FTP
Which version of the FTP server is running on the target system? Submit the entire banner as the answer.
We’ll start by scanning the target.

When we connect to the server, we get the banner:

InFreight FTP v1.1
Enumerate the FTP server and find the flag.txt file. Submit the contents of it as the answer.
Our first try will be with the anonymous user and an anonymous password. And we got it 😀
Let’s see what is in this folder and download the flag.txt file.

After that, we just need to view the content on our machine.

HTB{b7skjr4c76zhsds7fzhd4k3ujg7nhdjre}
SMB
What version of the SMB server is running on the target system? Submit the entire banner as the answer.
First we want to scan the server

Samba smbd 4.6.2
What is the name of the accessible share on the target?
Now we can execute smbclient with no password
smbclient -L //10.129.80.140

sambashare
Connect to the discovered share and find the flag.txt file. Submit the contents as the answer.
Now we connect to the share that we discovered in the previous exercise, list the contents of the folder and get the file.

On our machine, we just need to read it.

HTB{o873nz4xdo873n4zo873zn4fksuhldsf}
Find out which domain the server belongs to.
We can use enum4linux to see the domain.

DEVOPS
Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer.
We can see this information by listing all shares of the SMB server.

What is the full system path of that specific share? (format: “/directory/names”)
/home/sambauser
NFS
Enumerate the NFS service and submit the contents of the flag.txt in the “nfs” share as the answer.
We will use showmount to see the mounts in NFS.

Let’s mount them


HTB{hjglmvtkjhlkfuhgi734zthrie7rjmdze}
Enumerate the NFS service and submit the contents of the flag.txt in the “nfsshare” share as the answer.
HTB{8o7435zhtuih7fztdrzuhdhkfjcn7ghi4357ndcthzuc7rtfghu34}
DNS
Interact with the target DNS using its IP address and enumerate the FQDN of it for the “inlanefreight.htb” domain.

ns.inlanefreight.htb
Identify if its possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{…})
You have to try axfr against every DNS server you find in your digs.


HTB{DN5_z0N3_7r4N5F3r_iskdufhcnlu34}
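From the defending side, an open zone transfer is closed by restricting allow-transfer on every authoritative zone, including child zones that override a safe global setting. The following check is an added example, not part of the original walkthrough; it assumes a BIND-style named.conf, and the zone names, address and key name in the sample are constructed.

```python
import re

# Constructed sample named.conf (BIND syntax); zone names, IP and key are made up.
SAMPLE = '''
options {
    directory "/var/cache/bind";
    allow-transfer { none; };          // safe global setting
};
zone "corp.example" { type master; file "db.corp"; };
zone "dev.corp.example" {
    type master; file "db.dev";
    allow-transfer { any; };           # per-zone override reopens AXFR
};
zone "int.corp.example" {
    type primary; file "db.int";
    allow-transfer { 10.0.5.53; key "xfer-key"; };
};
'''

BLOCK = r'\{((?:[^{}]|\{[^{}]*\})*)\}\s*;'      # body with one nesting level
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{;]*' + BLOCK)
OPTIONS_RE = re.compile(r'options\s*' + BLOCK)
XFER_RE = re.compile(r'allow-transfer\s*\{([^{}]*)\}')

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def transfer_acl(block):
    """Return the allow-transfer entries in a block, or None if it has none."""
    m = XFER_RE.search(block)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit_transfers(conf_text):
    """Map each authoritative zone to 'open', 'restricted' or 'unset'."""
    text = strip_comments(conf_text)
    opts = OPTIONS_RE.search(text)
    global_acl = transfer_acl(opts.group(1)) if opts else None
    report = {}
    for name, body in ZONE_RE.findall(text):
        if not re.search(r'type\s+(master|primary|slave|secondary)\s*;', body):
            continue                     # forward, hint and stub zones are skipped
        acl = transfer_acl(body)
        effective = global_acl if acl is None else acl   # zone overrides options
        report[name] = ('unset' if effective is None     # relies on built-in default
                        else 'open' if 'any' in effective else 'restricted')
    return report

print(audit_transfers(SAMPLE))
```

A zone reported as unset depends on the server's built-in default, so setting the ACL explicitly is the safer configuration.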
What is the IPv4 address of the hostname DC1?

10.129.34.16
What is the FQDN of the host where the last octet ends with “x.x.x.203”?
This one takes a bit of trial and error with the tool dnsenum. We need to enumerate the correct subdomain and use the right wordlist. The proper command is:
dnsenum --dnsserver 10.129.212.31 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt dev.inlanefreight.htb

win2k.dev.inlanefreight.htb
SMTP
Enumerate the SMTP service and submit the banner, including its version as the answer.


InFreight ESMTP v2.11
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
Use the footprinting-wordlist.txt provided under Resources:
smtp-user-enum -t 10.129.212.31 -w 15 -U footprinting-wordlist.txt -v

robin
IMAP / POP3
Figure out the exact organization name from the IMAP/POP3 service and submit it as the answer.

InlaneFreight Ltd
What is the FQDN that the IMAP and POP3 servers are assigned to?

dev.inlanefreight.htb
Enumerate the IMAP service and submit the flag as the answer. (Format: HTB{…})


HTB{roncfbw7iszerd7shni7jr2343zhrj}
What is the customized version of the POP3 server?


InFreight POP3 v9.188
What is the admin email address?
Let’s log in using robin:robin as provided. I use the Evolution tool.
- openssl s_client -connect <ip>:imaps
- 1 LOGIN robin robin
- 1 LIST "" *
- 1 SELECT DEV.DEPARTMENT.INT
- 1 fetch 1 all
- I had to analyse the stuff, but fortunately was able to figure out
- …admin@in…htb

devadmin@inlanefreight.htb
Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{…})
1 FETCH 1 BODY[TEXT]

HTB{983uzn8jmfgpd8jmof8c34n7zio}
SNMP
Enumerate the SNMP service and obtain the email address of the admin. Submit it as the answer.

devadmin@inlanefreight.htb
What is the customized version of the SNMP server?

InFreight SNMP v0.91
Enumerate the custom script that is running on the system and submit its output as the answer.


HTB{5nMp_fl4g_uidhfljnsldiuhbfsdij44738b2u763g}
MySQL
Enumerate the MySQL server and determine the version in use. (Format: MySQL X.X.XX)

MySQL 8.0.27
During our penetration test, we found weak credentials “robin:robin”. We should try these against the MySQL server. What is the email address of the customer “Otto Lang”?





MSSQL
Enumerate the target using the concepts taught in this section. List the hostname of MSSQL server.
This command runs for several minutes, but the answer is under the ms-sql-ntlm-info script.

ILF-SQL-01
Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.

Employees
Oracle TNS
Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.
E066D214D5421CCC
IPMI
What username is configured for accessing the host via IPMI?
Let’s use msfconsole to scan the server.


admin
What is the account’s cleartext password?
To crack the hash from the previous step, we can use Hashcat. For this, copy the hash above into a file and execute the command below:
hashcat -m 7300 hash -a 0 /usr/share/wordlists/rockyou.txt --username

trinity
Footprinting Lab – Easy
Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.
Start with a simple enumeration.

Now we can do a script scan on those ports.

There are two ftp services, on ports 21 and 2121. We can try to log in to ftp using the provided credentials ceil:qwer1234.

We can see that ftp is in passive mode. We can turn it off by typing passive off, but the folder seems to be empty. Try the other service on port 2121. In that ftp folder, we can see that there’s a .ssh folder owned by ceil. We can download his key with the get command and use it to log in over ssh.

After logging in over ssh, find the file and get its content.

HTB{7nrzise7hednrxihskjed7nzrgkweunj47zngrhdbkjhgdfbjkc7hgj}
Footprinting Lab – Medium
Enumerate the server carefully and find the username “HTB” and its password. Then, submit this user’s password as the answer.
Let’s start with a fast scan

It seems to be a Windows server with an smb server on port 445. Now start a script scan.

There are some http services. On both ports it gave me 404 Not Found. I run a directory scan using ffuf. Meanwhile, let’s see if the nfs service is hiding something.

Let’s mount it

Enter this directory and search for the file with a size greater than 0.


Checking the content folder, we can see a lot of tickets; one of them hides some credentials.

Try these credentials with xfreerdp. There’s a Microsoft SQL Server Management. We can try the same credentials, with no luck. On the filesystem there’s a file named important.txt that reveals some credentials.



Close and reopen xfreerdp, now using the password that you found, as the Administrator user.

Try them on MSSQL. No luck, maybe it is the admin password? Got it! We can see a table dbo.devsacc that seems to store some users’ credentials. HTB is hiding here.

lnch7ehrdn43i7AoqVPK4zWR
Footprinting Lab – Hard
Enumerate the server carefully and find the username “HTB” and its password. Then, submit HTB’s password as the answer.
Start with a fast scan and a script scan with nmap.

Since we can’t do much with these services, maybe something is hiding on other protocols. Let’s try a udp scan.

We can try snmpwalk with the public community, but no luck. We could enumerate with a community wordlist, but the challenge description says that this is a backup server. Maybe the community is backup? Yes! We can find credentials:

tom:NMds732Js2761
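The weakness used here, and in the SNMP section's custom-script question, is a guessable community string guarding sensitive agent output. The audit below is an added example, not part of the original walkthrough; it assumes a Net-SNMP style snmpd.conf and that script output is published through directives such as extend. The sample file and the guess list are constructed.

```python
# Constructed snmpd.conf sample (Net-SNMP syntax); values are made up.
SAMPLE = """\
# monitoring agent on the backup host
rocommunity public 127.0.0.1
rocommunity backup
rwcommunity Zq8-vT2m-kP0x 10.0.5.0/24
com2sec -Cn ctx1 monitorUser default private
extend status /usr/local/bin/status.sh
"""

# Illustrative guess list: vendor defaults plus words describing the host's role.
GUESSABLE = {"public", "private", "backup", "admin", "manager", "monitor", "snmp"}
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
SCRIPT_DIRECTIVES = {"extend", "exec", "pass", "pass_persist"}

def check_community(no, community, source, findings):
    if community.lower() in GUESSABLE or len(community) < 8:
        findings.append((no, "guessable-community", community))
    if source in OPEN_SOURCES:
        findings.append((no, "unrestricted-source", source))

def audit_snmpd(conf_text):
    """Return (line_no, code, detail) findings for risky snmpd.conf lines."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        directive, args = tok[0].lower(), tok[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            # rocommunity COMMUNITY [SOURCE ...]; a missing SOURCE means any host
            source = args[1] if len(args) > 1 else "default"
            check_community(no, args[0], source, findings)
            if directive.startswith("rw"):
                findings.append((no, "write-access", args[0]))
        elif directive == "com2sec":
            if args[:1] == ["-Cn"]:          # optional context prefix
                args = args[2:]
            if len(args) >= 3:               # SECNAME SOURCE COMMUNITY
                check_community(no, args[2], args[1], findings)
        elif directive in SCRIPT_DIRECTIVES and args:
            # output of these commands is readable by anyone holding the community
            findings.append((no, "script-exposed", " ".join(args)))
    return findings

for finding in audit_snmpd(SAMPLE):
    print(finding)
```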
Are they for ssh? No, user tom can’t log in using ssh. Try to log in to imap using telnet. In the email we can find an ssh private key.

We can use it to log in. We are in! I notice that .bash_history has some information. There’s a command.

Try using the same credentials as for imap; it works!




cr3n4o7rzse7rzhnckhssncif7ds