The IP of Active is . I tried the EternalBlue attack when I saw the port was open, but I guess this was a patched version of SMB, so I had to start with the enum4linux script.
As we all know, it is the best script for SMB enumeration. Here I downloaded Groups. So here I found the cpassword attribute value embedded in the Groups. In the nmap scan result we saw that port 88 was open for Kerberos, hence there must be some Service Principal Names (SPNs) associated with a normal user account.
Finally, it was time to crack the hashes and obtain the password using the rockyou wordlist.
We got it: Ticketmaster for the administrator. Without wasting time I loaded the Metasploit framework and ran the following module to spawn a full-privilege SYSTEM shell. We found our 2nd flag, the root.
Level: Easy. Task: To find user.

Tally is enumeration galore, full of red herrings, distractions, and rabbit holes. I spent hours digging through files and directories on this one. Tally will test your patience, but it felt like a very realistic box, so I enjoyed it. An interesting exploit at the end as well. So we have a few interesting services to take a look at, including a SharePoint site.
Lucky for us, seclists has a wordlist specifically for SharePoint. Great… so we can see we have a ton of stuff to look through. We can see that there is one document and also a site page listed from the directory.
Excellent, some FTP details. After downloading, we open it and are presented with the following information: Not of much use, but still good information to have. Now that we have our hash, we can run it against hashcat. Remove tim: from the hash before trying to crack it. I run hashcat on my Windows host. We find three entries. The only one of real interest is some share credentials.
Ah yes, more folders to dig through. There is quite a bit of stuff here, along with a few red herrings. This information gets us nothing and is just a distraction. We also find an interesting zip file. The zip file is password-protected.
Again, another red herring. Note: you will probably have to re-enable this a few times; it seems to disable automatically after a certain period of time. To get around this we can use Veil. After generating the exe, we can upload it via FTP to the Intranet folder. We know we have write permissions there from the instructions on the SharePoint Finance page from earlier.
So maybe we can elevate with this knowledge, since service accounts usually have special privileges. Excellent, it looks like we have the privileges we need to perform the attack. Back in our meterpreter session we load the incognito extension.
absolomb's security blog

Enumeration: As always, an nmap scan to get us going.

If you are uncomfortable with spoilers, please stop reading now. At this point in time, my best bet is to start with the http service. This is how it looks. During enumeration of you can see that the crypt-hashed, base64-encoded passwords of ldapuser1 and ldapuser2 are exposed. The passwords are close to unbreakable because of the salt and six iteration rounds.
Obviously, cracking the hash is not the way to go. How do we get the passwords, then? LDAPv3 supports various authentication methods; simple authentication is the one where the plaintext username and password are sent over the wire, susceptible to network sniffing. How do we trigger the authentication, then?
By going to status. Something must be going on behind the scenes. I copy the file over to my attacking machine for offline cracking, using base64 like so. Copy and paste the base64 string over to my attacking machine and base64-decode it back to the file. Use 7z2john to generate a hash and send it to John the Ripper for cracking.
In status. The openssl here has superpowers! It can basically do anything. We can now sudo ourselves to root and retrieve root.

Machine writeups until March are protected with the corresponding root flag.
But since this date, HTB flags are dynamic and different for every user, so it is not possible for us to maintain this kind of system. So from now on we will accept only password-protected challenges and retired machines (write-ups of retired machines don't need a password). It is totally forbidden to unprotect (remove the password) and distribute the PDF files of active machines; if we detect any misuse, it will be reported immediately to the HTB admins.
Anyway, the authors of the writeups of active machines in this repository are not responsible for any misuse of the corresponding documents. Please understand that this is done to share techniques, not for spoilers. In this way, you will be added to our top contributors list (see below) and you will also receive an invitation link to an exclusive Telegram group where several hints (not spoilers) are discussed for the HackTheBox machines.
Please consider protecting the text of your writeup e. Of course, if someone leaks a writeup of an active machine, it is not the responsibility of the author. If we detect someone who does it, we will immediately report them to the HTB Staff so they can take the appropriate measures. Note: the minimum requirement to enter the "special" Telegram group is also to have Hacker level or higher (no script kiddies).
Hack The Box is a superb platform to learn pentesting; there are many challenges and machines of different levels, and with each one you manage to pass you learn a new thing. But talking among ourselves we realized that many times there are several ways to root a machine or get a flag. That's why we created this repository, as a site to share different unofficial writeups, to see different techniques and acquire even more knowledge.
That is our goal and our passion: to share, to learn together. Some people have been distrustful because in this repository there are writeups of active machines, even knowing that absolutely every one of them is protected with the corresponding password (root flag or challenge flag). But we did not want to give this up, because we think the most interesting thing for an HTB player is to check other users' walkthroughs right after they get it, that is, not wait for weeks or months afterwards.
For this reason, we asked the HTB admins and they gave us a pleasant surprise: in the future, they are going to add the ability for users to submit writeups directly to HTB, which can automatically be unlocked after owning a machine. They will also merge in all of the writeups from this GitHub page. Simply great! Therefore it is a real source of pride that they have decided to include the functionality of this repo directly on their platform. When this is done, this GitHub repository will be migrated and become inactive, but with a pleasantly fulfilled mission.
Until then, keep pushing!
Hack the Box – Lightweight Walkthrough
Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles.
This walkthrough is of an HTB machine named Lightweight. HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve a puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform. Note: Only write-ups of retired HTB machines are allowed.
The machine in this article, named Lightweight, is retired.
We can use the ldapsearch utility or an Nmap script, as below, to perform enumeration on port . We could see we have two users: ldapuser1 and ldapuser2. Moving to port . Below is the landing page, which shows that the site is protected against brute-forcing, so we might need to avoid using directory enumeration for now on this box.
The enumeration user page shows that as soon as the page is browsed, the IP is added to the machine and the user can then log in with the same info. Now we need to escalate to some other user to get the flags.
Hack the Box (HTB) machines walkthrough series — Lightweight
It looks like tcpdump has all the privileges we need; maybe that is an indication that we need to sniff the traffic, or there is already a pcap file on the system which needs to be analyzed. After a few packets, we can see an LDAP bind request from ldapuser2 in the packet, with a password.
At this point, we were able to grab the user. Transferring it to our own system by base encoding it, as shown below. We need to brute-force the password for this file, so we will use the utility here. Running the utility, we could see that the file password was identified. Enumerating the status. Using that password, switching to user ldapuser1 was successful. We can use that file to read root. Note that the location of openssl is in the user directory and not the default location.
We also need a root shell. Below, we can see that the root salted is replaced with our generated one. We also learned how to use the in and out parameters of openssl, which is worth noting.
As we can see, we have ports 22, 80 and open. We tried it, and it worked! Trying to su to ldapuser2 was successful. After enumeration, we found that we have a backup.
It looks like the file is password-protected, as can be seen below.

It is a retired vulnerable lab presented by Hack the Box for helping pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level. Note: Since these labs are available online, they have a static IP. The IP of Lightweight is . When I opened the user.
Therefore, I tried to connect with SSH using . At this point, I was not sure what should be done to extract the hidden flag, so I thought to identify the binaries with file capabilities with the help of getcap, and saw a fruitful result. As a result, we observe the following traffic, as predicted, where I found the ldapuser2 password in plaintext.
I found some php files here and looked for status. This time, once again, I checked for file capabilities, where I saw that OpenSSL has all privileges to read a file owned by the root user, and therefore we decided to grab root.
For this, the command used is.
Level: Medium. Task: To find user.
Nmap done: 1 IP address 1 host up scanned in
Nmap listed two usernames, ldapuser1 and ldapuser2, along with a hash of their passwords in the result of the nmap scan, yet we did not crack them.
As we have seen in the above image, tcpdump has the capability to capture all network traffic even with low-privileged access, therefore I triggered the following command to inspect LDAP connection traffic if possible.
And then navigate to the browser to activate authentication via status.

It contains several challenges that are constantly updated.
Some of them simulate real-world scenarios and some lean more towards a CTF style of challenge. Only write-ups of retired HTB machines are allowed.
Legacy is the second machine published on Hack The Box and is for beginners, requiring only one exploit to obtain root access. We will use the following tools to pwn the box from a Kali Linux box. This is one of the most important parts, as it will determine what you can try to exploit afterwards.
It is always better to spend more time on that phase to get as much information as you can. I will use Nmap (Network Mapper). Nmap is a free and open-source utility for network discovery and security auditing. There are many commands you can use with this tool to scan the network.
If you want to learn more about it, you can have a look at the documentation here.
It is a multi-platform, free and open-source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. I use almost the same set of commands to perform a quick scan plus.
The only difference is the addition of the flag -T4. We can see that there is a vulnerability, smb-vuln-ms, where the Microsoft Windows system is vulnerable to remote code execution. Let's first understand how patching works at Microsoft and where this naming convention comes from.
This is an excerpt from the Rapid7 blog. We use Searchsploit, a command-line search tool for Exploit Database, to check if there's a Metasploit exploit available for us to use. You can read more about Meterpreter here, and get to know more commands for this tool here. The search command provides a way of locating specific files on the target host.
The command is capable of searching through the whole system or specific folders. I then move to the folder where the user. I use ls to list all files under the Desktop folder.
You can see more of my articles here. You can follow me on Twitter or on LinkedIn. Stay safe, friends.