SSH


I was able to capture the authentication packet to the proxy server made by the tbuckley user. The credential could also be seen through the PSPY process.

Validating the credential against the SSH server

┌──(kali㉿kali)-[~/archive/htb/labs/gofer]
└─$ ssh tbuckley@gofer.htb                          
tbuckley@gofer.htb's password: 
Linux gofer.htb 5.10.0-23-amd64 #1 SMP Debian 5.10.179-2 (2023-07-14) x86_64
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have no mail.
tbuckley@gofer:~$ whoami
tbuckley
tbuckley@gofer:~$ hostname
gofer.htb
tbuckley@gofer:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:0b:c9 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.10.11.225/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever

Credential validated. Lateral movement made to the tbuckley user.