HackTheBox: Starting Point Tier 0
2024-05-20
A collection of boxes to hack as an introduction to Hack The Box and cybersecurity
These are the very first machines to hack on HackTheBox. They are an introduction to cybersecurity and HackTheBox. There are likely to be spoilers ahead, but not a full walkthrough on how I hacked the machine.
Meow
- Tags: Telnet, Network, Protocols, Reconnaissance, Weak Credentials, Misconfiguration
- Difficulty: Very Easy
- Date: 20/03/2023
This machine had an insecure telnet service running on port 23. The root user can log in without a password.
Fawn
- Tags: FTP, Network, Protocols, Reconnaissance, Anonymous/Guest Access
- Difficulty: Very Easy
- Date: 20/03/2023
This machine is running an FTP service on port 21. The service has anonymous login enabled, so anonymous/anonymous can be supplied as credentials, granting access to the machine.
Dancing
- Tags: Network, Protocols, SMB, Reconnaissance, Anonymous/Guest Access
- Difficulty: Very Easy
- Date: 29/03/2023
This machine has an SMB service running on port 445. We can list the shares using:
smbclient -L [IP address]
A prompt for a password appears, but passwordless entry is enabled so we can skip past that. From there we can access WorkShares without a password using:
smbclient \\\\[IP address]\\WorkShares
Again the prompt for a password appears, but we can skip past it. From there we can use commands to find a file and use get to pull it onto our own machine. Then we can find the flag.
Redeemer
- Tags: Redis, Vulnerability Assessment, Databases, Reconnaissance, Anonymous/Guest Access
- Difficulty: Very Easy
- Date: 29/03/2023
The Redeemer box has a TCP service running on port 6379. This is a Redis service, which is an “in-memory database”, and uses Redis-CLI for user interactions. We can open a session using the following command:
redis-cli -h [IP address]
In the interactive session, we can use the info command to list more information and statistics about the Redis server. We can see how many keys are in the database using the following command:
info keyspace
Note that Redis has 16 databases by default. We can list all the keys in a database using:
keys *
From there we can see one of the keys is “flag”, and we can use the get command to get the corresponding flag from the database.
Explosion
- Tags: Network, Programming, RDP, Reconnaissance, Weak Credentials
- Difficulty: Very Easy
- Date: 29/03/2023
The Explosion box has an ms-wbt-server service running on port 3389. This can be accessed using xfreerdp. We can log into the administrator account without a password due to a misconfiguration. This can be done using the following command:
xfreerdp /u:administrator /p: /v:[IP address]
From there, we can get the flag off the desktop.
Preignition
- Tags: Web, Custom Applications, Apache, Reconnaissance, Web Site Structure Recovery, Default Credentials
- Difficulty: Very Easy
- Date: 29/03/2023
The Preignition box has an HTTP service running on port 80. We can use Gobuster to look for directories. There is one called admin.php. We can access this webpage and log in using the credentials admin/admin, which gives us the flag.
Mongod
- Tags: MongoDB, Web, Databases, Reconnaissance, Misconfiguration, Anonymous/Guest Access
- Difficulty: Very Easy
- Date: 29/03/2023
There is a MongoDB service running on port 27017. We can use the mongosh command to access it. This can be done like so:
mongosh --host [ip address]
We can then see all the databases on the instance using:
show dbs
We can select a database using:
use [database]
From there we can list the collections in that database using:
show collections
We can then get documents from a collection using:
db.[collection].find().pretty()
Synced
- Tags: Rsync, Network, Protocols, Reconnaissance, Anonymous/Guest Access
- Difficulty: Very Easy
- Date: 12/04/2023
Rsync is a remote file syncing protocol that defaults to port 873. It has an anonymous login feature in which no credentials need to be passed. The following command can be used to list all the files in the synced directory:
rsync --list-only rsync://[IP address]:/
The rsync:// prefix is needed so that rsync understands which service it is connecting to. From there, a specific file can be retrieved using:
rsync -a rsync://[IP address]:/path/to/file .
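The anonymous-access findings in Fawn, Redeemer and Synced come down to server-side settings, so the following added example (not code from the original post) audits config text for them. It assumes the FTP server is vsftpd, which the post does not state; the function names and sample configs are constructed for illustration.

```python
# Added example: config-side audit for the anonymous-access settings described
# on this page. All sample configs below are constructed for illustration.

def parse(text, sep=None):
    """Return {section: {key: value}}; '' holds lines before any [section]."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf[section] = {}
            continue
        key, value = (line.split(sep, 1) + [""])[:2]
        # rsyncd.conf ignores whitespace inside parameter names ("auth users")
        conf[section]["".join(key.split()).lower()] = value.strip()
    return conf

def audit_redis(text):
    s, out = parse(text)[""], []
    if not s.get("requirepass"):  # assumption: no ACL "user" lines in use
        out.append("redis: no requirepass, clients are unauthenticated")
        if s.get("protected-mode", "yes") == "no":
            out.append("redis: protected-mode no removes the loopback-only safeguard")
    return out

def audit_vsftpd(text):
    s = parse(text, "=")[""]
    # vsftpd.conf(5) documents anonymous_enable as defaulting to YES
    if s.get("anonymous_enable", "yes").lower() == "yes":
        return ["vsftpd: anonymous_enable is YES (explicit or default)"]
    return []

def audit_rsyncd(text):
    conf = parse(text, "=")
    glob = conf.pop("")  # global parameters act as module defaults
    return [f"rsyncd: module [{name}] has no auth users"
            for name, mod in conf.items()
            if not mod.get("authusers", glob.get("authusers"))]

WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\n"
HARD_REDIS = "bind 127.0.0.1\nrequirepass <long-random-secret>\n"
WEAK_RSYNCD = "[public]\npath = /srv/public\nread only = yes\n"
HARD_RSYNCD = ("[backup]\npath = /srv/backup\nauth users = backup\n"
               "secrets file = /etc/rsyncd.secrets\n")

if __name__ == "__main__":
    for finding in (audit_redis(WEAK_REDIS) + audit_vsftpd("listen=YES\n")
                    + audit_rsyncd(WEAK_RSYNCD)):
        print(finding)
```

Point each function at the contents of the real redis.conf, vsftpd.conf or rsyncd.conf; an empty list means none of these specific settings was found.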