# Recon

- Add target IP to `/etc/hosts`
- Ping working ![[images/Pasted image 20251020203520.png]]
- Light nmap scan ![[images/Pasted image 20251020213027.png]]
- Deep nmap scan ![[images/Pasted image 20251020213256.png]]
- UDP nmap scan ![[images/Pasted image 20251020204559.png]]
- OS nmap scan ![[images/Pasted image 20251020214456.png]]

# DNS Enum

- dig any ![[images/Pasted image 20251020204336.png]]
- dig axfr ![[images/Pasted image 20251020204408.png]]
- add entries to `/etc/hosts`
- run `subbrute.py` after updating local `resolvers.txt` file

```bash
./subbrute.py inlanefreight.htb -s /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -r ./resolvers.txt
```

- run `dig axfr` on new subdomains
  - nothing ![[images/Pasted image 20251020205504.png]]

# POP3 Enum

- brute-force 110 with hydra
  - too long
- brute-force pop3 with Metasploit
  - too long

# FTP

- restarted VPN and reset the target
- now ftp/2121 and ftp/30021 show up
- anonymous login to ftp/30021 ![[images/Pasted image 20251020213518.png]]
- `mynotes.txt` includes what looks like potential passwords
  - save to `passwords.txt`
  - **use these with `hydra` to brute-force pop3** then maybe we can read some emails

# POP3 Enum (take 2)

- redo brute-force attempts with password list
- try with provided user list
  - no dice ![[images/Pasted image 20251020213944.png]]
- try with another userlist
  - short list failed ![[images/Pasted image 20251020214025.png]]
- try with simon only port 110
  - gucci! save to `creds.txt` ![[images/Pasted image 20251020214654.png]]
- log in to pop3s/995

```bash
openssl s_client -connect <target_ip>:pop3s
# typed inside the TLS session once the POP3 banner appears:
USER xxx
PASS xxx
```

![[images/Pasted image 20251021082719.png]]

- log in to pop3/110

```bash
telnet <target_ip> 110
# typed inside the POP3 session:
USER xxx
PASS xxx
LIST
RETR <number>
```

![[images/Pasted image 20251021083056.png]]

- we have a privkey

# SSH Enum

- copy privkey to local machine and chmod 600 the file
- we need a password for the privkey ![[images/Pasted image 20251021083320.png]]
- the previously found password worked; we're on the box ![[images/Pasted image 20251021083428.png]]
- basic enum ![[images/Pasted image 20251021084625.png]]
- we have the flag
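
Defender's view of the "POP3 Enum (take 2)" step, as an added example that is not part of the original notes: a log check that flags a source with many failed POP3 logins and reports any account that then logs in successfully from that same source. It assumes Dovecot-style `pop3-login` lines (the notes do not name the mail server); the sample log, the `find_pop3_guessing` name and the `min_failures` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Dovecot pop3-login style. Assumption: the page does not
# name the POP3 server; all IPs, sessions and users except "simon" are made up.
SAMPLE_LOG = """\
Oct 20 21:39:01 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<a1>
Oct 20 21:39:08 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<john>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<a2>
Oct 20 21:39:40 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, session=<b1>
Oct 20 21:39:55 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, mpid=811, session=<b2>
Oct 20 21:40:15 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<simon>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<a3>
Oct 20 21:40:22 mail dovecot: pop3-login: Login: user=<simon>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=812, session=<a4>
"""

# Failed auth: "Aborted login (auth failed, N attempts ...)" or "Disconnected (auth failed, ...)"
FAIL_RE = re.compile(
    r"pop3-login: \w[\w ]*\(auth failed, (\d+) attempts[^)]*\): "
    r"user=<([^>]*)>.*?\brip=([\w.:]+)"
)
# Successful auth
OK_RE = re.compile(r"pop3-login: Login: user=<([^>]*)>.*?\brip=([\w.:]+)")


def find_pop3_guessing(log_text, min_failures=5):
    """Return {source_ip: {"failures", "users", "guessed"}} for noisy sources.

    min_failures is a hypothetical threshold; tune it to your own baseline.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "guessed": set()})
    for line in log_text.splitlines():
        if m := FAIL_RE.search(line):
            attempts, user, rip = m.groups()
            stats[rip]["failures"] += int(attempts)
            stats[rip]["users"].add(user)
        elif m := OK_RE.search(line):
            user, rip = m.groups()
            # A login that follows a run of failures from the same source is
            # the signal that a guessed password worked.
            if stats[rip]["failures"] >= min_failures:
                stats[rip]["guessed"].add(user)
    return {ip: s for ip, s in stats.items() if s["failures"] >= min_failures}


if __name__ == "__main__":
    for ip, s in find_pop3_guessing(SAMPLE_LOG).items():
        print(ip, s["failures"], sorted(s["users"]), "guessed:", sorted(s["guessed"]))
```

An account listed under `guessed` needs its password rotated everywhere it is reused, since in these notes the same password also unlocked the SSH private key found in the mailbox.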