In this phase of the engagement, a third internal server was assessed that serves as both a mail exchange (MX) and management server within Inlanefreight Ltd’s internal network. Due to its role in handling internal communications and account management, this system represents a high-value target.
This lab focuses on identifying information exposure and misconfigurations through controlled footprinting and enumeration.
The scope of this lab is limited to the third internal server, which functions as an MX and backup management system for internal domain accounts. The objective is to enumerate the server using non-intrusive techniques and obtain the credentials for the user account HTB as proof of successful assessment.
All testing was conducted using production-safe enumeration methods only.
Nmap Results:
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2026-01-20 18:13 CST
Nmap scan report for 10.129.88.39
Host is up (0.0096s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
110/tcp open pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: SASL(PLAIN) TOP UIDL USER RESP-CODES CAPA AUTH-RESP-CODE PIPELINING STLS
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: IDLE OK LOGIN-REFERRALS SASL-IR LITERAL+ ID listed more AUTH=PLAINA0001 ENABLE have IMAP4rev1 capabilities post-login Pre-login STARTTLS
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: IDLE OK LOGIN-REFERRALS SASL-IR LITERAL+ ID listed AUTH=PLAINA0001 ENABLE more IMAP4rev1 capabilities have Pre-login post-login
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: UIDL TOP SASL(PLAIN) RESP-CODES CAPA AUTH-RESP-CODE PIPELINING USER
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=NIXHARD
| Subject Alternative Name: DNS:NIXHARD
| Not valid before: 2021-11-10T01:30:25
|_Not valid after: 2031-11-08T01:30:25
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 22.09 seconds
After scanning the target IP, I notice ports 22, 110, 143, 993, and 995 corresponding to ssh, pop3, imap, imaps, and pop3s.
Since we have a few sets of credentials, I firs attempted to login with the credentials.