SSH
The Docker container that I found myself in after exploiting the target Bolt CMS instance turned out to have SSH installed within the container. This is rather an unusual find as it would be unnecessary to have SSH inside a Docker container in the first place.
Nevertheless, I will be testing those 3 credentials that I found earlier from the jamobi instance against the host’s SSH server
www-data@2f9b5795d152:/var/www/talkative.htb/bolt/public$ ssh saul@172.17.0.1
The authenticity of host '172.17.0.1 (172.17.0.1)' can't be established.
ecdsa key fingerprint is sha256:kUPIZ6IPcxq7Mei4nUzQI3JakxPUtkTlEejtabx4wnY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/var/www/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
saul@172.17.0.1's password: bZ89h}V<S_DA
Permission denied, please try again.
saul@172.17.0.1's password: )SQWGm>9KHEA
Permission denied, please try again.
saul@172.17.0.1's password: jeO09ufhWD<s
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-81-generic x86_64)
* documentation: https://help.ubuntu.com
* management: https://landscape.canonical.com
* support: https://ubuntu.com/advantage
system information as of thu 08 jun 2023 04:12:23 PM UTC
system load: 0.1
usage of /: 73.1% of 8.80GB
memory usage: 69%
swap usage: 30%
processes: 375
users logged in: 0
ipv4 address for br-ea74c394a147: 172.18.0.1
ipv4 address for docker0: 172.17.0.1
ipv4 address for eth0: 10.10.11.155
ipv6 address for eth0: dead:beef::250:56ff:feb9:6b83
18 updates can be applied immediately.
8 of these updates are standard security updates.
to see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
to check for new updates run: sudo apt update
saul@talkative:~$ whoami whoami
saul
saul@talkative:~$ hostname hostname
talkative
saul@talkative:~$ ifconfig ifconfig
br-ea74c394a147: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
inet6 fe80::42:64ff:fe90:d8e3 prefixlen 64 scopeid 0x20<link>
ether 02:42:64:90:d8:e3 txqueuelen 0 (Ethernet)
RX packets 6630 bytes 20212234 (20.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 12315 bytes 916414 (916.4 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:a2ff:feea:560d prefixlen 64 scopeid 0x20<link>
ether 02:42:a2:ea:56:0d txqueuelen 0 (Ethernet)
RX packets 8317 bytes 9128762 (9.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7787 bytes 850379 (850.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.155 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:6b83 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:6b83 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:6b:83 txqueuelen 1000 (Ethernet)
RX packets 21540 bytes 1875477 (1.8 MB)
RX errors 0 dropped 126 overruns 0 frame 0
TX packets 20210 bytes 26276421 (26.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 19276 bytes 1517298 (1.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19276 bytes 1517298 (1.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth0280656: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::7c54:8bff:fe66:47d8 prefixlen 64 scopeid 0x20<link>
ether 7e:54:8b:66:47:d8 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 28 bytes 2021 (2.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth3786957: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::6cb1:45ff:fe2d:6546 prefixlen 64 scopeid 0x20<link>
ether 6e:b1:45:2d:65:46 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 1909 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth19c62f9: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::64b6:26ff:fede:d61f prefixlen 64 scopeid 0x20<link>
ether 66:b6:26:de:d6:1f txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 1909 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth33160cf: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::63:eeff:fe4c:7ea3 prefixlen 64 scopeid 0x20<link>
ether 02:63:ee:4c:7e:a3 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 27 bytes 1951 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth54b43b3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::3054:c3ff:fe64:a21d prefixlen 64 scopeid 0x20<link>
ether 32:54:c3:64:a2:1d txqueuelen 0 (Ethernet)
RX packets 141782 bytes 20198530 (20.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 125139 bytes 26563023 (26.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth5a0d258: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::2c21:17ff:feea:f885 prefixlen 64 scopeid 0x20<link>
ether 2e:21:17:ea:f8:85 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 1909 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth7860d21: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::943a:dff:fef0:bbd1 prefixlen 64 scopeid 0x20<link>
ether 96:3a:0d:f0:bb:d1 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 1909 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth8310bba: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::8c49:efff:fec6:3738 prefixlen 64 scopeid 0x20<link>
ether 8e:49:ef:c6:37:38 txqueuelen 0 (Ethernet)
RX packets 2553 bytes 4525318 (4.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2422 bytes 211650 (211.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth9fa8847: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::cc59:20ff:fef8:336c prefixlen 64 scopeid 0x20<link>
ether ce:59:20:f8:33:6c txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 27 bytes 1951 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethb442d3b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::e898:22ff:fe64:4218 prefixlen 64 scopeid 0x20<link>
ether ea:98:22:64:42:18 txqueuelen 0 (Ethernet)
RX packets 123053 bytes 29904757 (29.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 139368 bytes 19464287 (19.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethc422253: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::4cfa:18ff:fe72:315e prefixlen 64 scopeid 0x20<link>
ether 4e:fa:18:72:31:5e txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 27 bytes 1951 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethc863988: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::28f9:c9ff:fe78:90ff prefixlen 64 scopeid 0x20<link>
ether 2a:f9:c9:78:90:ff txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 27 bytes 1951 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethce71688: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::40d3:20ff:fe66:cd97 prefixlen 64 scopeid 0x20<link>
ether 42:d3:20:66:cd:97 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 1909 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethce6908c: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::84c9:17ff:febc:3f9d prefixlen 64 scopeid 0x20<link>
ether 86:c9:17:bc:3f:9d txqueuelen 0 (Ethernet)
RX packets 6630 bytes 20305054 (20.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 12334 bytes 917840 (917.8 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethd846909: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::d028:6bff:fe2a:a762 prefixlen 64 scopeid 0x20<link>
ether d2:28:6b:2a:a7:62 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 1909 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethd461be3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::809c:2fff:fe69:40ce prefixlen 64 scopeid 0x20<link>
ether 82:9c:2f:69:40:ce txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 1909 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethd7f1430: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::f82f:29ff:fe76:8567 prefixlen 64 scopeid 0x20<link>
ether fa:2f:29:76:85:67 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 1909 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethe31f4af: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::fc7c:7eff:fee1:55d4 prefixlen 64 scopeid 0x20<link>
ether fe:7c:7e:e1:55:d4 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 1909 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethff0a19a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::dcf0:1dff:fe0d:1dfb prefixlen 64 scopeid 0x20<link>
ether de:f0:1d:0d:1d:fb txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 27 bytes 1951 (1.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0Initial Foothold established to the target system as the saul user via SSH
I figured that the target host’s IP address would be 172.17.0.1 since that of the current environment is 172.17.0.13
However, it would also work with the IP address of 10.10.11.155