Tier 0: HackTheBox Starting Point - 5 Machines - Full Walkthrough (for beginners)

Captions
In this video we're going to take a look at the Hack The Box Starting Point. I'm going to assume anybody who's watching this video probably hasn't done any Hack The Box before and is probably new to hacking or information security as well. The Hack The Box Starting Point essentially has three tiers, each with five or six machines on it, and for each of those machines we'll boot it up, we'll have to do some kind of enumeration or exploitation, and then answer a series of questions. So this is a bit different to the typical Hack The Box style where you have challenges and things available in different categories. You can see the list of categories here, but typically how people would play Hack The Box would be to hack the machines. Every week a new machine is released; sometimes you'll get a short description, or in this case there's nothing at all, and you essentially have to go and spawn the machine and then try and get user privileges and then root privileges, and that's how you get your points. So there's very little guidance normally, which I guess is where the Starting Point comes in. This is a bit more similar to the TryHackMe style of a machine with a series of questions to answer, so you're doing a bit of theory and practical. You also have the Academy here, so you can see for each tier it recommends some different Academy modules, which I haven't done much of, but it's basically some practical training to help you get started. I also have some links on my GitHub, which is in the description, to some different resources in terms of capture the flags and hacking, and some good content creators and stuff to check out. So if you are new to this stuff and you're looking to find out where you can get more content or more challenges or material to get working through, you can check that out on the GitHub. But let's get started with the Tier 0 machines here anyway. As you can see here, the first thing that we need to do in order to get through to
this Meow machine is connect to the virtual private network, and this will allow us to get access to the Hack The Box labs. You can do that through an OpenVPN configuration file which you can download, and you can also do it through this Pwnbox, which is basically a browser-based VM. So I'm going to assume you're either using this or you have Kali Linux or Parrot or something similar installed; it doesn't really matter, as long as you can install the tools that are needed that's fine. Then to connect to the VPN, what I have here is some bash aliases set up. If I do grep VPN on my bash aliases you'll see that I have a few different ones set up, so if I do VPN tab tab you can see here we've got VPN Hack The Box, VPN Release Arena and VPN TryHackMe, so I can very easily just swap between the various options. So I'm going to go with VPN Hack The Box, and all that's doing is running this command that you see up here, so you can just run sudo openvpn and pass in your configuration file. With that connected now, if we go and check our ifconfig you can see that we've got this 10.10.14.14 address on our tun0 adapter, and that's our IP address then on the Hack The Box network, which will mean that we can communicate with the machines that we're booting up here. So note that our first task here is to connect to the VPN, and it actually says that I haven't connected to the VPN yet, it's still telling me to connect, so I believe I need a specific VPN for the Starting Point; it's not the same as we use for the labs. So I had two VPN Hack The Boxes here: one was Hack The Box and one was this Release Arena. Whenever a new box comes out each week you have this individual Release Arena so you can work on a box on your own; typically you would just connect to your normal public or VIP network depending on whether you have the premium subscription. So that's fine. All right, I need to download a new VPN, so I'll do that now and let's save that. So I
don't have an alias for this one, let's just connect to this normally. So I'm going to do sudo openvpn and then we'll pass in Documents, no not Documents, Downloads, and then the Starting Point VPN. Okay, let's go and check ifconfig again; you see we've got a new IP address, instead of 14.14 we've got 14.61. And if we go back here hopefully it's now going to say that we have connected. Yes, okay, there we go, two connections. Two connections? Okay, I'm not sure what that's about, but that's fine. Let's spawn the machine as well. You can see we've got a walkthrough available for download here, so all of these Starting Point machines have walkthroughs, and typically with Hack The Box you have active machines which walkthroughs aren't allowed for, no public walkthroughs are allowed; if you need help with the machine you can go on the forum or you can go on the Hack The Box Discord and ask for some nudges. But if the machines or the challenges are retired then you can create walkthroughs, or you can just download the walkthroughs which are normally provided, I think either by the box creator or IppSec puts together the PDFs, I'm not too sure, and then there's normally some other community walkthroughs linked and stuff as well. Okay, so we've now connected, we've got this IP address, let's go and answer some of these questions. The first question is what does the acronym VM stand for, so that would be a virtual machine, and you can see that we have a hint option here as well if we get stuck on any of the questions. Speaking of virtual machines, I'm running this inside of VMware at the moment, VMware Workstation, but you can use VirtualBox or something else of your choice as well. We're asked in the second task what tool do we use to interact with the operating system in order to start our VPN connection, so what did we use in order to run this command, and you can see the last character here is L, so this is going to be terminal. And task three, what service do you use to form our VPN connection, and we
used OpenVPN. What is the abbreviated name for a tunnel interface in the output of the VPN boot-up sequence? So we saw this as well, we can also go to our ifconfig, which was tun0, so we're tunnelling our traffic through this VPN, which is going to encapsulate and encrypt our data, and so tun will be our answer here. What tool do we use to test our connection to the target? Ping, which we haven't actually done, we should have done that. Let's get the IP. Where's the task? Task five, okay, so let's do that: ping, give it the IP, and we're just verifying here that we're connected. Well, we know we're connected to the network, we ran ifconfig, but we're just verifying here that everything's working and we're able to communicate with the machine and it's able to communicate with us. Let's answer that question as well. What's the name of the script we use to scan the target's ports? Okay, well it's looking for nmap there, but I wouldn't have called nmap a script myself. Let's do nmap, and let's run all ports, and let's do service enumeration as well, and just paste in that IP address, as I can see that it's going to ask us some questions about the ports here as well. But yeah, I guess it's looking for nmap. And task seven, what service do we identify on port 23 TCP during our scans? So we're going to need to wait for nmap to come back with all the results here. We could use the -v flag if we want to see ports as they're discovered, and that means if you're in a rush or you want to be able to start looking at some services as you're going, it's a good idea to use it. I don't typically use it if I've got time, because I don't like having the output at the end with all of the verbose logging in it. All right, so this came back; port 23 is telnet. Anyway, we don't really need the scan to check that, or obviously if you're looking at all this stuff for the first time you would need that, but if you've hacked some boxes before or done any kind of penetration
testing you'll know some of these common ports. What username ultimately works with the remote management login prompt for the target? So we've got an idea here from the four-character placeholder, but let's go ahead and say telnet and then try and connect to this IP. If we weren't too sure what to do in a situation we could do man telnet and get up the manual, or sometimes that's a bit overkill and you can just use something like telnet -h or --help; yeah, okay, not with this tool. All right, so we get to our login prompt, and there's a few things this could be: it could be test, four characters, ends with a T, it's more likely to be root, and we get logged in there. So let's try and see if we can run commands; we can, we can cat out this flag, and there we go. So this is typically what we'd see if we were doing a Hack The Box machine: we would need to first get user privileges and we'd get a user.txt, and then we need to get root access, which is the highest level of privilege, and then we'd just print out root.txt. Okay, so let's go back. I think that's everything then: root was our username and then our flag was HTB and then the hex characters that we just got from the flag.txt. We submit that and then the machine's terminated, we get our congratulations message, and we can move on to the next machine. So let me minimise that, let's go on to Fawn. We're already connected to the VPN, let's spawn the machine, let's go and clear out our terminal from the last one. As for this VPN, you can close this page down; I normally just close down the terminal that the VPN's open in, and then if you need to you can just kill the process later on. In fact, what's happened to my VPN? Maybe I can't just do that. Okay, sudo openvpn, let me do --config, oh what am I doing, Downloads, Starting Point. All right, there we go, and this is booted up, we've got a new IP address. Let's just start off straight away and do our nmap scan, so I'm going to do all ports and this time I'm just going to do the service
enumeration as well. You could do -sC to run default scripts, you can do -A for aggressive, which will do most of the various flags, or a lot of the key ones anyway, you can do -O for OS detection, you can output to, say, XML with -oX or greppable format with -oG or all formats with -oA; you can do a lot of stuff. But let's just try and scan all the ports. If you didn't specify all ports here it would only scan the top 1000 ports, and if you want to do some specific ports you could say here 22,23; if you want to do TCP you could do TCP 22 and 23 and then say UDP, I don't know, 111. Okay, so this is telling me the machine is down. Let's try that again, maybe my VPN disconnected again. No, it's okay, that's interesting. Let's try and ping the machine and see whether we get anything back. Okay, it's communicating, all right, so that's fine. Maybe we need to run a more stealthy scan; let's try and do -sS, and you can do other things like go and set -T4 and things like that. There are various levels you can set if you want to be a bit quieter with nmap. We might need to remove the service enumeration as well, but we'll see, it's taking a little bit longer anyway. Let's go ahead and start going through some of these questions; we don't need the port scan for all of this. It's asking us what is the three-letter acronym for FTP, which is obviously file transfer protocol. It stands for a couple of other things as well, but I'll not say them on video and get demonetised. Let's submit that. Obviously if you didn't know any of these answers, which if you're just starting out you won't know all the answers, you just go on Google, FTP, and we shouldn't need to do much looking around to find out what it stands for. Next up is what communication model does FTP use, architecturally speaking. Again you can get an idea what this is from the size of the words and the dash that we have here, so this is going to be a client-server model. Let's have a look to see if our scan has come back. It did, okay, so it
successfully came back when we used this -sS flag, came back with FTP, vsftpd 3.0.3. So typically if we were doing a penetration test, or we were doing a Hack The Box machine here, we see this port open, we see the software version, we would probably take a copy of this and then try and have a look to see if there are any known exploits, which you can use searchsploit to look up, and this will basically look up the Exploit Database, which you can just go to the website as well if you prefer to just search for it that way. But if you do searchsploit vsftpd 3 it'll come back with some potential exploits; some of them will be available on Metasploit and some of them will just be scripts that we need to copy, and you can copy those scripts. We can just take a copy of this and then say ssx, I do ssx because I have an alias set up for it, but if you don't have an alias set up you just do searchsploit -m to copy it, so you can copy the script to your desktop or wherever you are, or you can do -x and that will just bring it up so we can just have a read through it and see whether it's of interest to us. Okay, so let's go back to our questions anyway. We're now being asked what is the name of one popular GUI FTP program; I would say here FileZilla, as it's the only FTP GUI program that I've used. What port is FTP active on usually? I'm actually unsure what this one is asking for; it's active on port 21,
which is TCP. Oh, TCP, okay, 21 TCP, all right, I wasn't making a connection with that P there for some reason. Okay, which acronym is used for the secure version? You could probably guess this even if you didn't know, but if you just search secure FTP then we'll see SFTP versus FTPS. Okay, well let's do SFTP, secure file transfer protocol. What's the command we can use to test our connection to the target? All right, this was on the last one so it's a nice easy one for us: ping. And we had to do that as well. What's the version of FTP running? It was vsftpd 3.0.3, again just from our nmap scan. And from your scans, what operating system type is running on the target? We didn't do... oh we did, it's got Unix here. Okay, as I mentioned you can use the -O flag as well for operating system detection, let me try that again. So we'll submit Unix here and then we're asked what is the root flag. Okay, so I like how it doesn't really give you too much direction here, you still need to piece a couple of parts of the puzzle together. All right, while that's running then let's go and try and connect to this server: ftp, where's the IP address, ftp, I'll try and connect. And one thing that you can do here is try and connect with anonymous, so let me just search here FTP anonymous login and we'll just go for the first link here. Basically, if anonymous access is allowed on the FTP server you'll be able to do it quite often, I think quite often without a password or just with a password of anonymous, but I believe that can quite often be the email address as well, so worth bearing in mind. One of the first things I would normally check with FTP is if we have that anonymous login. Let's try and enter here anonymous, it asks us for a password, let's try and do anonymous again, let me actually just try without a password. Okay, login successful, great, and now we can just do our usual commands. We'll do ls to list directories; let me see, if we do help here we can get a list of different commands that we can actually
run, and what we want to do is get the flag, so let's do get flag.txt. There's no autocomplete here, as you might have noticed from my slow typing, but that's basically downloaded the flag file for us, and now we can go ahead and copy that. We could also try to see if we have write access, if we can actually write files to the HTTP, to the FTP server. Sometimes you might see on machines that the FTP server is running, and if you have write access and then can access the FTP server through the web browser you might be able to upload a PHP shell or something like that and then actually go to the browser and visit the PHP file and get a reverse shell so that you have access to the box. Okay, but that's our second box done, let's have a look and see what's next. Up is Dancing, it's also very easy and we're already connected, so we need to spawn the machine. I actually forgot to look at the results of that other nmap scan that we did there, but oh well. We've got our new IP address, let's go ahead and start an nmap scan; we'll do nmap and then all ports, we'll just do our service enumeration, I don't want to add too many flags and slow the thing down when realistically what we're going to be asked for is probably not too much. Okay, that says it's down again. Let me get rid of that flag first of all and let's try our nmap scan again; it might just be that the IP is not fully up and running yet. Let's do a ping and just verify that we are still connected and it is up and running. We send off our ping there and we're not getting any response, so at this point we might want to double-check our connectivity, make sure we're still connected to the lab network, which we are, so the chances are that it's just not finished booting up. Well, maybe it's not accepting things... oh, there we go, okay. All right, so sometimes you've just got to wait for a couple of minutes for it to fully boot up. Let's try it again without the stealthy flag and just see whether we get some results with this one. The first question we're asked
is what does the three-letter acronym SMB stand for, so we can get a quick idea what this box is about, and that is the server message bus, no, oh God, server message block, what am I talking about. I never have to think about what's behind the acronym. Okay, what port does it usually operate on, and that would be port 445. Great. Again these are just things that you'll get used to, but if we're not sure we can search SMB port and we'll get a list of various ports, 445, 139, I wonder, and presumably that would have taken either for us then. And what network communication model does SMB use, architecturally speaking? Is this the same as the last one, client-server model? It is, all right, good stuff. What is the service name for port 445 that came up during our nmap scan? Let's have a look: 445, microsoft-ds, hopefully it's not looking for... it wasn't looking for the version, was it? Let's try it, submit, great. What's the tool that we use to connect to SMB shares from our Linux distribution? Okay, well there's a few we could use, smbmap or we could use smbclient, or probably some others as well, but considering it has a T at the end it looks like it's looking for smbclient. Okay, we submit that. What is the flag or switch we can use with the SMB tool to list the contents of shares? It's -L, capital L I believe, I get confused between the two tools though. That's right, okay, that's all good. Let's go and actually test out some of these commands that we're running as well, or that we're entering as answers. So again we might want to do something here like smbclient -h if we don't know what the commands are; if this isn't enough for us and we want more explanations we can do man to get the manual up, and that will give us a lot more information on each of those options. In this case we're going to do smbclient -L, which was the flag that we just gave as the answer to that, and then we'll paste in this IP address.
It's asking for a password; we're going to try it without a password to begin with, and we get back some shares. So the question was asking us what is the name of the share we're able to access in the end, and if we want to try and list that, let's try and do... you need to provide some backslashes for accessing the shares here. I'm assuming it's most likely going to be this WorkShares one; these are kind of default shares that you would often see, so I'm going to try and provide that. No, okay, let me take away that L, I think you need the... not enough characters, oh, I'm doing backslashes, very sorry, it's forward slashes, see, it's been a while since I used this. All right, so we got access to our SMB and as predicted it's the WorkShares one. We've got two users, amy.j and james.p, and we can just do our usual commands here, so if we want to check our help we'll get a list of commands that we can run, kind of similar ones that we saw in FTP: we can put things and we can get things, etc., mget to get multiple files, we can cd around. So we can cd into amy.j and have a look around in there; we've got some worknotes, let's get the worknotes, still no autocomplete, oh, w-o-r-k, get it. All right, and now it's not letting me type any commands, I think I've broken the... interesting. All right, let me take a copy of that again, let me submit that as an answer as well: WorkShares. What is the command that we can use within the SMB shell to download the files we find? get. Okay, great, submit that. Let's try and connect again, let me just see if it's okay; we seem to have been disconnected, the IP is still up but it's not responding to pings again. Okay, I'll wait a couple of minutes... and it just suddenly started sending the pings back, so it seems to be back up and running. I must say that it seems to be a lot more unstable than Hack The Box's typical network, unless it's just some problems we're having tonight. All right, let's go in and try and get that again; we'll do get worknotes.txt and let's print those out,
and it's saying start the Apache server on the Linux machine, secure the FTP server, and set WinRM on Dancing. Okay, none of those looks like a flag, so let's go and take a look at the other directory, which is for james.p, and we have a flag here, so we'll get flag.txt, we'll cat the flag out, we'll remove the flag, and let's go and submit it. Okay, Hack The Box root flag. All right, so that's the third machine done, we've got our congratulations, and let's take a look at Explosion. Again we need to spawn the machine, so we'll wait for that to boot up. Okay, so that's booted up; I left it for a minute or two as well just to hopefully allow it to actually boot up all the services and things like that, but apparently not, it's still waiting for the pings. All right, let me come back when this starts responding to pings. Okay, I waited another couple of minutes and we're getting some responses now, so let's go ahead and start an nmap scan; we'll just do the same thing, all ports, service enumeration and the IP address, and let's go and take a look at the questions. I'm not sure why they're taking so long to boot up and why they're freezing or crashing, maybe it's the network I'm connected to, as I'm connected to that VIP one, and there are various networks you can try, so if you're having some problems maybe try and swap network. Anyway, we're asked first of all what does RDP stand for, and that is the remote desktop protocol, submit. And what is the three-letter acronym that refers to interaction with the host through the command line interface? Presumably it's the command line interface, i.e. the CLI, yep, okay. What about the graphical user interface? Again, it's just the acronym, so the acronym for command line interface is CLI, the acronym for graphical user interface is GUI, or "gooey" as some people say. What is the name of an old remote access tool that came without any encryption by default? It's six letters and ends with a T, so based on that it could be netcat or telnet; let's go with telnet, and that's all good. We have
what is the concept used to verify the identity of a remote host with SSH connections. So SSH connections use public/private key encryption. You have symmetric encryption like AES and DES, which would have the same key to encrypt and decrypt data, and then you have asymmetric encryption like RSA, for example, where you generate a public and a private key, and people can use your public key to encrypt data for you but only you, who hold the private key, can decrypt that data. You can also use your public key to sign data that you're publishing or sending out so that people can verify that it's from you; so you would sign it with your private key and then they could verify that with the public key. So think of things like PGP as an example of that. So here it's looking for public key cryptography, submit that. And what's the name of the tool that we can use to initiate a desktop projection to our host using the terminal? The most common tool for this is rdesktop, remote desktop, oh no it's not, xfreerdp, yeah okay. Is rdesktop even a thing? Yeah, okay, it is, I got confused, I thought maybe rdesktop was just an alias that I had set up for xfreerdp. Okay, so I mean you could go in your terminal, you can see we've got our nmap scan back there, we can do xfreerdp here, get up our help options, we've got rdesktop here as well, we don't... okay, rdp, do I have anything set up there? rdesktop, okay, so I have an rdp, I don't know, this is just an alias that I set up here, because it's trying to call rdesktop and it doesn't have rdesktop. Presumably if you wanted rdesktop you could just do sudo apt-get install rdesktop, yeah, all right, so we can install that as well. Various tools as always to get the job done, but let's go back here and see what it's asking for. What's the name of the service running on port 3389, which is typically our remote desktop service, and 3389 we have here the ms-wbt-server, Microsoft Terminal Services, submit that. And what is the switch used
to specify the target host's IP address when using xfreerdp? Good question, so I very rarely use xfreerdp; the last time that I was really using it was for OSCP, which was several years ago, and I actually just had an alias set up to run it, because you didn't typically want to run it full screen, you kind of just wanted it to maybe take like 75% of your screen. But we can just open up our help menu here, xfreerdp, wow, we've got a lot of help options for this one. Failed, okay, and it looks like we can use this... -v, is that what it's asking us for? What is the switch used to specify the target host's IP address? It looks like it's this -v colon; let's have a look, submit that, brilliant. So we've got all our questions correct, now we need to go and get this flag, so obviously we need to make use of this RDP protocol. So let's just see if we can connect to it without any kind of passwords or anything, then we'll grab this IP address, let's do xfreerdp and then it wanted... cool, I've forgotten the command already, I think it's forward slash v colon and the IP address; looks like it, yeah. All right, we'll see, we do trust the certificate, it's asking us for a domain, a password, I'm just going to leave all that as default, and we get an error. Okay, so that didn't actually allow us to connect, it's saying password certainly expired. Does it tell us anything else? Explosion is the common name, version mismatch, okay. So we could take some of these errors out of this error code here, or this error here, and just go and Google it and see what we get, see if other people have had similar problems and how they fixed it. We've got the GitHub here for FreeRDP, so we could go and look through that, see if somebody is having a similar problem; normally I'll just go and scroll through these and see if anybody has found a fix for it. What was the fix here? Maybe an OpenSSL issue, the workaround was to resolve the target fully qualified domain name and connect with the IP; it's not an ideal workaround, okay. What I might try and do is,
as soon as we've installed rdesktop as well, let's have a look at the help options for that. rdesktop, we can provide a user, domain, password, etc. By the way, in terms of passwords, you can use ncrack, which is an RDP cracking service, or I guess it does other services, but it's by nmap and can be used to crack RDP credentials; various other modules here you can see as well, and you can also use something like Hydra to do the same thing. But I'm assuming this doesn't have a password on it. Let's try and connect with rdesktop, let me grab the server. Is it because we... did we miss the port number there? Was the port required? Maybe it should have just gone for the default. Let's try rdesktop, do we trust the certificate, yes we do, and we run into another problem: failed to connect, CredSSP required by server, check if server has disabled old TLS versions, if yes use -V option. So we could go around, start Googling, see what this is about as well, but both tools have come back with a similar problem, so it doesn't look like it's a tool, maybe it's the box, maybe it's something that we're doing. Let's try and connect with a username; let's see what the flag is for rdesktop, yeah, -u, could have probably guessed that easily enough. Let's try and connect as the administrator, as we don't have any other potential users; if we knew what the names of some of the users would be we would have a better chance, but we can guess here that something like administrator or something like guest might work as a username. Taking a little while. Let's also try that with xfreerdp as well, so xfreerdp, let's take this IP address again, it was v slash and then colon IP address, and then presumably let's see if we can just do user administrator here as well. Hostname is not specified, okay, no, I don't really know what the flags are, let's have a look. Let's see if this one's come back with anything, it hasn't, okay. We've got an example here, this is an example providing a password, okay, so we need to use a similar kind of flag
here, slash u, so I'm going to run that again and let's change this to slash u, and we need to go and fix our v as well, it was slash v. Try that; still no result with rdesktop. It's asking us again do we want to trust the certificate, yes we do, it's asking us for a password, blank again, and now we run into the same problem: error connect, password certainly expired. I also realised there we were using the wrong... we spelled administrator wrong there, administrator, let's try that again, exact same problem. Okay, so what I'm going to do is have a look and see what we would do when we get stuck on something for a little while, and see what the official walkthrough is doing, because obviously we're just in the learning process, as I apparently am, of how to use RDP, but it's a good opportunity to check out the walkthrough as well. So this actually looks like it's very well put together, we've got some nice diagrams here and explanations about the various tools, which is good to go through, so I guess even if you make it through all of these questions without going through the walkthrough it's probably worth having a look to see if there's anything in there which has been missed. I can see here immediately that they are using a cert:ignore option on the xfreerdp command, so let's run that again and let's just paste in cert:ignore, see if we get a connection this time. Okay, we still don't get a connection, failed to connect. Let me try that again; I'm going to run nmap again and just make sure we've still got... let's run nmap on port 3389. I mean, I'm pretty much copying and pasting what we have here: target IP, cert:ignore and then user administrator, or have I got the username spelled incorrectly again? Oh, the host is down, okay, that would make sense then, so it looks like the box has gone offline again. Let's wait for that to come back up; I'm going to do our ping again and we'll just run the ping until we've got the server back up. Okay, it's back, okay, maybe a minute or two again, but we've got a connection.
I'm not sure why the box keeps resetting or why the services keep resetting, it's been happening on all of the boxes so far. Okay, let's try the same command again, that asks for a password, empty password, we get an internal error. Okay, so that's the same error that we got previously... oh, I do have the username spelled incorrectly, administrator, let's try that again, empty password, no errors, and we've got a remote desktop screen, finally, awesome. So let's grab our flag; we might not be able to copy and paste this, let's see, brilliant. All right, that was slightly harder than the other three, unless maybe it's just me, maybe other people got through that very easily, but I think the fact that the services keep resetting makes it a bit confusing, because I don't know whether I'm doing something wrong or whether there's just problems with the box. But okay, let's go on to our final machine. I'm going to spawn the machine here; just come back, I'll leave it a few minutes here to boot. All right, so I left it a couple of minutes to boot up; let's first of all make sure we're connected this time with the ping before we waste time doing an nmap scan, and we are, so we'll do nmap, all ports and service enumeration. By the way, when we're doing all ports we're doing all TCP ports; if you want to do all UDP ports you would need to pass in this -sU flag, and if you do that it'll only do the UDP ports, it won't actually do any TCP. Typically what I do is I run masscan, which is a lot quicker for scanning all the ports, and I'll scan all TCP and UDP ports and then pass the ones that are open into a more detailed nmap scan. And the first question that we're asked here is what is considered to be one of the most essential skills to possess as a penetration tester, and I'm really not too sure what the answer is supposed to be for this one. I mean there's a lot of important skills you need to be good at: obviously enumeration, your exploitation, your pivoting, your persistence and things
like that but you also need to be good at writing reports and communicating your findings in a way that's easily understandable for people of different technical levels it looks like based on the what we have here three letter word and then a one two three four five six seven letter word it actually looks like the answer is pen testing but that really would be a strange answer considering a question um what else could this be let's go back to our end map scan and see what we identified here as the open port this time it was Port 80 and we've got engines or engine X uh which I suppose is the correct pronunciation I'm going to keep saying engines because I think that's better and it's 1.14.2 so we could go ahead and say we want to do our search boy I've got a Alias set up for that so I can just do it like that you might want to take away some of the version in there as well because sometimes the version won't show like if we search that 1.14.2 it might not show up but it might say that everything below 1.115 sorry 1.15 is vulnerable as you can see with some of these well you can kind of see the version in here so we're not looking for a vulnerability at the moment anyway let me get that nmap scanned back up let's go and open this up as the in our browser see if we can have a look at it nothing here we've just got a welcome page we might want to go and try and do things like robots.txt not found okay you can try some general directories go and try things like index.php admin.php oh we actually found an admin login okay that was purely by accident I've not looked at this challenge at all and there we go we just logged in with admin admin and got our flag so it looks like I've actually just solved the the root part of the challenge before actually going through it okay but I just guessed this was admin.php what we would typically want to do here is do some fuzzing or directory busting which we can use of variety of tools for you can use W fuzz you can use f off which is 
very fast you can use Derby or do a buster I actually quite like doorbuster just biowasp because it's got a graphical user interface which allows you to go and kind of look through the results in a tree form but typically what I use is gobuster so we can run go Buster here just get an idea of the help of the menu we've got here so we can do directory busting we can do DNS enumeration General fuzz in S3 bucket enumeration mode and then if we want more information we can say go Buster directory and then help or just go Buster directory or no gobuster help directory and that will give you the list of various flags and commands we can use for that specific option I actually have an alias set up here called go busters which will just basically um run a couple of these flags for me so that all I need to provide is the URL and then any extensions that I want but in this case because I'm just kind of demonstrating this let me show what you would need to run on your system so we do go Buster directory mode pass in dash U as the flag and that's where we'll specify our URL and then we specify a word list I'm going to do user share word lists you can see we've got some different ones here I'm going to go into the directory busting one and then use the directory list lowercase 2.3 medium doesn't really matter too much you can pick your word list of choices a pretty standard one and I'm also going to use Dash X as an extension option so I'm going to say I want you to try all of the directories in this word list but I also want you to try all of those with a PHP at the end with a txt at the end and with a HTML at the end obviously that'll vary depending on what type of server you're looking at you can see it very quickly found admin.php there and it's now a bit more clear that we've now that we've looked at the actual challenge it's a bit more clear what they want as the answer here which is going to be dirtbusting so we'll submit that as the first answer it's asking what switch 
do we use for nmap scan to specify we want to perform version detection that was the dash s capital V flag again I didn't go through this in the video but you can just do nmap and it'll give you a list of all these options if you want it more detailed you can do man and map and that will explain all the options and give you a lot of different examples and stuff okay so that's the first two questions what have we got what service types identified as running on Port 80. let's go back to our nmap scan it was a patchy you know it was engines that's just for the version what service type oh sorry it's http submit that and what is the service name and version that's what I was looking at submit that what is a popular directory busting tool that we can use there's a lot of different ones as we kind of went through there let me actually see does it take different ones let's try dirtbuster it doesn't know so specifically once it probably wants go Buster then submit yeah okay you could have um probably taken a few different options there uh what switch do we use to specify the gobus do we want to do directory Boston and that was the Der what page is found and that is admin.php presumably it's not going to find anything else then see we've actually run into some errors here but yeah it found admin PHP which we also just guessed manually what's the status code reported should be 200 but let's just double check yep status code 200. 
sometimes you might find that servers will return 200 for every possible file type and in that case you would want to say that you want to filter by the length of the response or some regex that's in a response kind of similar to if you're brute force in a login page the login page might come back with a 200 whether or not you enter in a valid or invalid password so you want to look for successful login or login field or something like that in the response to know that you've found the right password or not okay so 200 submit and we already grabbed the root flag so hdb and submit okay great that was a lot smoother than the fourth machine and we've made it through all of the tier zero machines so in the next video we'll take a look at tier one and let's see do we have the same the six boxes in the next one and it looks like there's some more tasks in them as well so I hope you've enjoyed this video anyway a quick intro into hacking boxes on hack the Box and hopefully you'll stick around for the next video where we go through the tier one and then the tier two challenges and then go and check out some of the boxes and some of the challenges or some of the Battlegrounds and stuff that you have available on hack the box and that's going to wrap it up for this video anyway if you have any questions or comments leave them below thanks
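The last machine in the walkthrough is found with a wordlist sweep (gobuster in dir mode with -x php,txt,html against nginx on port 80), and the same sweep leaves a very recognisable trace in the web server's access log. The following is an added example, not code from the video or from Hack The Box: a small detector that parses nginx "combined" format access logs and flags clients that produce a burst of mostly-404 requests with extension probing, reporting which paths the sweep actually hit (admin.php in the video's case). The log lines are constructed for the example and are not captured from the lab; the user-agent substrings for common busting tools are an assumption about their default User-Agent strings, used only as a secondary signal.

```python
"""Spot directory-busting sweeps in nginx access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" log format: ip - user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
# Assumed default User-Agent substrings of common busting tools (secondary signal only).
TOOL_UA_RE = re.compile(r"gobuster|dirbuster|ffuf|wfuzz|dirb", re.I)
# Extensions a "-x php,txt,html"-style sweep appends to every word.
EXT_RE = re.compile(r"\.(php|txt|html?|bak|old|zip)$", re.I)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def _ext(path):
    m = EXT_RE.search(path)
    return m.group(1).lower() if m else None


def detect_dirbusting(lines, window=timedelta(seconds=10), min_requests=15, min_miss_ratio=0.75):
    """Map client IP -> summary of its largest suspicious burst (a wordlist sweep or a tool UA)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        j = 0  # sliding window end; only moves forward because recs are sorted
        for i in range(len(recs)):
            while j < len(recs) and recs[j]["ts"] - recs[i]["ts"] <= window:
                j += 1
            burst = recs[i:j]
            misses = sum(r["status"] == 404 for r in burst)
            tool_ua = any(TOOL_UA_RE.search(r["ua"]) for r in burst)
            looks_like_sweep = len(burst) >= min_requests and misses / len(burst) >= min_miss_ratio
            if not (looks_like_sweep or tool_ua):
                continue
            prev = alerts.get(ip)
            if prev is None or len(burst) > prev["requests"]:
                alerts[ip] = {
                    "requests": len(burst),
                    "misses": misses,
                    "extensions": sorted({e for r in burst if (e := _ext(r["path"]))}),
                    "tool_user_agent": tool_ua,
                    # what the sweep found: paths that answered 200 inside the burst
                    "hits": sorted({r["path"] for r in burst if r["status"] == 200}),
                }
    return alerts


# --- constructed sample log (not captured from the lab machine) ---------------
def _line(ip, t, path, status, size, ua):
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S")} +0000] "GET {path} HTTP/1.1" {status} {size} "-" "{ua}"'


_T0 = datetime(2021, 12, 21, 10, 0, 0)
SAMPLE_LOG = [
    # normal browsing: two requests, both 200
    _line("192.168.1.20", _T0, "/", 200, 612, "Mozilla/5.0"),
    _line("192.168.1.20", _T0 + timedelta(seconds=30), "/admin.php", 200, 1024, "Mozilla/5.0"),
    # a single request but with a tool User-Agent
    _line("10.10.14.5", _T0 + timedelta(minutes=2), "/backup", 404, 153, "gobuster/3.1.0"),
]
# a sweep: 5 words x (bare, .php, .txt, .html) = 20 requests in 5 seconds, all 404 except admin.php
_WORDS = ["images", "css", "js", "uploads", "admin"]
for n, (word, ext) in enumerate((w, e) for w in _WORDS for e in ("", ".php", ".txt", ".html")):
    path = f"/{word}{ext}"
    status, size = (200, 1024) if path == "/admin.php" else (404, 153)
    SAMPLE_LOG.append(_line("10.10.14.9", _T0 + timedelta(seconds=n // 4), path, status, size, "Mozilla/5.0"))

if __name__ == "__main__":
    for ip, summary in detect_dirbusting(SAMPLE_LOG).items():
        print(ip, summary)
```

The sweep from 10.10.14.9 is caught purely by rate and 404 ratio, with a normal browser User-Agent, while the single request from 10.10.14.5 is caught only because of its tool User-Agent; the browsing client is left alone. When the server answers 200 for everything (the case the video mentions where you would filter by response length instead), the `hits` list becomes noisy, and the same trick applies on the defensive side: group the 200 responses by size and treat only the outliers as real discoveries.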
Info
Channel: CryptoCat
Views: 307,307
Keywords: Hack The Box, HackTheBox, HTB, Starting Point, starting-point, tier 0, meow, fawn, dancing, explosion, preignition, pen-testing, pentest, OSCP, penetration test, redteam, offsec, infosec, cybersecurity, training, ethical hacking, enumeration, port scanning, fuzzing, dirbusting, gobuster, nmap, telnet, SSH, SMB, RDP, xfreerdp, rdesktop, openvpn, learn, tutorial, walkthrough, guide, hacking, hack, cyber, CTF, capture the flag, security, vulnerabiliy, exploit, exploitation, beginner, n00b, bash, ippsec, PNPT, hacking tutorial, hacker
Id: jQ194vU4Qkk
Length: 46min 30sec (2790 seconds)
Published: Tue Dec 21 2021