Having some trouble with the Hard Lab from the Footprinting Skills Assessment. If anyone is able to point me in the right direction it would be greatly appreciated.
Scenario: The third server is an MX and management server for the internal network. Subsequently, this server has the function of a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to access.
Question: Enumerate the server carefully and find the username "HTB" and its password. Then, submit HTB's password as the answer.
I've scanned the IP with NMAP and found POP, IMAP, SSH and SNMP services. Either I haven't found something or I am not using the correct lists or commands.
Have you fully enumerated those services? That module does a great job at providing you with just about everything you need to accomplish the labs. I say "just about" because you will have to do some surface level research in regards to finding specific commands.
I agree, the modules do everything really well giving everything we need. That's why I am starting to second guess myself. I scanned the target machine and found TCP ports open for SSH, IMAP and POP3 and UDP for DHCP and SNMP. Once I had them identified, I scanned each protocol using all the NSE scripts looking for a misconfiguration or possibly creds to enumerate IMAP or POP3.
The only port that I did not look at closer is DHCP but getting into that now.
I also attempted to use onesixtyone and Braa for the SNMP. If one of those is supposed to return an artifact of interest, then I may be using the wrong list or flags.
No, your approach is in line with solving the lab. You said you used onesixtyone and braa? If you used both of those with no result, I suggest going back to the section relevant for those tools. Make sure you're using the correct syntax. If you're concerned about the correct list to use, the one mentioned in the SNMP section should work just fine.
Using onesixtyone should dump a user and password. Carefully look over the output since you already know it has SNMP. Once you have completed that step, enumerate your email servers. Happy Hunting!
I managed to ssh in with tom's credentials, and this is where I got stuck. I sniffed around and couldn't find anything useful. As the question asks to find the username HTB, I searched /etc/passwd and noticed there wasn't a user on the system called HTB.
Hint 1:
It finally clicked that maybe there was a database of some kind (maybe similar to a previous lab) where the user HTB was stored.
I strongly recommend you spend some time with Hint 1 before moving on to Hint 2. Hint 2 will point you in the right direction but this module is about learning for yourself.
Hint 2:
Sure enough, a mysql client was present and you have the required creds. Using SQL you can find what you're looking for fairly easily.
onesixtyone is doing nothing, what should I do?
Is my syntax correct?
sudo onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 10.129.202.20
I also tried snmpwalk but no results:
snmpwalk -v2c -c public 10.129.202.20
Please, anyone, help me out.
Hey all!
Stuck on this… I am connected via ssh as tom… not seeing anything related to the HTB account in these files… someone said something about a DB - not seeing any mysql ports open…
Hey buddy, need your help if you can. I have the username but when I use this command: openssl s_client -connect 10.129.202.20:imaps
I can't get the email of anything, everything doesn't work
1 SELECT INBOX
You're in the right place but you'll need to dig into the mailbox a bit. There are some additional child items in there that you'll need to enumerate. If you run a curl command against the imap, you should get an idea of what you're working with.