paul
Earlier, I was able to learn that CuteNews stores user data in a bunch of serialized PHP objects. I then managed to deserialize those user data and extract a few password hashes. One of the password hashes that I cracked belongs to the paul user.
Here, I will be testing password reuse
┌──(kali㉿kali)-[~/archive/htb/labs/passage]
└─$ sshpass -p atlanta1 ssh paul@$IP
paul@10.10.10.206: Permission denied (publickey).
www-data@passage:/var/www/html/CuteNews/cdata/users$ su
password: atlanta1
paul@passage:/var/www/html/CuteNews/cdata/users$ whoami
paul
paul@passage:/var/www/html/CuteNews/cdata/users$ hostname
passage
paul@passage:/var/www/html/CuteNews/cdata/users$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:04:69 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.206/24 brd 10.10.10.255 scope global ens160
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:469/64 scope global mngtmpaddr dynamic
valid_lft 86399sec preferred_lft 14399sec
inet6 fe80::250:56ff:feb9:469/64 scope link
valid_lft forever preferred_lft foreverWhile the paul user was denied for SSH access to the target system, I was able to change to the paul user from the existing session
Password reuse confirmed
Lateral Movement made to the paul user