Starting Point has been Pwned!

Hack The Box Starting Point has been Pwned! banner

Starting Point on Hack The Box is a collection of “Very Easy” machines designed to give an introduction to the hacking world. This is the red pill that will have you feeling like Alice tumbling down the rabbit hole. Unfortunately, there are multiple rabbit holes and not all of them lead to Wonderland. Alice may have met the Cheshire Cat, but you will encounter many different types of Cat that will assist you on your journey. As Morpheus once said:

“You take the blue pill, the story ends. You wake up in your bed and believe whatever you want to. You take the red pill, you stay in Wonderland, and I show you how deep the rabbit hole goes. Remember, all I’m offering is the truth. Nothing more.”

Morpheus

Let’s begin! My name is Zero Cool (kidding! it’s Joe) and I’ve been working in Cyber for around 2 years (at the time of writing). I’ve worked in tech for almost 10 years doing various jobs but have always been drawn to hacking. These machines continuously taught me new techniques. I have write-ups of each box if you want to check them out but here I will mostly be summarising my experience with the machines.

Archetype

This is a machine that requires you to perform SMB enumeration to get credentials for a MSSQL database. The SMB enumeration was straight forward but I’ve never used the Impacket database connection tool before. I wouldn’t have even known about it if it wasn’t for this box. Once authenticated, I needed to use xp_cmdshell to execute a PowerShell command to download a reverse shell PowerShell script. After the reverse shell had connected back to my machine, further enumeration was required to grab the Administrator password from the history. This machine was a lot of a fun and I learnt about some new tools.

Starting Point Oopsie

This machine required me to leverage broken access control restrictions to impersonate another higher privilege user. This one done using the tool Burp Suite. I’m quite familiar with Burp Suite but have never encountered a situation quite like this before. I’ve brute force parameters before to get API’s to dump information that they should but this was fairly unique. Once I was able to impersonate super admin it was possible to upload a reverse shell and have the machine connect back to me. Escalating privileges to root required manipulating a script that wasn’t calling a tool by the full path. This was something I had done before but am not overly confident doing. I enjoyed this box as understanding the vulnerabilities was straight forward. 

Starting Point Vaccine

This was the next target to succumb to my amateur hacking skills. This machine required downloading a password protected ZIP archive from FTP and then using tools to generate and crack the password hash of the ZIP. The ZIP contained a PHP index file which had some hardcoded MD5 encrypted credentials. The MD5 was cracked and then it was possible to login to the website. The next step was to perform an SQL injection attack while passing it my session cookie. The SQL injection was used to get a shell on to the machine which was then upgraded using bash. I then grabbed the postgres password and switched to that user. Postgres had the sudo ability to edit a particular file with vi which I exploited to escape to root. 

Starting Point Shield

This was the next victim on the list and gave me more trouble than I expected. This machine required exploiting WordPress by adding a backdoor to one of the themes PHP files. Once the backdoor was embedded it was possible to command it to download and execute reverse shell. Once on the machine I discovered that I had to use JuicyPotato to execute nc.exe to spawn a privileged reverse shell. I had not used JuicyPotato before and had a bit of trouble choosing which process to attach it to. I’m not entirely certain how it works yet so I need to do more research on it. This box was a lot of fun though and taught me about JuicyPotato. 

Starting Point Pathfinder

This machine was next on my hit list and was my first encounter with a Domain Controller on during the Starting Point series. I’ve pen tested domain controllers before, so I sort of knew what to look out for. There were several ports that I targeted right away but the service I needed to poke was LDAP. Using the tool ldapdomaindump and authenticating as Sandra it was possible to dump user information. Then using another tool from Impacket it was possible to trick the server in to giving me a user hash which I cracked offline. With the hash cracked it was possible to perform a DCSync attack and grab the Administrator hash which gave us full access. This was a great box which I feel simulates possible configuration weaknesses that you might find in the real world.

Starting Point Included

This machine was next to get isolated and hacked by my 1337 haxor skills. Seriously though this was another fun box that leveraged directory traversal or local file inclusion. It was an obvious foothold initially due to the naming convention of the parameter used to call the index file. The machine had TFTP running so it was possible to put a reverse shell on it. By leveraging the local file inclusion attack to determine the path of the TFTP directory it was possible to call the reverse shell. 

Starting Point Markup

This was a fun machine that taught me about XML entity injection. I need to brush up on this subject so I’m going to check out the Portswigger web academy labs on it. The XXE attack allowed me to retrieve a user’s private key which I could then use to SSH to the box. After running winPEAS I found a file that the user had access to that was running as a scheduled task. Furthermore, we could echo content into this file so we dropped a netcat executable on the machine. I then echoed a command into the file so that it would create a reverse shell back to our machine the next time it ran. Great box but ran in to a few issues with it. Check out the post for more details.

Starting Point Guard

This was a relatively simple machine with a neat trick for privilege escalation. This machine used credentials from the previous machine to gain SSH access. Once on the box I needed to use the built-in shell in man pages to escape the restricted shell and cat the user flag. The shell was still restricted as I was unable to use wget or curl to download any files. I used SSH to pipe LinPEAS on to the machine. LinPEAS found that root logins were permitted with passwords and that my use could access the shadow file with the root hash inside it. Cracking the file offline allowed me to SSH to the machine as root and capture the root flag. 

Starting Point Base

This was the last machine in the Starting Point category on Hack The Box and it was a lot of fun to complete. I will admit that the web application on the machine ran horrendously slow which become tiresome at times. Base required me to snoop through listed directories and grab a PHP file containing the source code of the login page. The source code revealed it was configured in a vulnerable way that would allow me to bypass the authentication page. By intercepting and manipulating the login request it was possible to access an upload page. After uploading a reverse shell and gaining access to the box I needed to search through the web files and move laterally to the John user. After that it was a GTFOBin on the find command that elevated me to root and allowed me to capture the final flag. 

Starting point has been Pwned!
Starting point has been Pwned!

Conclusion

This was a fun learning experience that made me think about the solutions. I spent a lot of time researching each of the findings and have a huge list of things I still have to look in to. I would like to revisit each of the machines once I have levelled up my skillset to see if there are any other ways that they could be completed. I’m drawn to Cyber Security and hacking like a moth to a flame so this was a really fun challenge for me. If you have an interest in tech or are already working in tech and want to improve your skillset then I highly recommend giving this a go.

%d bloggers like this: