HW08: Intro to HackTheBox due Mon 23 Oct 23:59
Overview
https://hackthebox.com is a website that provides cloud-based virtual machines that can be accessed from within your own VirtualBox environment. They provide machines configured to have exploitable vulnerabilities that cover a wide range of difficulty levels.In this assignment you will create an account at hackthebox.comand complete some intro exercises in that environment. As you do so you will document your progress in a CherryTree document that will include screenshots.
Installing CherryTree and Greenshot
CherryTree (https://www.giuspen.com/cherrytree/) is a hierarchical note-taking tool that we will use to document a number of assignment moving forward. It comes pre-installed in Kali, but you may find it simpler to run on your local computer rather than in the virtual enviroment.Greenshot (https://getgreenshot.org/) is a screenshot program that has some nice features. You can use any screenshot software you want for this. In this assignment you will be occasionally taking screen shots and pasting them into your CherryTree document. NOTE: For Linux users Flameshot is a good alternative.
Using CherryTree for this Assignment
Create a new CherryTree document namedhackthebox.ctb. In
it create the following top-level node: Tier 0. Underneath it create
nodes for each of the introductory machines: Meow, Fawn, Dancing, etc.
As you proceed through this assignment you will document your work.
Creating an Account and First Exercise
Visit https://hackthebox.com and click the Join Now button. Use your HSU email address to sign up for an account and then log in to the site. Visit the recommended Tier 0 machines and start with the machine called Meow.
Remember, you will need to interact with HackTheBox from your Kali machine.
To work with the Tier 0 machines you will need to download a .ovpn file
from the site and then execute this command:
sudo openvpn name_of_downloaded_ovpn_file
Then continue walking through the steps provided by HackTheBox. For each step document what you did (including the openvpn command above) in the CherryTree editor.
IMPORTANT: Although they provide a complete walk-through with instructions and answers, you should try to complete all tutorials without using them. If you don't remember a fact (like a port number) then google it rather than using the walk-through instructions.
Complete the Several Tier 0 Tutorials
In your CherryTree document you should have some subnodes named for each of the beginning exercises. For each set of exercises, document your steps in the CherryTree document.As you go through these exercises, remember, they are helping you to develop some basic skills that will help in actual pentesting. That is to say, if you find that port 23 is open then it won't help much if you manage to connect to the service, but don't know what to do once connected. These exercises help you learn some basic commands.
You should independently complete all steps for these machines:
- Meow (completed above)
- Fawn – To finish this one you'll need to issue some simple ftp commands.
- Dancing – To finish this one you'll need some smbclient commands. Take a look at the CherryTree and Greenshot lecture starting at about 15:15 for some examples of using smbclient. NOTE: When using the command, if you are prompted for a password, enter your Kali login password.
- Redeemer – This one requires some use of an in memory, key-value database. I haven't used redis in a long time so I had to look up some commands.
Turn In Your Work
To provide verification that you have completed each of the steps above, create a screenshot that shows the four machines for which you obtained the required flag. The screenshot should include your username at the top of the screen.Paste the screenshot at the bottom of the Redeemer subnode and then turn in the document by uploading it into Canvas.