SSH
The CLEARTEXT password for the SNMPv3 authentication turns out to belongs to the james user.
┌──(kali㉿kali)-[~/archive/htb/labs/mentor]
└─$ sshpass -p 'SuperSecurePassword123__' ssh james@$IP
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64)
* documentation: https://help.ubuntu.com
* management: https://landscape.canonical.com
* support: https://ubuntu.com/advantage
system information as of thu dec 28 12:22:14 PM UTC 2023
system load: 0.0830078125
usage of /: 65.3% of 8.09GB
memory usage: 23%
swap usage: 0%
processes: 261
users logged in: 1
ipv4 address for br-028c7a43f929: 172.20.0.1
ipv4 address for br-24ddaa1f3b47: 172.19.0.1
ipv4 address for br-3d63c18e314d: 172.21.0.1
ipv4 address for br-7d5c72654da7: 172.22.0.1
ipv4 address for br-a8a89c3bf6ff: 172.18.0.1
ipv4 address for docker0: 172.17.0.1
ipv4 address for eth0: 10.10.11.193
ipv6 address for eth0: dead:beef::250:56ff:feb9:d25d
0 updates can be applied immediately.
The list of available updates is more than a week old.
to check for new updates run: sudo apt update
failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
james@mentor:~$ whoami
james
james@mentor:~$ hostname
mentor
james@mentor:~$ ifconfig
br-028c7a43f929: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.20.0.1 netmask 255.255.0.0 broadcast 172.20.255.255
ether 02:42:05:24:4c:de txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br-24ddaa1f3b47: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.19.0.1 netmask 255.255.0.0 broadcast 172.19.255.255
ether 02:42:91:6d:19:94 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br-3d63c18e314d: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.21.0.1 netmask 255.255.0.0 broadcast 172.21.255.255
ether 02:42:50:81:fe:3b txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br-7d5c72654da7: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.0.1 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::42:1cff:fefa:2974 prefixlen 64 scopeid 0x20<link>
ether 02:42:1c:fa:29:74 txqueuelen 0 (Ethernet)
RX packets 772672 bytes 64890629 (64.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 698476 bytes 74873509 (74.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br-a8a89c3bf6ff: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
ether 02:42:39:6b:f2:5a txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:11:63:61:ef txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.193 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:d25d prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:d25d prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:d2:5d txqueuelen 1000 (Ethernet)
RX packets 619041 bytes 74767288 (74.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 689671 bytes 70518758 (70.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 5222 bytes 371182 (371.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5222 bytes 371182 (371.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth1fbf3a9: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::e007:5dff:fe58:a035 prefixlen 64 scopeid 0x20<link>
ether e2:07:5d:58:a0:35 txqueuelen 0 (Ethernet)
RX packets 131 bytes 19145 (19.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 200 bytes 17321 (17.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth79ba3f3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::c73:30ff:fe0d:6d10 prefixlen 64 scopeid 0x20<link>
ether 0e:73:30:0d:6d:10 txqueuelen 0 (Ethernet)
RX packets 351 bytes 19888 (19.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 378 bytes 21610 (21.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethda9f088: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::81f:24ff:fe8c:3447 prefixlen 64 scopeid 0x20<link>
ether 0a:1f:24:8c:34:47 txqueuelen 0 (Ethernet)
RX packets 772190 bytes 75669004 (75.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 697974 bytes 74840188 (74.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0Lateral Movement made to the james user via SSH