Posts

Footprinting Lab - Hack The Box - Hard

  The third lab from the Footprinting module has the following description: The third server is an MX and management server for the internal network. Subsequently, this server has the function of a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to access. Upon enumerating the server, both POP3 and IMAP ports were found to be open, along with the SSH port. (Image: imap/pop3/ssh -sC) At this point, email credentials were needed. It took some time to connect the fact that this was also a backup server with the information obtained from the SNMP section in HTB. However, after running the onesixtyone tool, several interesting details were uncovered. (Image: onesixtyone) As shown in the image above, there was a community string labeled "backup," and by using snmpwalk, the credential was retrieved. (Image: snmpwalk) Using Tom's credentials, access to the mailbox was gained, revealing additional information. - First, a

Footprinting Lab - Hack The Box - Medium

  The second lab from the Footprinting module has the following description: This second server is a server that everyone on the internal network has access to. In our discussion with our client, we pointed out that these servers are often one of the main targets for attackers and that this server should be added to the scope. Our customer agreed to this and added this server to our scope. Here, too, the goal remains the same. We need to find out as much information as possible about this server and find ways to use it against the server itself. For the proof and protection of customer data, a user named HTB has been created. Accordingly, we need to obtain the credentials of this user as proof. The initial enumeration revealed connections to Windows Remote Management protocols and NFS modules. Further investigation of the NFS revealed a volume named TechSupport that contained several tickets available for exploration. This information can also be accessed using the showmount command:

Footprinting Lab - Hack The Box - Easy

  The first lab from the Footprinting module has the following description: We were commissioned by the company Inlanefreight Ltd to test three different servers in their internal network. The company uses many different services, and the IT security department felt that a penetration test was necessary to gain insight into their overall security posture. The first server is an internal DNS server that needs to be investigated. In particular, our client wants to know what information we can get out of these services and how this information could be used against its infrastructure. Our goal is to gather as much information as possible about the server and find ways to use that information against the company. However, our client has made it clear that it is forbidden to attack the services aggressively using exploits, as these services are in production. Additionally, our teammates have found the following credentials "ceil:qwer1234", and they pointed out that some of the comp

BackTrack - TryHackMe

  This post shares a walkthrough of a recent room released on the TryHackMe platform. The backtrack is a medium-level room that involves capturing three flags. It required extensive research and the application of interesting techniques, so check it out!

  Foot-printing

  With the target machine and my Attackbox up and running, I began by checking for open ports using Nmap. Initially, I typically scan the top 1,000 ports to start manual checks using a browser or other tools, while additional port scanning can be performed in parallel to check the remaining ports or to utilize different scanning approaches. (Image: top 1000 syn scan) In the initial scan, the following ports and services were identified:

    22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
    8080/tcp open  http            Apache Tomcat 8.5.93
    8888/tcp open  sun-answerbook?(Aria2 WebUI)

  Later, in subsequent scans, we also identified the JSON-RPC port associated with the service running on port