SSH
After successfully exploiting CVE-2021-43008, the source code of the index.php file in the web root directory of the target system was exfiltrated. A cleartext DB credential was hard-coded in that file, and it was validated against the target SSH server at a later stage.
In the following section, I will make the initial foothold on the target system via SSH using the credential of the waldo user.
┌──(kali㉿kali)-[~/archive/htb/labs/admirer]
└─$ ssh waldo@admirer.htb
The authenticity of host 'admirer.htb (10.10.10.187)' can't be established.
ed25519 key fingerprint is sha256:MfZJmYPldPPosZMdqhpjGPkT2fGNUn2vrEielbbFz/I.
this host key is known by the following other names/addresses:
~/.ssh/known_hosts:16: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
warning: Permanently added 'admirer.htb' (ED25519) to the list of known hosts.
waldo@admirer.htb's password:
Linux admirer 4.9.0-19-amd64 x86_64 GNU/Linux
The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
last login: Thu Aug 24 16:09:42 2023 from 10.10.14.23
waldo@admirer:~$ whoami
waldo
waldo@admirer:~$ hostname
admirer
waldo@admirer:~$ ifconfig
-bash: ifconfig: command not found
waldo@admirer:~$ /sbin/ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.187 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 fe80::250:56ff:feb9:1993 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:1993 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:19:93 txqueuelen 1000 (Ethernet)
RX packets 1919002 bytes 317152855 (302.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1789651 bytes 1003404540 (956.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 7352 bytes 726168 (709.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7352 bytes 726168 (709.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established on the target system as the waldo user via SSH.
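
The foothold above worked because a DB credential hard-coded in a web-root PHP file also belonged to a system account that can log in over SSH. The following audit sketch is an added example, not part of the original writeup: it finds credential-like assignments in PHP source and flags DB usernames that are also interactive login accounts. The PHP snippet, the passwd entries, and all names in them are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the target system).
SAMPLE_PHP = '''<?php
$servername = "localhost";
$username = "appuser";
$password = "EXAMPLE-PLACEHOLDER";
$dbname = "appdb";
$conn = new mysqli($servername, $username, $password, $dbname);
?>'''

SAMPLE_PASSWD = '''root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
appuser:x:1000:1000::/home/appuser:/bin/bash
'''

# PHP assignments of a quoted string literal to a variable.
ASSIGN = re.compile(r'''\$(\w+)\s*=\s*(["'])(.*?)\2\s*;''')
PASS_VARS = re.compile(r'pass|pwd|secret', re.I)
USER_VARS = re.compile(r'user', re.I)
NOLOGIN = ("nologin", "false")  # shells that deny interactive login


def hardcoded_credentials(php_source):
    """Return (usernames, secret variable names); secret values are never returned."""
    users, secrets = [], []
    for name, _quote, value in ASSIGN.findall(php_source):
        if not value:
            continue
        if PASS_VARS.search(name):
            secrets.append(name)
        elif USER_VARS.search(name):
            users.append(value)
    return users, secrets


def login_accounts(passwd_text):
    """Accounts in passwd-format text whose shell allows interactive login."""
    accounts = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(NOLOGIN):
            accounts.add(fields[0])
    return accounts


def audit(php_source, passwd_text):
    """Flag DB usernames in PHP source that are also interactive system accounts."""
    users, secrets = hardcoded_credentials(php_source)
    reuse = sorted(set(users) & login_accounts(passwd_text))
    return {"secret_vars": secrets, "db_users": users, "ssh_reuse_candidates": reuse}
```

Any name in `ssh_reuse_candidates` marks an account whose password should be rotated and kept distinct from the application's DB credential, with the secret moved out of the web root.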