Section 2 | Footprinting


I clearly misspoke a few posts ago, as two days of study time is not 24 hours of study time, but rather 48 hours of study time, as is evidenced by the time it took me to complete this module. This was an extremely comprehensive section regarding manually footprinting common services and the labs were particularly challenging. I don’t want to get DMCA’d by HTB, so I won’t list any specifics or walkthroughs from the module but rather some things I learned, some tips that helped me, and how my methodology has evolved as a result of these things.

Breaking it down

This module was composed of eleven practical lessons, each covering a different common service. Those services were: DNS, FTP, IMAP/POP3, IPMI, MSSQL, MySQL, NFS, Oracle TNS, SMB, SMTP, and SNMP. These are all very common services to find running on servers and networks, and are often misconfigured in ways that allow unauthorized access and/or data exfiltration. Here’s a brief description of what each service does:

  • DNS: resolves domain names to IP addresses and vice versa.
  • FTP: Allows remote file transfer.
  • IMAP/POP3: Mail services for storage and retrieval of email.
  • IPMI: Hardware host-based management interface; requires a baseboard management controller. Think of Dell iDRAC, HP iLO. Can manage machines that are turned off.
  • MSSQL: Microsoft SQL, proprietary SQL database service developed by and for Microsoft systems.
  • MySQL: Linux-based SQL database service.
  • NFS: Network file sharing system, often used between Linux and Unix systems.
  • Oracle TNS: Protocol that facilitates communication between Oracle databases and client applications. Used frequently in finance, healthcare and retail.
  • SMB: Network file sharing system, originally proprietary to Windows but can be used on all systems now.
  • SMTP: Protocol for sending emails in an IP network, usually combined with IMAP/POP3.
  • SNMP: Used for monitoring network devices, including servers, switches, and other infrastructure.

Each one of these could frankly be a post of its own due to the sheer breadth of content. Most servers run at least one of these services, and many times there is a misconfiguration in those services that can be exploited.

Lab Challenges

These labs were all challenging in different ways, but the easy lab really was the most difficult for me. The overall goal is to enumerate an internal DNS server and locate a flag.txt text file. You are provided with some initial credentials, and given a hint about SSH keys located somewhere. The real challenge here was thinking simply. I overthought this significantly, and had a lot of trouble getting the FTP session to do anything as I was getting unhelpful response codes. I eventually realized I couldn’t see anything because the file was hidden, so using a more comprehensive listing command worked. Once here I grabbed the SSH keys and was able to authenticate and locate the flag.


The second challenge was to locate the password for a user named ‘HTB’. During the initial scanning phase here I got tunnel vision trying to chase down an SMB share, but none of the scripts or commands I used worked. I took a step back and ran some different nmap scripts, which revealed an NFS share that I had missed earlier. I followed up on the NFS share, mounted it, and found some credentials in the share. I got stuck after this for a good while and had to look up a hint: RDP. Port 3389 is often used for RDP, which I know, I just hadn’t thought to follow up on it. So using the credentials from the NFS share I was able to log in over RDP, where I found a SQL client. The credentials didn’t work to authenticate here, and I had clearly missed something important, so I went back to the top and started again. I had misused the SMB commands, so I got stuck here again until I used the HTB command cheat sheet. Once mounted, I found a text file with more credentials, which happened to be reused for the administrator on the SQL server. This allowed me to connect to the SQL database and grab the credentials.


The third challenge was also to discover the credentials for the ‘HTB’ user, but this time from a mail server. I again started with some nmap scans, this time discovering the IMAP and POP3 services running. I couldn’t connect to these without credentials, and hit a wall at not seeing any other services running on the machine. I was tipped to double-check which ports were being scanned. I followed this advice and realized that I had missed the UDP ports, so I scanned those as well and discovered that SNMP was running on the machine. I had to run a tool called onesixtyone to discover the community string, which I then used with snmpwalk to enumerate the SNMP commands, which revealed credentials that I could use to access the POP3 mail service. Digging through this, I found an SSH key which I then used to connect to the SSH service. I spent a while digging around the server until eventually I decided to check the shell history, which revealed a MySQL instance running on the server. After connecting to the MySQL instance I was able to find the credentials.

Lessons Learned

The first lab really frustrated me initially, as it should have been so simple. It taught me to go more in depth with my directory listing, as people will hide files.

The second lab helped me realize that I need to slow it down. I got the first credential and ran out of runway, which tells me that I need to revisit every avenue after I discover credentials and see if they’ll work in other places. If I had tried to sign back into the SMB share again with the found credentials, I would have had a much easier time. That and if RDP is open and you have credentials, you might as well give them a try. Essentially, try credentials everywhere.

The third lab pushed me to enumerate everything. Missing the UDP ports was kind of a lightbulb moment for me where I realized that I was missing a whole other section of services. It certainly influenced my methodology.

Evolution of methodology

My methodology is evolving along with the course content, as I realized that I’ve only been scanning half of the ports on machines. From now on, the first thing I’ll do is two nmap scans, a TCP and UDP scan of all ports without versioning, and then a versioned scan afterwards. I’ll then follow up with a scripted scan for anything interesting to check for low hanging fruit. I also need to keep a reference sheet open for commands and remember the order of tools. After I find credentials, I’ll circle back and try them everywhere again, because credential reuse runs rampant.
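The scan order described above (all TCP and UDP ports without versioning first, then a version and default-script pass only on what came back open), written out as a shell script. This is an added example, not code from the post or from HTB; the target address is a placeholder, and the `-oG` parser is exercised against a constructed sample file so the parsing can be checked without running nmap.

```shell
#!/usr/bin/env bash
# Added example: two-pass nmap workflow. Target 10.10.10.5 is a placeholder assumption.
set -eu

# Extract open ports for one protocol (tcp|udp) from nmap grepable (-oG) output,
# returned as a comma-separated list ready for -p. UDP "open|filtered" entries are
# deliberately skipped: they are unanswered probes, not confirmed services.
open_ports() {  # usage: open_ports <grepable-file> <tcp|udp>
  local file="$1" proto="$2"
  grep '^Host:' "$file" | grep -o '[0-9]*/open/'"$proto"'/' \
    | cut -d/ -f1 | sort -un | paste -sd, -
}

# Passes 1 and 2: discovery only, every TCP and UDP port, no versioning.
discover() {  # usage: discover <target>
  local target="$1"
  sudo nmap -p- -T4 --min-rate 1000 -oG tcp_all.gnmap "$target" >/dev/null
  sudo nmap -sU -p- --min-rate 1000 -oG udp_all.gnmap "$target" >/dev/null
}

# Pass 3: version detection (-sV) and default scripts (-sC) only on open ports.
followup() {  # usage: followup <target>
  local target="$1" tcp udp
  tcp=$(open_ports tcp_all.gnmap tcp)
  udp=$(open_ports udp_all.gnmap udp)
  if [ -n "$tcp" ]; then
    sudo nmap -sV -sC -p "$tcp" -oN tcp_versions.nmap "$target"
  fi
  if [ -n "$udp" ]; then
    sudo nmap -sU -sV -sC -p "$udp" -oN udp_versions.nmap "$target"
  fi
}

# Constructed sample of -oG output (not a real scan), mixing TCP and UDP lines in
# one file so open_ports can be tested offline for both protocols.
sample_gnmap() {  # usage: sample_gnmap <outfile>
  cat > "$1" <<'EOF'
# Nmap scan initiated (constructed sample)
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 53/open/tcp//domain///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///  Ignored State: closed (65530)
Host: 10.10.10.5 ()  Ports: 53/open|filtered/udp//domain///, 161/open/udp//snmp///  Ignored State: closed (65533)
EOF
}

# Real run (requires nmap and root for -sU/-p-): discover 10.10.10.5 && followup 10.10.10.5
```

Running `discover` then `followup` against a host you are authorized to assess leaves the full-port discovery in the `.gnmap` files and the service details in the `.nmap` files for later reference.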

Conclusion

It’s clear that I need to break up these posts into smaller, more technical snippets, so in the next module I’ll start doing that. The next module is called ‘Information Gathering – Web Edition’, and will be more enumeration regarding web services using web archives, crawlers, search engine discovery, among other things. That one shouldn’t take too long, so I’ll post an update in a couple of days. I put the Splunk training on the back burner to finish the module, and may pick it up on the side, although this is much more enjoyable, so I’m more likely to pursue it. You may have noticed that I didn’t add color (I did add color, can’t be that lazy) or code snippets to this post; that is because my brain is fried after 5 hours of studying and several more writing an outline and then this post. Thanks for taking the time to read it!
