SMTP is a transfer protocol whereas POP3 and IMAP are message retrieval protocols. Think about the purpose of each and which one could be used to view email messages.
Thanks Jlug. got there in the end 
1 Like
Check “Footprinting IMAP/POP3” module. It will help a lot. And of course, you have to retrieve a mail for the flag so think about the correct protocol.
any hint stuck in finding password
Hint from @pnebot is the one. Use the wordlist from the resources. If you still dont get, increase the timeout(atleast more than 40)
i got the username m**** and password p****** but when i try to login i get authentication error can someone help me
ps: login on pop3 instead of smtp (learnt this the hard way after wasting 2 hours GG)
So I found that after about 30 minutes, for whatever reason, the email services on the target stop. So ports 25, 110, 143, and 587 are no longer available after some time. If you’re having issues brute forcing the target, terminate the target box and launch it again. Brute force immediately and you should come up with finding the password.
4 Likes
The user name is marlin@inlanefreight.htb instead of marlin.
hydra -l marlin@inlanefreight.htb -P HTB/pws.list pop3://10.129.203.12 -t 10
2 Likes
I’m stuck… I have a creds and access to smtp and imap, but can’t find flag… Any ideas?
Hey there,
i have a issues with the smtp-user-enum Tool. I’m not sure where i should place the port.
But the commands here and the --help show it should work.
Thanks for the help!
the port option must be -u so u can try -u 25
1 Like
since telnet gets stuck I found the answer to question other way 
but want to understand why its hanging until disc, meaning what am I doing wrong?
└─$ sudo telnet -l red@cted 10.129.78.32 110
Trying 10.129.78.32…
Connected to 10.129.78.32.
Escape character is ‘^]’.
+OK POP3
^C^CConnection closed by foreign host.
(cancel doesn’t work?)
so I ain’t got next step asking for password…
can someone DM me with the correct telnet command or explanation here what is wrong?
thank you
I’m moving on anyway since I can’t lose time on this. good luck! 
Any reason why when running Hydra to find the password of the known username that it only gives a max of two tries then ends? This happens for both all services that are available to brute force so it’s not just pop3 or imap. I have increased the timeout value and increased the number of parallel tasks but it still just stops working. I have tried both the provided password list and the rockyou.txt wordlist but the same results. Spawned multiple targets as well. I can’t move onto the next part of this task to answer the question if I can’t find the password for this user I found.
[DATA] max 2 tasks per 1 server, overall 2 tasks, 2 login tries (l:2/p:1), ~1 try per task
Took me a while
- smtp-user enum to get username
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7 - **Restart target machine, I don’t know why but just to make sure it works’
- hydra -l marlin@inlanefreight.htb -P HTB/pws.list pop3://10.129.203.12 -t 10
- telnet 10.129.216…254 110 ← use pop3 NOT smtp
- USER **** pass***
- LIST
- RETR 1
4 Likes
Yeah, i had this problem, thank you! You saved me a lot of time!
So, on the first question did you guys submit the username m***** or the email? I tried both, but it says it is incorrect. Tryed to connect to the POP3 or the SMTP to get another user but without success. What am I doing wrong?