#1 Meow - Starting Point - Hack The Box || Complete detailed Walkthrough

Hack the Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests.





 

Before we start with our very first vulnerable machine, make sure you are connected to the target's network and know your way around a terminal.


Setting Up


Step 1: Connect To HTB

To connect to the HTB network, click on “connect to HTB” and choose your "machine type". If you are at the beginner level, choose "starting point"; if you are at the intermediate level, you can choose a machine.



Step 2: Choose Starting Point

When visiting the Starting Point lab's page, you might have been prompted to pick between a Pwnbox connection or a VPN configuration file that you can download and run on your virtual machine or local machine.


Method 1:  

Running Pwnbox is straightforward, and you do not require any additional steps to connect to the target machine. If you boot up a new instance of Pwnbox under the Starting Point option, you will be automatically placed in the same network as the target.



Method 2:

If you choose to download the VPN (.ovpn) configuration file instead, you will also need to download the OpenVPN application.




Step 3: Download OpenVPN 

Click this link to download OpenVPN: https://openvpn.net/download-open-vpn/ and install it.


Step 4: Upload the “.ovpn”

Browse to the .ovpn file that you downloaded in Step 2 (Method 2), and click connect to get connected with HTB.


Our connection is now established, and we are ready to start our first mission, which is Meow.



Introduction

When we first start a penetration test or any security evaluation on a target, a primary step is known as Enumeration. This step consists of documenting the current state of the target to learn as much as possible about it. Since you are now on the same Virtual Private Network (VPN) as the target, you can directly access it as any user would.

 


If the target is a web server, running a public web page, you can navigate to its IP address to see what the page contains. If the target is a storage server, you can connect to it using the same IP address to explore the files and folders stored on it, provided that you have the necessary credentials. 

How do you find these services? You cannot manually search for them because it would take a long time. Every server uses ports in order to serve data to other clients.

The first steps in the Enumeration phase involve scanning these open ports to see the purpose of the target on the network and what potential vulnerabilities might appear from the services running on it. In order to quickly scan for ports, we can use a tool called Nmap.




Enumeration

After our VPN connection is successfully established, we can ping the target's IP address to see if our packets reach their destination. You can take the IP address of your current target from the Starting Point lab's page and paste it into "Command Prompt".


After successful replies from the target, we can determine that our connection is formed and stable.

From here, we can proceed with the next step, which is scanning all of the target's open ports to determine which services are running on it. To start the scanning process, we are going to use Nmap.

Nmap stands for Network Mapper, and it will send requests to the target's ports in hopes of receiving a reply, thus determining if the said port is open or not. Some ports are used by default by certain services. Others might be non-standard, which is why we will be using the service detection flag -sV to determine the name and description of the identified services.



Following the completion of the scan, we have identified that port 23/TCP is in an open state, running the telnet service.
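The point about -sV above, turned into a defender's check: the added example below (not part of the original walkthrough) reads Nmap's normal output and flags open cleartext remote-management services by detected service name, so telnet is caught even on a non-standard port. The scan text is constructed, and the second host (192.0.2.10), its ports, the version strings and the list of flagged service names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag cleartext remote-management services in nmap -sV output.
# The scan text is constructed; the second host and its ports are hypothetical.

SAMPLE_SCAN='Nmap scan report for 10.129.157.37
PORT     STATE  SERVICE VERSION
23/tcp   open   telnet  Linux telnetd
Nmap scan report for 192.0.2.10
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 8.2p1
2323/tcp open   telnet  BusyBox telnetd
21/tcp   closed ftp'

# flag_cleartext_services: read nmap normal output on stdin and print
# "host port service" for every OPEN port whose detected service sends
# credentials in cleartext. Matching is on the service name (column 3),
# not the port number, so non-standard ports are still reported.
flag_cleartext_services() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" &&
        $3 ~ /^(telnet|ftp|login|shell|exec)$/ {
            print host, $1, $3
        }
    '
}

# scan_findings: run the check over the constructed sample scan.
scan_findings() {
    printf '%s\n' "$SAMPLE_SCAN" | flag_cleartext_services
}

scan_findings
```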

What is Telnet?

Telnet is an old service used for remote management of other hosts on the network. 

To install telnet on WSL:

┌──(mrdev㉿mrdev)-[~] 
└─$ sudo apt-get install telnet

Since the target is running the "Telnet" service, it can receive Telnet connection requests from other hosts in the network (such as ourselves). We can connect by using this command:

┌──(mrdev㉿mrdev)-[~] 
└─$ telnet 10.129.157.37

Usually, connection requests through telnet are configured with username and password combinations for increased security. We can see this is the case for our target, as we are met with a Hack the Box banner and a request from the target to authenticate ourselves before being allowed to proceed with remote management of the target host.



We will need to find some credentials that work to continue since there are no other ports open on the target that we could explore.


Foothold

Sometimes, due to configuration mistakes, some important accounts can be left with blank passwords for the sake of accessibility. This is a significant issue with some network devices or hosts, leaving them open to simple brute-forcing attacks, where the attacker can try logging in sequentially, using a list of usernames with no password input. Some typical important accounts have self-explanatory names, such as:
  • Admin
  • Administrator
  • Root

Let’s attempt logging in with these credentials in hopes that one of them exists and has a blank password.


The first two were not so lucky for us. When things look down, it is essential to keep going, be persistent. We can't succeed unless we attempt all possibilities. Let us try the last one.


Success! We have logged into the target system. We can now go ahead and take a look around the directory we landed in using the ls command. There is a possibility we might find what we are looking for.

The flag.txt file is our target in this case. Most of Hack The Box's targets will have one of these files, which will contain a hash value called a flag.

The naming convention for these targeted files varies from lab to lab. For example, weekly and retired machines will have two flags, namely “user.txt” and “root.txt”. You can read the file to have the hash value displayed in the terminal using the cat command:

root@meow:~# ls
flag.txt snap
root@meow:~# cat flag.txt
*******************************19

Copying the flag and pasting it into the Starting Point lab's page will grant you ownership of this machine, completing your very first task.
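The misconfiguration behind this foothold, a privileged account with a blank password, can be caught from the host side. The added example below (not part of the original walkthrough) lists accounts whose shadow password field is empty, rates UID 0 accounts as critical, and reports PAM auth lines where pam_unix carries the nullok option. All passwd, shadow and PAM content in it is constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): host-side audit for
# accounts with an empty password field. All sample data below is constructed.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc:x:1001:1001::/home/svc:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash'

# Field 2 of shadow: empty = no password needed, "*" or "!" = locked.
SAMPLE_SHADOW='root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc::19000:0:99999:7:::
alice:$6$constructed$notarealhash:19000:0:99999:7:::'

# Constructed PAM auth line; "nullok" lets pam_unix accept empty passwords.
SAMPLE_PAM='auth [success=1 default=ignore] pam_unix.so nullok'

# audit_blank_passwords PASSWD_FILE SHADOW_FILE
# Prints "SEVERITY user uid shell" for every account with an empty hash field.
audit_blank_passwords() {
    awk -F: '
        NR == FNR { uid[$1] = $3; shell[$1] = $7; next }  # first file: passwd
        $2 == "" {
            sev = "WARNING"
            if (($1 in uid) && uid[$1] + 0 == 0) sev = "CRITICAL"  # UID 0
            print sev, $1, (($1 in uid) ? uid[$1] : "?"), shell[$1]
        }
    ' "$1" "$2"
}

# pam_nullok_lines FILE: print active auth lines where pam_unix has nullok.
pam_nullok_lines() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*nullok' "$1"
}

# run_sample_audit: run both checks over the constructed samples.
run_sample_audit() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_SHADOW" > "$tmp/shadow"
    printf '%s\n' "$SAMPLE_PAM" > "$tmp/common-auth"
    audit_blank_passwords "$tmp/passwd" "$tmp/shadow"
    pam_nullok_lines "$tmp/common-auth" | sed 's/^/NULLOK /'
    rm -rf "$tmp"
}

run_sample_audit
```

On a real host, run audit_blank_passwords as root against /etc/passwd and /etc/shadow, and pam_nullok_lines against the distribution's PAM auth file (for example /etc/pam.d/common-auth on Debian-based systems).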


Task Solution/ Answer:


TASK 1: What does the acronym VM stand for?

Ans. Virtual Machine


TASK 2: What tool do we use to interact with the operating system in order to start our VPN connection?

Ans. Terminal


TASK 3: What service do we use to form our VPN connection?

Ans. OpenVPN


TASK 4: What is the abbreviated name for a tunnel interface in the output of your VPN boot-up sequence output?

Ans. tun


TASK 5: What tool do we use to test our connection to the target?

Ans. Ping


TASK 6: What is the name of the script we use to scan the target's ports?

Ans. nmap


TASK 7: What service do we identify on port 23/tcp during our scans?

Ans. telnet


TASK 8: What username ultimately works with the remote management login prompt for the target?

Ans. root


