svc
Testing the Gitea credential against the target SSH server
┌──(kali㉿kali)-[~/archive/htb/labs/busqueda]
└─$ sshpass -p jh1usoih2bkjaspwe92 ssh svc@$IP
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-69-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Nov 27 09:44:37 PM UTC 2023
System load: 0.037109375
Usage of /: 81.5% of 8.26GB
Memory usage: 61%
Swap usage: 9%
Processes: 244
Users logged in: 0
IPv4 address for br-c954bf22b8b2: 172.20.0.1
IPv4 address for br-cbf2c5ce8e95: 172.19.0.1
IPv4 address for br-fba5a3e31476: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.10.11.208
IPv6 address for eth0: dead:beef::250:56ff:feb9:8e12
* Introducing Expanded Security Maintenance for Applications.
Receive updates to over 25,000 software packages with your
Ubuntu Pro subscription. Free for personal use.
https://ubuntu.com/pro
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Apr 4 17:02:09 2023 from 10.10.14.19
svc@busqueda:~$
svc@busqueda:~$ whoami
svc
svc@busqueda:~$ hostname
busqueda
svc@busqueda:~$ ifconfig
br-c954bf22b8b2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.20.0.1 netmask 255.255.0.0 broadcast 172.20.255.255
ether 02:42:3f:f4:e9:05 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br-cbf2c5ce8e95: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.19.0.1 netmask 255.255.0.0 broadcast 172.19.255.255
inet6 fe80::42:b7ff:fe96:fbcb prefixlen 64 scopeid 0x20<link>
ether 02:42:b7:96:fb:cb txqueuelen 0 (Ethernet)
RX packets 6182 bytes 6200301 (6.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6153 bytes 1447710 (1.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br-fba5a3e31476: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
ether 02:42:fe:de:7c:f7 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:95:39:04:f2 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.208 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:8e12 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:8e12 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:8e:12 txqueuelen 1000 (Ethernet)
RX packets 1574024 bytes 254154499 (254.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1932310 bytes 570092465 (570.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 5365400 bytes 566191341 (566.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5365400 bytes 566191341 (566.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth2d5e8ec: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::2cf7:d2ff:fef5:859d prefixlen 64 scopeid 0x20<link>
ether 2e:f7:d2:f5:85:9d txqueuelen 0 (Ethernet)
RX packets 13376 bytes 7403485 (7.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11671 bytes 5638204 (5.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth8104adb: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::50c5:a0ff:fe24:9162 prefixlen 64 scopeid 0x20<link>
ether 82:af:f1:a3:3d:75 txqueuelen 0 (Ethernet)
RX packets 15459 bytes 6120060 (6.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17190 bytes 3050124 (3.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
It turns out the password for the Gitea user, cody, is reused for the system account, svc.
This essentially means that the svc account belongs to the cody user.
sudo
This was rather confusing, as I had already gained the initial foothold as the svc account, yet I was now making a lateral movement to the svc account again.
svc@busqueda:~$ sudo -l
sudo -l
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
This is all down to the context of the current shell: as the error says, sudo needs a terminal to read the password, and this shell has no terminal attached.
svc@busqueda:~$ sudo -l -S 'jh1usoih2bkjaspwe92'
sudo -l -S 'jh1usoih2bkjaspwe92'
[sudo] password for svc: jh1usoih2bkjaspwe92
sudo: jh1usoih2bkjaspwe92: command not found
sudo still misbehaves in the current context: -S reads the password from standard input rather than from an argument, so the quoted password is parsed as the command to run.
svc@busqueda:~$ sudo -l
sudo -l
Matching Defaults entries for svc on busqueda:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User svc may run the following commands on busqueda:
(root) /usr/bin/python3 /opt/scripts/system-checkup.py *
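The rule above is the kind of entry a reviewer should question before it is approved: the command runs as root through an interpreter, and the trailing wildcard lets the calling user decide the arguments. The following audit helper is an added example written for this write-up, not code from the original post or from the Busqueda machine. It parses the commands section of `sudo -l` output (the sample is the output shown above) and reports wildcard arguments, NOPASSWD tags, and interpreter-based commands; the `parse_rules` and `audit` names and the `INTERPRETERS` list are this example's own.

```python
# Added audit helper (not part of the original write-up): parse the rules
# section of `sudo -l` output and flag patterns that deserve review.
import re
import shlex

# Sample input: the `sudo -l` output from the session above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for svc on busqueda:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin,
    use_pty
User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *
"""

# One rule line: "(runas) [TAG: TAG: ...] command [args][, command2 ...]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

# Executables whose effective behaviour is decided by the script they are given.
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "bash", "sh", "node"}


def parse_rules(text):
    """Return one {'runas', 'tags', 'argv'} dict per command in the rules section."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        # Everything before this header is Defaults output, which we skip.
        if re.match(r"^User \S+ may run the following commands", line):
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        # A single line may list several commands separated by commas.
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({
                    "runas": m.group("runas").strip(),
                    "tags": tags,
                    "argv": shlex.split(cmd),
                })
    return rules


def audit(text):
    """Return (command, reason) findings for rules that warrant review."""
    findings = []
    for rule in parse_rules(text):
        cmd = " ".join(rule["argv"])
        exe = rule["argv"][0].rsplit("/", 1)[-1]
        if "NOPASSWD" in rule["tags"]:
            findings.append((cmd, "NOPASSWD: no re-authentication before the privilege change"))
        # sudoers matches the argument string as a whole, so a '*' spans
        # any number of words: the caller controls everything it covers.
        if any(ch in arg for arg in rule["argv"][1:] for ch in "*?["):
            findings.append((cmd, "wildcard argument: the caller controls every "
                                  "argument the glob covers, including extra ones"))
        if exe in INTERPRETERS:
            findings.append((cmd, f"interpreter as the command: what runs as {rule['runas']} "
                                  "is decided by the script file and its imports, so review "
                                  "their ownership and permissions as well"))
    return findings


if __name__ == "__main__":
    for cmd, reason in audit(SAMPLE_SUDO_L):
        print(f"{cmd}\n    -> {reason}")
```

Run against the sample it reports two findings for the single rule: the wildcard and the interpreter. Feeding it the output of `sudo -l` on other hosts gives a quick first pass; it does not replace reading the referenced script, since the script's own argument handling and file permissions decide what the rule really grants.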