Creds: "ceil:qwer1234"
Employees talking about SSH keys on forum.
No aggressive exploitation
Initial IP: 10.129.74.11 (HOST)
nmap -T2 10.129.74.11 -sV -vv
21/tcp open ftp syn-ack ttl 63 ProFTPD
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
53/tcp open domain syn-ack ttl 63 ISC BIND 9.16.1 (Ubuntu Linux)
2121/tcp open ftp syn-ack ttl 63
FTP banner: 220 ProFTPD Server (ftp.int.inlanefreight.htb)
└─# dig axfr inlanefreight.htb @$HOST
; <<>> DiG 9.20.11-4+b1-Debian <<>> axfr inlanefreight.htb @10.129.74.11
;; global options: +cmd
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
app.inlanefreight.htb. 604800 IN A 10.129.18.15
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
ns.inlanefreight.htb. 604800 IN A 10.129.34.136
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
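The transfer above succeeded without authentication, so the whole zone is readable by anyone who can reach port 53. As an added example (not part of the original notes), this sketch parses dig AXFR output and summarises what the zone discloses; `audit_axfr` and the report keys are hypothetical names, and the sample is a trimmed copy of the answer above.

```python
import ipaddress
import re

# Constructed sample: trimmed from the zone-transfer answer shown in the notes.
SAMPLE_AXFR = """\
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com ip4:10.129.124.8 ip4:10.129.127.2 ~all"
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
app.inlanefreight.htb. 604800 IN A 10.129.18.15
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
ns.inlanefreight.htb. 604800 IN A 10.129.34.136
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
"""

# name, TTL, class IN, type, rdata; dig comment lines (";") never match this.
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")

def audit_axfr(text):
    """Summarise what a successful zone transfer disclosed."""
    report = {"complete": False, "private_hosts": {}, "spf_ip4": [],
              "spf_includes": [], "verification_tokens": []}
    soa = 0
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        name, rtype, rdata = m.groups()
        if rtype == "SOA":
            soa += 1  # a full AXFR answer starts and ends with the SOA
        elif rtype == "A" and ipaddress.ip_address(rdata).is_private:
            report["private_hosts"][name.rstrip(".")] = rdata
        elif rtype == "TXT":
            value = rdata.strip('"')
            if value.startswith("v=spf1"):
                for term in value.split()[1:]:
                    if term.startswith("ip4:"):
                        report["spf_ip4"].append(term[4:])
                    elif term.startswith("include:"):
                        report["spf_includes"].append(term[8:])
            elif "=" in value:  # keep only the service label, not the token
                report["verification_tokens"].append(value.split("=", 1)[0])
    report["complete"] = soa >= 2
    return report

if __name__ == "__main__":
    print(audit_axfr(SAMPLE_AXFR))
```

In BIND, restricting `allow-transfer` to the secondary name servers closes this exposure.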
FTP on port 21 is empty when logged in as the given user
FTP on port 2121 contains things:
SSH key working for ceil
Flag is in /home/flag/flag.txt