InfoSec LAB

Base_Lateral_Movement

Created: 2 min read

To John

┌──(kali㉿kali)-[~/archive/htb/starting-point/base]
└─$ ssh john@$IP              
The authenticity of host '10.129.95.184 (10.129.95.184)' can't be established.
ed25519 key fingerprint is sha256:k5IdZDsfwGXeUvZjXYi4d9cAO2nJByqN20fOhFdpZTo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
warning: Permanently added '10.129.95.184' (ED25519) to the list of known hosts.
john@10.129.95.184's password: thisisagoodpassword
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-151-generic x86_64)
 
 * documentation:  https://help.ubuntu.com
 * management:     https://landscape.canonical.com
 * support:        https://ubuntu.com/advantage
 
  system information as of fri oct  7 13:43:46 UTC 2022
 
  system load:  1.55              Processes:             120
  usage of /:   67.9% of 2.83GB   Users logged in:       0
  memory usage: 26%               IP address for ens160: 10.129.95.184
  swap usage:   0%
 
  => There are 2 zombie processes.
 
 
10 updates can be applied immediately.
8 of these updates are standard security updates.
to see these additional updates run: apt list --upgradable
 
 
john@base:~$ whoami
john
john@base:~$ id
uid=1000(john) gid=1000(john) groups=1000(john)
john@base:~$ hostname
base
john@base:~$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.95.184  netmask 255.255.0.0  broadcast 10.129.255.255
        inet6 dead:beef::250:56ff:fe96:61b0  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:fe96:61b0  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:96:61:b0  txqueuelen 1000  (Ethernet)
        RX packets 1342596  bytes 238065201 (238.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1280413  bytes 579386957 (579.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 18489  bytes 1589931 (1.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18489  bytes 1589931 (1.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The credential extracted from the web config file was for the john user password re-use case

First thing to check is the current user’s sudo privilege

Interactive Graph View

Backlinks