Intro
The Footprinting module consists of eleven sub-modules. This write-up will focus on the coverage of the first three sections, providing detailed explanations and analysis for each.
1. FTP
Task 1: Which version of the FTP server is running on the target system? Submit the entire banner as the answer.
To determine which version of the FTP server is running on the target’s system, we can directly connect to it or use Nmap by running -sV target ip command.
┌──(solo㉿HTB)-[~]
└─$ ftp 10.129.199.51
Connected to 10.129.199.51.
220 InFreight FTP v1.1
Answer: InFreight FTP v1.1
Task 2: Enumerate the FTP server and find the flag.txt file. Submit the contents of it as the answer.
Let’s start with anonymous login and hit enter during password prompt.
┌──(solo㉿HTB)-[~]
└─$ ftp 10.129.199.51
Connected to 10.129.199.51.
220 InFreight FTP v1.1
Name (10.129.199.51:solo): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Now, we will simply use ls -al command to list everything. Lastly we will download the flag by using get command.
ftp> ls -al
229 Entering Extended Passive Mode (|||63808|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 ftpuser ftpuser 4096 Nov 8 2021 .
drwxr-xr-x 2 ftpuser ftpuser 4096 Nov 8 2021 ..
-rw-r--r-- 1 ftpuser ftpuser 220 Nov 8 2021 .bash_logout
-rw-r--r-- 1 ftpuser ftpuser 3771 Nov 8 2021 .bashrc
-rw-r--r-- 1 ftpuser ftpuser 39 Nov 8 2021 flag.txt
-rw-r--r-- 1 ftpuser ftpuser 807 Nov 8 2021 .profile
226 Transfer complete
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||24376|)
150 Opening BINARY mode data connection for flag.txt (39 bytes)
39 27.81 KiB/s
226 Transfer complete
39 bytes received in 00:00 (0.93 KiB/s)
ftp>
Answer: HTB{b7skjr4c76zhsds7fzhd4k3ujg7nhdjre}
2. SMB
Task 1: What version of the SMB server is running on the target system? Submit the entire banner as the answer.
To find out which version of SMB is running in the target system, we will utilize NMAP. SMB usually connects to the Samba server over TCP ports 137, 138, 139 but CIFS which is the extension of the SMB protocol uses TCP port 445 only.
┌──(solo㉿HTB)-[~]
└─$ nmap -p 139,445 -sV -Pn 10.129.83.52
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Answer: Samba smbd 4.6.2
Task 2: What is the name of the accessible share on the target?
By deploying -L flag, we can display a list of the server’s shares with the smbclient command from our host. Additionally, using the -N flag allows us to use null session, which is anonymous access without the input of existing users or valid passwords.
┌──(solo㉿HTB)-[~]
└─$ smbclient -N -L //10.129.83.52
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
sambashare Disk InFreight SMB v3.1
IPC$ IPC IPC Service (InlaneFreight SMB server (Samba, Ubuntu))
Answer: sambashare
Task 3: Connect to the discovered share and find the flag.txt file. Submit the contents as the answer.
Let’s connect and provide nothing as password.
┌──(solo㉿HTB)-[~]
└─$ smbclient //10.129.83.52
Password for [WORKGROUP\htb]:
Try "help" to get a list of possible commands.
smb: \>
We used help command to get a list of possible commands from which we used the l command to list everything. Afterwards we navigated to the contents path and deployed the l command again. Lastly we used the get command to download the flag.txt file.
smb: \> l
.
..
.profile
contents
.bash_logout
.bashrc
smb: \> cd contents\
smb: \contents\> ls
.
..
flag.txt
smb: \contents\> get flag.txt
getting file \contents\flag.txt of size 38 as flag.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
Answer: sambashare
Task 4: Find out which domain the server belongs to.
After using NMAP and its NSE scripts which provided us with limited information, we decided to resort to other tools. One of the handy tools for this is rpcclient. The tool is a concept and a central tool to realize operational and work-sharing structures in networks and client-server architectures.
┌──(solo㉿HTB)-[~]
└─$ rpcclient -U "" 10.129.83.52
Password for [WORKGROUP\]:
Once again we used help command to get a list of possible commands from which we used the srvinfo command to get server query info.
rpcclient $> querydominfo
Domain: DEVOPS
Server: DEVSMB
Comment: InlaneFreight SMB server (Samba, Ubuntu)
Total Users: 0
Total Groups: 0
Total Aliases: 0
Sequence No: 1709712810
Force Logoff: -1
Domain Server State:
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
Answer: DEVOPS
Task 5: Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer.
This task was rather confusing and it took us longer than we wish to admit as the additional information could have been anything. We started by enumerating all of the netnames. Through trial and error we managed to find the correct answer which in this case is InFreight SMB v3.1.
┌──(solo㉿HTB)-[~]
└─$ rpcclient $> netshareenumall
netname: print$
remark: Printer Drivers
path: C:\var\lib\samba\printers
password:
netname: sambashare
remark: InFreight SMB v3.1
path: C:\home\sambauser\
password:
netname: IPC$
remark: IPC Service (InlaneFreight SMB server (Samba, Ubuntu))
path: C:\tmp
password:
Answer: InFreight SMB v3.1
Task 6: What is the full system path of that specific share? (format: “/directory/names”)
This task is easy and we already have the answer at hand. We just have to convert the system path from Windows to Linux.
┌──(solo㉿HTB)-[~]
└─$ C:\home\sambauser\ ----> /home/sambauser
Answer: /home/sambauser
3. NFS
Task 1: Enumerate the NFS service and submit the contents of the flag.txt in the “nfs” and the “nfsshare” share as the answer.
When footprinting NFS, the TCP ports 111 and 2049 are essential. We can also get information about the NFS service and the host via RPC, as shown below.
┌──(solo㉿HTB)-[~]
└─$ sudo nmap 10.129.202.5 -p 111,2049 -sV -sC
Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for 10.129.202.5
Host is up (0.034s latency).
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 43200/udp mountd
| 100005 1,2,3 51516/udp6 mountd
| 100005 1,2,3 51981/tcp6 mountd
| 100005 1,2,3 54673/tcp mountd
| 100021 1,3,4 40933/tcp6 nlockmgr
| 100021 1,3,4 41459/tcp nlockmgr
| 100021 1,3,4 42432/udp6 nlockmgr
| 100021 1,3,4 56017/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs 3-4 (RPC #100003)
Next we will deploy NSE script to retrieve list of all currently running RPC services, their names and descriptions, and the ports they use.
┌──(solo㉿HTB)-[~]
└─$ sudo nmap --script nfs* 10.129.202.5 -sV -p 111,2049
Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for 10.129.202.5
Host is up (0.034s latency).
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
| nfs-ls: Volume /var/nfs
| access: Read Lookup Modify Extend Delete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 65534 65534 4096 2021-11-08T15:08:27 .
| ?????????? ? ? ? ? ..
| rw-r--r-- 65534 65534 39 2021-11-08T15:08:27 flag.txt
|
|
| Volume /mnt/nfsshare
| access: Read Lookup Modify Extend Delete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 65534 65534 4096 2021-11-08T14:06:40 .
| ?????????? ? ? ? ? ..
| rw-r--r-- 65534 65534 59 2021-11-08T14:06:40 flag.txt
|_
|_rpcinfo: ERROR: Script execution failed (use -d to debug)
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
| /var/nfs 4062912.0 3330488.0 506328.0 87% 16.0T 32000
|_ /mnt/nfsshare 4062912.0 3330488.0 506328.0 87% 16.0T 32000
| nfs-showmount:
| /var/nfs 10.0.0.0/8
|_ /mnt/nfsshare 10.0.0.0/8
2049/tcp open nfs 3-4 (RPC #100003)
Now that we have discovered NFS services, let’s mount it to our local machine.
┌──(solo㉿HTB)-[~]
└─$ showmount -e 10.129.202.5
Export list for 10.129.202.5:
/var/nfs 10.0.0.0/8
/mnt/nfsshare 10.0.0.0/8
┌──(solo㉿HTB)-[~]
└─$ mkdir target-NFS
┌──(solo㉿HTB)-[~]
└─$ sudo mount -t nfs 10.129.202.5:/ ./target-NFS/ -o nolock
┌──(solo㉿HTB)-[~]
└─$ cd target-NFS
tree .
.
├── mnt
│ └── nfsshare
│ └── flag.txt
└── var
└── nfs
└── flag.txt
Answer: HTB{hjglmvtkjhlkfuhgi734zthrie7rjmdze}
Answer: HTB{8o7435zhtuih7fztdrzuhdhkfjcn7ghi4357ndcthzuc7rtfghu34}
Conclusion
This module offers an exceptional opportunity for individuals seeking to acquire proficient skills in utilizing different Host Based Enumeration tools. Mastery of these tools is highly recommended for anyone aspiring to excel in this field, making this module an essential resource for knowledge acquisition.