Noob failing at first hurdle...

Heya Guys,
Sorry but complete noob here…
Just joined HTB and was going to start at Starting Point; the problem is I don't know if I'm connected correctly.
OpenVPN seems to have loaded up ok with the following:

marko@maptop:~/Downloads$ sudo openvpn B00rish-startingpoint.ovpn
Tue Mar 2 12:19:52 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2019
Tue Mar 2 12:19:52 2021 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Tue Mar 2 12:19:52 2021 Outgoing Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Tue Mar 2 12:19:52 2021 Incoming Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Tue Mar 2 12:19:52 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]5.44.235.95:1337
Tue Mar 2 12:19:52 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Mar 2 12:19:52 2021 UDP link local: (not bound)
Tue Mar 2 12:19:52 2021 UDP link remote: [AF_INET]5.44.235.95:1337
Tue Mar 2 12:19:52 2021 TLS: Initial packet from [AF_INET]5.44.235.95:1337, sid=346bf8bb 1bc8698f
Tue Mar 2 12:19:52 2021 VERIFY OK: depth=1, C=UK, ST=City, L=London, O=HackTheBox, CN=HackTheBox CA, name=htb, emailAddress=info@hackthebox.eu
Tue Mar 2 12:19:52 2021 VERIFY KU OK
Tue Mar 2 12:19:52 2021 Validating certificate extended key usage
Tue Mar 2 12:19:52 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Mar 2 12:19:52 2021 VERIFY EKU OK
Tue Mar 2 12:19:52 2021 VERIFY OK: depth=0, C=UK, ST=City, L=London, O=HackTheBox, CN=htb, name=htb, emailAddress=info@hackthebox.eu
Tue Mar 2 12:19:52 2021 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Mar 2 12:19:52 2021 [htb] Peer Connection Initiated with [AF_INET]5.44.235.95:1337
Tue Mar 2 12:19:54 2021 SENT CONTROL [htb]: ‘PUSH_REQUEST’ (status=1)
Tue Mar 2 12:19:54 2021 PUSH: Received control message: ‘PUSH_REPLY,route 10.10.10.0 255.255.255.0,route-ipv6 dead:beef::/64,tun-ipv6,route-gateway 10.10.14.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 dead:beef:2::1031/64 dead:beef:2::1,ifconfig 10.10.14.51 255.255.254.0,peer-id 40,cipher AES-256-GCM’
Tue Mar 2 12:19:54 2021 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 2 12:19:54 2021 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 2 12:19:54 2021 OPTIONS IMPORT: route options modified
Tue Mar 2 12:19:54 2021 OPTIONS IMPORT: route-related options modified
Tue Mar 2 12:19:54 2021 OPTIONS IMPORT: peer-id set
Tue Mar 2 12:19:54 2021 OPTIONS IMPORT: adjusting link_mtu to 1625
Tue Mar 2 12:19:54 2021 OPTIONS IMPORT: data channel crypto options modified
Tue Mar 2 12:19:54 2021 Data Channel: using negotiated cipher ‘AES-256-GCM’
Tue Mar 2 12:19:54 2021 Outgoing Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Tue Mar 2 12:19:54 2021 Incoming Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Tue Mar 2 12:19:54 2021 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp1s0 HWADDR=00:e9:3a:ca:7d:c1
Tue Mar 2 12:19:54 2021 GDG6: remote_host_ipv6=n/a
Tue Mar 2 12:19:54 2021 ROUTE6: default_gateway=UNDEF
Tue Mar 2 12:19:54 2021 TUN/TAP device tun0 opened
Tue Mar 2 12:19:54 2021 TUN/TAP TX queue length set to 100
Tue Mar 2 12:19:54 2021 /sbin/ip link set dev tun0 up mtu 1500
Tue Mar 2 12:19:54 2021 /sbin/ip addr add dev tun0 10.10.14.51/23 broadcast 10.10.15.255
Tue Mar 2 12:19:54 2021 /sbin/ip -6 addr add dead:beef:2::1031/64 dev tun0
Tue Mar 2 12:19:54 2021 /sbin/ip route add 10.10.10.0/24 via 10.10.14.1
Tue Mar 2 12:19:54 2021 add_route_ipv6(dead:beef::/64 → dead:beef:2::1 metric -1) dev tun0
Tue Mar 2 12:19:54 2021 /sbin/ip -6 route add dead:beef::/64 dev tun0
Tue Mar 2 12:19:54 2021 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Tue Mar 2 12:19:54 2021 Initialization Sequence Completed

Once in, I can ping the target fine:

marko@maptop:~$ ping 10.10.10.27
PING 10.10.10.27 (10.10.10.27) 56(84) bytes of data.
64 bytes from 10.10.10.27: icmp_seq=1 ttl=127 time=277 ms
64 bytes from 10.10.10.27: icmp_seq=2 ttl=127 time=26.1 ms
64 bytes from 10.10.10.27: icmp_seq=3 ttl=127 time=24.5 ms
64 bytes from 10.10.10.27: icmp_seq=4 ttl=127 time=87.7 ms
64 bytes from 10.10.10.27: icmp_seq=5 ttl=127 time=110 ms

But, when I run the suggested nmap command I don't get any output:

marko@maptop:~$ ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
marko@maptop:~$

So I'm thinking I'm not even connected? I'm also getting paranoid that I'm nmapping someone I shouldn't be lol; how can I verify that that is actually the box?

A quick whois shows this:

marko@maptop:~$ whois 10.10.10.27

ARIN WHOIS data and services are subject to the Terms of Use

available at: Whois Terms of Use - American Registry for Internet Numbers

If you see inaccuracies in the results, please report at

Reporting a Whois Inaccuracy - American Registry for Internet Numbers

Copyright 1997-2021, American Registry for Internet Numbers, Ltd.

NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
NetName: PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED
NetHandle: NET-10-0-0-0-1
Parent: ()
NetType: IANA Special Use
OriginAS:
Organization: Internet Assigned Numbers Authority (IANA)
RegDate:
Updated: 2013-08-30
Comment: These addresses are in use by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices. They are only intended for use within a private context and traffic that needs to cross the Internet will need to use a different, unique address.
Comment:
Comment: These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry. The traffic from these addresses does not come from ICANN or IANA. We are not the source of activity you may see on logs or in e-mail records. Please refer to Common questions regarding abuse issues
Comment:
Comment: These addresses were assigned by the IETF, the organization that develops Internet protocols, in the Best Current Practice document, RFC 1918 which can be found at:
Comment: RFC 1918 - Address Allocation for Private Internets
Ref: https://rdap.arin.net/registry/ip/10.0.0.0

OrgName: Internet Assigned Numbers Authority
OrgId: IANA
Address: 12025 Waterfront Drive
Address: Suite 300
City: Los Angeles
StateProv: CA
PostalCode: 90292
Country: US
RegDate:
Updated: 2012-08-31
Ref: https://rdap.arin.net/registry/entity/IANA

OrgTechHandle: IANA-IP-ARIN
OrgTechName: ICANN
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org
OrgTechRef: https://rdap.arin.net/registry/entity/IANA-IP-ARIN

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: ICANN
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org
OrgAbuseRef: https://rdap.arin.net/registry/entity/IANA-IP-ARIN

Is that normal output for a HTB box?

thanks in advance,
Marko



First - welcome to HTB, I hope you enjoy it here.

Your lookups are good and it is really great to see someone post a lot of information when they ask for help, it makes it a million times easier.

So, some key points:

  • You can't really do a lookup for 10.x.x.x IP addresses. They are part of a range of addresses defined as "private internets" in RFC1918. That means network administrators can do what they want with them and the traffic shouldn't be passed by internet infrastructure.

  • In Linux, if you make a variable assignment, such as variable="this" there is no output. If you want to see the output you need to call it with something like echo $variable.

Going back to your nmap string:
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

This is creating the variable ports and assigning it the value of the final response to nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//

You won't see any output because it is a variable assignment. You could check it with echo $ports but I think the walkthrough you are following calls it with nmap on the next line.

Now, I see this suggested in a lot of places - largely with the idea it “speeds” up your port discovery in that you can do a quick sweep of every port, then only check the ones which are open.

However, for me, this is a bad approach because if anything breaks it, or if you get any unusual output, this is hidden from you. I’ve never noticed it being faster than a more traditional approach because nmap doesn’t run checks on closed ports anyway.

You might find it easier to run:
nmap -Pn -sC -sV -p- --min-rate=1000 -T4 -vvvvvvvv --reason 10.10.10.27

This will give you a much clearer picture of what is happening and, importantly, why NMAP decides a port is open or closed. (If you are doing it on a non-CTF, I’d drop the -Pn though).
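As an added example (not from the reply above or the HTB walkthrough), here is the same "ports=$(...)" pipeline run over a constructed stand-in for the nmap output, so you can see what the variable actually captures and why the assignment itself prints nothing. The sample_nmap_output, extract_ports and check_ports helpers are my own names; in real use the here-document would be replaced by the nmap command.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed stand-in for the
# normal output of: nmap -p- --min-rate=1000 -T4 10.10.10.27
sample_nmap_output() {
    cat <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-02 12:25 GMT
Nmap scan report for 10.10.10.27
Host is up (0.026s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
EOF
}

# The filter chain from the walkthrough, quoted properly: keep only the
# lines that start with a digit (the port rows), take the number before
# "/", join the numbers with commas and drop the trailing comma.
extract_ports() {
    grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//'
}

# The assignment alone produces no output, which is why the original
# command looked like it had done nothing. Echo the variable to see it.
ports=$(sample_nmap_output | extract_ports)
echo "ports=$ports"

# The failure mode the reply warns about: if the scan finds nothing (host
# down, VPN not up, scan interrupted) $ports is empty and a following
# "nmap -p$ports ..." silently gets a malformed port list. Check first.
check_ports() {
    if [ -z "$1" ]; then
        echo "no open ports captured; check the VPN and rerun the scan" >&2
        return 1
    fi
    printf '%s\n' "$1"
}
check_ports "$ports"
```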

Aw dude you're a legend!!! Thank you very much, your nmap command worked perfectly!
seriously made my day lol, thanks again bro

Glad to help.

Heya mate,

Hopefully you can help with my next issue :frowning:

When I see the open ports, I'm supposed to be doing an SMB check to check for permissions,

marko@maptop:~$ smbclient -N -L \\10.10.10.27\

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
backups         Disk      
C$              Disk      Default share
IPC$            IPC       Remote IPC

SMB1 disabled – no workgroup available

The ‘SMB1 disabled…’ doesn’t appear on the HTB screen shot on the walkthrough.

So, I tried an apt install smbclient, which is already installed:

marko@maptop:~$ apt install smbclient
[sudo] password for marko:
Reading package lists… Done
Building dependency tree
Reading state information… Done
smbclient is already the newest version (2:4.11.6+dfsg-0ubuntu1.6).
The following packages were automatically installed and are no longer required:
hwloc ieee-data libhwloc-plugins libhwloc15 libxnvctrl0
Use ‘sudo apt autoremove’ to remove them.
0 to upgrade, 0 to newly install, 0 to remove and 3 not to upgrade.

No luck there, which unfortunately means I can't proceed to the next step, which is accessing the /backups folder on the target, as I get the same error.

I did a bit of hunting around, and there are a lot of 'solutions' available by editing a .conf file and creating smb shares etc… a little over my head at this stage…

Real question is, I'm using an up to date OS, which I'm assuming most people use for HTB… which surprises me that such an error occurs before you've even left the 'noob training ground'… am I missing something? Unfortunately the walkthrough doesn't include troubleshooting on the fly such as 'if you receive error x, then try y' for example.

If the solution is creating shares etc then please let me know and I'll work through them, 'tis a learning curve after all!

appreciate your patience,
Marko

Hey Marko -

You listed the shares on the host, which is a good start. If you want to see if you can access the backups share, try running smbclient -N \\10.10.10.27\backups. Can you share the output of the command?

You can also run smbmap -H 10.10.10.27 (I don’t believe you need to pass the -u and -p args for null session) to see what the permissions are. This will assist you in seeing if you can even access it :slight_smile:

CrackMapExec is also really useful for SMB enumeration, but we can stick to smbclient & smbmap first :slight_smile:

@B00rish said:

So, i tried a apt install smbclient, which is already installed:

I might not be able to help here.

Real question is, I’m using an up to date OS,

This might be the problem. The write ups were probably written a year or two ago. Tools get updated and changed over time.

which im assuming most people use to use HTB… which surprises me such an error occurs before you’ve even left the ‘noob training ground’… am i missing something?

I don’t actually know. At a guess I’d suspect something has updated the SMB options in SMB client to try and stop people using insecure versions of the protocol. If the starting point box was built some time ago, it might be relying on things which are largely patched now.

Remember all hacking/exploitation is based on undocumented features and unstable conditions. There are few guarantees.

Unfortunately the walk through doesn’t include troubleshooting on the fly such as ‘if you receive error x, then try x’ for example.

Almost certainly because it was written before the problem existed.

If the solution is creating shares etc then please let me know and ill work through them, tis a learning curve after all!

I don’t know. You could try some other SMB exploits from Impacket etc, but I really am guessing here.

Hi ty for the response,

I got this:

marko@maptop:~$ smbclient -N \\10.10.10.27\backups

\10.10.10.27backups: Not enough '\' characters in service
Usage: smbclient [-?EgqBVNkPeC] [-?|--help] [--usage] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-M|--message=HOST] [-I|--ip-address=IP]
[-E|--stderr] [-L|--list=HOST] [-m|--max-protocol=LEVEL] [-T|--tar=<c|x>IXFqgbNan] [-D|--directory=DIR] [-c|--command=STRING]
[-b|--send-buffer=BYTES] [-t|--timeout=SECONDS] [-p|--port=PORT] [-g|--grepable] [-q|--quiet] [-B|--browse]
[-d|--debuglevel=DEBUGLEVEL] [-s|--configfile=CONFIGFILE] [-l|--log-basename=LOGFILEBASE] [-V|--version] [--option=name=value]
[-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME] [-W|--workgroup=WORKGROUP] [-i|--scope=SCOPE]
[-U|--user=USERNAME] [-N|--no-pass] [-k|--kerberos] [-A|--authentication-file=FILE] [-S|--signing=on|off|required]
[-P|--machine-pass] [-e|--encrypt] [-C|--use-ccache] [--pw-nt-hash] service

-ty,
Marko

sorry edit:

marko@maptop:~$ smbmap -H 10.10.10.27\backups

Command ‘smbmap’ not found, but can be installed with:

sudo apt install smbmap

This one is from your second suggestion; seems I need to install it?

thanks

You are missing an extra backslash in your command. Try smbclient -N \\\\10.10.10.27\\backups. That should work. Sometimes it works with only two backslashes before the hostname/IP or it wants four.

For smbmap, depending on your OS, yes, you might need to install it before using it. You can also find it on ShawnDEvan’s Github :slight_smile:
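As an added example (not from the thread) of why the four-backslash form works: an interactive shell collapses each unquoted `\\` to `\` and `\b` to `b` before smbclient ever sees the argument, which is exactly the `\10.10.10.27backups` string in the error above. The unc_check helper is hypothetical and only inspects the string the shell delivers; single-quoting the service name is the other way to keep the backslashes intact.

```shell
#!/bin/sh
# Added example, not code from the thread. Report whether the argument the
# shell handed us still has the \\host\share shape smbclient expects.
unc_check() {
    case $1 in
        # two literal backslashes, a host, one backslash, a share name
        \\\\?*\\?*)
            printf '%s\n' "ok: $1"
            return 0 ;;
        *)
            printf '%s\n' "bad: $1 (the shell ate the backslashes; use \\\\\\\\host\\\\share or single quotes)" >&2
            return 1 ;;
    esac
}

# What the thread's command delivered: \\ -> \ and \b -> b, so the service
# string arrives as \10.10.10.27backups and the check fails.
unc_check \\10.10.10.27\backups || true

# Doubling every backslash survives the shell's own processing.
unc_check \\\\10.10.10.27\\backups

# Single quotes stop the shell touching backslashes at all; same result.
unc_check '\\10.10.10.27\backups'
```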