SSH
The user, mark, is found to be a system user within the Docker container and suspected to be a valid user in the host system.
Since the target system has an SSH server open, I will attempt to authenticate to it:
┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sshpass -p '2020bestyearofmylife' ssh mark@$IP
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-177-generic x86_64)
* documentation: https://help.ubuntu.com
* management: https://landscape.canonical.com
* support: https://ubuntu.com/advantage
system information as of tue jun 20 06:11:59 UTC 2023
system load: 1.54
usage of /: 60.2% of 11.75GB
memory usage: 51%
swap usage: 0%
processes: 358
users logged in: 0
ip address for eth0: 10.10.11.165
ip address for br-3539a4850ffa: 172.20.0.1
ip address for docker0: 172.17.0.1
ip address for br-b3834f770aa3: 172.18.0.1
ip address for br-cc437cf0c6a8: 172.19.0.1
18 updates can be applied immediately.
12 of these updates are standard security updates.
to see these additional updates run: apt list --upgradable
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
last login: Tue Jun 20 05:25:44 2023 from 10.10.14.7
mark@seventeen:~$ whoami
mark
mark@seventeen:~$ hostname
seventeen
mark@seventeen:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:f7:8e brd ff:ff:ff:ff:ff:ff
inet 10.10.11.165/23 brd 10.10.11.255 scope global eth0
valid_lft forever preferred_lft forever
3: br-3539a4850ffa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ad:ed:89:94 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.1/16 brd 172.20.255.255 scope global br-3539a4850ffa
valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:70:54:47:3c brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
5: br-b3834f770aa3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:37:9a:86:c3 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-b3834f770aa3
valid_lft forever preferred_lft forever
6: br-cc437cf0c6a8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:1e:d1:50:bc brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-cc437cf0c6a8
valid_lft forever preferred_lft forever
8: veth3ba5125@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether f2:b1:d2:35:69:e4 brd ff:ff:ff:ff:ff:ff link-netnsid 0
10: veth029ff08@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-3539a4850ffa state UP group default
link/ether 32:da:9e:80:f5:5b brd ff:ff:ff:ff:ff:ff link-netnsid 1
12: veth26e4f9a@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 82:69:f7:99:dc:27 brd ff:ff:ff:ff:ff:ff link-netnsid 2
14: veth8c69545@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 7a:43:96:45:5d:56 brd ff:ff:ff:ff:ff:ff link-netnsid 3
16: veth0b6c881@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 92:07:82:b4:22:4a brd ff:ff:ff:ff:ff:ff link-netnsid 4
18: veth4387c3f@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether ea:5b:23:3d:a5:a1 brd ff:ff:ff:ff:ff:ff link-netnsid 5
20: veth9eabe87@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 72:68:13:86:32:55 brd ff:ff:ff:ff:ff:ff link-netnsid 6
22: veth207300e@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 22:38:d3:15:aa:3b brd ff:ff:ff:ff:ff:ff link-netnsid 7
24: veth9a8a4fa@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether f6:44:eb:e1:ce:c6 brd ff:ff:ff:ff:ff:ff link-netnsid 8
26: veth983f638@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 4a:f1:50:33:b2:d9 brd ff:ff:ff:ff:ff:ff link-netnsid 9
28: veth5e6b256@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether ba:66:eb:55:17:b4 brd ff:ff:ff:ff:ff:ff link-netnsid 10
30: veth38f14e2@if29: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether de:e2:71:28:5b:b7 brd ff:ff:ff:ff:ff:ff link-netnsid 11
Password reuse confirmed for the mark user.
Initial foothold established on the target system by making a lateral movement to the mark user via SSH.
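
From the defender's side, a reused credential like this one shows up in the host's sshd log as a successful password (not public key) login from an address outside the management network. The following is an added example, not part of the original notes: the log lines are constructed to mirror the session above, and the trusted network 192.168.50.0/24 and the function name are assumptions.

```python
import ipaddress
import re

# Constructed sample sshd auth.log lines (not from the original page); the
# user name and source address mirror the session shown above.
SAMPLE_LOG = """\
Jun 20 05:25:44 seventeen sshd[2101]: Accepted password for mark from 10.10.14.7 port 50312 ssh2
Jun 20 05:40:02 seventeen sshd[2290]: Failed password for mark from 10.10.14.7 port 50388 ssh2
Jun 20 06:02:10 seventeen sshd[2333]: Accepted publickey for root from 192.168.50.10 port 41000 ssh2: RSA SHA256:EXAMPLE
Jun 20 06:11:59 seventeen sshd[2417]: Accepted password for mark from 10.10.14.7 port 50460 ssh2
Jun 20 06:30:00 seventeen sshd[2502]: Accepted password for mark from 192.168.50.11 port 41022 ssh2
"""

# Assumption: hypothetical management network that admins log in from.
TRUSTED_NETS = ["192.168.50.0/24"]

# Matches sshd's success line and captures the auth method, user and source.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def flag_password_logins(log_text, trusted_nets):
    """Return (user, ip, reason) for each successful password-based SSH login.

    Public key logins and failed attempts are ignored. A password login from
    outside the trusted networks is the pattern a reused credential produces.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m or m["method"] != "password":
            continue
        addr = ipaddress.ip_address(m["ip"])
        if any(addr in n for n in nets):
            reason = "password auth from trusted network"
        else:
            reason = "password auth from untrusted network"
        findings.append((m["user"], m["ip"], reason))
    return findings


if __name__ == "__main__":
    for finding in flag_password_logins(SAMPLE_LOG, TRUSTED_NETS):
        print(*finding, sep="\t")
```

Setting PasswordAuthentication no in sshd_config removes this path entirely, since a password recovered from an application or container is then of no use against the host's SSH service.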