Write-Up: Hack The Box: Starting Point — Tier 1

CyberJazz
Published in System Weakness
10 min read · Feb 2, 2022


Tier 1 of the “Starting Point” series consists of six boxes: Appointment, Sequel, Crocodile, Ignition, Pennyworth and Tactics.

Box 1: Appointment

This box is tagged “Linux”, “SQL”, “SQLi” and “MariaDB”. We can log into the web interface with a very basic SQL injection payload.

Questions:

  • What does the acronym SQL stand for? Structured Query Language
  • What is one of the most common type of SQL vulnerabilities? SQL Injection
  • What does PII stand for? Personally Identifiable Information
  • What does the OWASP Top 10 list name the classification for this vulnerability? A03:2021-Injection

So let’s run nmap:

  • What service and version are running on port 80 of the target? Apache httpd 2.4.38 ((Debian))
  • What is the standard port used for the HTTPS protocol? 443
  • What is one luck-based method of exploiting login pages? brute-forcing
  • What is a folder called in web-application terminology? directory
  • What response code is given for “Not Found” errors? 404
  • What switch do we use with Gobuster to specify we’re looking to discover directories, and not subdomains? dir
  • What symbol do we use to comment out parts of the code? #

We point the browser to the box IP address and see a login field:

We can log in with admin' or 1=1;# as the username (the password field can hold anything). The single quote closes the username string, or 1=1 makes the WHERE clause true for every row, and # starts a MariaDB line comment, so the rest of the query, including the password check, is never evaluated.
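To make the bypass concrete, here is an added example (not code from the original write-up or from the box) that rebuilds a login query the vulnerable way beside a parameterised version and runs both against a constructed in-memory SQLite table. The table schema and the credentials in it are assumptions. SQLite does not treat # as a comment marker, so the executed payload uses the -- form; the query string MariaDB would see for the page's own admin' or 1=1;# payload is built separately.

```python
import sqlite3


def make_db():
    """Constructed demo database; the real box's schema is not known."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "S3cretP@ss"), ("jazz", "letmein")])
    return con


def vulnerable_query(username, password):
    """Build the query the way a vulnerable login page typically does:
    by pasting user input straight into the SQL text."""
    return ("SELECT username FROM users "
            "WHERE username='%s' AND password='%s'" % (username, password))


def login_vulnerable(con, username, password):
    """Execute the concatenated query; attacker input is parsed as SQL."""
    row = con.execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterised query: values travel separately from the SQL text,
    so quotes and comment markers in the input stay plain data."""
    row = con.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # The statement MariaDB receives for the payload used on the box.
    # '#' opens a comment there, so "AND password=..." is never evaluated.
    print(vulnerable_query("admin' or 1=1;#", "anything"))

    # Same mechanism in SQLite, whose line comment is '-- ' instead of '#'.
    con = make_db()
    print(login_vulnerable(con, "admin' or 1=1-- ", "wrong"))  # admin
    print(login_safe(con, "admin' or 1=1-- ", "wrong"))        # None
```

The first print shows why the password check disappears; the last two show that the same input is harmless once the query is parameterised, which is the fix the OWASP Injection category points at.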

  • Submit root flag — Try yourself!

Box 2: Sequel

This box is tagged “Linux”, “SQL”, “MariaDB” and “Weak Password”. It turns out we can log in remotely to MariaDB as the root user without providing a password.

  • What does the acronym SQL stand for? Structured Query Language
  • During our scan, which port running mysql do we find? 3306
  • What community-developed MySQL version is the target running? MariaDB
  • What switch do we need to use in order to specify a login username for the MySQL service? -u
  • Which username allows us to log into MariaDB without providing a password? root
  • What symbol can we use to specify within the query that we want to display everything inside a table? *
  • What symbol do we need to end each query with? ;

After logging in, we can list all databases with show databases; and switch to the “htb” database with use htb;. Then we list its tables with show tables; and dump their content with select * from <tablename>;, which returns the flag.

  • Submit root flag — Try yourself!

Box 3: Crocodile

This box is tagged “Linux”, “PHP” and “FTP”. The FTP server allows anonymous login, so we can download files containing usernames and passwords from it and then log in to the website once we have found the login page.

  • What nmap scanning switch employs the use of default scripts during a scan? -sC
  • What service version is found to be running on port 21? vsftpd 3.0.3
  • What FTP code is returned to us for the “Anonymous FTP login allowed” message? 230
  • What command can we use to download the files we find on the FTP server? get

So let’s do this. We can log into the FTP server with ftp <ip> (username anonymous, any password) and download the files with get <filename>.

  • What is one of the higher-privilege sounding usernames in the list we retrieved? admin
  • What version of Apache HTTP Server is running on the target host? 2.4.41
  • What is the name of a handy web site analysis plug-in we can install in our browser? wappalyzer
  • What switch can we use with gobuster to specify we are looking for specific filetypes? -x

Then we search for PHP files with gobuster (-x php) and find login.php:

We can login with the username and password from the downloaded files. Then we can get the flag.

  • Submit root flag — Try yourself!

Box 4: Ignition

This box is tagged “Linux”, “Web”, “PHP” and “Web Fuzzing”. It turns out that we can reach the page by adding the domain to our /etc/hosts file, then fuzz for the login URL and log in with some very common credentials.

First we run nmap.

  • Which service version is found to be running on port 80? nginx 1.14.2

Now we try to connect via the browser. However, we are immediately redirected to http://ignition.htb and the browser reports “We can’t connect to the server at ignition.htb”.

From the network tab, we can see that the initial request to the IP address had a status code “302 Found”.

  • What is the 3-digit HTTP status code returned when you visit http://{machine IP}/? 302
  • What is the virtual host name the webpage expects to be accessed by? ignition.htb
  • What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs? /etc/hosts

So let’s add it to our /etc/hosts file (the file is root-owned, so we need sudo): echo '10.129.113.13 ignition.htb' | sudo tee -a /etc/hosts. Now we can see the page in the browser.

Fuzzing with dirb returns the link to the admin login page:

Since we have no information about the password, we can try some default credentials. For Magento 1 the default login was reportedly “admin:123123”, but it fails here. On the Magento documentation page we find the requirements for the admin password: seven or more characters, including both letters and numbers.[1]

Now we could try to fuzz the password, but the network tab shows that the login form also posts a form_key value, which is generated in a JavaScript <script> block on the page and is tied to the session. Every request therefore needs a fresh, valid form_key, which makes a plain brute-force of the password considerably harder.

Instead, we follow the hint and try to guess the password. Take the SecLists wordlist 2020-200_most_used_passwords.txt and remove all passwords with fewer than 8 characters, as well as those containing no digits or no letters:

sed -ri '/^.{,7}$/d' passwords.txt     # remove passwords shorter than 8 characters
sed -ri '/[0-9]/!d' passwords.txt      # remove passwords without a digit
sed -ri '/[a-zA-Z]/!d' passwords.txt   # remove passwords without a letter

This leaves only 36 passwords. If we also use the hints (the password ends with “3” and is nine characters long), only a few remain and we can simply try them by hand.
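The same narrowing, generalised a little, as an added example that is not part of the original write-up: the policy filter from the sed commands plus the two hints (exact length, trailing character) applied in one pass, so the candidate list can be regenerated whenever a new hint turns up. The sample wordlist below is constructed for the demo and is not the SecLists file; the password rule is the one quoted from the Magento documentation, and the min_len default of 7 follows that rule while the box uses 8.

```python
import re

# Constructed sample wordlist in the spirit of SecLists'
# 2020-200_most_used_passwords.txt; it is not the real file.
SAMPLE_WORDS = [
    "123456", "password", "qwerty123", "abc123", "iloveyou", "password1",
    "1q2w3e4r", "letmein", "admin123", "welcome1", "monkey", "qwerty",
    "football", "1234567890", "zaq12wsx",
]


def meets_magento_policy(word, min_len=7):
    """Magento admin password rule: at least min_len characters and
    containing both a letter and a digit."""
    return (len(word) >= min_len
            and re.search(r"[0-9]", word) is not None
            and re.search(r"[A-Za-z]", word) is not None)


def filter_candidates(words, min_len=7, exact_len=None, ends_with=None):
    """Keep only words that satisfy the policy plus any extra hints
    (exact length, trailing character) gathered about the target."""
    kept = []
    for w in words:
        if not meets_magento_policy(w, min_len):
            continue
        if exact_len is not None and len(w) != exact_len:
            continue
        if ends_with is not None and not w.endswith(ends_with):
            continue
        kept.append(w)
    return kept


def load_wordlist(path):
    """Read a wordlist file, one candidate per line, skipping blanks."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return [line.rstrip("\n") for line in f if line.strip()]


if __name__ == "__main__":
    # Policy only (as the sed commands do), then policy plus both hints.
    print(filter_candidates(SAMPLE_WORDS, min_len=8))
    print(filter_candidates(SAMPLE_WORDS, min_len=8, exact_len=9, ends_with="3"))
```

With the real wordlist, swap SAMPLE_WORDS for load_wordlist("2020-200_most_used_passwords.txt"); the hints cut the 36 survivors down to a handful that can be tried through the login form by hand, form_key and all.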

  • What is the full URL to the Magento login page? http://ignition.htb/admin
  • What password provides access as admin to Magento? qwerty123
  • Submit root flag — Try by yourself!

Box 5: Pennyworth

This box is tagged “Linux”, “Web”, “Java” and “Weak Password”. We find a web server running Jenkins; with administrator access, its Script Console lets us run arbitrary Groovy scripts on the server.

  • What does the acronym CVE stand for? Common Vulnerabilities and Exposures
  • What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for? Confidentiality, Integrity, Availability

Now we do the nmap scan:

  • What is the version of the service running on port 8080? Jetty 9.4.39.v20210325

The login page doesn’t show the Jenkins version, and an nmap scan with --script=broadcast-jenkins-discover doesn’t reveal anything either.

However, fuzzing shows that there is an error page, and this resource tells us that the version can be read from it.

  • What version of Jenkins is running on the target? 2.289.1
  • What type of script is accepted as input on the Jenkins Script Console? Groovy

Also, we learn from this resource that Jenkins is very weak against brute-forcing attacks. So I tried to brute-force the page with hydra and some “Default Credentials” user/password lists from SecLists. However, something was wrong, because it showed “failed login” even when I tested correct login data. I guess I made a mistake with the search string. For the sake of documentation:

# This does not work!!
hydra -C /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt -u -f 10.129.204.188 -s 8080 http-post-form '/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:S="dashboard"'

So I tried the same thing with Burp Intruder. We fuzz j_username and j_password and, since we want to try each combination, the attack type is “Cluster Bomb”.

I set just 3 usernames and 8 passwords as a proof of concept, because I already knew the correct credentials from the walkthrough PDF…

Then we start the attack. The correct credentials are easy to spot because the response has a different length from all the failed attempts.

The correct credentials are “root:password”. Next we land on the administrator dashboard, which gives us access to the Script Console. The Script Console executes arbitrary Groovy on the Jenkins controller with the privileges of the Jenkins process, so we can use it to spawn a reverse shell. Following this write-up[2], we click on “Manage Jenkins” and then on “Script Console” and paste our code there. We don’t yet know whether the host runs Linux or Windows, so we try Linux first; the only part of the script that depends on the OS is the shell it launches. The script itself is in the linked write-up.

After a few seconds, our listener receives the connection and we have a root shell.

  • What would the “String cmd” variable from the Groovy Script snippet be equal to if the Target VM was running Windows? cmd.exe
  • What is a different command than “ip a” we could use to display our network interfaces’ information on Linux? ifconfig
  • What switch should we use with netcat for it to use UDP transport mode? -u
  • What is the term used to describe making a target host initiate a connection back to the attacker host? reverse shell
  • Submit root flag — Try by yourself!

Box 6: Tactics

This machine is tagged “Windows”, “SMB” and “Weak Password”. We can log into the SMB service as Administrator with an empty password and download files from the administrative C$ share.

  • Which Nmap switch can we use to enumerate machines when our packets are otherwise blocked by the Windows firewall? -Pn

-Pn stands for “no ping”: nmap skips host discovery (the ICMP echo and other probes it normally sends first) and treats every target as online, which is what we need when the Windows firewall drops those probes. The nmap help page describes it as “Treat all hosts as online – skip host discovery”.

  • What does the 3-letter acronym SMB stand for? Server Message Block
  • What port does SMB use to operate at? 445
  • What command line argument do you give to smbclient to list available shares? -L

Now we run nmap with the -Pn option:

  • What character at the end of a share name indicates it’s an administrative share? $

Now let’s check out what we can find about this resource. This website gives a very good overview of tools that can be used for this kind of testing.[3] enum4linux prints its “Known Usernames” list (administrator, guest, krbtgt, domain admins, root, bin, none); note that these are the names the tool tries by default for its lookups, not accounts it has discovered on the target.

Unfortunately, brute-forcing with Hydra gives an error (probably because of the firewall), and the nmap scripts smb-enum-users and smb-enum-shares don’t yield any results. I also tried to connect via the RDP port as the administrator or guest user, but that didn’t work either.

After checking the walkthrough, I realized that the output from enum4linux was misleading. The username is not “administrator” but “Administrator”. As in the RPC example, we can enter the share with an empty password.

Now we can log into the share itself by replacing the -L listing flag with the path of the share:

Alternatively, we can use Impacket’s smbclient, as the question suggests:

$ impacket-smbclient C$/Administrator:@10.129.113.202

We receive a prompt: shares lists the available shares, use C$ selects one, and get downloads a file from it.

With psexec we can try to get an interactive shell on the system (this failed here with an “uninstallation error”):

$ impacket-psexec "./Administrator:"@10.129.113.202

Either way we find a flag on the Administrator’s desktop.

  • Which Administrative share is accessible on the box that allows users to view the whole file system? C$
  • What command can we use to download the files we find on the SMB Share? get
  • Which tool that is part of the Impacket collection can be used to get an interactive shell on the system? psexec.py
  • Submit root flag — Try by yourself!
