DEV Community: Adhishri Kothiyal

Hack The Box - Synced (rsync)

Adhishri Kothiyal — Sun, 07 Sep 2025 20:00:13 +0000

I will cover solution steps of the "Synced" machine, which is part of the 'Starting Point' labs and has a difficulty rating of 'Very Easy'. This is the last machine of the Tier-0 of StartingPoint. This is a VIP machine so you'd need an upgrade from your free plan.

Rsync on Port 873: A Gateway for Efficient File Synchronization

The best known file transfer service is the File Transfer Protocol (FTP), which was covered thoroughly in the Fawn machine. The main concern with FTP is that it is a very old and slow protocol. FTP is a protocol used for copying entire files over the network from a remote server. In many cases there is a need to transfer only some changes made to a few files and not to transfer every file every single time. For these scenarios, the rsync protocol is generally preferred.

Rysnc is a versatile file synchronization tool. It is an open source tool and provides fast incremental file transfer. The official definition of rsync according to the Linux manual page is:

Rsync is a fast and extraordinarily versatile file copying tool. It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon. It offers a large number of options that control every aspect of its behavior and permit very flexible specification of the set of files to be copied. It is famous for its deltatransfer algorithm, which reduces the amount of data sent over the network by sending only the differences between the source files and the existing files in the destination. Rsync is widely used for backups and mirroring and as an improved copy command for everyday use.

The core strength of rsync lies in its “delta-transfer” algorithm. Instead of blindly copying entire files, rsync intelligently identifies and transmits only the differences between the source and destination files, resulting in significantly faster and more network-efficient transfers.

The main stages of an rsync transfer are the following:

rsync establishes a connection to the remote host and spawns another rsync receiver process.
The sender and receiver processes compare what files have changed.
What has changed gets updated on the remote host.

The way rsync works makes it an excellent choice when there is a need to synchronize files between a computer and a storage drive and across networked computers. Because of the flexibility and speed it offers, it has become a standard Linux utility, included in all popular Linux distribution by default. More information about rsync can be found at the Wikipedia page.

Connecting and Interacting with the Rsync Service

Interaction with an rsync service is primarily achieved through the rsync command-line utility (pre-installed in linux distributions), a standard feature in most Unix-like operating systems. The fundamental syntax for connecting to a remote rsync daemon is:

rsync [OPTIONS] [USER@]HOST::[MODULE] [DESTINATION]
rsync [USER@]HOST::   (for listing available modules)

This command will attempt to connect to the rsync daemon on HOST/IP/USER@ and list the publicly accessible modules.

Anatomy of the Connection String:

[OPTIONS]: This refers to the available options in rsync . The list with all valid options is available over at the official manual page of rsync under the section Options Summary . You can also view it by using the — help command: rsync - -help.

[USER@]HOST: This specifies the remote server's hostname or IP address. You can optionally provide a username if the rsync module requires authentication. The [USER@] optional parameter is used when we want to access the the remote machine in an authenticated way. In this machine (synced), we don’t have any valid credentials at our disposal so we will omit this portion and try an anonymous authentication.

::: The double colon is crucial. It signifies a connection to an rsync daemon on the specified host, as opposed to using a remote shell like SSH.

[MODULE]: Rsync daemons are configured with "modules," which are essentially aliases for files/directories on the server that are made available for synchronization. You can think of them as shares. If you omit the module, some servers might list the available modules.

[DESTINATION]: This is the local path where you want to download the files to. If you want to save in the current directory then just mention the name with which you would like to save the file in the local machine.

Authentication

Rsync modules can be configured with varying levels of security:

Anonymous: Some modules may be publicly accessible without any authentication.
Password-protected: Many modules require a username and password. You may be prompted for a password, or you can store it in a file and use the --password-file option.

It often happens that rsync is misconfigured to permit anonymous login, which can be exploited by an attacker to get access to sensitive information stored on the remote machine.

TASK 1: What is the default port for rsync? 873

TASK 2: How many TCP ports are open on the remote host? 1

TASK 3: What is the protocol version used by rsync on the remote machine? 31

TASK 4: What is the most common command name on Linux to interact with rsync? rsync

TASK 5: What credentials do you have to pass to rsync in order to use anonymous authentication?

anonymous:anonymous,
anonymous,
None,
rsync:rsync

TASK 6: What is the option to only list shares and files on rsync? (No need to include the leading — characters) list-only

Submit Flag:

We will begin by scanning the remote host for any open ports and running services with a Nmap scan. We will be using the following flags for the scan:

nmap -p- --min-rate=1000 -sV {target_IP}

-p- : This flag scans for all TCP ports ranging from 0-65535
-sV : Attempts to determine the version of the service running on a port
--min-rate : This is used to specify the minimum number of packets that Nmap should send per second; it speeds up the scan as the number goes higher

The scan shows that only port 873 is open. Moreover, Nmap informs us that the service running on this port is rsync.

Now we will try to connect and simply list all the available directories to an anonymous user. Reading through the manual page we can spot the option — list-only , which according to the definition is used to “list the files instead of copying them”. To interact with the machine we execute the following command:

rsync --list-only {target_IP}::
or 
rsync {target_IP}::

Looking at the output, we can see that we can access a directory called public with the description Anonymous Share . It is a common practice to call shared directories just shares . Let’s go a step further and list the files inside the public share. The trailing slash on the module name is important; it signifies that you want to see the contents of the directory.

rsync --list-only {target_IP}::public/
or 
rsync {target_IP}::public/

We notice a file called flag.txt inside the public share. Our last step would be to download/copy/sync the entire content of the flag.txt file to our local machine. To do that, we simply follow the general syntax by specifying the SRC as public/flag.txt and the DEST as flag.txt to transfer the file to our local machine.

rsync {target_IP}::[SRC] [DESTI]
rsync {target_IP}::public/flag.txt flag.txt

Executing this command returns no output. But, on our local directory we have a new file called flag.txt . Let’s read its contents : cat flag.txt

Congratulations! You have successfully captured the flag file from the remote machine using the rsync protocol.

And this marks an end to Tier -0 of Starting Point machines in Hack The Box Labs. Go Start Pwning Machines now… :) Happy Hacking!🪅

Credits: The Internet 🛜

Dear Gentle Reader feel free to reach out for queries and feedback.🥷

Hack The Box — Mongod (MongoDB)

Adhishri Kothiyal — Sat, 06 Sep 2025 18:31:27 +0000

I will cover solution steps of the “Mongod” machine, which is part of the ‘Starting Point’ labs and has a difficulty rating of ‘Very Easy’. This is a VIP machine so you’d need an upgrade from your free plan.

What is MongoDB?

There are different types of databases and one among them is MongoDB.

MongoDB is a document-oriented NoSQL database. Instead of using tables and rows like in traditional relational databases, MongoDB makes use of collections and documents.

It is crucial to be aware of how the data is stored in different types of databases and how we can connect to these remote database servers and retrieve the desired data. In a document-oriented NoSQL database, the data is organized into a hierarchy of the following levels:

databases
collections
documents

How MongoDB stores data?

Each database contains collections which in turn further contain documents.

Database → Think of it like a big filing cabinet.

Collections → Inside the cabinet, you have *folders *(collections).

Documents → Inside each folder, you have *files *(documents).

Data → Inside each file, you have the actual information (like text, numbers, or dates).

The format looks like JSON (a simple way to store data with key-value pairs, like "name": "Adhishri"). Normally, to access a database, you should have a username and password. But sometimes the MongoDB server is set up wrongly (misconfigured) and allows anyone to log in without credentials. This is called anonymous login. It’s like leaving the filing cabinet unlocked in a public place — anyone can open it and read all the files.

To connect to the server we use a tool called mongosh (Mongo Shell). It’s like a remote terminal for MongoDB. With it, we can:

Connect to the MongoDB server
List all databases
Go inside collections
Look at the documents

To install MongoDB Shell Utility follow the below mentioned commands:

(This method installed the latest MongoDB client while later I found out that the server was using older version so I again installed another client with older version. Skip this installation if you don't want to download latest version.)

sudo dpkg -i mongodb-mongosh_2.5.7_amd64.deb  (to install)
sudo apt-get install -f                       (to install any missing dependencies)
which mongosh                                 (to see where was mongosh installed)

To connect to the mongosh server I executed below command:

mongosh mongodb://<$IP>:27017

I encountered an error that states that “the machine is using an older server version of mongodb (wire version 6 = MongoDB 3.6) while the mongosh client that we installed is too new and expects at least wire version 8 (MongoDB 4.2).”

I decided to use an older Mongosh shell. To install the older version of mongosh shell that matches the server version I used the following command:

curl -O https://downloads.mongodb.com/compass/mongosh-2.3.2-linux-x64.tgz
tar xvf mongosh-2.3.2-linux-x64.tgz
cd mongosh-2.3.2-linux-x64
cd bin

Then to connect:

./mongosh mongodb://10.129.118.68:27017

Now we have successfully connected to remote MongoDB instance as an anonymous user. Using the following command, we can list the databases present on the MongoDB server.

show dbs;
use sensitive_information;
show collections;

show dbs : to list databases

use : This command switches the current context to the specified database. If the database does not exist, MongoDB will create it implicitly upon the first data insertion into a collection within that database.

db : To check current database. This command returns the name of the database currently in use within the shell.

We can dump the contents of any documents present in the collection by using the db.collectionName.find() command.

db.collectionName.find()

TASK 1: How many TCP ports are open on the machine? 2

nmap -p- --min-rate=1000 -sV <$IP>

-p- : This flag scans for all TCP ports ranging from 0–65535
-sV : Attempts to determine the version of the service running on a port
- - min-rate : This is used to specify the minimum number of packets that Nmap should send per second; it speeds up the scan as the number goes higher

TASK 2: Which service is running on port 27017 of the remote host? MongoDB 3.6.8

TASK 3: What type of database is MongoDB? (Choose: SQL or NoSQL) NoSQL

TASK 4: What command is used to launch the interactive MongoDB shell from the terminal? mongosh

TASK 5: What is the command used for listing all the databases present on the MongoDB server? (No need to include a trailing ;) show dbs

TASK 6: What is the command used for listing out the collections in a database? (No need to include a trailing ;) show collections

TASK 7: What command is used to dump the content of all the documents within the collection named flag? db.flag.find()

Submit Flag:

First I performed a basic nmap scan to check the open ports
I saw 2 TCP ports are open out of which one was a mongodb server running at 27017
Then I tried to connect to the mongodb server r running on the target box using mongosh (MongoDB shell utility)
Then I saw a database with the name sensetive_information which had a collection
To list the content of the collection named flag:

db.flag.find()

And the flag would be displayed. Congratulations, you’ve captured the flag!

On submitting it you will receive message as “Mongod has been Pwned”.

Credits: The Internet 🛜

Dear Gentle Reader feel free to reach out for queries and feedback.🥷

Hack The Box -Preignition Write-up (dir busting)

Adhishri Kothiyal — Tue, 02 Sep 2025 16:44:11 +0000

I will cover solution steps of the "Preignition" machine, which is part of the 'Starting Point' labs and has a difficulty rating of 'Very Easy'. This is a VIP machine so you'd need an upgrade from your free plan.

Introduction

Web servers are central to most infrastructures, often public-facing and accessible from the Internet. They typically host applications like WordPress, which provides both a public-facing site and a private admin panel (/wp-admin) for managing content, themes, and scripts. While these panels are login-protected, outdated components or misconfigurations can introduce critical vulnerabilities. For pentesters, understanding how these administrative mechanisms work is key, as exploiting them can provide attackers with an initial foothold and a path to pivot deeper into a network.

Thus, Web enumeration, specifically directory busting (dir busting), is one of the most essential skills any Penetration Tester must possess. While manually navigating websites and clicking all the available links may reveal some data, most of the links and pages may not be published to the public and, hence, are less secure. Suppose we did not know the wp-admin page is the administrative section of the WordPress site we exemplified above. How else would we have found it out if not for web enumeration and directory busting?

Check Hack the Box - Meow on how to connect to the VPN and spawn the machine.

TASK 1: Directory Brute-forcing is a technique used to check a lot of paths on a web server to find hidden pages. Which is another name for this? (i) Local File Inclusion, (ii) dir busting, (iii) hash cracking.

TASK 2: What switch do we use for nmap's scan to specify that we want to perform version detection. -sV

TASK 3: What does Nmap report is the service identified as running on port 80/tcp? http

TASK 4: What server name and version of service is running on port 80/tcp? nginx 1.14.2

TASK 5: What switch do we use to specify to Gobuster we want to perform dir busting specifically? dir

TASK 6: When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages? -x php

TASK 7: What page is found during our dir busting activities? admin.php

TASK 8: What is the HTTP status code reported by Gobuster for the discovered page? 200

Submit Flag:

We start with a preliminary scan of the target using nmap:

sudo nmap -Pn <$IP> -sV -A
or
sudo nmap <$IP> -sV

sudo nmap -Pn <$IP> -sV -A

From the scan we can see port 80 open. Obvious next step is to open a web browser of our choice and navigate to the target's IP address in the URL bar at the top of the window. This will automatically address the target's port 80 for the client-server communication and load the web page's contents. <$IP>:80

I just see a mention of nginx and realize that the target is a web server. What we are looking at on our browser screen is the default post-installation page for the nginx service, meaning that there is the possibility that this web application might not be adequately configured yet, or that default credentials are used to facilitate faster configuration up to the point of live deployment. This, however, also means that there are no buttons or links on the web page to assist us with navigation between web directories or other content. When browsing a website, links simply point to other directories or pages. Beyond these visible links, web servers may host hidden content. Instead of manually guessing URLs, a technique called directory busting (dir busting) is used to discover such content. Tools like Gobuster, written in Go, automate this process by scanning for hidden directories and files.

To install gobuster:

sudo apt install golang-go
sudo apt install gobuster

We can use the common.txt wordlist which can be downloaded from here.

For those who want a more comprehensive grasp of Gobuster's directory hunting mode, invoking the help function for the directory mode is a valuable resource. Simply use the command:

sudo gobuster dir -h

We will be using -w and -u flags.

sudo gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u <$IP>

I was unable to get results from gobuster so I decided to use ffuf:

sudo ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://<$IP>/FUZZ.php

The output of our performed dir busting attempt revealed the directory /admin.php. Alongside this discovery came its associated HTTP status code 200. This status code, denoting "OK", is the standard response for a successful HTTP request. I opened the browser and accessed http://target_IP/admin.php. This URL takes us to an admin console login (see below):

Then I tried a bunch of possible combinations:

{admin:admin}
{admin:password}
{administrator:password}
{admin:password1}
{administrator:password1}

And {admin:admin} worked. Once logged in, the root flag is displayed. Congratulations, you've captured the root flag!

On submitting it you will receive message as "Preignition has been Pwned".

Credits: The Internet 🛜

> Dear Gentle Reader feel free to reach out for queries and feedback.🥷

Hack The Box - Explosion (RDP)

Adhishri Kothiyal — Mon, 01 Sep 2025 18:22:21 +0000

I will cover solution steps of the "Explosion" machine, which is part of the 'Starting Point' labs and has a difficulty rating of 'Very Easy'. This is a VIP machine so you'd need an upgrade from your free plan.

Introduction
Remote access software represents a legitimate way to connect to other hosts to perform actions or offer support. The interactions involved by using any type of remote access tool can either be CLI-based (Command Line Interface) or GUI-based (Graphical User Interface). These tools use the same protocol at their base to communicate with the other hosts, which is RDP. RDP (Remote Desktop Protocol) operates on ports 3389 TCP and 3389 UDP. The only difference consists of how the information relayed by this protocol is presented to the end-user.

Command Line Interface-based Remote Access Tools have been around forever. A rudimentary example of this is Telnet , which was explored briefly in the Meow machine. . In its most basic configuration, Telnet is considered insecure due to lacking the ability to encrypt the data being sent through it securely. This implies that an attacker with access to a network TAP (Traffic Access Point) could easily intercept the packets being sent through a Telnet connection and read the contents, be they login credentials, sensitive files, or anything else. Telnet, which runs on port 23 TCP by default, has mainly been replaced by its more secure counterpart, SSH , running on port 22 TCP by default.

SSH, which stands for Secure Shell Protocol, adds the required layers of authentication and encryption to the communication model, making it a much more viable approach to perform remote access and remote file transfers. It is used both for patch delivery, file transfers, log transfer, and remote management in today's environment.

SSH uses public-key cryptography to verify the remote host's identity, and the communication model is based on the Client-Server architecture , as seen previously with FTP, SMB, and other services. The local host uses the server's public key to verify its identity before establishing the encrypted tunnel connection. Once the tunnel is established, symmetric encryption methods and hashing algorithms are used to ensure the confidentiality and integrity of the data being sent over the tunnel.

In order to be able to see the remote host's display, one can resort to CLI-based tools such as xfreerdp . Tools such as this one are called Remote Desktop Tools , despite being part of the Remote Access family.

Check Hack the Box - Meow on how to connect to the VPN and spawn the machine.

TASK 1: What does the 3-letter acronym RDP stand for? Remote Desktop Protocol

TASK 2: What is a 3-letter acronym that refers to interaction with the host through a command line interface? CLI

TASK 3: What about graphical user interface interactions? GUI

TASK 4: What is the name of an old remote access tool that came without encryption by default and listens on TCP port 23? telnet

TASK 5: What is the name of the service running on port 3389 TCP? ms-wbt-server

TASK 6: What is the switch used to specify the target host's IP address when using xfreerdp? /v:

TASK 7: What username successfully returns a desktop projection to us with a blank password? Administrator

Submit Flag:

We start, as always, with an nmap scan, resulting in open ports running RDP. We have run the scan with the version scanning switch enabled to determine the exact versions of all the services running on open ports on the target, thus assessing the actual operating system of the machine and any additional potential vulnerabilities due to outdated software.

sudo nmap <$IP> -Pn -sV -A 
or
sudo nmap -sV <$IP>

-sV : Probe open ports to determine service/version info.

It is always a good idea to research the ports found in order to understand the big picture. SpeedGuide is a good resource for those just starting out with their networking basics and interested in understanding more common ports at a glance.

Looking at the SpeedGuide entry for port 3389 TCP. It is typically used for Windows Remote Desktop and Remote Assistance connections (over RDP - Remote Desktop Protocol). We can quickly check for any misconfigurations in access control by attempting to connect to this readily available port without any valid credentials, thus confirming whether the service allows guest or anonymous connections or not.

If you need to install xfreerdp , you can proceed with one of the following commands:

sudo apt-get install freerdp2-x11
sudo apt-get install freerdp3-x11

We can first try to form an RDP session with the target by not providing any additional information for any switches other than the target IP address. This will make the script use your own username as the login username for the RDP session, thus testing guest login capabilities.

/v:{target_IP} : Specifies the target IP of the host we would like to connect to.

We can try a myriad of other default accounts, such as user, admin, Administrator, and so
on. In reality, this would be a time-consuming process. I tried with the username Administrator. We will also be specifying to the script that we would like to bypass all requirements for a security certificate so that our own script does not request them. The target, in this case, already does not expect any. Let us take a look at the switches we will need to use with xfreerdp in order to connect to our target in this scenario successfully:

/cert:ignore : Specifies to the scrips that all security certificate usage should be
ignored.
/u:Administrator : Specifies the login username to be "Administrator".
/v:{target_IP} : Specifies the target IP of the host we would like to connect to.

We can see a file on the desktop with the name flag. And Congratulations! We have successfully retrieved the flag value.

On submitting it you will receive message as "Explosion has been Pwned".

Credits: HTB Official Write-up

Dear Gentle Reader feel free to reach out for queries and feedback. 🥷

Hack The Box - Redeemer (Redis)

Adhishri Kothiyal — Mon, 01 Sep 2025 13:58:35 +0000

I will cover solution steps of the "Redeemer" machine, which is part of the 'Starting Point' labs and has a difficulty rating of 'Very Easy'.

Introduction

Databases are a collection of organized information that can be easily accessed. In most environments, database systems are very important because they communicate information related to your sales transactions, product inventory, customer profiles and marketing activities.

There are different types of databases and one among them is Redis, which is an 'in-memory' database. In-memory databases are the ones that rely essentially on the primary memory for data storage (meaning that the database stores data in the server's RAM); in contrast to databases that store data on the disk or SSDs. In-memory databases like Redis are typically used to cache data that is frequently requested for quick retrieval. For example, if there is a website that returns some prices on the front page of the site. As the primary memory is significantly faster than the secondary memory, the data retrieval time in the case of 'in-memory' databases is very small, thus offering very efficient & minimal response times.

What is Redis?

Redis (REmote DIctionary Server) is an open-source advanced NoSQL key-value data store used as a database, cache, and message broker. The data is stored in a dictionary format having key-value pairs. It is typically used for short term storage of data that needs fast retrieval. Redis does backup data to hard drives to provide consistency. It's often referred to as a "Swiss Army knife" for developers because of its versatility.

In-memory databases like Redis are typically used to cache data that is frequently requested for quick retrieval. For Example, if there is a website that returns some prices on the front page of the site. The website may be written to first check if the needed prices are in Redis, and if not, then check the traditional database (like MySQL or MongoDB). When the value is loaded from the database, it is then stored in Redis for some shorter period of time (seconds or minutes or hours), to handle any similar requests that arrive during that timeframe. For a site with lots of traffic, this configuration allows for much faster retrieval for the majority of requests, while still having stable long term storage in the main database.

At its core, Redis is a key-value store, means data is stored like a dictionary. You have a key (like a label) and a value (the data itself). For example: key = "user:1:password", value = "P@ssw0rd123". Unlike simple key-value stores that only handle strings, Redis has built-in support for a variety of complex data structures, including strings, lists,sets,hashes,Sorted Sets, etc. For developers, Redis is a powerful tool for caching, session management, and real-time data. For a pentester, it's often a treasure chest left wide open.

The Super Simple Analogy: A Public Whiteboard. When you're scanning a target and you see port 6379 open, your brain should immediately think: "There's a public whiteboard here. Is the door unlocked? And what's written on it?"

A server configuration (requirepass) is used for setting up a password. The default is "no" and the port will listen for connections from ANYONE on the internet. This misconfiguration is extremely common. The developers just installed it and forgot to secure it.

The server

Redis runs as server-side software so its core functionality is in its server component. The server listens for connections from clients, programmatically or through the command-line interface.

The CLI

The command-line interface (CLI) is a powerful tool that gives you complete access to Redis’s data and its functionalities if you are developing a software or tool that needs to interact with it.

Database

The database is stored in the server's RAM to enable fast data access. Redis also writes the contents of the database to disk at varying intervals to persist it as a backup, in case of failure

redis-cli

To be able to interact remotely with the Redis server, we need to download the redis-cli utility using the following:

sudo apt install redis-tool

Alternatively, we can also connect to the Redis server using the netcat utility, but we will be using redis-cli in this write-up as it is more convenient to use.

P.S. The target was spawn more than once hence the article might have screenshots from different IP addresses in different networks but they represent the same target.

Check Hack the Box - Meow on how to connect to the VPN and spawn the machine.

TASK 1: Which TCP port is open on the machine? 6379

sudo nmap -p- -Pn <$IP> --min-rate 10000 -v
sudo nmap <$IP> -p- -sV
sudo nmap -p- <$IP>

TASK 2: Which service is running on the port that is open on the machine? redis
TASK 3: What type of database is Redis? Choose from the following options: (i) In-memory Database (ii) Traditional Database
TASK 4: Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments. redis-cli
TASK 5: Which flag is used with the Redis command-line utility to specify the hostname? -h

Connect to the redis-cli server :

redis-cli -h <$IP>

TASK 6: Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server? info

The keyspace section provides statistics on the main dictionary of each database. The statistics include the number of keys, and the number of keys with an expiration. In our case, under the Keyspace section, we can see that only one database exists with index 0.

TASK 7: What is the version of the Redis server being used on the target machine? 5.0.7

TASK 8: Which command is used to select the desired database in Redis? select

To select a database we can use select command

select 0

TASK 9: How many keys are present inside the database with index 0? 4

TASK 10: Which command is used to obtain all the keys in a database? *keys **

We can list all the keys present in the database using the command :

keys *

Submit Flag:
We can view the values stored for a corresponding key using the get command followed by the keynote. I used get flag to see the value of the key named flag. And Congratulations! We have successfully retrieved the flag value from the Redis database.

get <key>

On submitting it you will receive message as "Redeemer has been Pwned" and Challenge solved successfully.

Credits: HTB Official Write-up

Dear Gentle Reader feel free to reach out for queries and feedback.🥷

[Boost]

Adhishri Kothiyal — Wed, 27 Aug 2025 21:48:18 +0000

Adhishri Kothiyal

Aug 27 '25

Hack the box - Dancing (SMB)

#hackthebox #security #cybersecurity #computerscience

Comments

2 min read

Hack the box - Dancing (SMB)

Adhishri Kothiyal — Wed, 27 Aug 2025 20:39:38 +0000

I will cover solution steps of the “Dancing” machine, which is part of the ‘Starting Point’ labs and has a difficulty rating of ‘Very Easy’.

Refresh the page in browser to see the new connection and then we can activate the machine by clicking the ‘Spawn Machine’ button. The machine is now active and showing a target IP address

TASK 1: What does the 3-letter acronym SMB stand for? Server Message Block

TASK 2: What port does SMB use to operate at? 445

TASK 3: What is the service name for port 445 that came up in our Nmap scan? microsoft-ds

TASK 4: What is the 'flag' or 'switch' that we can use with the smbclient utility to 'list' the available shares on Dancing? -L

TASK 5: How many shares are there on Dancing? 4

TASK 6: What is the name of the share we are able to access in the end with a blank password? WorkShares

TASK 7:What is the command we can use within the SMB shell to download the files we find? get

Submit root Flag:
Let's run nmap to find the open ports using the following command:

nmap -sV -sC {IP Address}
nmap -sV -sC 10.129.4.215
or
nmaap -p 137,139,445 10.129.4.215 -A

Alright, so we've got ourselves a Windows box here with three ports open. After a bit of sleuthing, it turns out Port 445 is running SMB (version 3.1.1).

smbclient -L <IP>
smbclient -L 10.129.4.215

Using the -L flag with the smbclient command, like smbclient -L {IP Address}, gives us a sneak peek into the shares hanging out on our target machine. We've got four sharenames staring back at us. Time to crack them open and see what goodies they've got stashed away. Let's dive in and explore each one!

Let's see if we can access any of these shares using the below commands:

smbclient //10.129.4.215/Admin$
smbclient //10.129.4.215/C$
smbclient //10.129.4.215/IP$ 
smbclient //10.129.4.215/Workshares

We wear able to access Ip but it had no files and finally we were able to access Workshares without a password. Workshares has 2 directories. I accessed James.P and found a flags.txt file. I downlaoded the file using the get command:

get flag.txt

And there we get the flag! On submitting it you will receive message as "Dancing has been Pwned" and Challenge solved successfully.

> Gentle Reader feel free to reach out for queries and feedback. 🥷

Hack the Box — Meow (telnet)

Adhishri Kothiyal — Wed, 27 Aug 2025 19:48:45 +0000

I will cover solution steps of the “Meow” machine, which is part of the ‘Starting Point’ labs and has a difficulty rating of ‘Very Easy’.

Login to Hack the Box portal and navigate to Starting Point’s page, where you will be prompted to choose between a PWNBOX or an OVPN (i.e. OpenVPN) connection. A PWNBOX is a pre-configured, browser-based virtual machine and requires a HackTheBox VIP+ membership for unlimited access. I have used the OVPN method and Kali Linux through VMWare Workstation for this challenge.

Download the VPN (.ovpn) configuration file and open a terminal window and run below mentioned command.

sudo openvpn [path/to/filename].ovpn

Note: [filename] should be replaced with the name of your downloaded .ovpn file for the Starting Point lab.

You will see the Initialization Sequence Completed line at the end, which confirms we have now connected to the Meow machine.

Refresh the page in browser to see the new connection and then we can activate the machine by clicking the ‘Spawn Machine’ button. The machine is now active and showing a target IP address.

TASK 1: What does the acronym VM stand for?: Virtual Machine

TASK 2: What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell: Terminal

Task 3: What service do we use to form our VPN connection into HTB labs? : openvpn

Task4: What tool do we use to test our connection to the target with an ICMP echo request?: ping

Task5: What is the name of the most common tool for finding open ports on a target? : nmap

TASK 6: What service do we identify on port 23/tcp during our scans? : telnet

TASK 7: What username is able to log into the target over telnet with a blank password? root

Submit Flag:

To find the flag we’d run an nmap scan:

nmap -p- <IP> 
nmap -p- 10.129.77.62 
or 
nmap -v 10.129.77.62

We’d find port 23 open and now we’ll try to connect to telnet using below command:

telnet <IP> 
telnet 10.129.77.62

It asks for Meow Login. Let’s try:

username:root 
password: [just enter without entering any password]

Lastly run the below commands to check for existing files and to check its contents.

ls -al 
cat flag.txt

You will receive message as “Meow has been Pwned” and Challenge solved successfully.

Dear Reader feel free to reach out for queries and feedback.🥷

Tic-Tac-Toe: Python3

Adhishri Kothiyal — Mon, 16 Oct 2023 11:42:54 +0000

Hello Dev(s),

This is my first blog post of DEV and I am doing this as a part of my CS 101 course.

Lately I have been brushing up my coding skills. I haven't coded since past 6 years and all the concepts are very blurry right now. To start fresh I decided to take up a Codecademy learning path. I enrolled myself in Computer Science career path. The first part of the path's curriculum includes learning a language & its basics. I have invested my time so far in learning Python3. The last assignment of the first section is to build a terminal based game. The objectives of this project were:

Build a terminal program using Python
Add at least one interactive feature using input()
Use Git version control
Use the command line and file navigation
Write a technical blog post on the project

Thinking about what to build was kind of scary. Since I have never made any game before I was scared about few things like: from where will I begin, what the logic would be and how will I end. I decided to take one step at a time and not think much about the next. Gathering all the courage and lot of motivation from my lovely husband I decided to pick up something simple and a game who's rules I already knew hence Tic-tac-toe

Here's a rundown to my program:

First I printed down a small welcome message for the players. I also created a 1-D list (g_board) to store the markers (X or 0) or the empty blocks in the game board. Initial value of each item in list is " "

Then I created a function to print the board when a player makes a move. For players the blocks are numbered from 1-9 while in the program the g_board list is accessed from 0-8, thus while printing the player's choice I decreased 1 and then tried to access the game board. Every print statement is 1 row in the game board. Each block in the game board was accessed by g_board[block_number].

Next functions are:

To switch the player for turns and decide the marker symbol for each player. Player A marks on the board as X and Player B as 0 (which_playerNmarker()).
To take the choice input from each player in their respective turns (player_ip()). The input() function takes in an input as a string thus I am using int() function to change typer from string -> integer.
To check for empty strings in the game board (contains()). We need to check empty strings because if we have no empty blocks then it means the game board is full and if there is no winner then there is a tie.

Next was a function to check for win or tie (winORtie()) and last but not the least a loop to keep the game running until someone either wins or it's a tie. In the end the winner gets printed.

Logic for winORtie(): If the winner is none then the loop runs and checks 8 possible options for a player to win. If the marker is on the following blocks the player wins:
1, 2, 3
4, 5, 6
7, 8, 9
1, 4, 7
2, 5, 8
3, 6, 9
1, 5, 9
3, 5, 7
Lastly the function checks if there is no empty string and none of the above conditions were fulfilled then it's a tie.

(Note: This is the best I could think at that time and I was not sure if that was the best solution. For now I know 2 more logics that can be implemented but I haven't tried them personally. That's a task for some other day. I haven't implemented file system as well. Also I did realize that I need a way to determine if a particular block has been marked by the other player. In this program if Player B chooses a block already marked by Player A the program will rewrite the block with Player B's marker. This shouldn't happen. I haven't figured out how to solve that problem, so I'll probably improve my code down in the future.)

REFACTORING:

Later I refactored the winORtie() function to make it simpler and neater. The logic remains the same though.

Wanna see how it runs? ⚡️

Haha Fun eh? If you are still interested to look at my code then check out my GitHub repo here