InfoSec LAB

Poison_SSH

Created: 2 min read

SSH

There was an encoded password, which I decoded. The decoded password is Charix!2#4%6&8(0, which is extremely suggestive as it has a name in it.

The LFI vulnerability at the file parameter at the browse.php file also revealed the list of users within the target system, one of them being charix

The password is highly likely for the charix user.

┌──(kali㉿kali)-[~/archive/htb/labs/poison]
└─$ sshpass -p 'Charix!2#4%6&8(0' ssh charix@$IP
last login: Sat Jan 21 08:28:14 2023 from 10.10.14.10
freebsd 11.1-release (generic) #0 r321309: Fri Jul 21 02:08:28 UTC 2017
 
Welcome to FreeBSD!
 
release notes, errata: https://www.FreeBSD.org/releases/
security advisories:   https://www.FreeBSD.org/security/
freebsd handbook:      https://www.FreeBSD.org/handbook/
freebsd faq:           https://www.FreeBSD.org/faq/
questions list: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
freebsd forums:        https://forums.FreeBSD.org/
 
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
 
show the version of freebsd installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
introduction to manual pages:  man man
freebsd directory layout:      man hier
 
Edit /etc/motd to change this login announcement.
Forget how to spell a word or a variation of a word? Use
 
	look portion_of_word_you_know
		-- Dru <genesis@istar.ca>
charix@poison:~ % whoami
charix
charix@poison:~ % hostname
Poison
charix@poison:~ % ifconfig
le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:50:56:b9:65:58
	hwaddr 00:50:56:b9:65:58
	inet 10.10.10.84 netmask 0xffffff00 broadcast 10.10.10.255 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo

It is for the charix user. Initial Foothold established to the target system via SSH

Interactive Graph View

Backlinks