InfoSec LAB

b3dr0ck_Lateral_Movement

Created: 1 min read

fred

Locating the application root revealed the hard-coded credential of the fred user, double-encoded in base64 format The decoded value is YabbaDabbaD0000!

┌──(kali㉿kali)-[~/archive/thm/b3dr0ck]
└─$ ssh fred@$IP                                                         
fred@10.10.99.145's password: YabbaDabbaD0000!
fred@b3dr0ck:~$ whoami
fred
fred@b3dr0ck:~$ hostname
b3dr0ck
fred@b3dr0ck:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:34:2b:d3:fb:8f brd ff:ff:ff:ff:ff:ff
    inet 10.10.99.145/16 brd 10.10.255.255 scope global dynamic eth0
       valid_lft 3184sec preferred_lft 3184sec
    inet6 fe80::34:2bff:fed3:fb8f/64 scope link 
       valid_lft forever preferred_lft forever

Lateral Movement made to the fred user via SSH

Interactive Graph View

Backlinks