Hey everyone! Today I'm sharing how I solved the Footprinting Lab — Easy on Hack The Box. This lab is all about enumerating services and finding a flag. The scenario says we have an internal DNS server to investigate, and we already have some credentials: ceil:qwer1234. Also, the employees were talking about SSH keys. Let's dive in.

Step 1: Scanning the target

I started with a quick Nmap scan to see what's open.

nmap -sV -sC 10.129.1.87
None
Nmap scan results showing open ports and services

The important open ports were:

  • 22/tcp — SSH
  • 53/tcp — DNS
  • 2121/tcp — FTP
  • … and a few others.

Step 2: Logging into FTP

ftp 10.129.1.87 2121

When asked, I entered:

  • Username: ceil
  • Password: qwer1234
None
Successfully authenticated to the FTP server using Ceil's credentials

And I was in! The FTP server had a home directory with some files. I started looking around.

Step 3: Hunting for SSH keys

I remembered the note about SSH keys. Inside the user's home, I found a hidden .ssh folder. I changed into it and listed the files:

cd .ssh
ls

There it was: id_rsa — the private key for SSH. I downloaded it to my local machine:

get id_rsa

Then I exited FTP and set the right permissions for the key:

chmod 600 id_rsa

Step 4: Connecting via SSH

Now I used the key to log in as ceil:

ssh -i id_rsa ceil@10.129.1.87
None
Initializing SSH connection using the stolen private key
None
Successful shell access as user 'ceil' on NIXEASY

It worked without asking for a password. I was inside the server!

Step 5: Finding the flag

I started searching for the flag file. A simple find command did the trick:

find / -name "flag.txt" 2>/dev/null

It showed the path (something like /home/ceil/flag.txt). I read it:

cat /home/ceil/flag.txt
None

And there it was: HTB{7nrzise7hednrxihskjed7nzrgkweunj47zngrhdbkjhgdfbjkc7hgj}

None

That's it! I hope this writeup helps someone. If you have questions, feel free to ask. Happy hacking!