
Devon Argent

Day 27: Lateral Movement Strategy — Why Credentials Trump Pivoting 🕵️‍♂️

🛠️ The "Script-to-Root" Pipeline

I started the day by exploiting a common misconfiguration: a Python backup script owned by root but world-writable (mode 777), and runnable through sudo.

  • The Vulnerability: sudo -l revealed that the user could run /usr/bin/python3 /opt/backup.py as root with no password, and the script itself was writable by anyone.
  • The Exploit: Overwrite the script with a one-liner that spawns a shell: echo 'import os; os.system("/bin/bash")' > /opt/backup.py
  • The Result: Executing the sudo command ran the overwritten script as root and spawned a root shell.
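As an added defensive check (my own example, not part of the original post): a small audit that takes sudo -l style rules and flags any script path a non-root user could rewrite, the exact weakness above. It generalises slightly beyond the 777 case to group-writable scripts and to scripts sitting in directories others can write to; the sudo rules, file names and modes in the demo are constructed.

```python
"""Audit sudo rules for script arguments that a non-owner could rewrite
(the world-writable /opt/backup.py case, generalised to group-writable
scripts and to scripts whose directory lets others replace them)."""
import os
import stat
import tempfile
from typing import List, Tuple


def parse_sudo_rule(rule: str) -> List[str]:
    """Pull the absolute paths out of one 'sudo -l' command line, e.g.
    '(root) NOPASSWD: /usr/bin/python3 /opt/backup.py'
    -> ['/usr/bin/python3', '/opt/backup.py'].  The '(user) TAG:' prefix is dropped."""
    spec = rule.split(":", 1)[1] if ":" in rule else rule
    return [tok for tok in spec.split() if tok.startswith("/")]


def replaceable_by_others(path: str) -> bool:
    """True when someone other than the owner can change what sudo will run:
    the file is group/world-writable, or its directory is world-writable
    without the sticky bit (so the file can be renamed away and replaced)."""
    file_mode = os.stat(path).st_mode
    if file_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    dir_mode = os.stat(os.path.dirname(path) or "/").st_mode
    return bool(dir_mode & stat.S_IWOTH) and not (dir_mode & stat.S_ISVTX)


def audit_sudo_rules(rules: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, path) pairs for every path in a rule that fails the check.
    Paths that do not exist on this host are skipped."""
    return [(rule, p) for rule in rules for p in parse_sudo_rule(rule)
            if os.path.exists(p) and replaceable_by_others(p)]


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario (not a real host): a 777 backup script beside a
    0755 one, both allowed via NOPASSWD sudo.  Only the 777 script is flagged."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)                       # the directory is not the weak point here
    bad, good = os.path.join(d, "backup.py"), os.path.join(d, "rotate.py")
    for p, mode in ((bad, 0o777), (good, 0o755)):
        with open(p, "w") as fh:
            fh.write("print('backing up')\n")
        os.chmod(p, mode)
    rules = [f"(root) NOPASSWD: /usr/bin/python3 {bad}",
             f"(root) NOPASSWD: /usr/bin/python3 {good}"]
    return audit_sudo_rules(rules)


if __name__ == "__main__":
    for rule, path in demo():
        print(f"FINDING: {path} is writable by non-owners; rule: {rule}")
```

On a real host, feed it the lines from `sudo -l` (or the parsed sudoers file) and treat every finding as root-equivalent access for whoever can write that path.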

🔓 Lateral Movement: The Hierarchy of Access

Once I achieved root, the focus shifted to the internal network (192.168.1.0/24). I had to choose between going after a database host (port 3306) or an SSH target (port 22).

1. Credential Prioritization

I found database credentials in a config file: appuser:AppPass123.

  • Common Mistake: Trying to use these credentials for SSH.
  • Correct Move: Use them against the database to harvest more user information, then look for system-level passwords that will work for SSH.

2. To Pivot or Not to Pivot?

Many beginners jump straight to tunnelling tools such as chisel or ssh -D (a SOCKS proxy). I learned to ask three questions first:

  1. Do I have a username/password? -> Try direct SSH.
  2. Do I have an SSH Key? -> Use it immediately.
  3. Is the port reachable? -> If YES, connect directly. If NO, then pivot.

Follow my journey: #1HourADayJourney
