Ethan Feng
Developer/Programmer

Footprinting Lab Easy

Initial Reconnaissance with nmap

Using the following nmap command, we began our initial reconnaissance:

nmap -sV -T4 -p- -A 10.129.202.41

The results showed various services and ports open:

NFS Services Exploration

From the nmap scan, we identified NFS services. To explore further:

  • Created a directory for mount: sudo mkdir /mnt/TechSupport
  • Mounted the remote directory: sudo mount -t nfs 10.129.202.41:/TechSupport /mnt/TechSupport

Contents inside the 'TechSupport' directory:

NFS Result

Running cat on one of the files shows it is empty, so I used ls -la to see the details:

NFS Result

We can see that ticket4238791283782.txt has content:

cat ticket4238791283782.txt

We get the conversation below:

Started on November 10, 2021 at 01:27 PM London time GMT (GMT+0200)

01:27 PM | Operator: Hello,.
So what brings you here today?

01:27 PM | alex: hello

01:27 PM | Operator: Hey alex!
What do you need help with?

01:36 PM | alex: I run into an issue with the web config file on the system for the smtp server. do you mind to take a look at the config?

01:38 PM | Operator: Of course

01:42 PM | alex: here it is:

                        smtp {
                            host=smtp.web.dev.inlanefreight.htb
                            #port=25
                            ssl=true
                            user="alex"
                            password="lol123!mD"
                            from="alex.g@web.dev.inlanefreight.htb"
                        }
                        securesocial {
                            onLoginGoTo=/
                            onLogoutGoTo=/login
                            ssl=false
                            userpass {
                                withUserNameSupport=false
                                sendWelcomeEmail=true
                                enableGravatarSupport=true
                                signupSkipLogin=true
                                tokenDuration=60
                                tokenDeleteInterval=5
                                minimumPasswordLength=8
                                enableTokenJob=true
                                hasher=bcrypt
                            }
                            cookie {
                                # name=id
                                # path=/login
                                # domain="10.129.2.59:9500"
                                httpOnly=true
                                makeTransient=false
                                absoluteTimeoutInMinutes=1440
                                idleTimeoutInMinutes=1440
                            }
                        }
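
Seen from the defending side, the ticket above is a plaintext credential stored on a readable file share. The following added example (not part of the original writeup) parses nested `name { key=value }` text like the ticket's and reports credential-like keys without printing their values; the key-name list is an assumption and the sample text is constructed with placeholder values.

```python
import re

# Assumed list of secret-bearing key names; anchored at the end so that
# tokenDuration or minimumPasswordLength do not match.
SECRET_KEY = re.compile(r"(password|passwd|pwd|secret|token|api[_-]?key)$", re.I)
BLOCK_OPEN = re.compile(r"^([\w.-]+)\s*\{$")
ASSIGN = re.compile(r"^([\w.-]+)\s*[=:]\s*(.+)$")

def find_secrets(text):
    """Return (line_no, dotted.key.path, value_length) per credential-like assignment."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        commented = line.startswith("#")
        line = line.lstrip("#").strip()  # commented-out secrets still count
        opened = None if commented else BLOCK_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
        elif line == "}" and not commented:
            stack[-1:] = []  # close the innermost block, if any is open
        else:
            m = ASSIGN.match(line)
            value = m.group(2).strip().strip("\"'") if m else ""
            if value and SECRET_KEY.search(m.group(1)):
                # Report only the length, never the secret itself.
                findings.append((no, ".".join(stack + [m.group(1)]), len(value)))
    return findings

# Constructed sample shaped like the ticket above; all values are placeholders.
SAMPLE = """01:42 PM | user: here it is:
smtp {
    #port=25
    user="svc"
    password="EXAMPLE-not-real"
}
securesocial {
    userpass {
        tokenDuration=60
        minimumPasswordLength=8
    }
}
"""

if __name__ == "__main__":
    print(find_secrets(SAMPLE))
```

Feeding it the text of each file on an export before the share is published shows which tickets or configs need to be cleaned up and which passwords need rotating.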
                        
Remote Desktop Connection

With the obtained credentials, an attempt was made to access the system using Remote Desktop:

  • Installed necessary tools: sudo apt-get install rdesktop
  • Initiated connection: rdesktop 10.129.202.41
RDP Result

Trying to log in to Microsoft SQL Server was not successful:

trysql result

Searching the computer's files to see what we can find, we get an important.txt:

find important.txt
Use the credentials

Trying the credentials on SQL Server still does not work, so we log in over RDP as Administrator instead:

xfreerdp /v:10.129.202.41 /u:Administrator /p:'87N1ns@slls83'

Running Microsoft SQL Server as Administrator works.

Searching the database gives the result.