# Lab - Hard

## Now Let’s Begin 🚀

## Lab - Hard

Initially, we'll conduct reconnaissance to detect open ports. This involves performing TCP and UDP port scans to identify all available open ports.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fob6ac7OlaFxvfaCrzWa1%2FScreenshot.png?alt=media&#x26;token=732d1336-fdde-47d7-8fcb-34a2c4929c41" alt=""><figcaption><p>TCP Port Scan</p></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FlGKPoatjA4dJassNCJ2Q%2FScreenshot(1).png?alt=media&#x26;token=69fa6bcd-679d-463a-a531-a0b8531dc653" alt=""><figcaption><p>UDP Port Scan</p></figcaption></figure>

Here are the open ports detected following a scan of TCP and UDP ports.

I attempted to experiment with the IMAP and POP3 services, but unfortunately encountered no success. Let's now investigate the UDP services to determine potential findings. UDP Port 161 is accessible, indicating the presence of an SNMP service.

**SNMP - Simple Network Management Protocol** is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...).

For footprinting SNMP, we can use tools like `snmpwalk`, `onesixtyone`, and `braa`. `Snmpwalk` is used to query the OIDs with their information. `Onesixtyone` can be used to brute-force the names of the community strings since they can be named arbitrarily by the administrator. Since these community strings can be bound to any source, identifying the existing community strings can take quite some time.

I attempted to utilize snmpwalk, but encountered no response.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FjU7PiC8XwXJ23lYlyUM4%2FScreenshot(2).png?alt=media&#x26;token=91c99f78-a30a-4258-8cf8-4396116ab789" alt=""><figcaption></figcaption></figure>

Now I don't know the community string, so I used the **`onesixtyone`** tool and **`SecLists`** wordlists to identify these community strings.

In order to access the information saved in the **MIB**, you need to know the community string on versions 1 and 2/2c, and the credentials on version 3.

There are 2 types of community strings:

* **`public`**: mainly **read-only** functions
* **`private`**: **read/write** in general
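From the hardening side, here is an added Python example (not part of the write-up or of any tool it uses) that audits `snmpd.conf` community lines for exactly the weaknesses this section describes: the default `public`/`private` names, write access, and acceptance from any source address. The two config fragments are constructed, and the `monitor` v3 user, the `sysonly` view and the length threshold are assumptions.

```python
# Constructed snmpd.conf fragments (not from the lab): the weak one uses the
# default community names the write-up mentions; the hardened one is v3-only.
WEAK_CONF = """\
rocommunity public
rwcommunity private
"""
HARDENED_CONF = """\
view sysonly included .1.3.6.1.2.1.1
rouser monitor priv -V sysonly
"""
# Names that wordlists such as SecLists try first; anything shorter than 8
# characters is treated as guessable too (assumed threshold).
DEFAULT_NAMES = {"public", "private", "manager", "community", "snmp"}
COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

def audit_snmpd(conf):
    """Return (severity, line, reason) findings for every v1/v2c community
    definition; v3 'rouser'/'rwuser' lines are not community-based and pass."""
    findings = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        parts = line.split()
        if not parts or parts[0].lower() not in COMMUNITY_DIRECTIVES:
            continue
        directive = parts[0].lower()
        community = parts[1] if len(parts) > 1 else ""
        # optional third field is the allowed source; "-V" means a view follows instead
        source = parts[2] if len(parts) > 2 and parts[2] != "-V" else "default"
        if directive.startswith("rw"):
            findings.append(("HIGH", line, "read/write community allows configuration changes"))
        if community.lower() in DEFAULT_NAMES or len(community) < 8:
            findings.append(("HIGH", line, "default or short community name, trivially guessed"))
        if source in ("default", "0.0.0.0/0", "::/0"):
            findings.append(("MEDIUM", line, "community accepted from any source address"))
    return findings

def v1v2c_enabled(conf):
    """True when any community line is present, i.e. plaintext SNMP v1/v2c is on."""
    return any(l.strip().lower().startswith(COMMUNITY_DIRECTIVES) for l in conf.splitlines())

if __name__ == "__main__":
    for finding in audit_snmpd(WEAK_CONF):
        print(*finding, sep=" | ")
```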

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FtMkr7OThxBa9QTwtuX1s%2FScreenshot(3).png?alt=media&#x26;token=8938c076-dfa1-47bc-a72b-606708b512d3" alt=""><figcaption></figcaption></figure>

I discovered a community string, which is enclosed within the brackets []. Let's utilize this community string with the braa tool to explore the available information.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fz8HTJqceRqTgXkNG0jOc%2FScreenshot(4).png?alt=media&#x26;token=e89e1f8c-e834-4a37-ada5-0c8d0970d81f" alt=""><figcaption></figcaption></figure>

After employing Braa with the discovered community string, I obtained credentials for a user named 'Tom'. Let's attempt to utilize these credentials with IMAP to ascertain the available data.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FM3nqvIZvM6D53IhFdtwQ%2FScreenshot(5).png?alt=media&#x26;token=ec55c572-1a0f-49dc-9ae9-cddfa7a36b48" alt=""><figcaption></figcaption></figure>

Here's what I've accomplished:

1. Logged in with the command **`LOGIN username password`**
2. Listed all directories using **`LIST "" *`**
3. Selected the 'INBOX' mailbox with **`SELECT "INBOX"`**
4. Checked for available messages with **`1 STATUS INBOX (MESSAGES)`** and found one
5. Retrieved the entire message with **`1 FETCH 1 all`**
6. Obtained the message content using **`1 FETCH 1 BODY[]`**
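
The six IMAP steps above as one scripted exchange, added here as an example rather than taken from the write-up: a tiny client sends each tagged command and a canned server answers, so the reply format of LOGIN, LIST, SELECT, STATUS and FETCH (and the NO/BAD refusals on a wrong password or a command before login) can be seen offline. The user, password, folder names and message body are constructed placeholders.

```python
import re
# Constructed canned replies (not the lab's real server); "{tag}" is swapped for the
# client's tag. {38} is the octet count of the three CRLF-terminated body lines.
SCRIPT = {
    "LOGIN": ["{tag} OK LOGIN completed"],
    "LIST": ['* LIST (\\HasNoChildren) "." "INBOX"',
             '* LIST (\\HasNoChildren) "." "Sent"', "{tag} OK LIST completed"],
    "SELECT": ["* 1 EXISTS", "* 0 RECENT", "{tag} OK [READ-WRITE] SELECT completed"],
    "STATUS": ["* STATUS INBOX (MESSAGES 1)", "{tag} OK STATUS completed"],
    "FETCH": ["* 1 FETCH (BODY[] {38}", "Subject: hi", "", "placeholder body text", ")",
              "{tag} OK FETCH completed"],
}

class ScriptedImapServer:
    """Server side: checks the LOGIN password, rejects anything else before
    authentication with BAD, otherwise answers from SCRIPT."""
    def __init__(self, script, password):
        self.script, self.password, self.authed = script, password, False
    def exchange(self, line):
        tag, verb, *args = line.split()
        if verb == "LOGIN":
            if args[-1] != self.password:
                return [f"{tag} NO [AUTHENTICATIONFAILED] Authentication failed"]
            self.authed = True
        elif not self.authed:
            return [f"{tag} BAD Command received in invalid state"]
        return [l.replace("{tag}", tag) for l in self.script[verb]]

class ImapClient:
    """Client side: tags every command, returns the untagged data lines and
    raises when the tagged completion line is not OK."""
    def __init__(self, server):
        self.server, self.n = server, 0
    def command(self, verb, *args):
        self.n += 1
        tag = f"A{self.n}"
        lines = self.server.exchange(" ".join((tag, verb, *args)))
        if lines[-1].split(" ", 2)[1] != "OK":          # OK / NO / BAD
            raise RuntimeError(f"{verb} failed: {lines[-1]}")
        return lines[:-1]

def read_inbox(server, user, password):
    # The write-up's sequence: LOGIN, LIST "" *, SELECT INBOX, STATUS, FETCH 1 BODY[]
    c = ImapClient(server)
    c.command("LOGIN", user, password)
    folders = [l.rsplit(" ", 1)[1].strip('"') for l in c.command("LIST", '""', "*")]
    c.command("SELECT", '"INBOX"')
    count = int(re.search(r"MESSAGES (\d+)", c.command("STATUS", "INBOX", "(MESSAGES)")[0]).group(1))
    body = c.command("FETCH", "1", "BODY[]")[1:-1] if count else []   # strip the FETCH/")" framing
    return {"folders": folders, "messages": count, "body": "\r\n".join(body)}
```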

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F2EawNKkgIMAfrutoD5XX%2FScreenshot(7).png?alt=media&#x26;token=f1dfd5c1-83e3-496e-aff3-19e411a09e99" alt=""><figcaption></figcaption></figure>

I discovered a private key associated with the user 'Tom' in the message. Let's attempt to SSH using this key.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FoEbJp7sab74th8Ix15ox%2FScreenshot(8).png?alt=media&#x26;token=18a8d80c-82e9-42c0-ba88-12e73aa9b843" alt=""><figcaption></figcaption></figure>

I saved the private key as `id_rsa` and adjusted its permissions before using SSH to gain access to the target.

After conducting enumeration, I compiled a list of all files within the current directory belonging to the user 'tom'. Subsequently, I examined the `.bash_history` file and discovered the presence of a MySQL command within it.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F9dN0f3kIj1LBx8Dr51h0%2FScreenshot(9).png?alt=media&#x26;token=00cb93a5-417b-4438-9859-ef672490143c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FkI4h9VuoI8pEv2Tz7kK1%2FScreenshot(10).png?alt=media&#x26;token=651ca57c-7359-47ec-8df9-e16271cfbe8e" alt=""><figcaption></figcaption></figure>

Let's attempt to access MySQL by entering the command **`mysql -u tom -p`**, utilizing the previously discovered password for the user 'Tom'.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FHDtf45m5CNBQBTHn92Wj%2FScreenshot(11).png?alt=media&#x26;token=c04be76f-ede2-4288-99c7-728a75c432e8" alt=""><figcaption></figcaption></figure>

Upon logging in, I discovered a database named **`users`** containing a table labeled as such. I proceeded to extract a comprehensive list of all columns within the **`users`** table, ultimately obtaining the password associated with the **`HTB`** user.

We have successfully completed the lab. Thank you for taking the time to read this write-up; your attention is greatly appreciated.
