Custom Application


Nmap discovered an unknown service on target port 54321.

┌──(kali㉿kali)-[~/archive/thm/b3dr0ck]
└─$ nc $IP 54321          
a
b

No response

┌──(kali㉿kali)-[~/archive/thm/b3dr0ck]
└─$ socat stdio ssl:10.10.99.145:54321,cert=cert.pub,key=key.pri,verify=0
2024/07/11 15:02:32 socat[190390] W refusing to set empty SNI host name
 
 
 __     __   _     _             _____        _     _             _____        _ 
 \ \   / /  | |   | |           |  __ \      | |   | |           |  __ \      | |
  \ \_/ /_ _| |__ | |__   __ _  | |  | | __ _| |__ | |__   __ _  | |  | | ___ | |
   \   / _` | '_ \| '_ \ / _` | | |  | |/ _` | '_ \| '_ \ / _` | | |  | |/ _ \| |
    | | (_| | |_) | |_) | (_| | | |__| | (_| | |_) | |_) | (_| | | |__| | (_) |_|
    |_|\__,_|_.__/|_.__/ \__,_| |_____/ \__,_|_.__/|_.__/ \__,_| |_____/ \___/(_)
                                                                                 
                                                                                 
 
Welcome: 'Barney Rubble' is authorized.
b3dr0ck> 

Using both the certificate and the private key from the recovery application, I am able to authenticate as the Barney Rubble user. Some kind of shell is open.

b3dr0ck> ls
Unrecognized command: 'ls'
 
This service is for login and password hints

It claims that this service is for login and password hints.

b3dr0ck> login
Login is disabled. Please use SSH instead.

Login is disabled, and SSH is suggested.

b3dr0ck> password
Password hint: d1ad7c0a3805955a35eb260dab4180dd (user = 'Barney Rubble')

d1ad7c0a3805955a35eb260dab4180dd appears to be an MD5 password hash, but it is uncrackable. It might actually be a password for that Barney Rubble user. I will test it on the SSH server.