HTB Academy : Footprinting Skills Assessment Lab - Hard


Having some trouble with the Hard Lab from the Footprinting Skills Assessment. If anyone is able to point me in the right direction it would be greatly appreciated.

Scenario: The third server is an MX and management server for the internal network. Subsequently, this server has the function of a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to access.

Question: Enumerate the server carefully and find the username “HTB” and its password. Then, submit HTB’s password as the answer.

I’ve scanned the IP with NMAP and found POP, IMAP, SSH and SNMP services. Either I haven’t found something or I am not using the correct lists or commands.

Any feedback is greatly appreciated! Thanks!

2 Likes

Have you fully enumerated those services? That module does a great job at providing you with just about everything you need to accomplish the labs. I say ‘just about’ because you will have to do some surface level research in regards to finding specific commands.

Thanks for getting back to me so quick GuyKazuya!

I agree, the modules do everything really well giving everything we need. That’s why I am starting to second guess myself. I scanned the target machine and found TCP ports open for SSH, IMAP and POP3 and UDP for DHCP and SNMP. Once I had them identified, I scanned each protocol using all the NSE scripts looking for a misconfiguration or possibly creds to enumerate IMAP or POP3.

The only port that I did not look at closer is DHCP but getting into that now.

I also attempted to use onesixtyone and braa for the SNMP. If one of those is supposed to return an artifact of interest, then I may be using the wrong list or flags.

Maybe my approach was wrong?

2 Likes

No, your approach is in line with solving the lab. You said you used onesixtyone and braa? If you used both of those with no result, I suggest going back to the section relevant for those tools. Make sure you’re using the correct syntax. If you’re concerned about the correct list to use, the one mentioned in the SNMP section should work just fine.

3 Likes

Perfect! Thanks so much for putting some light where I need it.

1 Like

Sure thing :slight_smile:

Using onesixtyone should dump a user and password. Carefully look over the output, since you already know it has SNMP. Once you have completed that step, enumerate your email servers. Happy Hunting!

1 Like

I’m connected to tom’s ssh. I don’t know what to do further. I didn’t find any useful files on that machine.

I solved it.
Thanks to PayloadBunny, who gave me a nice hint.

So I ran into the same issue as Someone.

I managed to ssh in with tom’s credentials, and this is where I got stuck. I sniffed around and couldn’t find anything useful. As the question asks to find the username HTB, I searched /etc/passwd and noticed there wasn’t a user on the system called HTB.

Hint 1:

It finally clicked that maybe there was a database of some kind (maybe similar to a previous lab) where the user HTB was stored.

I strongly recommend you spend some time with Hint 1 before moving on to Hint 2. Hint 2 will point you in the right direction but this module is about learning for yourself.

Hint 2:

Sure enough, a mysql client was present and you have the required creds; using SQL you can find what you’re looking for fairly easily.

3 Likes

onesixtyone is doing nothing, what should I do?
Is my syntax correct?
sudo onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 10.129.202.20
I also tried snmpwalk but got no results:
snmpwalk -v2c -c public 10.129.202.20
Please, anyone help me out.

2 Likes

I am SSH as tom, stuck as well - help?

Hey all!
Stuck on this… I am connected via ssh as tom… not seeing anything related to the HTB account in these files… someone said something about a DB - not seeing any mysql ports open…

Thanks for any clues!

1 Like

Try to use a different tool, maybe from GitHub, to find the community user.

Hey buddy, need your help if you can. I have the username, but when I use this command: openssl s_client -connect 10.129.202.20:imaps
I can’t get the email or anything, nothing works.
1 SELECT INBOX
* 1 EXISTS
Any idea what I should use?

Hey Trav,

You’re in the right place but you’ll need to dig into the mailbox a bit. There are some additional child items in there that you’ll need to enumerate. If you run a curl command against the imap, you should get an idea of what you’re working with.

1 Like
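The “child items” mentioned above are the mailboxes a server announces in response to the IMAP LIST command. The following is an added illustration, not code from this thread or from HTB: a small parser for untagged LIST responses (as specified in RFC 3501) that recovers the folder hierarchy, including folders flagged \Noselect that only exist to hold children. The sample responses are constructed, not output from the lab machine.

```python
import re
from typing import FrozenSet, List, NamedTuple, Optional

# Constructed sample of untagged IMAP LIST responses plus the tagged completion
# line; a real session would produce these after `a2 LIST "" "*"`.
SAMPLE_LIST_RESPONSE = """\
* LIST (\\HasChildren) "." "INBOX"
* LIST (\\HasNoChildren) "." "INBOX.Important"
* LIST (\\HasNoChildren \\Drafts) "." "INBOX.Drafts"
* LIST (\\Noselect \\HasChildren) "." "Archive"
* LIST (\\HasNoChildren) "." "Archive.2021"
a2 OK LIST completed
"""

# `* LIST (<flags>) "<delimiter>" <mailbox>`; mailbox may be quoted or an atom.
LIST_RE = re.compile(
    r'^\* LIST \((?P<flags>[^)]*)\) '
    r'(?P<delim>"[^"]*"|NIL) '
    r'(?P<name>"(?:[^"\\]|\\.)*"|\S+)$'
)


class Mailbox(NamedTuple):
    name: str
    flags: FrozenSet[str]
    delimiter: Optional[str]
    selectable: bool  # False for \Noselect containers; SELECT would fail


def parse_list_response(text: str) -> List[Mailbox]:
    """Parse untagged LIST lines; tagged OK/NO lines and other noise are ignored."""
    boxes = []
    for line in text.splitlines():
        m = LIST_RE.match(line.strip())
        if not m:
            continue
        flags = frozenset(f.lower() for f in m.group("flags").split())
        delim = None if m.group("delim") == "NIL" else m.group("delim").strip('"')
        name = m.group("name")
        if name.startswith('"'):  # strip quotes and unescape \" and \\
            name = re.sub(r"\\(.)", r"\1", name[1:-1])
        boxes.append(Mailbox(name, flags, delim, r"\noselect" not in flags))
    return boxes


def children_of(boxes: List[Mailbox], parent: str) -> List[str]:
    """Names of mailboxes exactly one hierarchy level below `parent`."""
    return [b.name for b in boxes
            if b.delimiter and b.name.startswith(parent + b.delimiter)
            and b.delimiter not in b.name[len(parent) + len(b.delimiter):]]
```

Folders whose only purpose is to hold children come back with \Noselect, so a `SELECT` on them returns an error; the selectable flag tells you which names are worth a `SELECT` and `FETCH`.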

I’ve found the solution…
IMAP 101: Manual IMAP Sessions - IMAP commands - Atmail email

this article really helped me !!

1 Like

Glad to see that you found it, Trav. Sorry for not responding so quick, that j-o-b thing gets in the way sometimes.

For anyone stuck in tom’s ssh, use the ‘history’ command and look at the commands tom used.
Luck!

1 Like

Oh my god, you are a genius!!! How did you come up with that??

1 Like