InfoSec LAB

BitForge_Lateral_Movement_jack

Created: 2 min read

jack

A CLEARTEXT credential of the jack user was captured by PSPY. While the credential is valid for the target MySQL instance, there might be password reuse

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bitforge]
└─$ ssh jack@bitforge.lab
The authenticity of host 'bitforge.lab (192.168.196.186)' can't be established.
ED25519 key fingerprint is SHA256:GYats4sApIm2CiXiv6CqklOr+LDIDCrer/01h6J9yFg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bitforge.lab' (ED25519) to the list of known hosts.
jack@bitforge.lab's password: 
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-51-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
 
 System information as of Sat Apr 12 05:08:05 PM UTC 2025
 
  System load:  0.0               Processes:               170
  Usage of /:   63.8% of 9.75GB   Users logged in:         0
  Memory usage: 53%               IPv4 address for ens192: 192.168.196.186
  Swap usage:   0%
 
 
Expanded Security Maintenance for Applications is not enabled.
 
244 updates can be applied immediately.
96 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
 
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
 
 
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
jack@BitForge:~$ whoami
jack
jack@BitForge:~$ hostname
BitForge
jack@BitForge:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:5a:98 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.196.186/24 brd 192.168.196.255 scope global ens192
       valid_lft forever preferred_lft forever

Password reuse confirmed Lateral Movement made to the jack user via SSH

Interactive Graph View

Backlinks