
# Footprinting - hard

Use this page to track the hard footprinting lab path.

### Target

* OS: `Linux`
* Difficulty: `Hard`
* Role: `MX` and management server
* Goal: recover the password for user `HTB`

### Attack chain summary

```
Full TCP scan
    → SSH, POP3, IMAP, IMAPS, and POP3S
    → UDP scan reveals SNMP
    → Bruteforce SNMP community string
    → snmpwalk leaks mailbox credentials
    → Log in to IMAP
    → Read inbox
    → Recover SSH private key
    → SSH to the host
    → Enumerate local users and services
    → Pivot to MySQL-related account data
    → Recover HTB password
```

### Key steps

#### 1. Run TCP and UDP scans

```bash
nmap -p- -sV <target_IP>
sudo nmap -sU --top-ports 1000 <target_IP>
```

**Findings**

* The host exposes `22`, `110`, `143`, `993`, and `995`
* The stack points to a Linux mail server
* UDP scanning reveals `SNMP`, which becomes the best next lead

#### 2. Find the SNMP community string

```bash
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt <target_IP>
```

Once you have a valid string, walk the tree:

```bash
snmpwalk -v2c -c <community> <target_IP>
```

**Findings**

* SNMP leaks a credential pair
* The credentials fit the mail services better than SSH
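As an added defender-side example (not from the lab or this page): a small Python audit that parses `snmpwalk`-style output and flags `STRING` values that look like embedded credentials, so an administrator can check what their own agent discloses before anyone else does. The walk output below is constructed, not captured from the lab.

```python
import re

# Constructed sample of "snmpwalk -v2c" output; every value here is made up.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux mail 5.4.0 #1 SMP x86_64"
iso.3.6.1.2.1.1.4.0 = STRING: "ops@example.test"
iso.3.6.1.2.1.1.5.0 = STRING: "mail01"
iso.3.6.1.2.1.1.6.0 = STRING: "mailadmin: p@ssw0rd-placeholder"
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (12345) 0:02:03.45
"""

# One snmpwalk line: <oid> = <TYPE>: <value>
LINE_RE = re.compile(r'^(?P<oid>\S+) = (?P<type>[A-Za-z-]+): (?P<value>.*)$')

# Heuristics for secrets stuffed into free-text MIB fields (sysContact, sysLocation, ...):
# explicit credential keywords, or a "name: value" / "name=value" pair.
SECRET_PATTERNS = [
    re.compile(r'\b(pass(word|wd)?|pwd|secret|token)\b', re.I),
    re.compile(r'^"?[\w.-]+\s*[:=]\s*\S{6,}"?$'),
]


def parse_walk(text):
    """Return (oid, type, raw_value) tuples for every well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group('oid'), m.group('type'), m.group('value')))
    return rows


def find_leaks(text):
    """Return (oid, value) for STRING objects whose value looks like a credential."""
    leaks = []
    for oid, typ, value in parse_walk(text):
        if typ != 'STRING':
            continue  # counters, ticks and OIDs cannot carry free text
        if any(p.search(value) for p in SECRET_PATTERNS):
            leaks.append((oid, value.strip('"')))
    return leaks


if __name__ == '__main__':
    for oid, value in find_leaks(SAMPLE_WALK):
        print(f'possible credential in {oid}: {value}')
```

Run it against a real walk of your own agent (`snmpwalk ... > walk.txt`) by feeding the file contents to `find_leaks`; any hit is a field to scrub and a reason to restrict the community string and the hosts allowed to query it.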

#### 3. Reuse the creds on IMAP

```bash
openssl s_client -connect <target_IP>:imaps
```

Or use an IMAP client with the recovered username and password.

**Findings**

* IMAP login succeeds
* The inbox contains an SSH private key
* The key gives a stronger access path than mail alone

#### 4. Reuse the key over SSH

```bash
chmod 600 id_rsa
ssh -i id_rsa <user>@<target_IP>
```

**Findings**

* SSH access succeeds
* Basic local enumeration does not expose the target password immediately
* `/etc/passwd` reveals a `mysql` user, which points to the next lead

#### 5. Pivot to local account backup data

**Findings**

* The server stores internal account data
* The MySQL path is the key lead after SSH access
* Querying or reading the relevant account data reveals the `HTB` password

### Why this worked

* TCP-only scans missed the real entry point
* SNMP exposed credentials that should never be public
* Mailbox contents exposed an SSH private key
* SSH access allowed local enumeration of stored account data

### Takeaways

* Add UDP scans when TCP results stall
* Treat SNMP as high-value early recon
* Check mailboxes for attached keys, creds, and internal notes
* Reuse every credential across mail, SSH, and database access
