Footprinting Lab — Easy Walkthrough | By Hackerhalt

Hacker Halt
Oct 31, 2024

I received an email from John regarding an internal penetration test at Inlanefreight Ltd. The objective is to assess the company’s security measures and identify potential vulnerabilities. This engagement will involve a thorough evaluation of the network infrastructure, applications, and any associated systems to ensure robust security practices are in place.

Practical

We have been provided with employee credentials: username “ceil” and password “qwer1234.” These credentials could potentially be used for SSH, FTP, Telnet, and other services. Next, we will scan the company’s IP address to assess the available services and their security.

Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.

Nmap Scanning

I initially conducted a basic Nmap scan to identify open ports. The results revealed several noteworthy open ports, including FTP, SSH, DNS, and an additional FTP port on 2121.

Enumeration

At this initial stage, we have the credentials for the user “ceil”. While it is unclear where these credentials can be used, they may apply to SSH or the FTP services. Notably, there are two FTP ports running on the same server: the default port and a custom port, 2121, which is associated with the ProFTPD server. Additionally, anonymous login is not permitted.

After analyzing the Nmap results, I’ve identified a hint from port 2121, which is running the ProFTPD server. It appears that the username “ceil” may be used for this FTP server. I suggest we proceed by attempting to log in with these credentials.

Success! We have gained access to the FTP server using the user credentials.

Although we have gained access to the FTP server, we have not yet located any flags. Next, let’s enumerate the FTP server to uncover any interesting information or files that may be present.

We have discovered a hidden folder named .ssh, which contains the SSH key for the user "ceil." By using the id_rsa key, we can log in without needing a password. Next, let's copy the RSA key from the FTP server to our local system using the GET command.

SSH Access Using id_rsa Key

ssh -i id_rsa ceil@10.129.249.89

BOOM! Here we get the flag.txt file.

Conclusion

In conclusion, this CTF exercise demonstrated a successful approach to accessing and enumerating an FTP server. Initially, we identified open ports using Nmap and obtained user credentials. By logging into the FTP server, we discovered a hidden .ssh folder containing an SSH private key. This key allows for passwordless login, showcasing the importance of secure credential management and the potential vulnerabilities associated with misconfigured services. Overall, this CTF provided valuable insights into network security practices and the methodologies used in penetration testing.
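As an added example (not part of the original walkthrough), the following defender-side audit flags the condition that made this lab solvable: a private key under a user's .ssh directory that has no passphrase or is readable by other accounts. The function names, the one-level home layout (root/user/.ssh) and the sample keys are assumptions constructed for illustration.

```python
import base64, binascii, pathlib, stat, tempfile

MAGIC = b"openssh-key-v1\0"  # header of the OpenSSH private key container

def key_is_unencrypted(text):
    """True/False for a private key file, None if the text is not one.
    In the OpenSSH container the magic is followed by a length-prefixed
    cipher name; the name "none" means the key has no passphrase."""
    if "PRIVATE KEY-----" not in text:
        return None
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except binascii.Error:
            return None
        if not blob.startswith(MAGIC):
            return None
        start = len(MAGIC) + 4
        n = int.from_bytes(blob[len(MAGIC):start], "big")
        return blob[start:start + n] == b"none"
    # Legacy PEM: encrypted keys carry "Proc-Type: 4,ENCRYPTED" or an ENCRYPTED header.
    return "ENCRYPTED" not in text

def audit_homes(root):
    """Return [(relative path, issues)] for risky private keys in root/<user>/.ssh."""
    findings = []
    for path in sorted(p for p in pathlib.Path(root).glob("*/.ssh/*") if p.is_file()):
        plain = key_is_unencrypted(path.read_text(errors="replace"))
        if plain is None:
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        issues = (["no passphrase"] if plain else []) + (["mode %o" % mode] if mode & 0o077 else [])
        if issues:
            findings.append((path.relative_to(root).as_posix(), issues))
    return findings

def fake_key(cipher):
    """Constructed sample: real container header, zero bytes instead of key material."""
    b64 = base64.b64encode(MAGIC + len(cipher).to_bytes(4, "big") + cipher + bytes(32)).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64

def demo():
    # Constructed tree: ceil's key is plaintext and world-readable, alice's is neither.
    samples = [("ceil", "id_rsa", b"none", 0o644), ("alice", "id_ed25519", b"aes256-ctr", 0o600)]
    with tempfile.TemporaryDirectory() as root:
        for user, name, cipher, mode in samples:
            key = pathlib.Path(root, user, ".ssh", name)
            key.parent.mkdir(parents=True)
            key.write_text(fake_key(cipher))
            key.chmod(mode)
        return audit_homes(root)
```

On a real host, `audit_homes("/home")` run with sufficient privileges lists the keys that would grant passwordless login to anyone able to read the file, for example through a file-transfer service that exposes the home directory.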


Written by Hacker Halt

Professional Cyber Security Trainer, Red Teamer, Bug Bounty Hunter, YouTube Content Creator, CEH, VAPT, CCNA, MAPT, CFI @haltacademy