- `nmap` scan against target to determine what service is running on the named port - ssh is runing ![[images/Pasted image 20251130193939.png]] - Try `hydra` with `satwossh` and `2023-200_most_used_passwords.txt` - Hit! ![[images/Pasted image 20251130194033.png]] - ssh into target as `satwoosh` ![[images/Pasted image 20251130194325.png]] - poke around ![[images/Pasted image 20251130194526.png]] - let's grab the `passwords.txt` file and `IncidentReport.txt` with `scp` ![[images/Pasted image 20251130195058.png]] - create username list for Thomas Smith using `username-anarchy` ![[images/Pasted image 20251130195847.png]] - we have 15 permutations ![[images/Pasted image 20251130195924.png]] - this won't work we because there is no access to ftp externally only on `localhost` ![[images/Pasted image 20251130200716.png]] ![[images/Pasted image 20251130200732.png]] - let's create the username list on the target ![[images/Pasted image 20251130201109.png]] ![[images/Pasted image 20251130201023.png]] - try `hydra` with newly created `names.txt` and existing `password.txt` - bingo! ![[images/Pasted image 20251130201342.png]] - ftp into localhost service ![[images/Pasted image 20251130201750.png]]