Important notes

  • Target IP -> 10.129.45.206

For this last footprinting lab we have to find the HTB credentials. So let’s start by giving it the good old reliable nmap -sC -sV <ip>.

Imagem

Ok. So we have an e-mail server. Not very good since both require a user and a password. Let’s do a UDP scan of the 50 top ports.

Imagem

Nice! We have a SNMP service. Let’s run onesixyone to find the communities. Using the SNMP discovery list, we find a community called [backup].

Imagem

Let’s walk it with snmpwalk -v2c -c backup <ip> >> snmpwalk.txt. This way we can send the output of nmpwalk to a txt file for grepping.

Imagem

Analyzing the file, we see that there is a script that fail to alter the password of an user. This user is tom and his password is NMds732Js2761.

Imagem

SSH is no good.

Imagem

So let’s try the IMAP service.

Imagem

It worked! Let’s see what’s in here.

Imagem

Selecting INBOX and looking at the e-mails, we find a ssh key.

Imagem

Let’s copy it to our machine and change the permissions with chmod 600 key.

Imagem

And we’re in! Let’s cat /etc/passwd and look at the users.

Imagem

Look’s like we have a mysql on the system. Let’s connect to it.

Imagem

With the password we found early, we were able to connect to the mysql. Let’s enumerate it.

Imagem

Now, let’s find HTB and grab their credentials.

Imagem