Hackthebox

Jason Sohl
Full Stack developer, security enthusiast, Flutter developer, pretty much whatever you need me to be

I've got a long way to go.

Today I wanted to see where I was at, and I've learned that I've got quite a long way to go - but I don't feel like this is discouraging. I may be even more excited than I was when I decided to start this journey.

I took the better part of the day, bought the VIP access on HTB and started working on all the easy machines. The nice part about the VIP access now is that you can spin up any retired box on demand and work on it as you please - this is a new feature that was added and was a deciding factor for me.

This was mostly a day of getting stuck, finding hints, learning how the various processes work, finding more hints, getting stuck again, learning more, and around and around. It made me build some methodology to how I attack these boxes, what to do first, where to check for vulnerabilities, how not to get stuck down a rabbit hole.

I started getting a little bit frustrated, but finally I found a remote code execution vulnerability and I was able to compile a python reverse backdoor I had built into an exe from Kali and upload it to the target - started my listener that I also built and waited for the shell to pop... And when it did, I was hooked.

This will be a checklist of sorts for me (or anyone else) to reference for future boxes.

Obviously we want to start with a scan first:

nmap -sC -sV -oN [host].txt [hostIP]

-sC : Scan default Scripts
-sV : Scan for versions
-oN : Output normal, specify the file to save the output as - this is Nmap's normal output. -oX is XML, -oG is grepable format and -oA is all formats

Make sure to evaluate all of the services that you come across: you might get FTP and SMB but only have access to one or the other, or different types of access on each. Occasionally you may want to run Nmap with the -p- flag, which scans all 65535 ports. Run that one in the background, as it can take a while. The default scan only covers the most common ports, so if someone is running a service on a non-standard port, the default scan will miss it.

Run version checks on all services, check them on exploit-db or searchsploit (command line tool for exploit-db) - run a search through msf to see if there are any vulnerabilities for the versions you see.
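Once the scan is saved with -oN, the next step is pulling the open ports, service versions and NSE script output back out of that file so each version can be checked against searchsploit, and so a later -p- scan can be compared against the default scan. The parser below is an added example and not part of the original post; the nmap output it reads is a constructed sample (the IP, product versions and script lines are made up for illustration), and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap -sC -sV -oN` (normal) output. The host, versions
# and script lines are invented for this example, not taken from a real box.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated Sat Jan  4 10:00:00 2020 as: nmap -sC -sV -oN box.txt 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             120 Jan 01 00:00 notes.txt
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Sat Jan  4 10:01:30 2020 -- 1 IP address (1 host up) scanned in 90.00 seconds
"""

# Constructed stand-in for a later `-p-` scan of the same host that found one
# extra port the default scan did not cover.
SAMPLE_FULL_SCAN = SAMPLE_NMAP_OUTPUT.replace(
    "8080/tcp filtered http-proxy",
    "8080/tcp filtered http-proxy\n31337/tcp open  unknown",
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: list = field(default_factory=list)  # NSE output lines for this port


# One port line: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text):
    """Parse nmap -oN text into Service records, attaching script output to ports."""
    services = []
    current = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            current = Service(int(port), proto, state, name, (version or "").strip())
            services.append(current)
        elif line.startswith("|") and current is not None:
            # Lines beginning with "|" or "|_" belong to the most recent port.
            current.scripts.append(line.lstrip("|_ ").rstrip())
        else:
            current = None  # anything else ends the current port's block
    return services


def open_services(services):
    return [s for s in services if s.state == "open"]


def version_queries(services):
    """Product + version strings to feed to searchsploit, parentheticals dropped."""
    queries = []
    for s in open_services(services):
        if s.version:
            queries.append(re.sub(r"\s*\(.*\)\s*$", "", s.version))
    return list(dict.fromkeys(queries))  # dedupe, keep order


def anonymous_findings(services):
    """(port, script line) pairs where an NSE script reported anonymous access."""
    return [(s.port, line) for s in services for line in s.scripts
            if "anonymous" in line.lower()]


def new_ports(baseline, full):
    """Ports present in the full (-p-) scan but absent from the default scan."""
    return sorted({s.port for s in full} - {s.port for s in baseline})


if __name__ == "__main__":
    default_scan = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for s in open_services(default_scan):
        print(f"{s.port}/{s.proto}  {s.name:<12} {s.version}")
    print("searchsploit queries:", version_queries(default_scan))
    print("anonymous access:", anonymous_findings(default_scan))
    print("only in -p- scan:", new_ports(default_scan, parse_nmap_normal(SAMPLE_FULL_SCAN)))
```

Pointing parse_nmap_normal at the contents of the real [host].txt file gives the same three lists for an actual box: a version list to run through searchsploit one by one, any anonymous-access findings to follow up under the FTP and SMB steps below, and the ports that only showed up once the full port range was scanned.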

Gobuster is a great option for enumeration of directories: gobuster dir -u [hostname] -t 10 -w [path/to/wordlist] -o [outputfile]. To run this against subdomains, use the dns mode instead of dir, which takes the domain with -d rather than -u: gobuster dns -d [domain] -w [path/to/wordlist]. However, I've started using Rustbuster [https://github.com/phra/rustbuster] - this is a conglomeration of enumeration tools from dirbuster, gobuster, wfuzz and a few others, implemented in Rust, and it's fast.

SMB shares are a common thing in these boxes (port 139, 445), you can run a few commands here to get some info on these:

smbclient -L //[hostIP] will list the Shares on the machine, smbmap -H [hostIP] -u anonymous will give you more comprehensive information, including READ/WRITE access. This is assuming that anonymous login is enabled on the box.

To connect to a share, you can try anonymously: smbclient //[hostIP]/[Share] or, if you have some credentials: smbclient //[hostIP]/[Share] -U [Username] (smbclient takes the username with an uppercase -U; it will prompt for the password).

For FTP access, ncFTP is pretty great, it handles all of the anonymous login stuff for you so you don't have to do the whole USER anonymous PASS whatever thing.

If there's a DNS service (port 53), be sure to use dig to search for more subdomains - you'll need to have the /etc/hosts entry for this for sure. I need to do more research on this, but from what I've read, it looks like you're using the DNS host of the system to look for zone transfer records which will spit out the subdomains available: dig axfr @[HostIP] [hostname] (The [hostname] portion is why you'll need to have your hosts file set up.) I believe there's also a way to add the server as a nameserver on your box so that the subdomains will resolve but I have more to look into on that. Thinking about it now, if this is being used on HTB and you don't have a DNS server on your box with those entries, the subdomain dictionary attack will likely return nothing.

Anyway, this one was long and all over the place. Hope it helps someone out
