Matt
An SSH backup file present in the target system appeared to belong to the Matt user.
While the encrypted RSA key was indeed password-protected, it could easily be cracked due to a weak password being used.
Now that the decrypted SSH key is available for use
SSH Fail
┌──(kali㉿kali)-[~/archive/htb/labs/postman]
└─$ ssh Matt@$IP -i ssh_backup/id_rsa
Connection closed by 10.10.10.160 port 22
Attempting to authenticate to the target system as the Matt user via SSH fails.
redis@Postman:/opt$ cat /etc/ssh/sshd_config | grep -v '^#'
[...REDACTED...]
DenyUsers Matt
[...REDACTED...]
Looking into the sshd configuration file reveals the reason.
It's because the Matt user is on the blacklist (the DenyUsers directive), and this was already enumerated by PEAS earlier.
I just didn't pay enough attention.
It is possible that the password might be reused to encrypt the SSH key of the Matt user.
In that case, computer2008 is the password of the Matt user.
Password Reuse
redis@postman:~$ su Matt
password: computer2008
matt@postman:/var/lib/redis$ whoami
Matt
matt@postman:/var/lib/redis$ hostname
Postman
matt@postman:/var/lib/redis$ ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.160 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 dead:beef::250:56ff:feb9:6363 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:6363 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:63:63 txqueuelen 1000 (Ethernet)
RX packets 12406 bytes 4877206 (4.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13928 bytes 10544970 (10.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 base 0x2000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 19122 bytes 1358182 (1.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19122 bytes 1358182 (1.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Testing for password reuse confirms that computer2008 is the password of the Matt user.
Lateral movement to the Matt user was made via password reuse.
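The gap shown above is that DenyUsers only blocks SSH logins, while the account still accepts its password locally through su. The following audit check is an added example, not part of the original write-up; the sshd_config and shadow contents are constructed samples with placeholder hashes, and the function names are hypothetical.

```python
import fnmatch

# Constructed sample inputs; hashes are placeholders, not real values.
SSHD_CONFIG = """\
# constructed sshd_config excerpt
PermitRootLogin no
DenyUsers Matt backup*
"""
SHADOW = """\
root:$6$placeholder$placeholder:18000:0:99999:7:::
Matt:$6$placeholder$placeholder:18000:0:99999:7:::
backupsvc:!:18000:0:99999:7:::
redis:*:18000:0:99999:7:::
"""

def deny_patterns(config_text):
    """Return user patterns from global DenyUsers lines.

    Assumption: Match blocks and Include files are not evaluated;
    parsing stops at the first Match keyword.
    """
    patterns = []
    for line in config_text.splitlines():
        fields = line.strip().replace("=", " ", 1).split()
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].lower()  # sshd keywords are case-insensitive
        if keyword == "match":
            break
        if keyword == "denyusers":
            # USER@HOST entries: keep only the user part for this audit.
            patterns += [f.split("@", 1)[0] for f in fields[1:]]
    return patterns

def has_usable_password(shadow_field):
    """A field starting with '!' or '*' cannot be matched by any password."""
    return not shadow_field.startswith(("!", "*"))

def ssh_denied_but_su_reachable(config_text, shadow_text):
    """Accounts blocked from SSH that still accept a password locally (su, login)."""
    patterns = deny_patterns(config_text)
    findings = []
    for entry in shadow_text.splitlines():
        if ":" not in entry:
            continue
        user, field = entry.split(":")[:2]
        # User names are compared case-sensitively, hence fnmatchcase.
        if any(fnmatch.fnmatchcase(user, p) for p in patterns) and has_usable_password(field):
            findings.append(user)
    return findings
```

Accounts it reports should have their passwords locked or rotated, since the SSH deny rule alone does not stop a local service account from switching to them.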