InfoSec LAB

Doctor_Lateral_Movement_shaun

Created: 1 min read

shaun

There was an Apache2 log that recorded a POST request containing a potential password. While I found it strange that someone put a password into the email field, I will still test it for password reuse against the system users

web@doctor:/var/log$ su shaun
password: Guitar123
 
shaun@doctor:/var/log$
shaun@doctor:/var/log$ id
uid=1002(shaun) gid=1002(shaun) groups=1002(shaun)

Password reuse confirmed It belongs to the shaun user

shaun@doctor:~/.ssh$ whoami 
shaun
shaun@doctor:~/.ssh$ hostname 
doctor
shaun@doctor:~/.ssh$ ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:eb:28 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.209/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:eb28/64 scope global dynamic mngtmpaddr 
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::250:56ff:feb9:eb28/64 scope link 
       valid_lft forever preferred_lft forever

Lateral Movement made to the shaun user

Interactive Graph View

Backlinks