Maybe you have to wait or restart the lab to be able to use the last 2 services.
I can’t figure out how to enumerate the ftp service for more information. I found the p21xx but nothing seems to work. Neither does looking for users. I already read that simon is a possible user but I couldn’t get a password for it, neither in pop3 nor ftp… Could someone point me in some direction, maybe in a direct message or something? I can’t figure it out…
If you use the dns service to enum the domain (axfr transfer) there’s a huge hint that the machine has a hidden service and therefore you should scan non-standard ports with nmap -p-:
int-ftp.inlanefreight.htb. 604800 IN A 127.0.0.1
I found that hint was cool, instead of starting with a blind -p- scan which would be blocked by many firewalls. Too bad the instance has to be restarted a couple of times to show the additional ports.
Respawn the machine a bunch of times, you should see another service with nmap -p-…
I was also stuck for more than 2 days.
Here is what I learned…
- Don’t panic
- Scan all ports (must be 6)
- Know the service running
- Try the default password
- You will get a file
- Use the file and the name for further enum.
Hint: Pay close attention to the result of your nmap scan, especially after identifying all the ports (not just default ones), and read carefully the result of the parameter -sC before you continue.
The nmap -p- scan has been running for about an hour and is at 48 percent. Can someone help with the elusive port so I can see if it is actually up?
45 minutes plus looking for a port that might not have been loaded is pretty bullish imo
Remember to use:
nmap -sS -n -Pn -p- --min-rate 5000 IP
With this, the scanning will not be delayed and you will know all the ports that are open.
Try using rustscan to identify the port you are seeking.
https://www.geeksforgeeks.org/rustscan-faster-nmap-scanning-with-rust/
What do you do after you have the mynotes.txt? I imagine combine it with ‘Simon’ to log in somewhere? I’ve tried everything.
apply with ssh
apply ssh
Is anyone able to give me a hint about what the default credentials are for FTP? I’ve tried many wordlists, manual testing, testing with hydra. Thank you!!
DM me
Use the Nmap scan: nmap --min-rate 10000 -p- 10.129.203.7 to enumerate the target host. There is another port you can use to log in to the FTP server. Once you’re logged in to the FTP server, change directory to that of the only user. Download the file by using the command “get mynotes.txt” so you can brute-force the password. You can use the Hydra command: hydra -l simon -P mynotes.txt ftp://10.129.230.7 -s 2121 to brute-force the password for the user simon. Then use ssh to log in as simon: ssh [email protected].
The Medium lab is easier than the Easy lab!!
Instead of -p- in nmap, use naabu for quick results.
I feel like the medium lab should have been the easy lab. Pretty straightforward. Do your scan across all ports and limit using a --min-rate value. Then you should gain access to the m*****s.txt file, which will act as a password list for the user s****n.
Don’t use rustscan, and check all ports with nmap.