Footprinting Lab - easy

Newuser · December 2, 2022, 6:58am

How I’m I supposed to find the password? Lab was easy with the password but I had to use the hint to get the password. Is there any other way of getting the password if not try to bruteforce it?

c0desec · December 6, 2022, 2:41pm

There is no way anyone who is new to this can find this. Thanks for the hint.

shad0w0lf · December 6, 2022, 4:55pm

There is no other way to get the password.

chodukken · December 22, 2022, 9:04am

Hi guys, I have solved the challenge, but I was wondering is there any way to find the credentials of Ceil without looking the Hint?
Can you do it with brute-forcing the SSH or ProFTPd?

Please let me know if you did it

Neverakswhy · December 26, 2022, 4:46pm

Finally Literally After 1 hr hit and trail
there are 2 ports open for ftp.
nmap -p- [ip]
wget -m --no-passive ftp://[user]:[user]@:2121
you will get all files in your local machine
→ ls -la [for seeing hiden files]
→ chmod the id_rsa to 600 before connecting

------even after reading this Even if you are unable to get flag please restart From Stating of the Module------

gitgud · December 30, 2022, 12:13pm

It’s not empty (port 2121) - use ls -la to show hidden files.

gitgud · December 30, 2022, 12:14pm

This is overshare - please do not give all the details away like this, answer specific questions with suggestions.

gitgud · December 30, 2022, 12:16pm

Sometimes, for some reason, HTB gives info that is absolutely required in the hints section. I have had a few people complain about it. In this case, the password should have been in the assignment, or since it’s simple you can likely brute it with a top1000 list, however the instructions also seem to imply one should not be using brute-force.

Neverakswhy · January 1, 2023, 2:39am

@gitgud Sorry.

jameskhor · January 2, 2023, 5:12am

wget -n --no-passive ftp://ceil:ceil@<ip>:2121
password is in “Hint”.
ls -lah
there is also a .bash_history for hint where the flag was stored on the target server.

cat .bash_history
chmod 600 id_rsa
sftp -i id_rsa ceil@ip

base on bash_history you should be able to find flag.txt

heros123h · January 6, 2023, 2:37am

“However, our client has made it clear that it is forbidden to attack the services aggressively using exploits, as these services are in production.”
I think it also has the same meaning as the saying in the Nmap article “Firewall and IDS/IPS Evasion - Easy Lab” is:
“This page shows us the number of alerts. We know that if we receive a specific amount of alerts, we will be banned. Therefore we have to test the target system as quietly as possible.”
So we have to check “quiet”.
If you have not seen the hint of Footprinting Lab - Easy. We will use metasploit to brute force ceil’s password. These are ceil’s password wordlists, which I extracted from rockyou.txt to fit this lab.

use auxiliary/scanner/ftp/ftp_login

heros123h · January 6, 2023, 2:37am

ashley11
animal1
angles
airhead
adam
7894561
25322532
121189
11112222
crackers
camelia
bhabycoh
JOSHUA
1q2w3e4r5t
muneca
mike
metalica
maiden
k123456
henderson
hellothere
giovanna
control
computador
baby01
sierra1
qwer1234
onepiece
nobody
lowrider
lissette
jamila
hotmail1

ThomasAquinas · January 6, 2023, 3:12am

I got the ssh key. i am confused now what to do

heros123h · January 6, 2023, 6:43am

Check out the article SSH Keys
GETTING STARTED - Privilege Escalation
https://academy.hackthebox.com/module/77/section/844
That will clear you up.

XSS · January 9, 2023, 10:34pm

For anyone who have problem with login with ssh key dont forget: the right permission for ssh keys is 0600

ak1va · January 11, 2023, 10:49am

Just use -i for the file.

Also the keys need to have a specific access (only you should be able to read it)

cyb3rsec · January 13, 2023, 12:48am

Hello,
I have tried everything with FTP and SSH and am stumped. I really would love to move on from this. Could you give me a hint?
Thanks

noobker · January 15, 2023, 7:12am

Assuming you are using Hints provided, and you have done basic nmap scan of the host. Then, everyone should see FTP port 21, and port 2121. With hints provided and FTP, then next you should read the two articles below

> https://www.makeuseof.com/view-hidden-files-and-folders-linux/#viewing-hidden-files-with-the-ls-command

After you understand what is the article above teach you, then you are done with 50% toward the solution.

Then, you should read another article below -

> https://docs.rackspace.com/support/how-to/logging-in-with-an-ssh-private-key-on-linuxmac

Same was described in earlier module - Getting Started - Privilege Escalation module too.

Once you understand the 2nd article then you will get the solution (flag) and can complete the lab.

This lab tried to teach us a few key points - FTP commands and SSH login - resulted from careless and misconfigured FTP and SSH configurations.

noobker · January 15, 2023, 7:13am

Assuming you are using Hints provided, and you have done basic nmap scan of the host. Then, everyone should see FTP port 21, and port 2121.

With hints provided and FTP service you see from basic nmap scan, then next you should read the articles below

https://www.makeuseof.com/view-hidden-files-and-folders-linux/#viewing-hidden-files-with-the-ls-command

After you understand what is the article above teach you, then you are done with 50% toward the solution.

Then, you should read another 2nd article below -

https://docs.rackspace.com/support/how-to/logging-in-with-an-ssh-private-key-on-linuxmac

Same was described in earlier module - Getting Started - Privilege Escalation module too.

Once you understand the 2nd article then you will get the solution (flag) in a matter of minutes and can complete the lab.

This lab tried to teach us a few key points - FTP commands and SSH login - resulted from careless and misconfigured FTP and SSH configurations.

cyb3rsec · January 15, 2023, 12:39pm

Thanks for the wealth of Information! I figured out the lab shortly after my post, but I will still read over everything you sent. Thanks again noobker