Other access methods

To learn more about how the system works, and possibly other vectors of exploits, I decided to further explore the web application.

Brute forcing SSH password

As we have seen previously, there are 2 users that stands out in the /etc/passwd file: joshua and charles. I attempted a password brute force attack on their SSH login with the wordlist from Metasploit /usr/share/wordlists/metasploit/unix_passwords.txt :

$ hydra -l joshua -P <wordlist> -t 6 ssh://<host>
$ hydra -l charles -P <wordlist> -t 6 ssh://<host>

I found the password 123456 for both usernames joshua and charles. We can now SSH with the usernames and gain a remote shell:

$ ssh <user>@<host>

PreviousFurther learning NextGaining remote shell with LFI2RCE

Last updated 6 months ago

hashtagBrute forcing SSH password

Brute forcing SSH password