[infra-2] Obtaining access to the internal mail

Description

Gain access to the email of a company employee and send an email to getmailflag@edu.stf

<aside> 💡

TLDR: My brute force attempts on the mail login page FAILED, but I'll walk you through how to access the internal mail login page

</aside>

Below is the wordlist provided for our use:

Spray.txt

password
anna
dancer
qwerty
12345678
omgpop
peanut
alexander
summer
ricardo

First, to locate the internal mail page, we need to identify our DNS server. Based on our previous reconnaissance, we found bind.edu.stf, which likely indicates it's a DNS server.

BIND (Berkeley Internet Name Domain) is a widely used open-source software suite for DNS that translates human-readable domain names into IP addresses.

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sn 10.124.1.224/27

Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-09-06 12:37 EDT
Nmap scan report for 10.124.1.225
Host is up (0.21s latency).
Nmap scan report for aircraft.edu.stf (10.124.1.231)
Host is up (0.21s latency).
Nmap scan report for calculator.edu.stf (10.124.1.232)
Host is up (0.21s latency).
Nmap scan report for library.edu.stf (10.124.1.233)
Host is up (0.21s latency).
Nmap scan report for wp.edu.stf (10.124.1.234)
Host is up (0.21s latency).
Nmap scan report for www.edu.stf (10.124.1.235)
Host is up (0.21s latency).
Nmap scan report for gallery.edu.stf (10.124.1.236)
Host is up (0.21s latency).
Nmap scan report for utils.edu.stf (10.124.1.237)
Host is up (0.21s latency).
Nmap scan report for shop.edu.stf (10.124.1.238)
Host is up (0.21s latency).
Nmap scan report for tokenizer.edu.stf (10.124.1.239)
Host is up (0.21s latency).
Nmap scan report for bind.edu.stf (10.124.1.240)
Host is up (0.21s latency).
Nmap scan report for smashmusic.edu.stf (10.124.1.241)
Host is up (0.21s latency).
Nmap scan report for test-webserver.edu.stf (10.124.1.242)
Host is up (0.21s latency).
Nmap scan report for vpn.edu.stf (10.124.1.253)
Host is up (0.21s latency).
Nmap done: 32 IP addresses (14 hosts up) scanned in 2.64 seconds

To confirm that it is a DNS server, I ran an nmap scan using this command