
# Interacting with common services

### Key notes

* **Goal:** connect fast and pull useful data.
* **Focus:** file shares, email, and databases.
* **What you want:** creds, configs, readable files, writable paths, and service-specific access.
* **Exam mindset:** validate access, search fast, reuse everything.

### Quick workflow

1. Identify the exposed service.
2. Try the easiest client first.
3. Mount or map it locally if possible.
4. Search for creds, configs, keys, and secrets.
5. Reuse every username and password elsewhere.

***

### File share services

Use file-sharing services to find:

* readable shares
* writable paths
* config files
* credential files
* source code
* user context

Common internal targets include SMB, NFS, FTP, TFTP, and SFTP.

Some environments also sync cloud storage locally. The workflow stays the same. Connect, browse, search, and reuse what you find.

***

### Server Message Block (SMB)

SMB is common in Windows environments.

Use it to:

* browse shares
* map remote paths
* search for secrets
* confirm whether access is anonymous or credentialed

### Windows

#### GUI

Press `[WINKEY] + [R]` and enter the share path, for example: `\\192.168.220.129\Finance\`

![Windows Server 2012 R2 desktop with Run dialog open, showing network path entry.](https://cdn.services-k8s.prod.aws.htb.systems/content/modules/116/windows_run_sharefolder2.jpg)

If the share allows anonymous access, or your current user already has access, it opens directly.

![File explorer open to network path \192.168.220.133\Finance showing Contracts folder.](https://cdn.services-k8s.prod.aws.htb.systems/content/modules/116/finance_share_folder2.jpg)

If not, Windows prompts for credentials.

![Windows Security prompt for network credentials with fields for username, password, and domain.](https://cdn.services-k8s.prod.aws.htb.systems/content/modules/116/auth_request_share_folder2.jpg)

#### Command Prompt

Use [dir](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dir) to list a remote share directly.

{% code title="Windows CMD - DIR" %}

```cmd
C:\htb> dir \\192.168.220.129\Finance\

Volume in drive \\192.168.220.129\Finance has no label.
Volume Serial Number is ABCD-EFAA

Directory of \\192.168.220.129\Finance

02/23/2022  11:35 AM    <DIR>          Contracts
               0 File(s)          4,096 bytes
               1 Dir(s)  15,207,469,056 bytes free

```

{% endcode %}

Use [net use](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/gg651155\(v=ws.11\)) to map the share to a drive letter.

{% code title="Windows CMD - Net Use" %}

```cmd
C:\htb> net use n: \\192.168.220.129\Finance

The command completed successfully.

```

{% endcode %}

Use explicit creds when needed.

{% code title="Windows CMD - Net Use with credentials" %}

```cmd
C:\htb> net use n: \\192.168.220.129\Finance /user:plaintext Password123

The command completed successfully.

```

{% endcode %}

Once mapped, treat it like a local drive.

Count files fast:

{% code title="Windows CMD - Count files" %}

```cmd
C:\htb> dir n: /a-d /s /b | find /c ":\"

29302

```

{% endcode %}

Command breakdown:

{% code title="DIR command breakdown" %}

```cmd
dir n: /a-d /s /b | find /c ":\"

```

{% endcode %}

| **Syntax** | **Description**                                                |
| ---------- | -------------------------------------------------------------- |
| `dir`      | Application                                                    |
| `n:`       | Directory or drive to search                                   |
| `/a-d`     | `/a` is the attribute and `-d` means not directories           |
| `/s`       | Displays files in a specified directory and all subdirectories |
| `/b`       | Uses bare format (no heading information or summary)           |
| `find /c ":\"` | Counts the output lines that contain `:\`, one per file path |

Search by filename first. Good patterns include:

* `cred`
* `password`
* `users`
* `secrets`
* `key`
* source files like `.cs`, `.c`, `.go`, `.java`, `.php`, `.asp`, `.aspx`, and `.html`

{% code title="Filename search examples" %}

```cmd
C:\htb>dir n:\*cred* /s /b

n:\Contracts\private\credentials.txt


C:\htb>dir n:\*secret* /s /b

n:\Contracts\private\secret.txt

```

{% endcode %}

Search inside files with [findstr](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/findstr).

{% code title="Windows CMD - Findstr" %}

```cmd
c:\htb>findstr /s /i cred n:\*.*

n:\Contracts\private\secret.txt:file with all credentials
n:\Contracts\private\credentials.txt:admin:SecureCredentials!

```

{% endcode %}

More `findstr` examples are [here](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/findstr#examples).

#### PowerShell

PowerShell gives you the same access path with better scripting support.

List share contents:

{% code title="Windows PowerShell" %}

```powershell
PS C:\htb> Get-ChildItem \\192.168.220.129\Finance\

    Directory: \\192.168.220.129\Finance

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/23/2022   3:27 PM                Contracts

```

{% endcode %}

Map the share with `New-PSDrive`:

{% code title="Windows PowerShell - New-PSDrive" %}

```powershell
PS C:\htb> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"

Name           Used (GB)     Free (GB) Provider      Root                                               CurrentLocation
----           ---------     --------- --------      ----                                               ---------------
N                                      FileSystem    \\192.168.220.129\Finance

```

{% endcode %}

If creds are required, build a [PSCredential object](https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential).

{% code title="Windows PowerShell - PSCredential Object" %}

```powershell
PS C:\htb> $username = 'plaintext'
PS C:\htb> $password = 'Password123'
PS C:\htb> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\htb> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
PS C:\htb> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred

Name           Used (GB)     Free (GB) Provider      Root                                                              CurrentLocation
----           ---------     --------- --------      ----                                                              ---------------
N                                      FileSystem    \\192.168.220.129\Finance

```

{% endcode %}

Count files recursively:

{% code title="Windows PowerShell - GCI" %}

```powershell
PS C:\htb> N:
PS N:\> (Get-ChildItem -File -Recurse | Measure-Object).Count

29302

```

{% endcode %}

Search by filename:

{% code title="Windows PowerShell - Search by filename" %}

```powershell
PS C:\htb> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

    Directory: N:\Contracts\private

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/23/2022   4:36 PM             25 credentials.txt

```

{% endcode %}

Search inside files with `Select-String`:

{% code title="Windows PowerShell - Select-String" %}

```powershell
PS C:\htb> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List

N:\Contracts\private\secret.txt:1:file with all credentials
N:\Contracts\private\credentials.txt:1:admin:SecureCredentials!

```

{% endcode %}

### Linux

Mount the share locally, then use normal Linux tools on it.

{% code title="Linux - Mount" %}

```bash
impale7@htb[/htb]$ sudo mkdir /mnt/Finance
impale7@htb[/htb]$ sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance

```

{% endcode %}

You can also use a credential file.

{% code title="Linux - Mount with credential file" %}

```bash
impale7@htb[/htb]$ sudo mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile

```

{% endcode %}

The file `credentialfile` should look like this:

{% code title="CredentialFile" %}

```txt
username=plaintext
password=Password123
domain=.

```

{% endcode %}

{% hint style="info" %}
Install `cifs-utils` first if needed: `sudo apt install cifs-utils`
{% endhint %}
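The credential file keeps the password off the `mount` command line, but it stores it in cleartext, so its permissions and contents are worth checking before use. The following is an added example, not part of the original page: `check_credfile` and `write_credfile` are hypothetical helper names (not part of `cifs-utils`), and the values are the sample ones used on this page.

```bash
#!/bin/sh
# Added example, not from the original page. check_credfile and
# write_credfile are hypothetical helper names, not part of cifs-utils.

check_credfile() {
    f=$1
    [ -f "$f" ] || { echo "missing file"; return 2; }

    # The file holds a cleartext password: group and other must have no
    # permission bits at all (characters 5-10 of the ls mode string).
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "too permissive (use chmod 600)"; return 1; }

    # Only the three keys shown above are expected. Report line numbers,
    # never the line text, so a password is not echoed to the terminal.
    bad=$(grep -vnE '^(username|password|domain)=|^$' "$f" | cut -d: -f1 | tr '\n' ' ')
    [ -z "$bad" ] || { echo "unexpected content on line(s): $bad"; return 1; }

    for key in username password; do
        grep -q "^$key=." "$f" || { echo "missing or empty: $key"; return 1; }
    done
    echo "ok"
}

# Write the file under a restrictive umask so it is never readable by other
# users, even briefly. Arguments: path, username, password, domain.
write_credfile() {
    ( umask 077
      printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$4" > "$1" )
}

# Demo on a temporary file (constructed values from this page).
tmp=$(mktemp)
write_credfile "$tmp" plaintext Password123 .
check_credfile "$tmp" || true     # passes
chmod 644 "$tmp"
check_credfile "$tmp" || true     # rejected: readable by group and other
rm -f "$tmp"
```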

Search by filename:

{% code title="Linux - Find" %}

```bash
impale7@htb[/htb]$ find /mnt/Finance/ -name '*cred*'

/mnt/Finance/Contracts/private/credentials.txt

```

{% endcode %}

Search inside files:

{% code title="Linux - Grep" %}

```bash
impale7@htb[/htb]$ grep -rn /mnt/Finance/ -ie cred

/mnt/Finance/Contracts/private/credentials.txt:1:admin:SecureCredentials!
/mnt/Finance/Contracts/private/secret.txt:1:file with all credentials

```

{% endcode %}

### What to look for in shares

Prioritize:

* credentials
* scripts
* config files
* backups
* source code
* SSH keys
* database connection strings
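
The same list works as an audit checklist for a share you administer. The script below is an added example, not part of the original page: it combines the filename and content searches shown earlier, detects private keys by header rather than by name, and reports only `path:line` so the report never repeats the secret. `audit_share` and `make_sample_share` are hypothetical names, the sample tree is constructed, and GNU `find`/`grep` on Linux is assumed.

```bash
#!/bin/sh
# Added example (not from the original page). audit_share and
# make_sample_share are hypothetical names. Assumes GNU find/grep on Linux
# and paths without ':' characters.

audit_share() {
    root=$1
    {
        # File names that suggest stored secrets or forgotten backups.
        find "$root" -type f \( -iname '*cred*' -o -iname '*password*' \
            -o -iname '*secret*' -o -iname '*.bak' -o -iname '*.old' \) |
            sed 's/^/NAME /'

        # Private keys, recognised by their PEM/OpenSSH header, not by name.
        grep -rIlE -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$root" |
            sed 's/^/KEY /'

        # Credentials and connection strings in text files. -I skips
        # binaries; cut keeps path:line only, so the report never repeats
        # the secret itself.
        grep -rInEi -e 'passw(or)?d *[=:]|pwd *=|user id *=|cred' "$root" |
            cut -d: -f1,2 | sed 's/^/TEXT /'
    } | sort -u
}

# Build a small constructed tree to run the audit against.
make_sample_share() {
    d=$(mktemp -d)
    mkdir -p "$d/Contracts/private" "$d/app"
    printf 'admin:SecureCredentials!\n' > "$d/Contracts/private/credentials.txt"
    printf '<config>\nServer=db;User Id=app;Password=Constructed1;\n' > "$d/app/web.config"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' > "$d/app/id_backup"
    printf 'meeting notes\n' > "$d/readme.txt"
    echo "$d"
}

share=$(make_sample_share)
audit_share "$share"
rm -rf "$share"
```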

***

### Other services

The same loop applies to FTP, TFTP, NFS, and similar services:

1. connect
2. validate access
3. browse or mount
4. search for useful data

#### Email

For email, the common split is:

* SMTP for sending
* POP3 or IMAP for retrieval

Use a client like [Evolution](https://wiki.gnome.org/Apps/Evolution) when you need to test mailbox access quickly.

{% code title="Linux - Install Evolution" %}

```bash
impale7@htb[/htb]$ sudo apt-get install evolution
...SNIP...

```

{% endcode %}

{% hint style="info" %}
If Evolution throws `bwrap: Can't create file at ...`, start it with `export WEBKIT_FORCE_SANDBOX=0 && evolution`
{% endhint %}

#### Video - Connecting to IMAP and SMTP using Evolution

Click on the image below to see a short video demonstration.

[![Email account summary with settings for jason@inlanefreight.htb, including server details.](https://cdn.services-k8s.prod.aws.htb.systems/content/modules/116/ConnectToIMAPandSMTP.jpg)](https://www.youtube.com/watch?v=xelO2CiaSVs)

When testing mail access, confirm:

* server IP or hostname
* POP3 or IMAP access
* SMTP auth requirements
* TLS, SMTPS, IMAPS, or STARTTLS support

Use the `Check for Supported Types` option under authentication to validate the supported method.
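
At the protocol level, an SMTP server advertises STARTTLS and its AUTH mechanisms in the reply to `EHLO`. The script below is an added example, not part of the original page: it parses a captured reply and flags password-based AUTH offered on a cleartext channel. `smtp_caps` is a hypothetical helper name and `EHLO_SAMPLE` is a constructed reply.

```bash
#!/bin/sh
# Added example, not from the original page. smtp_caps is a hypothetical
# helper; EHLO_SAMPLE is a constructed server reply, not a real capture.
# usage: smtp_caps plain|tls < ehlo_reply
#   plain = reply captured before TLS was negotiated, tls = after.

smtp_caps() {
    channel=$1
    # Reply lines are "250-KEYWORD [args]", the last one "250 KEYWORD".
    # The first 250 line is the server greeting, so it is dropped.
    caps=$(tr -d '\r' | sed -n 's/^250[- ]//p' | sed '1d' | tr 'a-z' 'A-Z')

    starttls=no
    printf '%s\n' "$caps" | grep -qx 'STARTTLS' && starttls=yes
    auth=$(printf '%s\n' "$caps" | sed -n 's/^AUTH[ =]//p' | head -n 1)

    echo "starttls=$starttls"
    echo "auth=${auth:-none}"

    if [ "$channel" = plain ]; then
        [ "$starttls" = yes ] ||
            echo "finding: no STARTTLS, the session stays cleartext"
        # PLAIN and LOGIN send the password base64-encoded, not encrypted.
        case " $auth " in
            *" PLAIN "*|*" LOGIN "*)
                echo "finding: PLAIN/LOGIN offered before TLS" ;;
        esac
    fi
}

EHLO_SAMPLE='250-mail.example.test Hello client
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP'

printf '%s\n' "$EHLO_SAMPLE" | smtp_caps plain
```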

#### Databases

Databases often hold the highest-value data on the target.

Common access paths:

1. Command-line utilities (`mysql` or `sqsh`)
2. Programming languages
3. A GUI application to interact with databases, such as HeidiSQL, MySQL Workbench, or SQL Server Management Studio

Focus on relational databases first. In most CPTS-style targets, that means MySQL or MSSQL.

**MySQL example**

![MySQL Database diagram with labeled components.](https://cdn.services-k8s.prod.aws.htb.systems/content/modules/116/3_way_to_interact_with_MySQL.png)

***

### Command line utilities

#### MSSQL

From Linux, use [sqsh](https://en.wikipedia.org/wiki/Sqsh). From Windows, use [sqlcmd](https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility).

Start an interactive session like this:

{% code title="Linux - SQSH" %}

```bash
impale7@htb[/htb]$ sqsh -S 10.129.20.13 -U username -P Password123

```

{% endcode %}

`sqlcmd` supports several usage patterns:

* At the command prompt.
* In Query Editor in SQLCMD mode.
* In a Windows script file.
* In an operating system (Cmd.exe) job step of a SQL Server Agent job.

{% code title="Windows - SQLCMD" %}

```cmd
C:\htb> sqlcmd -S 10.129.20.13 -U username -P Password123

```

{% endcode %}

More `sqlcmd` usage is in the [Microsoft documentation](https://docs.microsoft.com/en-us/sql/ssms/scripting/sqlcmd-use-the-utility).

#### MySQL

Use the MySQL client on Linux or Windows.

Install it if needed using this [guide](https://dev.mysql.com/doc/mysql-getting-started/en/#mysql-getting-started-installing).

{% code title="Linux - MySQL" %}

```bash
impale7@htb[/htb]$ mysql -u username -pPassword123 -h 10.129.20.13

```

{% endcode %}

{% code title="Windows - MySQL" %}

```cmd
C:\htb> mysql.exe -u username -pPassword123 -h 10.129.20.13

```

{% endcode %}

#### GUI application

Native GUI options include [MySQL Workbench](https://dev.mysql.com/downloads/workbench/) and [SQL Server Management Studio or SSMS](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms).

For a cross-platform option, use [dbeaver](https://github.com/dbeaver/dbeaver).

Install it from the `.deb` package downloaded from <https://github.com/dbeaver/dbeaver/releases>:

{% code title="Install dbeaver" %}

```bash
impale7@htb[/htb]$ sudo dpkg -i dbeaver-<version>.deb

```

{% endcode %}

Run it with:

{% code title="Run dbeaver" %}

```bash
impale7@htb[/htb]$ dbeaver &

```

{% endcode %}

To connect, you usually need:

* valid credentials
* the target IP and port
* the database engine

#### Video - Connecting to MSSQL DB using dbeaver

Click on the image below for a short video demonstration of connecting to an MSSQL database using `dbeaver`.

[![SQL Server connection settings with host, database, and user details.](https://cdn.services-k8s.prod.aws.htb.systems/content/modules/116/ConnectToMSSQL.jpg)](https://www.youtube.com/watch?v=gU6iQP5rFMw)

#### Video - Connecting to MySQL DB using dbeaver

Click on the image below for a short video demonstration of connecting to a MySQL database using `dbeaver`.

[![MySQL connection settings with host, port, and user details.](https://cdn.services-k8s.prod.aws.htb.systems/content/modules/116/ConnectToMYSQL.jpg)](https://www.youtube.com/watch?v=PeuWmz8S6G8)

Once connected, enumerate:

* databases
* tables
* users
* password material
* command execution options

You can use common [Transact-SQL statements](https://docs.microsoft.com/en-us/sql/t-sql/statements/statements?view=sql-server-ver15) to start that process.

### Tools to know

Learn the default clients first. Then layer faster tools on top.

**Tools to Interact with Common Services**

| **SMB**                                                                                  | **FTP**                                     | **Email**                                          | **Databases**                                                                                                                |
| ---------------------------------------------------------------------------------------- | ------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| [smbclient](https://www.samba.org/samba/docs/current/man-html/smbclient.1.html)          | [ftp](https://linux.die.net/man/1/ftp)      | [Thunderbird](https://www.thunderbird.net/en-US/)  | [mssql-cli](https://github.com/dbcli/mssql-cli)                                                                              |
| [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)                              | [lftp](https://lftp.yar.ru/)                | [Claws](https://www.claws-mail.org/)               | [mycli](https://github.com/dbcli/mycli)                                                                                      |
| [SMBMap](https://github.com/ShawnDEvans/smbmap)                                          | [ncftp](https://www.ncftp.com/)             | [Geary](https://wiki.gnome.org/Apps/Geary)         | [mssqlclient.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py)                             |
| [Impacket](https://github.com/SecureAuthCorp/impacket)                                   | [filezilla](https://filezilla-project.org/) | [MailSpring](https://getmailspring.com/)           | [dbeaver](https://github.com/dbeaver/dbeaver)                                                                                |
| [psexec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py)   | [crossftp](http://www.crossftp.com/)        | [mutt](http://www.mutt.org/)                       | [MySQL Workbench](https://dev.mysql.com/downloads/workbench/)                                                                |
| [smbexec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py) |                                             | [mailutils](https://mailutils.org/)                | [SQL Server Management Studio or SSMS](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms) |
|                                                                                          |                                             | [sendEmail](https://github.com/mogaal/sendemail)   |                                                                                                                              |
|                                                                                          |                                             | [swaks](http://www.jetmore.org/john/code/swaks/)   |                                                                                                                              |
|                                                                                          |                                             | [sendmail](https://en.wikipedia.org/wiki/Sendmail) |                                                                                                                              |

***

### General troubleshooting

If access fails, check the basics first:

* Authentication
* Privileges
* Network Connection
* Firewall Rules
* Protocol Support

When a service returns an error, use the exact error text. That usually gets you to the fix faster than guessing.

