r.michaels
I discovered that there is another weather application process running on the 127.0.0.1:3001 socket with a different set of configurations. I was able to access the weather application using the credential (password reuse) extracted from the initial web server, and found out that one of the configurations allowed me to access the home directory of the running user, where I found the SSH private key.
┌──(kali㉿kali)-[~/archive/htb/labs/luanne]
└─$ chmod 600 id_rsa.r.michaels
First, I will set the permission bits to 600 so that SSH can read the file as a valid SSH private key
┌──(kali㉿kali)-[~/archive/htb/labs/luanne]
└─$ ssh r.michaels@$IP -i id_rsa.r.michaels
last login: Fri Sep 18 07:06:51 2020
netbsd 9.0 (generic) #0: Fri Feb 14 00:06:28 UTC 2020
Welcome to NetBSD!
luanne$ whoami
r.michaels
luanne$ hostname
luanne.htb
luanne$ /sbin/ifconfig
vmx0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
capabilities=7fd80<TSO4,IP4CSUM_Rx,TCP4CSUM_Rx,TCP4CSUM_Tx>
capabilities=7fd80<UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx,TCP6CSUM_Tx>
capabilities=7fd80<UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
enabled=0
ec_capabilities=7<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
ec_enabled=2<VLAN_HWTAGGING>
address: 00:50:56:b9:f2:06
media: Ethernet autoselect (10Gbase-T)
status: active
inet 10.10.10.218/24 broadcast 10.10.10.255 flags 0x0
inet6 fe80::250:56ff:feb9:f206%vmx0/64 flags 0x0 scopeid 0x1
lo0: flags=0x8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33624
inet 127.0.0.1/8 flags 0x0
inet6 ::1/128 flags 0x20<NODAD>
inet6 fe80::1%lo0/64 flags 0x0 scopeid 0x2
I can then just SSH into the target system
Lateral movement made to the r.michaels user via SSH.