> keys *

Finally, we can view the values stored for a corresponding key using the get command followed by the keynote :

get flag

-------------------------------------------------------------------------------------

Explosion - WINDOWS - VERY EASY

TAGS: Network, Programming, RDP, Reconnaissance, Weak Credentials

RDP (Remote Desktop Protocol) operates on ports 3389 TCP and 3389 UDP

CLI - Remote Access Tools Command Line Interface-based Remote Access Tools have been around forever. A rudimentary example of this is Telnet , which was explored briefly in the Meow machine. In its most basic configuration, Telnet is considered insecure due to lacking the ability to encrypt the data being sent through it securely. This implies that an attacker with access to a network TAP (Traffic Access Point) could easily intercept the packets being sent through a Telnet connection and read the contents, be they login credentials, sensitive files, or anything else. Telnet, which runs on port 23 TCP by default, has mainly been replaced by its more secure counterpart, SSH , running on port 22 TCP by default.

SSH, which stands for Secure Shell Protocol, adds the required layers of authentication and encryption to the communication model, making it a much more viable approach to perform remote access and remote file transfers. It is used both for patch delivery, file transfers, log transfer, and remote management in today's environment.

However, both Telnet and SSH only offer the end-user access to the remote terminal part of the host being reached. This means that no display projection comes with these tools. In order to be able to see the remote host's display, one can resort to CLI-based tools such as xfreerdp . Tools such as this one are called Remote Desktop Tools , despite being part of the Remote Access family. The reasoning behind this is because the whole desktop can be remotely controlled by the user initiating the connection, like one would if they were physically in the room with the remote host, using its keyboard, mouse, and display to interact with it, including the ability to view graphical content, controlling the mouse pointer and keyboard input, easily interacting with the web browser, and more.

GUI - Remote Access Tools Graphical User Interface-based Remote Access Tools are newer to the family than the CLI-based ones. Albeit old themselves, the technology kept evolving, making user interaction with both the software and the remote host easier and more intuitive for the average user. This type of tool only allows for Remote Desktop connections, there being no need for a GUI-based tool that offers terminal connection only, as seen with Telnet and SSH. Two of the most prevalent Remote Desktop tools are Teamviewer and Windows' Remote Desktop Connection, formerly known as Terminal Services Client.

Enumeration:

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 10.129.110.172 

It is always a good idea to research the ports found in order to understand the big picture. SpeedGuide is a good resource for those just starting out with their networking basics and interested in understanding more common ports at a glance. Below are some examples:

Port 135 TCP : https://www.speedguide.net/port.php?port=135
Port 139 TCP : https://www.speedguide.net/port.php?port=139
Port 445 TCP : https://www.speedguide.net/port.php?port=445
Port 3389 TCP : https://www.speedguide.net/port.php?port=3389
Port 5357 TCP : https://www.speedguide.net/port.php?port=5357

Looking at the SpeedGuide entry for port 3389 TCP, we deem it of interest. It is typically used for Windows Remote Desktop and Remote Assistance connections (over RDP - Remote Desktop Protocol). We can quickly check for any misconfigurations in access control by attempting to connect to this readily available port without any valid credentials, thus confirming whether the service allows guest or anonymous connections or not.

Foothold: xfreerdp

┌──(kali㉿kali)-[~]
└─$ sudo apt-get install freerdp2-x11

┌──(kali㉿kali)-[~]
└─$ xfreerdp  

We can first try to form an RDP session with the target by not providing any additional information for any switches other than the target IP address. This will make the script use your own username as the login username for the RDP session, thus testing guest login capabilities.

/v:{target_IP} : Specifies the target IP of the host we would like to connect to.

As we can see from the output below, our own username is not accepted for the RDP session login mechanism. We can try a myriad of other default accounts, such as user , admin , Administrator , and so on. In reality, this would be a time-consuming process. However, for the sake of RDP exploration, let us attempt logging in with the Administrator user, as seen from the commands below. We will also be specifying to the script that we would like to bypass all requirements for a security certificate so that our own script does not request them. The target, in this case, already does not expect any.

┌──(kali㉿kali)-[~]
└─$ xfreerdp /v:10.129.110.172 /cert:ignore /u:Administrator 

/cert:ignore : Specifies to the scrips that all security certificate usage should be ignored.
/u:Administrator : Specifies the login username to be "Administrator".
/v:{target_IP} : Specifies the target IP of the host we would like to connect to.

-------------------------------------------------------------------------------------

Preignition - LINUX - VERY EASY

TAGS: Web, Custom Applications, Apache, Reconnaissance, Web Site Structure Discovery, Default Credentials

Enumeration:

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 10.129.39.78  

From the scan result, a single entry is shown and catches our attention. It is an http service running on port 80, signaling that this target might be hosting some explorable web content. To look at the contents ourselves, we can open a web browser of our choice and navigate to the target's IP address in the URL barat the top of the window. This will automatically address the target's port 80 for the client-server communication and load the web page's contents.

http://10.129.39.78  

At the top of the page, we observe the mention of the nginx service. After researching basic information about nginx and its purpose, we conclude that our target is a web server.

What we are looking at on our browser screen is the default post-installation page for the nginx service, meaning that there is the possibility that this web application might not be adequately configured yet, or that default credentials are used to facilitate faster configuration up to the point of live deployment. This, however, also means that there are no buttons or links on the web page to assist us with navigation between web directories or other content.

When browsing a regular web page, we use these elements to move around on the website. However, these elements are only links to other directories containing other web pages, which get loaded in our browser as if we manually navigated to them using the URL search bar at the top of the browser screen. Knowing this, could we attempt to find any "hidden" content hosted on this webserver?

fuff

gobuster

First, you need to make sure you have Go installed on your Linux distribution, which is the programming language used to write the gobuster tool.

┌──(kali㉿kali)-[~]
└─$ go install github.com/OJ/gobuster/v3@latest

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u 10.129.39.78

In the wordlist we used, the entry admin.php was present, and from our results below, we can see that there is indeed a page with the same name present on the target. What gobuster did here was make several connection attempts to the target using the HTTP GET method (requesting web pages from the webserver) with different URL variations

http://10.129.39.78/admin.php

Foothold:

Navigating to the newly found link manually through our web browser can be done by inputting the following address in our URL search bar. Once we proceed with this, we are met with an administrative panel for the website. It asks us for a username and password to get past the security check, which could prove problematic in normal circumstances.

Usually, in situations such as this one, we would need to fire up some brute-forcing tools to attempt logging in with multiple credentials sets for an extended period of time until we hit a valid log-in since we do not have any underlying context about usernames and passwords that might have been registered on this web site as valid administrative accounts. But first, we can try our luck with some default credentials since this is a fresh nginx installation. We are betting that it might have been left unconfigured at the time of our assessment. Let us try logging in with the following credentials:

admin admin

-------------------------------------------------------------------------------------

Mongod - LINUX - VERY EASY

TAGS: MongoDB, Web, Databases, Reconnaissance, Misconfiguration, Anonymous/Guest Access

Enumeration:

┌──(kali㉿kali)-[~]
└─$ nmap -p- --min-rate=1000 -sV 10.129.228.30
-p- : This flag scans for all TCP ports ranging from 0-65535
-sV : Attempts to determine the version of the service running on a port
--min-rate : This is used to specify the minimum number of packets that Nmap should send per second; it speeds up the scan as the number goes higher

The scan shows that the following two ports are open - port 22 running the SSH service & port 27017 running the MongoDB server

MongoDB

MongoDB is a document-oriented NoSQL database. Instead of using tables and rows like in traditional relational databases, MongoDB makes use of collections and documents. Each database contains collections which in turn further contain documents. Each document consists of key-value pairs which are the basic unit of data in a MongoDB database. A single collection can contain multiple documents and they are schema-less meaning that the size and content of each document can be different from each another.

In order to connect to the remote MongoDB server running on the target box, we will need to install the mongodb utility, which can be done on Debian-based Linux distributions (like Parrot, Kali and Ubuntu) by downloading the following tar archive file.

┌──(kali㉿kali)-[~]
└─$ curl -O https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.4.7.tgz

We must then extract the contents of the tar archive file using the tar utility.

┌──(kali㉿kali)-[~]
└─$ tar xvf mongodb-linux-x86_64-3.4.7.tgz

Navigate to the location where the mongo binary is present.

┌──(kali㉿kali)-[~]
└─$ cd mongodb-linux-x86_64-3.4.7/bin

Let's now try to connect to the MongoDB server running on the remote host as an anonymous user.

┌──(kali㉿kali)-[~/mongodb-linux-x86_64-3.4.7/bin]
└─$ ./mongo mongodb://10.129.228.30:27017

We have successfully connected to the remote MongoDB instance as an anonymous user. We can list the databases present on the MongoDB server using the following command.

> show dbs;

After listing out the databases, we can select any one of them using the use command for further enumeration. Let's enumerate the seemingly most interesting database, i.e. sensitive_information.

> use sensitive_information;

Let's list down the collections stored in the sensitive_information database using the following command.

> show collections;

We can see that there exists a single collection named flag . We can dump the contents of the documents present in the flag collection by using the db.collection.find() command. Let's replace the collection name flag in the command and also use pretty() in order to receive the output in a beautified format.

> db.flag.find().pretty();

-------------------------------------------------------------------------------------

Synced - LINUX - VERY EASY

TAGS: Rsync, Network, Protocols, Reconnaissance, Anonymous/Guest Access

Enumeration:

┌──(kali㉿kali)-[~]
└─$ nmap -p- --min-rate=1000 -sV 10.129.228.37

-p- : This flag scans for all TCP ports ranging from 0-65535
-sV : Attempts to determine the version of the service running on a port
--min-rate : This is used to specify the minimum number of packets that Nmap should send per second; it speeds up the scan as the number goes higher

The scan shows that only port 873 is open. Moreover, Nmap informs us that the service running on this port is rsync

rsync

Rsync is a fast and extraordinarily versatile file copying tool. It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon. It offers a large number of options that control every aspect of its behavior and permit very flexible specification of the set of files to be copied. It is famous for its deltatransfer algorithm, which reduces the amount of data sent over the network by sending only the differences between the source files and the existing files in the destination. Rsync is widely used for backups and mirroring and as an improved copy command for everyday use.

Since rsync is already pre-installed on almost all Linux distributions, we can start interacting with the remote machine. The generic syntax used by rsync is the following:

rsync [OPTION] … [USER@]HOST::SRC [DEST]

where SRC is the file or directory (or a list of multiple files and directories) to copy from, DEST is the file or directory to copy to, and square brackets indicate optional parameters.

The [OPTION] portion of the syntax, refers to the available options in rsync . The list with all valid options is available over at the official manual page of rsync under the section Options Summary .

The [USER@] optional parameter is used when we want to access the the remote machine in an authenticated way. In this case, we don't have any valid credentials at our disposal so we will omit this portion and try an anonymous authentication.

As our first attempt we will try to simply list all the available directories to an anonymous user. Reading through the manual page we can spot the option --list-only , which according to the definition is used to "list the files instead of copying them". At this point, we have crafted our first command that we will use to interact with the remote machine.

┌──(kali㉿kali)-[~]
└─$ rsync --list-only 10.129.228.37::

Looking at the output, we can see that we can access a directory called public with the description Anonymous Share . It is a common practice to call shared directories just shares . Let's go a step further and list the files inside the public share.

┌──(kali㉿kali)-[~]
└─$ rsync --list-only 10.129.228.37::public

We notice a file called flag.txt inside the public share. Our last step is to copy/sync this file to our local machine. To do that, we simply follow the general syntax by specifying the SRC as public/flag.txt and the DEST as flag.txt to transfer the file to our local machine.

┌──(kali㉿kali)-[~]
└─$ rsync 10.129.228.37::public/flag.txt flag.txt

Executing this command returns no output. But, on our local directory we have a new file called flag.txt . Let's read its contents.

Last updated