Pivoting

For this lab, I had access to a machine with a public facing IP address and I knew that it was able to connect to another network using IPSec.


The first job was to scan the machine which had a public IP address:



I could see that ports 139 and 445 were open. Port 139 uses NetBIOS over a TCP connection. NetBIOS allows machines to communicate with each other and share resources on a Local Area Network. It can also be used with the Service Message Block protocol and a TCP/IP stack to facilitate remote sharing of resources over the internet. Port 445 is used by SMB on its own in order to share resources. SMB has a number of security vulnerabilities, so I decided to take a closer look using nmblookup



The -A flag shows us the NetBIOS names in the name table. NetBIOS names refer to resources and are made up of 16 bytes. The first 15 bytes can be specified by the user (15 characters) while the last one is reserved as a hexadecimal (00 to FF) byte to specify what type of resource it is. The interesting resource type in the screenshot above is the one listed as 20 as 20 indicates a server service. This meant that the machine @ 10.130.40.70 was serving resources. I therefore decided to try to list the shares using smbclient with -N for no password.



Even though an anonymous login was allowed, I did not have permission to view any data, so I moved to msfconsole to use a module which brute forces account details for smb.



As well as the usual RHOSTS parameter, we also need to specify a path to a username file and a password file.



This module found test:12345 but this was not listed as an admin account.



It went on to find administrator:password and this was listed as an admin account!



I used an nmap script to enumerate the SMB shares further, but this was not really a necessary step.



I now tried to connect once more using smbclient with the discovered username and password. This time I was able to view the shares but not access them.



The next step was to attempt to gain a meterpreter shell using the /smb/psexec module in msfconsole. The username and password I discovered earlier were set as the SMBUSER and SMBPASS parameters along with the usual RHOSTS, LHOST and LPORT.




This successfully established a reverse meterpreter shell! The next step was to attempt to use the compromised machine to pivot onto the network which it was using IPSec to connect to. This network was unreachable from the public internet, so it would be great if this pivoting attempt could work.


I used meterpreter's autoroute module. I did not specify the netmask as it was /24 which is a default as far as I know. If it had been using a different subnet mask, I could have specified it with NETMASK=x.x.x.x where x.x.x.x would have been the netmask in decimal notation



I then used background on the session and ran msfconsole's portscan/tcp module against the network I had just pivoted to. This scan discovered a machine with ports 139 and 445 open which was unreachable from the public internet!





My next job was to get access to the resources being shared by the machine @ 170.30.111.10 so I went back into the meterpreter session. I opened a regular shell and checked the user ID.



I needed to be a different user so I used ctrl + z to background the channel before launching the incognito extension. From here, I listed the tokens I could use and then I impersonated eLS-Win7\Administrator. I had to escape the \







I was now able to use net view to see the shares @ 172.30.111.10 and then net use to map one of them to a drive. Again, I had to escape the first \





Finally, I had a look at the Confidential.txt file and then downloaded the shared directory to my local machine. This concluded a compromise of a machine on a network which was not accessible directly from the public internet. This lab proved to me the importance of pivoting and further enumerating newly discovered networks.









Popular posts from this blog

Hacking Reset (thm)

Image
  NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to  my github - my reset writeup can be found here     Reset is a fun active directory based box on thm   We start with an nmap scan which shows us that the target machine is probably a domain controller as it has port 88 open. Domain controllers typically have this port open since they are involved in kerberos based authentication. We also find some useful data regarding the domain and machine we are attacking. In addition, we find port 5985 is open - this is of interest as it is a port which is used by winrm which in turn is a service which could potentially give us a remote session on the target machine if we find valid credentials.    Since smb is being used, we start our enumeration of the haystack machine by taking a look at it - can we get a null session and thereby enumerate useful data? We find that we can. The IPC$ share has read access to non-authentica...
Read more

Hacking Year of the Owl (thm)

Image
NOTE: I am currently migrating my writeups and cybersecurity notes to  my github This writeup can be found in a new and shiny form at puzz00 year of the owl writeup  --- The Year of the Owl is a machine by MuirlandOracle on tryhackme   We start by using nmap to scan the TCP ports. The results show us that this appears to be a windows machine because we see netbios on port 139, SMB on 445 and winrm on its default port of 5985. We take a closer look but don't find much of interest. Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either. Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords. We can try common UDP ports using nmap. The results come back in the open|filtered state which is not very useful. We do not know if the ports are open or if the UDP datagrams are bei...
Read more

Simple CTF (tryhackme)

Image
  I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3 and the -p- flag specifies all ports to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them. It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more. The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password ftp -p 10.10.179.144 The connection was successful, but I could not get any listing of the directories or files using ls so I turned my attention to port 80 by navigating to the home page in my browser. I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do. The /simple directory stood out as interesting, so I na...
Read more