I am just getting started with HTB. I am playing around in Sauna right now. Looking over the website… I'm not sure what my challenge is supposed to be with this machine.
Doing some research I see there is supposedly a text file on a user account with a code or flag you can input for points… and another code on a root account… which I'm guessing is the admin account.
I would not have known about these without seeing other people post, and I don't want to walk through these with a tutorial without figuring out at least some of it on my own.
How would I have known that there was a user.txt file that had a code I need to get on this machine, or is this the challenge on all the machines?
I have also run nmap and scanned through and not gotten any decent info from that… so I'm looking down the LDAP scanning path now, but I'm not sure if I'm chasing a red herring at this point. I know that is 90% of what pen testing is… but I don't want to get too frustrated just starting out or too overwhelmed trying to learn about all the tools.
Thanks for any clarification or guidance you can give on how to make the most of this application.
On all machines, there is a user.txt and a root.txt. Each of these files contains a short string that represents the so-called “flag”. These flags can then be submitted on the respective machine's page at the HackTheBox website and “prove” that you gained access to the user’s (or administrator’s) account. From submitting flags, you will earn points (depending on the level of the machine, and which of the 2 flags you submitted).
The general “starting approach” on hacking challenges (and often in real-world penetration tests) is to gather information. You usually scan the machine’s IP address for open ports using nmap (or any other port scanner you like). Nmap has a huge amount of parameters/options to use. The most important, when starting, are those specifying which ports to scan (either using specific port ranges, or scanning the top X most-used ports) and the type of scan: you can scan just for which ports (either TCP or UDP) are open, or you can instruct nmap to perform more thorough scans which will then also reveal which service is running on each port (plus often much more extra info for each service).
Once you know which services are available on that machine, you start gathering more information by e.g. browsing the website, looking into the FTP server, etc.
When you have a good understanding of the target, you start looking for known vulnerabilities (e.g. by searching on Google for “ vulnerabilities”, searching on exploit-db.com, or using scripts like searchsploit). You also start looking for common misconfigurations (default credentials, access without authentication, etc.) and programming errors (especially SQL injections and command injection, authentication bypass, abuse of file uploads, etc.).
Once you gained a foothold onto the machine (e.g. with a webshell or terminal/SSH access), you start enumerating again, looking for juicy information in all kinds of files (e.g. passwords) and misconfigurations of services in an attempt to elevate your privileges to gain administrative rights. Also, don’t forget to grab the flags, which usually reside inside the user’s HOME or Desktop folder.
(Especially in pentests) You also look for systems that you might reach from the conquered machine which you could see beforehand (e.g. because they are in another subnet) and try to pivot via the conquered system into those other networks.
You see, it is a lot about gathering information and making sense of what you see/read.
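The answer above boils down to "scan, then make sense of what the scan tells you". As an added example (not part of this thread and not HTB's or nmap's own code), here is a small parser that turns nmap's grepable output (what `-oG` writes) into a per-host list of open services, which is the first thing you want in front of you before deciding where to enumerate next. The scan text, the IP address and the service banners embedded in it are constructed placeholders, not output from any real machine.

```python
"""Turn nmap's grepable (-oG) output into a list of open services per host.

Added example (not from the forum thread). The sample scan text below is
constructed for illustration; the IP and service banners are placeholders.
"""
from dataclasses import dataclass

# Constructed sample of what `nmap -sV -oG out.gnmap <host>` writes.
# Fields on a "Host:" line are tab-separated; each port entry has the
# form port/state/proto/owner/service/rpcinfo/version/ (nmap replaces any
# "/" inside a field with "|", so splitting on "/" stays unambiguous).
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample, not real output)\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 (protocol 2.0)/, "
    "80/open/tcp//http//nginx 1.18.0/, "
    "389/open/tcp//ldap//OpenLDAP 2.2.X - 2.3.X/, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (996)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str      # service name nmap guessed, e.g. "http"
    version: str   # product/version string from -sV, may be empty


def parse_grepable(text: str) -> dict[str, list[Service]]:
    """Return {ip: [Service, ...]} for every host line that has a Ports field."""
    hosts: dict[str, list[Service]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines ("# Nmap ...") and blanks
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        ip = fields["Host"].split()[0]  # "10.0.0.5 (hostname)" -> "10.0.0.5"
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry; skip it rather than crash
            port, state, proto, _owner, name, _rpc, version = parts[:7]
            hosts.setdefault(ip, []).append(
                Service(int(port), proto, state, name, version)
            )
    return hosts


def open_services(hosts: dict[str, list[Service]]) -> dict[str, list[Service]]:
    """Keep only ports nmap reported as open (drops filtered/closed ones)."""
    return {ip: [s for s in svcs if s.state == "open"] for ip, svcs in hosts.items()}


def summarize(hosts: dict[str, list[Service]]) -> list[str]:
    """One human-readable line per open service, sorted by host and port."""
    lines = []
    for ip, svcs in sorted(open_services(hosts).items()):
        for s in sorted(svcs, key=lambda s: s.port):
            ver = f" ({s.version})" if s.version else ""
            lines.append(f"{ip} {s.port}/{s.proto} {s.name}{ver}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_grepable(SAMPLE_GNMAP)):
        print(line)
```

Run it against a real `-oG` file by replacing `SAMPLE_GNMAP` with the file's contents; the filtered port 445 is deliberately left out of the summary so that the list in front of you is exactly the set of services worth reading up on (web server, LDAP, and so on), which is the "making sense of what you see" step the answer describes.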