
HTB Academy: "Footprinting Lab - Hard" Walkthrough


Enumeration

Let's run a UDP and TCP nmap scan against the target host:


Here we see that SNMP is open, as well as SSH, POP3, and IMAP.


SNMP

Let's use onesixtyone to brute-force community strings for the SNMP service:


onesixtyone returns "backup" as the community string. Let's now use that to get the MIB and see if there are any useful strings in it.



A couple of lines down we find some credentials:


We can now use these credentials to pivot into the mail services available on the system.


IMAPS

First we use openssl to establish a connection to the IMAPS service:


Then we login using Tom's credentials:


From here, let's list the available mailboxes:


Let's take a look in the Inbox:


There's one message in the inbox. Let's fetch the message body and see what it contains:


There's an SSH key in the body of the message. We can probably use this to access the system over SSH. Copy the body of the message into a local file on your host. Make sure to chmod 600 the file so that it has restrictive enough permissions and SSH doesn't give you a hard time.
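The IMAP exchange walked through above, as an added example that is not part of the original walkthrough. It replays a constructed transcript of the four commands typed over the openssl s_client connection (LOGIN, LIST, SELECT, FETCH), parses the tagged and untagged server replies, pulls the PEM private-key block out of the fetched body, and writes it to a file created with mode 0600, which is what the chmod 600 step above is for. The tags, the username, the mailbox names, the message and the key material are all placeholders; the TLS transport is assumed to be already established, and the reader stops the FETCH literal at its closing parenthesis rather than counting the announced bytes as a real client would.

```python
import os
import re
import stat
import tempfile

# Constructed message body; the key material is a placeholder, not the lab's key.
MESSAGE_LINES = [
    "From: admin@example.test",
    "Subject: your ssh key",
    "",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "EXAMPLEKEYDATAEXAMPLEKEYDATAEXAMPLEKEYDATAEXAMPLE==",
    "-----END OPENSSH PRIVATE KEY-----",
]
MESSAGE = "\r\n".join(MESSAGE_LINES) + "\r\n"

# Constructed transcript of the session the walkthrough drives by hand over
# openssl s_client: ("C", line) is typed by the client, ("S", line) is the reply.
# Tags a1..a4 are the client's; the username and password are placeholders.
SESSION = [
    ("S", "* OK [CAPABILITY IMAP4rev1] ready"),
    ("C", "a1 LOGIN tom EXAMPLE_PASSWORD"),
    ("S", "a1 OK Logged in"),
    ("C", 'a2 LIST "" "*"'),
    ("S", '* LIST (\\HasNoChildren) "." INBOX'),
    ("S", '* LIST (\\HasNoChildren) "." Notes'),
    ("S", "a2 OK List completed"),
    ("C", "a3 SELECT INBOX"),
    ("S", "* 1 EXISTS"),
    ("S", "a3 OK [READ-WRITE] Select completed"),
    ("C", "a4 FETCH 1 BODY[]"),
    # The server returns the message as a literal announced by its byte count.
    ("S", "* 1 FETCH (BODY[] {%d}" % len(MESSAGE.encode())),
    *[("S", line) for line in MESSAGE_LINES],
    ("S", ")"),
    ("S", "a4 OK Fetch completed"),
]

TAG_RE = re.compile(r"^(?P<tag>a\d+) (?P<status>OK|NO|BAD)\b")
KEY_RE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S
)


def parse_session(session):
    """Walk the server side of the transcript: record each tagged command result,
    the mailboxes LIST returned, the EXISTS count from SELECT, and the lines of
    the FETCH literal. A real client consumes exactly the announced byte count;
    this transcript reader stops at the ")" that closes the FETCH response."""
    results, mailboxes, body_lines = {}, [], []
    exists, in_literal = None, False
    for side, line in session:
        if side != "S":
            continue
        if in_literal:
            if line == ")":
                in_literal = False
            else:
                body_lines.append(line)
            continue
        m = TAG_RE.match(line)
        if m:
            results[m.group("tag")] = m.group("status")
        elif line.startswith("* LIST "):
            mailboxes.append(line.rsplit(" ", 1)[1])
        elif line.endswith(" EXISTS"):
            exists = int(line.split()[1])
        elif "FETCH (BODY[]" in line:
            in_literal = True
    return {"results": results, "mailboxes": mailboxes, "exists": exists,
            "body": "\n".join(body_lines)}


def extract_private_key(text):
    """Return the first PEM private-key block in text (with a trailing newline), or None."""
    m = KEY_RE.search(text)
    return m.group(0) + "\n" if m else None


def key_too_open(mode):
    """True if any group/other permission bit is set; ssh refuses such key files."""
    return bool(mode & 0o077)


def save_key(key_text, path=None):
    """Write the key owner-readable only (the chmod 600 the text calls for).
    The file is created with mode 0o600 and chmod'ed again so a permissive umask
    or a pre-existing file cannot leave it wider; returns the permission bits."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "id_lab")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key_text)
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    parsed = parse_session(SESSION)
    print("command results:", parsed["results"])
    print("mailboxes:", parsed["mailboxes"], "messages:", parsed["exists"])
    mode = save_key(extract_private_key(parsed["body"]))
    print("key saved with mode %o, too open: %s" % (mode, key_too_open(mode)))
```

Creating the file with the mode up front matters more than the chmod afterwards: a key written first and tightened later has already existed world-readable for a moment on a shared host. The same detection (a PEM private-key block inside a mailbox body) is what a mail-side DLP rule would look for, since a key delivered by e-mail is only as secret as every mailbox and backup it lands in.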


SSH

Let's use the SSH key to try and access the system:


From here, start enumerating as thoroughly as possible. The goal of the exercise is to find the password for the HTB user.


Running ls -la in tom's home folder shows a hidden .mysql_history file.


Catting it shows us a set of MySQL queries:


Let's check if MySQL is running on the system:


Connect to the MySQL instance as tom, using the password you found in the SNMP data:


Repeat the commands you found in the .mysql_history file:


The HTB user's password will be found in that output. Happy hacking!
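Both credential leaks in this lab, the strings exposed through SNMP and the statements left in .mysql_history, come down to the same thing: secrets sitting in places an administrator never audits. The following is an added example, not code from the walkthrough or from HTB, that runs the checks a defender would run over their own hosts: it parses snmpwalk-style output and flags string values that look like credentials (the hrSWRunParameters objects are a classic source, because they expose process command lines), scans a mysql history file for statements that set or read passwords, and tests a community string against the kind of list a brute-forcer would try first. Every OID value, history line and community list entry below is constructed for the example.

```python
import re

# Constructed snmpwalk-style output ("OID = TYPE: value" lines). The OIDs are
# standard MIB-2 objects (sysDescr, sysContact, sysName, hrSWRunParameters);
# the values are placeholders, not the lab's data.
SNMP_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux example-host 5.4.0 #1 SMP x86_64"
iso.3.6.1.2.1.1.4.0 = STRING: "backup admin: pass=EXAMPLE_PLACEHOLDER"
iso.3.6.1.2.1.1.5.0 = STRING: "example-host"
iso.3.6.1.2.1.25.4.2.1.5.1200 = STRING: "-u svc -pEXAMPLE_SECRET backupdb"
iso.3.6.1.2.1.25.4.2.1.5.1201 = STRING: "-D"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
"""

# Constructed ~/.mysql_history. The mysql client records every statement typed
# at its prompt, so passwords set or queried interactively persist on disk.
MYSQL_HISTORY = """\
show databases;
use backupdb;
select username, password from users;
CREATE USER 'reporting'@'localhost' IDENTIFIED BY 'EXAMPLE_PLACEHOLDER';
select count(*) from files;
"""

WALK_LINE_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): (?P<value>.*)$")

# (reason, pattern) pairs: text that either contains a secret or, when run,
# prints one. Order only decides which reason is reported for a line.
SECRET_PATTERNS = [
    ("inline -p password", re.compile(r"(?:^|\s)-p[^\s-]\S*")),
    ("password assignment", re.compile(r"(?i)\b(?:pass|password|pwd)\s*[:=]\s*\S+")),
    ("IDENTIFIED BY clause", re.compile(r"(?i)\bidentified\s+by\s+\S+")),
    ("query reads a password column", re.compile(r"(?i)\bselect\b.*\bpass(?:word|wd)?\b")),
]

# Illustrative subset of the strings every SNMP community wordlist starts with;
# an agent that answers to one of these is effectively unauthenticated.
GUESSABLE_COMMUNITIES = {"public", "private", "backup"}


def parse_walk(text):
    """Turn snmpwalk lines into (oid, type, value) tuples; STRING values are unquoted."""
    rows = []
    for line in text.splitlines():
        m = WALK_LINE_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value")
        if m.group("type") == "STRING" and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rows.append((m.group("oid"), m.group("type"), value))
    return rows


def classify(text):
    """Return the reason for the first secret pattern that matches, or None."""
    for reason, pattern in SECRET_PATTERNS:
        if pattern.search(text):
            return reason
    return None


def scan_snmp(text):
    """Findings for string-valued OIDs whose value looks like a credential."""
    findings = []
    for oid, typ, value in parse_walk(text):
        reason = classify(value) if typ == "STRING" else None
        if reason:
            findings.append({"source": "snmp", "where": oid, "reason": reason, "excerpt": value})
    return findings


def scan_history(text):
    """Findings for history lines that contain or reveal a password."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        reason = classify(line)
        if reason:
            findings.append({"source": "mysql_history", "where": "line %d" % n,
                             "reason": reason, "excerpt": line.strip()})
    return findings


def community_is_guessable(name):
    """True if the community string is one a wordlist would find immediately."""
    return name.strip().lower() in GUESSABLE_COMMUNITIES


if __name__ == "__main__":
    print("community 'backup' guessable:", community_is_guessable("backup"))
    for f in scan_snmp(SNMP_WALK) + scan_history(MYSQL_HISTORY):
        print("[%s] %s: %s -> %s" % (f["source"], f["where"], f["reason"], f["excerpt"]))
```

The remediation on the MySQL side is cheap: the mysql client honours the MYSQL_HISTFILE environment variable, so pointing it at /dev/null for accounts that handle credentials stops the history file from being written at all, and an existing .mysql_history should be treated like a password file and removed. On the SNMP side, anything the agent will hand out under a guessable community string (including the arguments of every running process) has to be considered public, which is why credentials do not belong on command lines or in sysContact fields in the first place.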

