Footprinting Lab - Hard

Perhaps the server allows a protocol other than the one advertised? Its worth a try…

Had a hard time with this one. Once you ssh in, and you see the same key… what can that tell you? Tom isn’t the only user right?

Exactly, Tom is not the only user in the server.

Did you get an answer to this? I kind of stepped away from the SNMP for a while and focused on the other services when I saw that it was v3

Yup. You do in fact have to dig into the snmp. It it weird but somehow community strings work with this version or maybe nmap service scan just fooled us.

i think i grabbed the right ssh key chmod 600 used but still denied (public key) response . any hints dear ladies and gentlemen?

Owned. My opinion is that Medium lab was harder.

So I got some credentials after the initial footprinting and they’re valid for the mailbox but I’m concerned because all inboxes that I see have 0 messages and I’m just wondering if it should be like this?

Could I ask for a hint on where to look, when having access to the mailbox?

I’m having trouble ssh’n in the the box i use this

chmod 600 id_rsa

sudo ssh -i id_rsa *********@

the id_rsa says openssh private key. I dont know if thats the problem but I keep getting permission denied (publickey). I don’t know what I’m doing wrong.

ssh-add id_rsa

you need to be in the root account for this to work

if anybody still has issues with this lab,here is the solution.
nmap enumeration of the target points to snmp ,so use the snmp commands on the cheat sheets to obtain the community name and eventually use the community name to bruteforce and obtain credentials which you will use on imap to obtain a private key.use the private to ssh into the target as root but with thesame password you obtained from the other user .when you have sshed just cat the sql folder to obtain credentials for HTB.


For those who are still stuck use evolution ‘apt install evolution’ to get the key you need the credentials from braa to access the IMAP via evolution check out this 143,993 - Pentesting IMAP - HackTricks.

Hey everyone,

I’m starting to hit a wall with this one. Any pointers would be a huge help. So far, I was able to enumerate the credentials, and was able to gain access to the key needed to ssh into the server. I also performed a chmod 600 to update the permissions and I’m still receiving a “Permission denied (public key)” error. Anyone have any idea why?

1 Like

DM me bro i don’t want to put spoilers here. It is a simple fix.

1 Like

I’ve just been having trouble finding this particular file to cat. Ive looked in every thing I can find to do with sql, used cat on every file, but still no flag. I’m beginning to get really burned out on this one.

1 Like

just take a deep breathe and go over the whole process again and if you have sshed with right credentials ,the file is right there in the home directory.

If anyone is still stuck. The RSA key you find can be used to SSH into the server for another user other than Tom. Enumerate system and find which local users are on there.

For people having an error while SSHing with “tom” : “error in libcrypto”, the problem is coming from the syntax of your key file, just fix the formatting and you will get rid of the error.

This will help : Load key "id_rsa": error in libcrypto · Issue #20054 · openssl/openssl · GitHub

I breezed through this late last night, then tried recreating the process this morning and couldnt understand how I got ssh root so easily but couldn’t get it today. The issue was that last night I forgot to specify which user I was ssh-ing in as…