Hack the Box - Starting Point

Christiaan -

Introduction

Recently, Hack the Box released a new lab called Starting Point that I thought I wanted to do a quick review on. One of the main issues for individuals when it comes to these CTF-like platforms is sometimes the barrier to entry. With a little guidance, smart people can get an interest in the field of offensive security, rather than go and use their intellect in other fields.

I am not dissing the "Try Harder" mentality, but some guidance on what is VPN or what is SQL goes a long way.

Hack the Box's Starting Point, I think, is a good stab at that. It lays some ground work for someone to get started with CTF or Offensive Security in general. Each of the machines, or challenges, have a few questions which guides the individual to completing the machine or challenge.

Now, if the question is unknown, there is a Walkthrough available. I see this more as a module handbook or tutorial than a Walkthrough. A Walkthrough sometimes just give the solution to machines or challenges, however, the Walkthrough of these challenges are methodical, and has some substance on a topic or concept that the individual will require in their CTF or Offensive Security journey. A Walkthrough should not always be seen as a spoiler, especially if it is delivered like they are in the Starting Point lab.

For example, reading the walkthrough as a module,  it is possible to deduce the answers to the questions.

What I took from working through this Starting Point was that the team at Hack The Box clearly wants to lay some foundation for individuals starting out on their journey. This is my summary of the steps I followed to work through the Starting Point lab.

Hack the Box and DNS

Sometimes, especially with web apps, within the Hack the Box labs, DNS may be required for the service to fully function. For example, a web page may redirect to a hostname, or some links on a web page, although the same host, could point to a domain name rather than the IP address used to initially access the web page.

These hostnames will more often than not be the current machine being worked on, .htb, for example, ignition.htb.

curl -v 10.129.1.27
*   Trying 10.129.1.27:80...
* Connected to 10.129.1.27 (10.129.1.27) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.129.1.27
> User-Agent: curl/7.74.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: nginx/1.14.2
< Date: Mon, 08 Nov 2021 18:54:50 GMT

< Location: <http://ignition.htb/> # <--- Redirecting to a hostname

# ... SNIP ...

< X-Frame-Options: SAMEORIGIN
<
* Connection #0 to host 10.129.1.27 left intact

So a way to work around this is to add an entry to the hosts file. This file will be queried whenever a name resolution is required; it will also occur before querying a DNS server.

# echo "{target_IP} ignition.htb" | sudo tee -a /etc/hosts
echo "10.129.1.27 ignition.htb" | sudo tee -a /etc/hosts

This file will now contain the IP address and hostname record

cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.1.27 ignition.htb

Now it would be possible to access the host on its hostname

curl -v ignition.htb
*   Trying 10.129.1.27:80...
* Connected to ignition.htb (10.129.1.27) port 80 (#0)
> GET / HTTP/1.1
> Host: ignition.htb
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK # <--- Resolved and reponse incoming.
< Server: nginx/1.14.2
< Date: Mon, 08 Nov 2021 19:04:52 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Accept-Encoding

Enumeration

Services

First, what services are running? I generally run a quick nmap of all ports, then I would run a service(-sV) as well as the default scrips(-sC) on the identified ports.

# Get ports
sudo nmap -p- --min-rate=1000 -T4 {target_IP}

# Probe services and versions, and run default scripts
sudo nmap -sC -sV -p {ports(comma seperated} {target_IP}

Web Directories (dirbusting 🤮)

Gobuster is currently the tool of choice when it comes to Web Directory discovery. It is also useful for other enumeration activities such as DNS or S3 bucket enumeration to name a few.

The challenge comes in with which wordlist to use, this can be a bit of an art, one I am no good at. But, in general /usr/share/wordlists/dirb/common.txt (on Kali) is a good one to start with.

gobuster dir --wordlist {wordlist} --url {target)

# Pass -x to search for file extensions as well, for example, php.
gobuster dir --wordlist {wordlist} --url {target) -x php

Foothold

Brute-forcing

Some usernames to work with and remember:

  • _blank passwords is a thing,
  • anonymous user for FTP services
  • Same password as username, admin:admin
  • Always try password as the password
admin
administrator
root
guest
user

Some Passwords to work with

password
password1
qwerty123
admin
admin1
root

Some username and password combinations

admin:password
admin:admin
root:root
root:password
admin:admin1
admin:password1
root:password1
guest:guest
user:user
administator:password
administator:administrator

FTP - Port 21

To connect to the remote FTP server, specify the target's IP address (or hostname), when prompted for our login credentials,  try anonymous as the username.

ftp {targer_IP}

In the case where the credentials are unknown brute forcing can be attempted using hydra

hydra -L {user_list} -P {password_list} ftp://{target_IP}

SMB - Port 445

Generally it would start with listing shares. Even without credentials, some shares may be readable with Guest or Anonymous authentication.

# Guest / Anonymous access
smbclient -L {target_IP}

# Pass -U to specify username
smbclient -L {target_IP} -U {username}

# Always try the default Administrator Account
smbclient -L {target_IP} -U Administrator

Some default (not necessarily accessible) shares may include,

  • ADMIN$ - Administrative shares created by the Windows NT family of operating systems that allow system administrators remote access to disk volume.
  • C$ - Administrative share for the C:\ disk volume.
  • IPC$ - The inter-process communication share. Used for inter-process communication via named pipes and is not part of the file system.
  • Other - Any other share that the authenticated use may have access to.

Access a share using smbclient

# Access specified share
smbclient \\\\{target_IP}\\{Share}

# Pass -U to specify username
smbclient \\\\{target_IP}\\{Share} -U {username}

MySQL - Port 3306

Interacting with MySQL database remotely may sometimes be possible, either without password, or if credentials have been obtained another way. Try root with no password.

mysql -h {target_IP} -u {user}

-- Prints out the databases we can access.
SHOW databases;

-- Set to use the database named {database_name}.
USE {database_name};

-- Prints out the available tables inside the current database.
SHOW tables;

-- Prints out all the data from the table {table_name}.
SELECT * FROM {table_name};

Injection

SQL Injection - Login Pages

Sometime in these CTF-like challenges, a PHP application will perform login action using a mySQL query such as the following to validate the provided username and password with what is stored in the database.

SELECT * FROM users WHERE username='$username' AND password='$password';

This is commonly used as en example and passing the admin'# as the username and the password as 123, the sql query will be constructed as follow:

SELECT * FROM users WHERE username='admin'#' AND password='123';

This means that if the user admin exists within the database, the column will be retrieved.

Note the #, this causes everything after it to be seen as a comment, and it should be clear why this is an issue. Only the username is being compare in the where clause and the password is just part of the comment. There are many articles explaining this in more details for those interested. This is a good one to start with https://portswigger.net/web-security/sql-injection.

NOTE: Some databases make use of -- as comments, so more research may be required.

Remote Access

SSH - Port 22

If credentials were obtained, it may be possible to remotely access a server using ssh:

ssh {username}@{target_IP}

It is possible to attempt an brute-force attack using hydra:

hydra -l {username} -P {password_list} {target_IP} ssh

# Substitute -l for -L to specify user_list
hydra -L {username_list} -P {password_list} {target_IP} ssh

RDP - Port 3389

xfreerdp is a good option, and should be available on Kali.

Try simple users ['administrator', 'admin', 'root']without passwords

xfreerdp /cert:ignore /u:Administrator /v:{target_IP}

Conclusion

This summary should be a good starting point, pun intended?, to work from, I like what the Hack the Box team does. Their platform is inspiring.

If you enjoyed the post, please consider to subscribe so that you receive future content in your inbox :)

Psssst, worried about sharing your email address and would rather want to hide it? Consider using a service I created to help with that: mailphantom.io

Also, if you have any questions, comments, or suggestions please feel free to Contact Me.