Which version of the FTP server is running on the target system? Submit the entire banner as the answer.

[Oct 16, 2025 - 11:00:49 (KST)] exegol-academy_htb
FTP # nmap -sC -sV 10.129.30.202 -T4
Starting Nmap 7.93 ( https://nmap.org ) at 2025-10-16 11:00 KST
Nmap scan report for 10.129.30.202
Host is up (0.20s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp
| fingerprint-strings:
|   GenericLines:
|     220 InFreight FTP v1.1

InFreight FTP v1.1

Enumerate the FTP server and find the flag.txt file. Submit the contents of it as the answer.

[Oct 16, 2025 - 11:11:43 (KST)] exegol-academy_htb
FTP # ftp 10.129.30.202
Connected to 10.129.30.202.
220 InFreight FTP v1.1
Name (10.129.30.202:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||46972|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftpuser  ftpuser        39 Nov  8  2021 flag.txt
226 Transfer complete
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||38403|)
150 Opening BINARY mode data connection for flag.txt (39 bytes)
    39       98.92 KiB/s
226 Transfer complete
39 bytes received in 00:00 (0.17 KiB/s)

SMB

What version of the SMB server is running on the target system? Submit the entire banner as the answer.

SMB # nmap -sC -sV 10.129.30.202 -T4
Starting Nmap 7.93 ( https://nmap.org ) at 2025-10-16 11:16 KST
Nmap scan report for 10.129.30.202
Host is up (0.21s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3f4c8f10f1aebecd31247ca14eab846d (RSA)
|   256 7b30376750b9ad91c08ff702783b7c02 (ECDSA)
|_  256 889e0e07fecad05c60abcf1099cd6ca7 (ED25519)
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      34929/tcp6  mountd
|   100005  1,2,3      52027/udp6  mountd
|   100005  1,2,3      53691/tcp   mountd
|   100005  1,2,3      55054/udp   mountd
|   100021  1,3,4      40829/tcp6  nlockmgr
|   100021  1,3,4      45543/tcp   nlockmgr
|   100021  1,3,4      50601/udp6  nlockmgr
|   100021  1,3,4      53710/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 4.6.2
445/tcp  open  netbios-ssn Samba smbd 4.6.2

Samba smbd 4.6.2

What is the name of the accessible share on the target?

[Oct 16, 2025 - 11:18:53 (KST)] exegol-academy_htb
SMB # smbclient -N -L //10.129.30.202
 
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        sambashare      Disk      InFreight SMB v3.1
        IPC$            IPC       IPC Service (InlaneFreight SMB server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

sambashare

Connect to the discovered share and find the flag.txt file. Submit the contents as the answer.

[Oct 16, 2025 - 11:20:55 (KST)] exegol-academy_htb
SMB # smbclient //10.129.30.202/sambashare
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Nov  8 22:43:14 2021
  ..                                  D        0  Tue Nov  9 00:53:19 2021
  .profile                            H      807  Tue Feb 25 21:03:22 2020
  contents                            D        0  Mon Nov  8 22:43:45 2021
  .bash_logout                        H      220  Tue Feb 25 21:03:22 2020
  .bashrc                             H     3771  Tue Feb 25 21:03:22 2020
 
                5090944 blocks of size 1024. 1765936 blocks available
smb: \> get contents\flag.txt
getting file \contents\flag.txt of size 38 as contents\flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

Find out which domain the server belongs to.

[Oct 16, 2025 - 15:05:10 (KST)] exegol-academy_htb
SMB # enum4linux-ng 10.129.202.5 -A
ENUM4LINUX - next generation (v1.3.4)
---
 ===================================================
|    Domain Information via RPC for 10.129.202.5    |
 ===================================================
[+] Domain: DEVOPS
[+] Domain SID: NULL SID
[+] Membership: workgroup member

DEVOPS

Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer.

[Oct 16, 2025 - 15:05:10 (KST)] exegol-academy_htb
SMB # enum4linux-ng 10.129.202.5 -A
ENUM4LINUX - next generation (v1.3.4)
---
 ======================================
|    Shares via RPC on 10.129.202.5    |
 ======================================
[*] Enumerating shares
[+] Found 3 share(s):
IPC$:
  comment: IPC Service (InlaneFreight SMB server (Samba, Ubuntu))
  type: IPC
print$:
  comment: Printer Drivers
  type: Disk
sambashare:
  comment: InFreight SMB v3.1
  type: Disk

InFreight SMB v3.1

What is the full system path of that specific share? (format: “/directory/names”)

[Oct 16, 2025 - 15:13:29 (KST)] exegol-academy_htb
SMB # rpcclient -U '' -N "10.129.202.5"
rpcclient $> netshareenumall
netname: print$
        remark: Printer Drivers
        path:   C:\var\lib\samba\printers
        password:
netname: sambashare
        remark: InFreight SMB v3.1
        path:   C:\home\sambauser\

/home/sambauser

NFS

Enumerate the NFS service and submit the contents of the flag.txt in the “nfs” share as the answer.

[Oct 26, 2025 - 22:17:25 (KST)] exegol-academy_htb
NFS # showmount -e '10.129.202.5'
Export list for 10.129.202.5:
/var/nfs      10.0.0.0/8
/mnt/nfsshare 10.0.0.0/8
[Oct 26, 2025 - 22:19:23 (KST)] exegol-academy_htb
NFS # mkdir nfs_mount
[Oct 26, 2025 - 22:19:36 (KST)] exegol-academy_htb
NFS # mount -t nfs 10.129.202.5:/ ./nfs_mount
[Oct 26, 2025 - 22:20:03 (KST)] exegol-academy_htb
NFS # cat nfs_mount/var/nfs/flag.txt
HTB{hjglmvtkjhlkfuhgi734zthrie7rjmdze}

HTB{hjglmvtkjhlkfuhgi734zthrie7rjmdze}

Enumerate the NFS service and submit the contents of the flag.txt in the “nfsshare” share as the answer.

[Oct 26, 2025 - 22:22:14 (KST)] exegol-academy_htb
NFS # cat nfs_mount/mnt/nfsshare/flag.txt
HTB{8o7435zhtuih7fztdrzuhdhkfjcn7ghi4357ndcthzuc7rtfghu34}

HTB{8o7435zhtuih7fztdrzuhdhkfjcn7ghi4357ndcthzuc7rtfghu34}

DNS

Interact with the target DNS using its IP address and enumerate the FQDN of it for the “inlanefreight.htb” domain.

[Oct 26, 2025 - 23:04:29 (KST)] exegol-academy_htb
DNS # dig ANY inlanefreight.htb @10.129.80.249
 
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> ANY inlanefreight.htb @10.129.80.249
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51892
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 675137e478e1860d0100000068fe2a7050bde8af516d0f42 (good)
;; QUESTION SECTION:
;inlanefreight.htb.             IN      ANY
 
;; ANSWER SECTION:
inlanefreight.htb.      604800  IN      TXT     "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb.      604800  IN      TXT     "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb.      604800  IN      TXT     "MS=ms97310371"
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.      604800  IN      NS      ns.inlanefreight.htb.
 
;; ADDITIONAL SECTION:
ns.inlanefreight.htb.   604800  IN      A       127.0.0.1
 
;; Query time: 197 msec
;; SERVER: 10.129.80.249#53(10.129.80.249) (TCP)
;; WHEN: Sun Oct 26 23:04:30 KST 2025
;; MSG SIZE  rcvd: 437

ns.inlanefreight.htb

Identify if its possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{…})

[Oct 26, 2025 - 23:17:59 (KST)] exegol-academy_htb
DNS # dig axfr internal.inlanefreight.htb @ns.inlanefreight.htb
 
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> axfr internal.inlanefreight.htb @ns.inlanefreight.htb
;; global options: +cmd
internal.inlanefreight.htb. 604800 IN   SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb. 604800 IN   TXT     "MS=ms97310371"
internal.inlanefreight.htb. 604800 IN   TXT     "HTB{DN5_z0N3_7r4N5F3r_iskdufhcnlu34}"
internal.inlanefreight.htb. 604800 IN   TXT     "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
internal.inlanefreight.htb. 604800 IN   TXT     "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
internal.inlanefreight.htb. 604800 IN   NS      ns.inlanefreight.htb.
dc1.internal.inlanefreight.htb. 604800 IN A     10.129.34.16
dc2.internal.inlanefreight.htb. 604800 IN A     10.129.34.11
mail1.internal.inlanefreight.htb. 604800 IN A   10.129.18.200
ns.internal.inlanefreight.htb. 604800 IN A      127.0.0.1
vpn.internal.inlanefreight.htb. 604800 IN A     10.129.1.6
ws1.internal.inlanefreight.htb. 604800 IN A     10.129.1.34
ws2.internal.inlanefreight.htb. 604800 IN A     10.129.1.35
wsus.internal.inlanefreight.htb. 604800 IN A    10.129.18.2
internal.inlanefreight.htb. 604800 IN   SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 197 msec
;; SERVER: 10.129.80.249#53(ns.inlanefreight.htb) (TCP)
;; WHEN: Sun Oct 26 23:18:07 KST 2025
;; XFR size: 15 records (messages 1, bytes 677)

HTB{DN5_z0N3_7r4N5F3r_iskdufhcnlu34}

What is the IPv4 address of the hostname DC1?

10.129.34.16

What is the FQDN of the host where the last octet ends with “x.x.x.203”?

[Oct 26, 2025 - 23:42:54 (KST)] exegol-academy_htb
DNS # gobuster dns -d 'dev.inlanefreight.htb' -w `fzf-wordlists` -r inlanefreight.htb -i -t 100
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     dev.inlanefreight.htb
[+] Threads:    100
[+] Resolver:   inlanefreight.htb
[+] Show IPs:   true
[+] Timeout:    1s
[+] Wordlist:   /opt/lists/seclists/Discovery/DNS/fierce-hostlist.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Found: dev1.dev.inlanefreight.htb [10.12.3.6]
 
Found: ns.dev.inlanefreight.htb [127.0.0.1]
 
Found: win2k.dev.inlanefreight.htb [10.12.3.203]
 
Progress: 2280 / 2281 (99.96%)
===============================================================
Finished
===============================================================

win2k.dev.inlanefreight.htb

SMTP

Basic concepts

  • Definition: the protocol used to transfer e-mail over IP networks
  • Role: used for mail transfer between client and server, and between servers
  • Ports:
    • Port 25: the default SMTP port
    • Port 587: submission port; authenticated users upgrade to an encrypted connection with the STARTTLS command
    • Port 465: SMTP over an implicit SSL/TLS connection

Transfer flow

  1. MUA (Mail User Agent): the user's client (e.g. Outlook, Gmail)
  2. MSA (Mail Submission Agent): accepts the submitted mail and validates it
  3. MTA (Mail Transfer Agent): checks for spam and, after DNS (MX) lookups, relays the mail to the next server
  4. MDA (Mail Delivery Agent): on the destination server, delivers the mail into the recipient's mailbox

Main weaknesses

  • Clear-text transport: by default SMTP is unencrypted, so every command, message body and credential is sent in clear text
  • No sender authentication: the protocol itself does not authenticate the sender, so it is vulnerable to mail spoofing (forged sender addresses)
  • Open relay: the most serious misconfiguration. With a setting such as mynetworks = 0.0.0.0/0 (Postfix), anyone can abuse the server to send spam or phishing mail
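The VRFY-based user probing that smtp_enum performs further down, together with a check for the open-relay misconfiguration described above, as an added example (not code from the HTB module). It talks to a constructed in-process fake SMTP server so it runs offline; the hostnames, user names and reply texts are assumptions, and the same two client functions can be pointed at a real target by passing its host and port.

```python
"""SMTP footprinting helpers: VRFY-based user enumeration and an open-relay
probe, plus a tiny in-process fake SMTP server so the whole thing runs offline.
Added example for these notes, not code from the HTB module; every hostname,
user and reply string below is constructed."""
import socket
import threading


def _readline(f):
    return f.readline().decode(errors="replace").rstrip("\r\n")


def _cmd(sock, f, line):
    """Send one command and return the final reply line (skips "250-..." continuations)."""
    sock.sendall((line + "\r\n").encode())
    reply = _readline(f)
    while len(reply) >= 4 and reply[3] == "-":
        reply = _readline(f)
    return reply


def enumerate_users(host, port, candidates, helo="footprint.local", timeout=5):
    """Return (banner, names the server confirms). 250/252 = exists, 550 = unknown.
    Same idea as auxiliary/scanner/smtp/smtp_enum: one VRFY per candidate."""
    found = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = _readline(f)                 # e.g. "220 InFreight ESMTP v2.11"
        _cmd(s, f, f"EHLO {helo}")
        for name in candidates:
            if _cmd(s, f, f"VRFY {name}").startswith(("250", "252")):
                found.append(name)
        _cmd(s, f, "QUIT")
    return banner, found


def is_open_relay(host, port, timeout=5):
    """True if an unauthenticated client with a foreign sender may deliver to a
    foreign recipient, i.e. the server relays for anyone (mynetworks = 0.0.0.0/0)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _readline(f)
        _cmd(s, f, "EHLO footprint.local")
        _cmd(s, f, "MAIL FROM:<probe@example.org>")
        reply = _cmd(s, f, "RCPT TO:<victim@example.net>")
        _cmd(s, f, "RSET")
        _cmd(s, f, "QUIT")
    return reply.startswith("250")


class FakeSmtpServer(threading.Thread):
    """Constructed stand-in for an MTA: answers VRFY from `users` and relays for
    foreign domains only when open_relay=True."""

    def __init__(self, users, local_domain="inlanefreight.htb", open_relay=False):
        super().__init__(daemon=True)
        self.users, self.local_domain, self.open_relay = set(users), local_domain, open_relay
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        f = conn.makefile("rb")
        conn.sendall(b"220 mail.inlanefreight.htb ESMTP demo\r\n")
        while True:
            line = _readline(f)
            if not line:
                break
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                conn.sendall(b"250-mail.inlanefreight.htb\r\n250 VRFY\r\n")
            elif verb == "VRFY":
                known = arg.strip() in self.users
                conn.sendall(b"252 2.0.0 " + arg.encode() + b"\r\n" if known else b"550 5.1.1 User unknown\r\n")
            elif verb == "RCPT":
                addr = arg.split(":", 1)[-1].strip("<> ")
                local = addr.endswith("@" + self.local_domain)
                conn.sendall(b"250 2.1.5 Ok\r\n" if local or self.open_relay else b"554 5.7.1 Relay access denied\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:                              # MAIL, RSET, NOOP ...
                conn.sendall(b"250 2.0.0 Ok\r\n")
        conn.close()


if __name__ == "__main__":
    srv = FakeSmtpServer(["robin", "root"])
    srv.start()
    print(enumerate_users("127.0.0.1", srv.port, ["admin", "robin", "root", "test"]))
    print("open relay:", is_open_relay("127.0.0.1", srv.port))
```

Real MTAs often answer VRFY with 252 ("cannot verify, will try delivery") for every name or disable it outright; in that case the RCPT TO response after MAIL FROM is the next thing to try, which is why the relay probe and the enumeration share the same command helper.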

Questions

Enumerate the SMTP service and submit the banner, including its version as the answer.

SMTP # telnet 10.129.72.120 25
Trying 10.129.72.120...
Connected to 10.129.72.120.
Escape character is '^]'.
220 InFreight ESMTP v2.11

InFreight ESMTP v2.11

Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.

The wordlist I used was downloaded from the module's Resources.

msf6 > search smtp_enum
 
Matching Modules
================
 
   #  Name                              Disclosure Date  Rank    Check  Description
   -  ----                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/smtp/smtp_enum  .                normal  No     SMTP User Enumeration Utility
   
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smtp/smtp_enum
 
msf6 > use 0
msf6 auxiliary(scanner/smtp/smtp_enum) > options
 
Module options (auxiliary/scanner/smtp/smtp_enum):
 
   Name       Current Setting                          Required  Description
   ----       ---------------                          --------  -----------
   RHOSTS                                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metaspl
                                                                 oit/basics/using-metasploit.html
   RPORT      25                                       yes       The target port (TCP)
   THREADS    1                                        yes       The number of concurrent threads (max one per host)
   UNIXONLY   true                                     yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /opt/tools/metasploit-framework/data/wo  yes       The file that contains a list of probable users accounts.
              rdlists/unix_users.txt
 
View the full module info with the info, or info -d command.
 
msf6 auxiliary(scanner/smtp/smtp_enum) > set rhosts 10.129.72.120
rhosts => 10.129.72.120
msf6 auxiliary(scanner/smtp/smtp_enum) > set user_file /workspace/Footprinting/SMTP/footprinting-wordlist.txt
user_file => /workspace/Footprinting/SMTP/footprinting-wordlist.txt
msf6 auxiliary(scanner/smtp/smtp_enum) > exploit
[*] 10.129.72.120:25      - 10.129.72.120:25 Banner: 220 InFreight ESMTP v2.11
[+] 10.129.72.120:25      - 10.129.72.120:25 Users found: robin
[*] 10.129.72.120:25      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

robin

IMAP / POP3

Basic concepts

IMAP (Internet Message Access Protocol)

  • Mail is managed directly on the server, online
  • Supports folder structures and keeps several clients in sync
  • Mail stays on the server until it is deleted
  • Port 143 (clear text), 993 (SSL/TLS)

POP3 (Post Office Protocol 3)

  • Limited functionality: list, retrieve and delete only
  • Simpler than IMAP
  • Port 110 (clear text), 995 (SSL/TLS)

Main commands

IMAP commands

  • LOGIN - log in as a user
  • LIST - list mailboxes (directories)
  • SELECT - select a mailbox
  • FETCH - retrieve message data
  • LOGOUT - close the connection

POP3 commands

  • USER/PASS - authenticate
  • STAT - request the number of stored messages
  • RETR - download a message
  • DELE - delete a message
  • QUIT - close the connection

Security weaknesses

Dangerous settings (Dovecot options)

  • auth_debug - enables authentication debug logging
  • auth_debug_passwords - logs passwords
  • auth_verbose_passwords - logs the passwords used for authentication in detail
  • auth_anonymous_username - allows anonymous login

Security issues

  • Clear-text transport by default (no encryption)
  • Commands, messages and credentials can be exposed
  • Encryption via SSL/TLS is recommended

Footprinting methods

Nmap scan

  • Scan ports 110, 143, 993, 995
  • Check the SSL certificate details (organisation name, domain, etc.)
  • Check service versions and supported capabilities

Using cURL

  • curl -k 'imaps://[IP]' --user [username]:[password]
  • Shows the TLS version, certificate details and banner
  • Lists the mailboxes
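The LOGIN / LIST / SELECT / FETCH sequence described above, done with Python's imaplib, as an added example that is not part of the original notes. Host, user and password are command-line arguments; the helper that drops \Noselect containers and the header parser are separated so they can be checked offline against constructed responses, and certificate verification is disabled on purpose because lab hosts present self-signed certificates (against a production server, verify).

```python
"""IMAP footprinting with the Python standard library: log in, list every
SELECTable mailbox and pull Subject/From/body of each message, the same
LOGIN / LIST / SELECT / FETCH sequence the notes describe.  Added example for
these notes (not the module's code); the parsing helpers are split out so they
can be run offline on constructed responses."""
import email
import imaplib
import re
import ssl
from email.policy import default as email_policy

# Matches both raw '* LIST (\Noselect \HasChildren) "." DEV' lines and the
# '(\HasChildren) "." DEV' items that imaplib.list() returns.
LIST_RE = re.compile(r'^(?:\* LIST )?\((?P<flags>[^)]*)\) "(?P<delim>[^"]*)" "?(?P<name>[^"]+?)"?$')


def selectable_mailboxes(list_lines):
    """Mailbox names that can be SELECTed; \\Noselect entries are containers only."""
    boxes = []
    for line in list_lines:
        text = line.decode(errors="replace") if isinstance(line, bytes) else line
        m = LIST_RE.match(text.strip())
        if m and "\\Noselect" not in m["flags"].split():
            boxes.append(m["name"])
    return boxes


def header_summary(raw_message):
    """Subject/From/To and the text body of one message as returned by FETCH n BODY[]."""
    msg = email.message_from_bytes(raw_message, policy=email_policy)
    body = "" if msg.is_multipart() else msg.get_content().strip()
    return {"subject": str(msg["Subject"]), "from": str(msg["From"]),
            "to": str(msg["To"]), "body": body}


def walk_imap(host, user, password, port=993):
    """Connect over IMAPS, accept the lab's self-signed cert, and return the
    greeting banner plus every message in every selectable mailbox."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # self-signed lab certificate; do not do this in production
    imap = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    result = {"banner": imap.welcome.decode(errors="replace"), "mailboxes": {}}
    try:
        imap.login(user, password)
        _, lines = imap.list()
        for box in selectable_mailboxes(lines):
            imap.select(f'"{box}"', readonly=True)   # EXAMINE: never sets \Seen
            _, data = imap.search(None, "ALL")
            messages = []
            for num in data[0].split():
                _, fetched = imap.fetch(num, "(BODY.PEEK[])")
                messages.append(header_summary(fetched[0][1]))
            result["mailboxes"][box] = messages
    finally:
        imap.logout()
    return result


if __name__ == "__main__":
    import json
    import sys
    host, user, password = sys.argv[1:4]       # e.g. <target IP> robin robin
    print(json.dumps(walk_imap(host, user, password), indent=2))
```

BODY.PEEK[] and EXAMINE are used so that reading the mailbox leaves no \Seen flags behind; the greeting banner is kept because, as the openssl transcript further down shows, servers sometimes put interesting text there.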

Questions

Figure out the exact organization name from the IMAP/POP3 service and submit it as the answer.

InlaneFreight Ltd

What is the FQDN that the IMAP and POP3 servers are assigned to?

dev.inlanefreight.htb

Enumerate the IMAP service and submit the flag as the answer. (Format: HTB{…})

 
Footprinting # openssl s_client -connect 10.129.141.10:imaps
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
   i:C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  8 23:10:05 2021 GMT; NotAfter: Aug 23 23:10:05 2295 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEUzCCAzugAwIBAgIUDf35PqFuv6Uv0EECM8dFmNSZoY8wDQYJKoZIhvcNAQEL
BQAwgbcxCzAJBgNVBAYTAlVLMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxv
bmRvbjEaMBgGA1UECgwRSW5sYW5lRnJlaWdodCBMdGQxHDAaBgNVBAsME0Rldk9w
cyBEZXDDg2FydG1lbnQxHjAcBgNVBAMMFWRldi5pbmxhbmVmcmVpZ2h0Lmh0YjEs
MCoGCSqGSIb3DQEJARYdY3RvLmRldkBkZXYuaW5sYW5lZnJlaWdodC5odGIwIBcN
MjExMTA4MjMxMDA1WhgPMjI5NTA4MjMyMzEwMDVaMIG3MQswCQYDVQQGEwJVSzEP
MA0GA1UECAwGTG9uZG9uMQ8wDQYDVQQHDAZMb25kb24xGjAYBgNVBAoMEUlubGFu
ZUZyZWlnaHQgTHRkMRwwGgYDVQQLDBNEZXZPcHMgRGVww4NhcnRtZW50MR4wHAYD
VQQDDBVkZXYuaW5sYW5lZnJlaWdodC5odGIxLDAqBgkqhkiG9w0BCQEWHWN0by5k
ZXZAZGV2LmlubGFuZWZyZWlnaHQuaHRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAxvMwFE6m+iBUSujb5d6DUy1xDYR5awzQRwddyvq6iBrMxbnptSrn
+j0UOKWHCOpD5LREwP26ghUg0lVJzfo+v5pQJGnxEXKg0OFlzWEd8xgx/JWW/z1/
rDsWlNa2yYZkCy68YWJlC7UZxvcDFrI0V0pDJIkrjForw26laoYDkrh1A5F8uUXD
1TwRLLYo+NGmtNHT3BADJpv6aFUZ4CGrqBQNi7XpsTZ948WLhUwQvWmebiK06Dai
TvMNKBctjWAiNI4xvq34W9hIUaPxT1JJzuujRslep6nHGHW00QEWTWgyOMYThc3b
HtKIHMfDLTUMz7s8RhVVwlWE6+ly1DMRgQIDAQABo1MwUTAdBgNVHQ4EFgQUGDTC
9B5KCKPWT7vXbnMunL/mEE4wHwYDVR0jBBgwFoAUGDTC9B5KCKPWT7vXbnMunL/m
EE4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEADh0v5XWCf3KO
atrWcoiIOC67Z0ZIO7yEF+fQo8z+Wx1dWzmCFVu7u4+l7slcdJICCGBbOX8eItWS
chwzgnWJToyX8PWY8lSaB8ifMDQcr457Y7O6NmvgU35sRcLnYYqXzu2oh0lxsFLR
vL1wpyDLPhhoI++j1fELhiJ3GWiUQrb0vfJPcbSkHTgzf0hm7mLJTaqt3WfS/Gr2
8Oh7vSfzvqvHLE7HHAO0G5Q81zo+wWsrQF0s40HEF/raEMfOy2Htm79YjyjAlLWf
ueS+u8rX2smOYdRIpL3UPx7+yZPGu47vYoetde1Z5cfTCgmeS05BQ2qMOp6Tw6+G
xUuqg8nK1Q==
-----END CERTIFICATE-----
subject=C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
issuer=C = UK, ST = London, L = London, O = InlaneFreight Ltd, OU = DevOps Dep\C3\83artment, CN = dev.inlanefreight.htb, emailAddress = [email protected]
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1667 bytes and written 377 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F33055E85E205FE312DB9A02721F86480284C46CFAAA9E3FA9F2DF1D747E6097
    Session-ID-ctx:
    Resumption PSK: 037CBAF5F1F4C617A592B65D8FD313C4A82CCD05E675F06DC43BFE440EE20DE904BAEF3AB7C09424E22CFA1E05627F94
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - b2 8d 52 df 0d 6c 13 69-c2 c3 c2 65 9f e0 5b c2   ..R..l.i...e..[.
    0010 - 60 5f 4b 2f ec 25 b8 4b-d7 cf e3 00 5a 2a 33 6c   `_K/.%.K....Z*3l
    0020 - f5 fb e0 5e 73 39 2d 6e-56 d5 04 eb 64 dd ee 62   ...^s9-nV...d..b
    0030 - d9 2a 4a fd 6a 91 96 11-f0 9d 88 ba fc e4 73 17   .*J.j.........s.
    0040 - 1f 60 eb aa 11 67 b6 90-f1 f3 8b ab 7a 5a d6 e9   .`...g......zZ..
    0050 - c7 ab 4b 14 0a 82 95 a9-8b 87 f5 b3 0f d8 29 65   ..K...........)e
    0060 - bd 55 2f 64 0a 6e 34 5e-98 bc b6 d0 b4 2d 44 24   .U/d.n4^.....-D$
    0070 - ea 07 10 54 30 89 3d 15-e8 9c 0e c1 f7 df 4f fb   ...T0.=.......O.
    0080 - 81 ce 00 56 2c ef 54 fd-dc 25 6e 59 0b 4b e7 7f   ...V,.T..%nY.K..
    0090 - b1 0d b2 12 f1 99 98 16-be 9c 9c ce 45 8b 89 84   ............E...
    00a0 - f1 cb c5 cb e3 51 76 80-e7 58 17 a0 a7 21 1e 39   .....Qv..X...!.9
    00b0 - 03 25 a3 e0 43 bf e4 68-0b 12 9c 3b 76 55 c1 e7   .%..C..h...;vU..
 
    Start Time: 1763712544
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 34AD1C2CA32E95D4AB67E2FCCB695F5455717FBC053948BA3033F69EAFC7F030
    Session-ID-ctx:
    Resumption PSK: D482EA66BE01410371ED05F0A03ABF705E6DDC5153824BBA37E6F4FD4CD0C2E51F222D89D3E79E0BDD89A78278EB0B40
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - b2 8d 52 df 0d 6c 13 69-c2 c3 c2 65 9f e0 5b c2   ..R..l.i...e..[.
    0010 - 5b 50 54 3f ff 5b 55 e4-bb 07 83 fa 77 07 bf 26   [PT?.[U.....w..&
    0020 - 7d d4 f8 4b 1a a0 00 c4-8b 38 f7 d8 7a 70 80 2c   }..K.....8..zp.,
    0030 - 22 b6 25 ef 2b 84 6d 3d-ee 21 5c 7d 9a 13 50 3f   \".%.+.m=.!\}..P?
    0040 - 69 56 88 2a 34 82 f9 7d-9c 56 08 05 ff 47 98 ad   iV.*4..}.V...G..
    0050 - fd e6 f6 01 76 d4 62 d9-b4 d3 fb ba 95 42 8a 1f   ....v.b......B..
    0060 - dd b1 d5 b2 bb a1 5b 63-3b fd df 32 6d 35 9d 16   ......[c;..2m5..
    0070 - a6 9a e3 d4 b3 ee 03 a1-54 19 2e 20 d2 6f ad a1   ........T.. .o..
    0080 - 3f bc c5 ab 3a ac a9 d1-0f a7 b5 2b 9d 1e e8 bc   ?...:......+....
    0090 - 18 52 90 0f 7c 3b 90 11-ed 73 87 c9 15 8c 84 30   .R..|;...s.....0
    00a0 - a6 58 be 07 52 1e 9e fb-87 5d 69 1a 8e 07 eb 25   .X..R....]i....%
    00b0 - 9d d1 5d b6 30 c3 c7 69-62 6c 1e 62 62 49 ed 6b   ..].0..ibl.bbI.k
 
    Start Time: 1763712544
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] HTB{roncfbw7iszerd7shni7jr2343zhrj}

HTB{roncfbw7iszerd7shni7jr2343zhrj}

What is the customized version of the POP3 server?

InFreight POP3 v9.188

What is the admin email address?

Credentials: robin / robin (the user found with smtp_enum above)

a1 LOGIN robin robin
a1 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in
a2 LIST "" *
* LIST (\Noselect \HasChildren) "." DEV
* LIST (\Noselect \HasChildren) "." DEV.DEPARTMENT
* LIST (\HasNoChildren) "." DEV.DEPARTMENT.INT
* LIST (\HasNoChildren) "." INBOX
a2 OK List completed (0.001 + 0.000 secs).
a3 SELECT "DEV.DEPARTMENT.INT"
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1636414279] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
a3 OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
a4 FETCH 1:* (BODY[HEADER.FIELDS (SUBJECT FROM)])
* 1 FETCH (BODY[HEADER.FIELDS (SUBJECT FROM)] {57}
Subject: Flag
From: CTO <[email protected]b>
 
)
a4 OK Fetch completed (0.001 + 0.000 secs).
a5 FETCH 1 BODY[]
* 1 FETCH (BODY[] {167}
Subject: Flag
To: Robin <[email protected]b>
From: CTO <[email protected]b>
Date: Wed, 03 Nov 2021 16:13:27 +0200
 
HTB{983uzn8jmfgpd8jmof8c34n7zio}
)
a5 OK Fetch completed (0.001 + 0.000 secs).

devadmin

Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{…})

HTB{983uzn8jmfgpd8jmof8c34n7zio}

SNMP

Basic concepts

  • Purpose: monitoring and remote control/configuration of network devices (routers, switches, servers, IoT, ...)
  • How it works:
    • Polling (request/response): the manager requests information and the device answers (UDP port 161)
    • Traps (notifications): when a particular event occurs, the device sends data to the manager without being asked (UDP port 162)

Core elements: MIB & OID

MIB (Management Information Base)

  • The database structure describing the information a device holds
  • Vendor-specific text files; they do not contain the data itself, only where each value lives and what its attributes are

OID (Object Identifier)

  • The unique address of a particular piece of information in the MIB tree
  • A hierarchical numeric path (e.g. 1.3.6.1.2)

Differences between versions

  Version | Characteristics                                | Security level | Notes
  v1      | Original version, no encryption                | Low            | All data (community string included) is sent in clear text
  v2c     | Extended functionality, bulk transfers         | Low            | Community-string authentication, still clear text; the most widely used
  v3      | Authentication (user/password) and encryption  | High           | Configuration is complex, so many administrators keep using v2c

Configuration and threats

  • Attacks mainly target misconfigurations

Community string

  • A string that plays the role of ID/password
  • In v1 and v2c it is sent in clear text, so it can be captured by sniffing

Examples of dangerous settings

  • rwuser noauth: grants read/write access to the entire OID tree without authentication
  • rwcommunity: grants read/write access to a specific IP or to everyone

Footprinting tools

snmpwalk

  • Purpose: query OIDs in sequence to collect detailed information about the device. Example
snmpwalk -v2c -c public <Target_IP>

onesixtyone

  • Purpose: brute-force the community string. Example
onesixtyone -c /path/to/wordlist.txt <Target_IP>

braa

  • Purpose: scan a range of OIDs in bulk once the community string is known. Example
braa public@<Target_IP>:.1.3.6.*
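What the snmpwalk/onesixtyone traffic above looks like on the wire, as an added example that is not part of these notes or the HTB module: a minimal SNMPv2c GetRequest/GetResponse codec in pure Python. The BER helpers cover only the types these PDUs need; the agent reply used offline is constructed, and the OID constants are the standard sysDescr and sysContact objects. The point it makes is the one in the version table: the community string is an ordinary OCTET STRING inside a clear-text UDP datagram.

```python
"""A minimal SNMP v2c GetRequest/GetResponse codec in pure Python.  Added
example for these notes (not the module's code); the BER helpers cover only
the types these PDUs need, and the agent reply used offline is constructed."""
import random
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
SYS_CONTACT = "1.3.6.1.2.1.1.4.0"
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2


def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body          # long form: 0x8N + N length bytes


def tlv(tag, value):
    return bytes([tag]) + _length(len(value)) + value


def encode_int(n):
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, n.to_bytes(size, "big", signed=True))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])          # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                      # base-128, high bit = "more follows"
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(raw):
    arcs, n = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_children(value):
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = parse_tlv(value, pos)
        items.append((tag, val))
    return items


def build_message(pdu_tag, community, request_id, varbinds):
    """SNMPv2c message: SEQUENCE { version 1, community, PDU { id, 0, 0, varbinds } }.
    varbinds is [(oid, value_tlv)]; a GetRequest sends NULL (0x05) as the value."""
    vbs = b"".join(tlv(0x30, encode_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbs))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)


def decode_response(packet):
    """Return (community, {oid: value}) from a GetResponse; raises on error-status."""
    _, msg, _ = parse_tlv(packet)
    (_, _version), (_, community), (pdu_tag, pdu) = parse_children(msg)
    if pdu_tag != GET_RESPONSE:
        raise ValueError(f"unexpected PDU tag {pdu_tag:#x}")
    (_, _rid), (_, err_status), (_, _err_index), (_, vbs) = parse_children(pdu)
    if int.from_bytes(err_status, "big", signed=True):
        raise ValueError(f"agent returned error-status {err_status.hex()}")
    values = {}
    for _, vb in parse_children(vbs):
        (_, oid), (vtag, val) = parse_children(vb)
        if vtag == 0x04:                                   # OCTET STRING
            values[decode_oid(oid)] = val.decode(errors="replace")
        elif vtag in (0x02, 0x41, 0x42, 0x43):             # INTEGER, Counter32, Gauge32, TimeTicks
            values[decode_oid(oid)] = int.from_bytes(val, "big", signed=(vtag == 0x02))
        else:
            values[decode_oid(oid)] = val                  # NULL, noSuchObject, ...
    return community.decode(errors="replace"), values


def snmp_get(host, community, oids, port=161, timeout=3):
    """Send one GetRequest for `oids` (a list) and return the decoded varbinds."""
    request_id = random.randrange(1, 1 << 30)
    packet = build_message(GET_REQUEST, community, request_id, [(o, tlv(0x05, b"")) for o in oids])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        data, _ = s.recvfrom(65535)
    return decode_response(data)[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    community = sys.argv[2] if len(sys.argv) > 2 else "public"
    print(snmp_get(target, community, [SYS_DESCR, SYS_CONTACT]))
```

Because a wrong community string simply gets no answer (the agent drops the packet), a brute-force tool such as onesixtyone is just this request sent once per candidate with a short timeout; an IDS on the segment sees every candidate in the clear.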

Questions

Enumerate the SNMP service and obtain the email address of the admin. Submit it as the answer.

What is the customized version of the SNMP server?

Enumerate the custom script that is running on the system and submit its output as the answer.