HTB Starting Point - Tier 0 Walkthroughs

Azt3c
Published in System Weakness
Mar 20, 2022

This blog covers the following:

· Starting Point (Tier 0)

· Completing tasks that fall under each machine from tier 0:

- Meow

- Fawn

- Dancing

- Explosion

- Preignition

Tier 0 Machines:

Meow

1. What does the acronym VM stand for?

- Virtual Machine

2. What tool do we use to interact with the operating system in order to start our VPN connection?

- Terminal

3. What service do we use to form our VPN connection?

- openvpn

4. What is the abbreviated name for the tunnel interface in the output of your VPN boot-up sequence?

- ssh

5. What tool do we use to test our connection to the target?

- ping

6. What’s the name of the script we use to scan the target’s ports?

- nmap

7. What service do we identify on port 23/tcp during our scan?

- telnet

8. What username ultimately works with the remote management login prompt for the target?

- Root

9. Submit the root flag:

- HTB{b40abdfe23665f766f9c61ecba8a4c19}

Findings & Screenshots

I started off with an nmap scan, which shows telnet on port 23/tcp open:

Signing in over telnet as "root", we find that no password is required. Listing the files, we find the flag file, and reading it out gives us the flag to submit for the task:

Fawn

1. What does the 3-letter acronym FTP stand for?

- File Transfer Protocol

2. What communication model does FTP use, architecturally speaking?

- client-server protocol

3. What is the name of the one popular GUI FTP program?

- FileZilla

4. Which port is the FTP service usually active on?

- 22 tcp

5. What acronym is used for the secure version of FTP?

- SFTP

6. What is the command we can use to test our connection to the target?

- ping

7. From your scans, what version is FTP running on the target?

8. From your scans, what OS type is running on the target?

- Unix

9. Submit the flag:

- HTB{035db21c881520061c53e0536e44f815}

Findings & Screenshots

In my scan we find FTP on port 21/tcp open:

Connecting to the target, we can log in as the anonymous user with either no password or any arbitrary password; the login succeeds:

Once connected, we list the files in the current directory, find the flag file, and use the "get" command to download it to our machine:

Reading out the flag gives us the answer to the last task for Fawn:

Dancing

1. What does the 3-letter acronym SMB stand for?

- Server Message Block

2. What port does SMB operate at?

- 445 tcp

3. What network communications model does SMB use, architecturally speaking?

- Client-server model

4. What's the service name on port 445 that came up in our nmap scan?

- Microsoft-ds

5. What is the tool we use to connect to SMB shares from our Linux distribution?

- smbclient

6. What is the ‘flag’ or ‘switch’ we can use with the SMB tool to ‘list’ the contents of the share?

- -L

7. What is the name of the share we are able to access in the end?

- Workshares

8. What command can we use in the SMB shell to download the files we find?

- get

9. Submit root flag:

- HTB{5f61c10dffbc77a704d76016a22f1664}

Findings & Screenshots

After scanning the target we find it has 3 open ports.

- Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.

- Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet.

- Port 135: Remote procedure call

After some research on SMB, I came across an article about connecting to an SMB share with anonymous login. So I tested it, and it gave me a result of what is available on the target:

Seeing what I can actually connect to, I noted I could not connect to "ADMIN$", "C$" and "IPC$". But I successfully connected to "WorkShares":

After connecting successfully to WorkShares, I listed the files in the current directory and discovered two directories:

After some digging, in the "James.P" directory I came across the flag and downloaded the file using the "get" command:

Reading out the file I get the answer for the last task:

Explosion

1. What does the 3-Letter acronym RDP stand for?

- Remote Desktop Protocol

2. What is a 3-letter acronym that refers to the interaction with the host through a command line interface?

- CLI

3. What about a graphical user interface interactions?

- GUI

4. What is the name of an old remote access tool that came without encryption by default?

- telnet

5. What is the concept used to verify the identity of the remote host with SSH connections?

- public

6. What is the name of the tool that we can use to initiate a desktop projection to our host using the terminal?

- xfreerdp

7. What is the name of the service running on port 3389 TCP?

-

8. What is the switch used to specify the target host's IP address when using xfreerdp?

- /v:

9. Submit root flag:

- HTB{951fa96d7830c451b536be5a6be008a0}

Findings & Screenshots

Started with a basic nmap scan and found a few ports open:

Running a more advanced nmap scan on the ports found:

Port 3389/tcp is Windows Terminal Server (RDP). By default, the server listens on TCP port 3389 and UDP port 3389. Microsoft currently refers to its official RDP client software as Remote Desktop Connection, formerly "Terminal Services Client". The protocol is an extension of the ITU-T T.128 application sharing protocol.

Reading further on "rdp-ntlm-info", I found a useful article that explained how the RDP service can be abused to gain an RDP session:

Testing common users on a Windows machine:

I tested common passwords as well ("password", "P@ssw0rd", "123456789"), and then a blank password, which worked:

I was connected to the Windows server via RDP and found the flag:
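Across Meow, Fawn, Dancing and Explosion the work starts with reading the nmap service table. As an added example (not part of the original write-up), here is a small Python parser for the PORT/STATE/SERVICE/VERSION table of nmap normal output that flags each exposed service with the check a defender would make on that box. The scan text is constructed; apart from nginx 1.14.2 (reported for Preignition), the version strings are placeholders.

```python
import re

# Constructed sample of `nmap -sV` normal output, assembled from the ports the
# five Tier 0 boxes expose; not a real capture (only the nginx 1.14.2 version
# comes from the write-up, the other version strings are placeholders).
SAMPLE_NMAP = """\
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd <version placeholder>
23/tcp   open  telnet        Linux telnetd
80/tcp   open  http          nginx 1.14.2
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# What a defender should check for each service the Tier 0 boxes expose.
RISK_NOTES = {
    "telnet": "clear-text remote shell (Meow): disable, replace with SSH, no empty root password",
    "ftp": "clear-text transfer (Fawn): disable anonymous login, prefer SFTP",
    "netbios-ssn": "SMB over NetBIOS on 139 (Dancing): legacy, rarely needed next to 445",
    "microsoft-ds": "SMB over TCP 445 (Dancing): audit guest access and share permissions",
    "ms-wbt-server": "RDP on 3389 (Explosion): require NLA, forbid blank passwords, limit exposure",
    "http": "web server on 80 (Preignition): review unlinked pages such as admin.php",
}

def parse_nmap(text):
    """Parse the PORT/STATE/SERVICE/VERSION table from nmap normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue  # header, blank and banner lines do not start with a port
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": version or ""})
    return rows

def triage(rows):
    """Return (port, service, note) for each open service with a risk note."""
    return [(r["port"], r["service"], RISK_NOTES[r["service"]])
            for r in rows if r["state"] == "open" and r["service"] in RISK_NOTES]
```

Pipe the saved output of `nmap -sV -oN scan.txt <target>` into `parse_nmap` and print `triage` to get a per-port checklist instead of reading the table by eye.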

Preignition

1. What is considered to be one of the most essential skills to possess as a Penetration Tester?

- dir busting

2. What switch do we use for nmap's scan to specify that we want to perform version detection?

- -sV

3. What service type is identified as running on port 80/tcp in our nmap scan?

- http

4. What service name and version of service is running on port 80/tcp in our nmap scan?

- nginx 1.14.2

5. What is a popular directory busting tool we can use to explore hidden web directories and resources?

- gobuster

6. What switch do we use to specify to gobuster we want to perform dir busting specifically?

- dir

7. What page is found during our dir busting activities?

- admin.php

8. What is the status code reported by gobuster upon finding a successful page?

- 200

9. Submit root flag

- HTB{6483bee07c1c1d57f14e5b0717503c73}

Findings & Screenshots

I started off with a basic nmap scan and got one open port:

Port 80/tcp is one of the most commonly used port numbers in the Transmission Control Protocol (TCP) suite. Any web/HTTP client, such as a web browser, uses port 80 to send requests to and receive web pages from an HTTP server.

Running a more advanced scan against the open port gives us the version and the HTTP server title:

Visiting the website hosted on the target, we are presented with the default welcome page:

I ran a directory brute-force tool (gobuster) to search for files and other directories on the target; the scan finished and found an admin login path:

Navigating to "admin.php", we are presented with an admin console login:

Testing basic username and password pairs such as admin:admin and admin:password, I saw that I couldn't log in:

I got stuck here for a while while running a brute-force attack against the login form.
After some time, I got the password "1q2w3e"; using it with the user "admin", I logged in and got the flag:
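Both steps above (a gobuster sweep, then repeated login attempts against admin.php) leave an obvious trace in the nginx access log. As an added example (not part of the original write-up), the following Python detector reads combined-format log lines and flags a source that produces a burst of 404s or a burst of POSTs to the login page. The log lines are constructed, not captured from the box; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx access-log lines (combined format), not a capture from the
# Preignition box: a gobuster-style 404 sweep, then POSTs to admin.php.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Mar/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.10.14.9 - - [20/Mar/2022:10:00:02 +0000] "GET /.git HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
10.10.14.9 - - [20/Mar/2022:10:00:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
10.10.14.9 - - [20/Mar/2022:10:00:03 +0000] "GET /uploads HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
10.10.14.9 - - [20/Mar/2022:10:00:03 +0000] "GET /admin.php HTTP/1.1" 200 999 "-" "gobuster/3.1.0"
10.10.14.9 - - [20/Mar/2022:10:00:20 +0000] "POST /admin.php HTTP/1.1" 200 999 "-" "python-requests/2.27"
10.10.14.9 - - [20/Mar/2022:10:00:21 +0000] "POST /admin.php HTTP/1.1" 200 999 "-" "python-requests/2.27"
10.10.14.9 - - [20/Mar/2022:10:00:22 +0000] "POST /admin.php HTTP/1.1" 302 0 "-" "python-requests/2.27"
"""

# client ip, timestamp, method, path and status code from the combined format
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "t": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}

def burst(times, n, window):
    """True if any n timestamps (sorted) fall within `window` seconds."""
    return any((times[i + n - 1] - times[i]).total_seconds() <= window
               for i in range(len(times) - n + 1))

def detect(log_text, n=3, window=60, login_path="/admin.php"):
    """Flag sources whose 404s or login POSTs arrive in bursts (assumed thresholds)."""
    per_ip = defaultdict(lambda: {"notfound": [], "login": []})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue  # skip malformed lines rather than crash the detector
        if e["status"] == 404:
            per_ip[e["ip"]]["notfound"].append(e["t"])
        if e["method"] == "POST" and e["path"] == login_path:
            per_ip[e["ip"]]["login"].append(e["t"])
    alerts = []
    for ip, ev in per_ip.items():
        if burst(sorted(ev["notfound"]), n, window):
            alerts.append((ip, "directory brute force (404 burst)"))
        if burst(sorted(ev["login"]), n, window):
            alerts.append((ip, f"login brute force (POST burst to {login_path})"))
    return alerts
```

Run `detect(open("/var/log/nginx/access.log").read())` on a real log to get one alert per offending source and reason; rate limiting on the login path and a lockout after repeated failures are the matching mitigations.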
