Attacking Common Services - Attacking Email Services (SMTP)

PhiLight · June 10, 2022, 8:56am

I’m trying to answer the second question: “Access the email account using the user credentials that you discovered and submit the flag in the email as your answer.”

I discovered the user m*****, then tried to bruteforce the password using the provided list and rockyou.txt. Nothing worked. I’m not sure what I’m missing.

discovolante · June 10, 2022, 9:29am

Well done finding the user. Think about how you log into your mail service. Do you just use the username or do you need to complete your username with something?

PhiLight · June 10, 2022, 2:20pm

Thank you. Got it

Submarine · November 23, 2022, 5:20pm

Any advice on finding the user for the first question? Things I’ve tried:

Using the smtp-user-enum script with the provided user and password list from resources turns up no usernames since authentication is required.
Password spraying the RDP and MSSQL services with hyrda. Hydra tends to have false positives when attacking RDP as the user names and passwords it finds don’t work.
I made a telnet connection to the POP3 and SMTP services, however it appears that authentication is needed for both to enumerate users with VRFY

I’ve been stuck on this one for several hours now.

flawd · January 10, 2023, 2:37am

how did you login into his email account? is there a web interface somewhere, not seeing it.

flawd · January 10, 2023, 3:41am

nvm, got it.

cmarrod · January 24, 2023, 5:59pm

I`m stuck here… got user and password but in the telnet session I get no emails

Oneey · January 24, 2023, 11:04pm

Try to find it using the openssl command and loggin in there, telnet will just give you the banner

cmarrod · January 25, 2023, 10:18am

Thank! I got it I was trying through the wrong port!

Neverakswhy · January 30, 2023, 8:40am

Finally

first enumerate for user
find users password ( use full username for brute )
we have user and pass
post exploitation : Use Evolu** email clint if you unable to give commands

pr0ximity · March 3, 2023, 11:08am

The ‘full username’ is a very helpful note. Thanks!

emdeh · March 13, 2023, 10:43pm

I’m still stuck on the last question. I tried to brute force imap and pop3 using the full username and pw lists, thinking it might reveal another password for a different user that I could reuse but I get nothing. Can something give me a hint on how to find the pw?

Edit: I got it. I tried again on my VM instead of the pwnbox and it worked. didn’t need to use the full username list either.

llamatoe · April 11, 2023, 8:28am

I had an issue where the machine I spawned only had SQL servers open. Not sure why,… but of course running anything the email ports gave me no results. I had to reset the machine, then I was given a machine with the correct ports open.

Oddly enough, I was still able to enumerate the email username from the machine that had SQL ports open.

veepn · May 25, 2023, 3:14pm

Im attempting to brute force using the ‘m*****@inlanefreight.htb’ using both SMTP and POP3 with both the password list provided and rock you and both will not work. Any ideas?

veepn · May 25, 2023, 3:34pm

wow same here, wasted 2 hours. Love spending money to learn when the issues end up being on HTB. Worthless

veepn · May 28, 2023, 2:43pm

Issue was with HTB, not wordlist

veepn · May 28, 2023, 8:01pm

Sweet, that was not my issue lol - maybe read what I said again. Nothing to do with wordlists.

pnebot · August 3, 2023, 8:28pm

smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t 10.129.132.243

johny · September 19, 2023, 4:56pm

I have the credentials but im struggling to obtain the flag. Can anyone point me in the right direction. Thanks

jlug331221 · September 21, 2023, 8:35pm

Think about how to login to the server and which protocol to use. Hint: telnet is your friend here. I had to google that part and which commands to use. Hope this helps!