Lab - Hard
Hello everyone, today we're diving into the Hard-level Footprinting Walkthrough lab in the HTB Academy Penetration Testing Course. Our goal? Obtain the password for the user "HTB."
Initially, we'll conduct reconnaissance to detect open ports. This involves performing TCP and UDP port scans to identify all available open ports.
Here are the open ports detected following a scan of TCP and UDP ports.
I attempted to experiment with the IMAP and POP3 services, but unfortunately encountered no success. Let's now investigate the UDP services to determine potential findings. UDP Port 161 is accessible, indicating the presence of an SNMP service.
SNMP (Simple Network Management Protocol) is a protocol used to monitor different devices on the network (routers, switches, printers, IoT devices, and so on).
For footprinting SNMP, we can use tools like snmpwalk, onesixtyone, and braa. Snmpwalk is used to query the OIDs and the information behind them. Onesixtyone can be used to brute-force the names of the community strings, since they can be named arbitrarily by the administrator. Since these community strings can be bound to any source, identifying the existing community strings can take quite some time.
I attempted to use snmpwalk, but got no response.
Since I didn't know the community string, I used the onesixtyone tool together with SecLists wordlists to identify it.
In order to access the information saved in the MIB, you need to know the community string on versions 1 and 2/2c, or the credentials on version 3.
There are two types of community strings:
public: mainly read-only functions
private: read/write in general
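The two points above (community strings act as the only "credential" on SNMP v1/v2c, and "public"/"private" are the defaults every wordlist tries first) are exactly what an administrator should check in their own snmpd.conf. The following audit script is an added example written for this write-up; it is not part of the lab or the HTB material. It parses the net-snmp `rocommunity`, `rwcommunity` and `com2sec` directives and flags default community names, write access, and communities bound to any source. The configuration fragment is constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed net-snmp style configuration fragment for illustration only;
# it is not the lab host's configuration.
SAMPLE_SNMPD_CONF = """\
# hypothetical snmpd.conf
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity  s3cr3t-ro  192.168.1.0/24
com2sec readonly  default  public
sysLocation Server room
"""

# Community names every wordlist tries first.
DEFAULT_COMMUNITIES = {"public", "private"}

# rocommunity/rwcommunity COMMUNITY [SOURCE [OID]]  and  com2sec NAME SOURCE COMMUNITY
DIRECTIVE_RE = re.compile(
    r"^\s*(rocommunity|rwcommunity|com2sec)\s+(\S+)(?:\s+(\S+))?(?:\s+(\S+))?",
    re.IGNORECASE,
)


def audit_snmpd_conf(text: str) -> List[Dict[str, object]]:
    """Return one finding per community definition that looks weak."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive = m.group(1).lower()
        if directive == "com2sec":
            # com2sec NAME SOURCE COMMUNITY: read/write access is granted by
            # later group/access lines, so only name and source are judged here.
            access = "com2sec"
            source = m.group(3) or "default"
            community = m.group(4)
        else:
            access = "rw" if directive == "rwcommunity" else "ro"
            community = m.group(2)
            source = m.group(3) or "default"  # no source means any host
        if community is None:
            continue
        issues = []
        if community.lower() in DEFAULT_COMMUNITIES:
            issues.append("default-community-name")
        if access == "rw":
            issues.append("write-access")
        if source == "default":  # net-snmp's "default" source matches every address
            issues.append("any-source")
        if issues:
            findings.append({"line": lineno, "community": community,
                             "access": access, "source": source, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {f['line']}: {f['access']} community {f['community']!r} "
              f"from {f['source']}: {', '.join(f['issues'])}")
```

Run it against a real snmpd.conf by reading the file into `audit_snmpd_conf`; any hit on "default-community-name" or "any-source" is the condition that let onesixtyone and braa succeed in this lab, and the fix is a non-dictionary community restricted to a management subnet (or SNMPv3 with authentication).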
I discovered a community string, which is enclosed within the brackets []. Let's utilize this community string with the braa tool to explore the available information.
After using braa with the discovered community string, I obtained credentials for a user named 'Tom'. Let's try these credentials against IMAP to see what data is available.
Here's what I've accomplished:
Logged in with the command LOGIN username password
Listed all directories using LIST "" *
Selected the 'INBOX' mailbox with SELECT "INBOX"
Checked for available messages with 1 STATUS INBOX (MESSAGES) and found one
Retrieved the entire message with 1 FETCH 1 all
Obtained the message content using 1 FETCH 1 BODY[]
I discovered a private key associated with the user 'Tom' in the message. Let's attempt to SSH using this key.
I saved the private key as id_rsa and adjusted its permissions before using SSH to gain access to the target.
After conducting enumeration, I compiled a list of all files within the current directory belonging to the user 'tom'. I then examined the .bash_history file and discovered a MySQL command in it.
Let's attempt to access MySQL with the command mysql -u tom -p, using the previously discovered password for the user 'Tom'.
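The .bash_history step above is worth generalising from the defender's side: shell history is a common place for credentials to end up, either glued to a flag (mysql -pSECRET), in a --password= option, in an exported environment variable, or in a user:password argument. The scanner below is an added example written for this write-up, not part of the lab; it flags such lines in a history file while treating a bare mysql -p (which prompts interactively) as safe. The history content is constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed shell history for illustration; not the lab host's file.
SAMPLE_HISTORY = """\
ls -la
mysql -u tom -p
mysql -u tom -pS3cretPass users
mysql --user=tom --password=AnotherOne -e 'select 1'
export DB_PASSWORD=hunter2
curl -u admin:adm1n http://intranet.example/api
ssh -i ~/.ssh/id_rsa tom@host
"""

# Generic patterns; the first capture group is the secret.
PATTERNS = [
    ("password-flag", re.compile(r"--password=(\S+)")),
    ("env-assignment", re.compile(
        r"(?:^|\s)(?:export\s+)?\w*(?:PASS|SECRET|TOKEN)\w*=(\S+)", re.IGNORECASE)),
    ("user-colon-password", re.compile(r"\s-u\s+[^\s:]+:(\S+)")),
]


def mysql_inline_password(line: str) -> Optional[str]:
    """mysql -pSECRET leaks the password into history; a bare -p prompts instead."""
    tokens = line.split()
    if not tokens or not tokens[0].startswith("mysql"):
        return None
    for tok in tokens[1:]:
        if tok.startswith("-p") and not tok.startswith("--") and len(tok) > 2:
            return tok[2:]
    return None


def redact(secret: str) -> str:
    """Keep one character so a finding can be matched to the line, never the whole value."""
    return secret[:1] + "***"


def scan_history(text: str) -> List[Dict[str, object]]:
    """Return one finding per history line that carries an inline credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kind, secret = None, None
        inline = mysql_inline_password(line)
        if inline:
            kind, secret = "mysql-inline-password", inline
        else:
            for name, pat in PATTERNS:
                m = pat.search(line)
                if m:
                    kind, secret = name, m.group(1)
                    break
        if kind:
            findings.append({"line": lineno, "command": line.split()[0],
                             "kind": kind, "secret": redact(secret)})
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['command']} ({f['kind']}) secret={f['secret']}")
```

Pointing `scan_history` at each user's ~/.bash_history (and at ~/.mysql_history, which stores typed SQL) is a cheap periodic check; any hit means the credential should be rotated and the line removed, and interactive prompting or a credentials file with restrictive permissions used instead.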
Upon logging in, I discovered a database named users containing a table of the same name. I extracted a list of all columns within the users table and obtained the password associated with the HTB user.
We have successfully completed the lab. Thank you for taking the time to read this write-up; your attention is greatly appreciated.