
Thursday, April 7, 2011

Step 3 - Enumeration continued

I didn't know you had to do this manually, but Nikto wouldn't scan the users' directories on its own; I had to specify this using the -r switch.

Nothing too interesting right there, let's move on to the next user.

Look at that! Pirrip has the .ssh directory available. Let's browse to it and see what's there.

Wow, we can download the user's private and public keys. Remember our Nmap results from earlier? The server is running OpenSSH, which uses RSA for cryptography. RSA uses two keys, a public key and a private key. If an attacker gets hold of your private key it is very, very bad: they can assume your identity and log in without needing to supply your password. Let's grab those RSA keys.

I downloaded both keys and put them in my ~/.ssh directory. We need to chmod the files so they have the correct permissions.

Now let's try to log in using pirrip's keys.

Step 3 - Enumeration

Now that we know there are some web servers and other services running, let's see what we can find out about them.

We can use wget to download that page to our box so we can extract some of those email addresses.

Let's cut that file so we only show user IDs.

Great! Now we have user IDs we can test with. I also ran Nikto against this host to see what we could find out.

Nikto shows that this server might be susceptible to directory indexing. I used DirBuster to see what I could find out.

DirBuster didn't return anything interesting when I scanned the .100 target, but look what it showed on the .101 box.

It looks like the user ID list we made earlier wasn't entirely accurate. I edited it down to only include the names found in the DirBuster report: pirrip, havisham, magwitch.

I tried browsing the ~pirrip directory on the web server, but there were no files found.
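From the defender's side, both things this walkthrough relies on, DirBuster probing many ~user directories and a ~user/.ssh directory being served by the web server, leave a clear trail in the web server's access log. The script below is an added example, not code from the original post: it scans Apache combined-format log lines for both patterns. The log lines, client IPs and timestamps are constructed; only the ~user names are the ones from the DirBuster report above.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines; IPs and timestamps are made up,
# the ~user names are the ones from the DirBuster report in the post.
SAMPLE_LOG = """\
192.168.1.50 - - [07/Apr/2011:10:01:02 -0400] "GET /~admin/ HTTP/1.1" 404 289 "-" "DirBuster-1.0-RC1"
192.168.1.50 - - [07/Apr/2011:10:01:02 -0400] "GET /~test/ HTTP/1.1" 404 289 "-" "DirBuster-1.0-RC1"
192.168.1.50 - - [07/Apr/2011:10:01:03 -0400] "GET /~pirrip/ HTTP/1.1" 200 512 "-" "DirBuster-1.0-RC1"
192.168.1.50 - - [07/Apr/2011:10:01:03 -0400] "GET /~havisham/ HTTP/1.1" 200 431 "-" "DirBuster-1.0-RC1"
192.168.1.50 - - [07/Apr/2011:10:01:04 -0400] "GET /~magwitch/ HTTP/1.1" 200 398 "-" "DirBuster-1.0-RC1"
192.168.1.50 - - [07/Apr/2011:10:02:10 -0400] "GET /~pirrip/.ssh/ HTTP/1.1" 200 640 "-" "Mozilla/5.0"
192.168.1.50 - - [07/Apr/2011:10:02:15 -0400] "GET /~pirrip/.ssh/id_rsa HTTP/1.1" 200 1675 "-" "Mozilla/5.0"
10.0.0.7 - - [07/Apr/2011:10:05:00 -0400] "GET /~pirrip/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, request path and status code from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Apache UserDir paths look like /~user/...
USERDIR_RE = re.compile(r'^/~(?P<user>[^/]+)')
# SSH material that should never be reachable through the web server.
SENSITIVE_RE = re.compile(r'/\.ssh(/|$)|/id_(rsa|dsa|ecdsa|ed25519)\b|/authorized_keys\b')


def analyze(lines, enum_threshold=5):
    """Return sensitive-path hits and clients that probed many distinct ~user dirs."""
    users_by_ip = defaultdict(set)
    sensitive = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ud = USERDIR_RE.match(m['path'])
        if not ud:
            continue
        users_by_ip[m['ip']].add(ud['user'])
        if SENSITIVE_RE.search(m['path']):
            # status 200 means the file or directory listing was actually served
            sensitive.append((m['ip'], ud['user'], m['path'], int(m['status'])))
    enumerators = {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= enum_threshold}
    return {'sensitive': sensitive, 'enumerators': enumerators}


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG.splitlines())
    for ip, users in result['enumerators'].items():
        print(f'{ip} probed {len(users)} user directories: {", ".join(users)}')
    for ip, user, path, status in result['sensitive']:
        print(f'{"EXPOSED" if status == 200 else "attempt"}: {ip} -> {path} ({status})')
```

A 200 on a .ssh path is the finding that matters most: it means the key material was served, so the key must be treated as compromised and rotated, and UserDir should be configured to exclude dot-directories.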