Skip to content

Footprinting Lab - Easy

ℹ️ Informations

Question

Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.

📋 Walkthrough

Start with a simple enumeration. 

nmap -p- --min-rate=10000 10.129.241.181

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
2121/tcp open  ccproxy-ftp
Now We can do a script scan on that ports 
nmap -p21,22,53,2121 -sCV 10.129.241.181

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp?
22/tcp   open  ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
|   256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_  256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
53/tcp   open  domain       ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.16.1-Ubuntu
2121/tcp open  ccproxy-ftp?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There are two ftp services, on port 21 and 2121 We can try to login on ftp using provided credentials ceil:qwer1234 
ftp ceil@10.129.241.181

Connected to 10.129.241.181.
220 ProFTPD Server (ftp.int.inlanefreight.htb) [10.129.241.181]
331 Password required for ceil
Password: 
230 User ceil logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||56097|)
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp>
We can see that ftp is in passive mode. We can turn off it writing passive off but seems the folder is empty. Try with the other service on port 2121. On that ftp folder, we can see that there's a .ssh folder owned by ceil. We can get his key to login using ssh

ssh -i id_rsa ceil@10.129.241.181
Flag is in a directory on the file-system.

Answer

HTB{*******************************************************}