Basic Network Pivoting

Achmadinata
MII Cyber Security Consulting Services
Oct 13, 2020

Assalamualaikum

Today I want to share the basics of network pivoting (a single pivot) that I learned from an AttackDefense challenge. The source link is here. The challenge is named Pivoting II.

What is network pivoting?

A reference from OffSec: “Pivoting is the unique technique of using an instance (also referred to as a ‘plant’ or ‘foothold’) to be able to move around inside a network. Basically, using the first compromise to allow and even aid in the compromise of other, otherwise inaccessible systems.”

In this pivoting challenge, the network architecture is as shown below:

TARGET A : 192.53.20.3

TARGET B : 192.253.95.3


Note: because this challenge covers basic pivoting, every pivoting step uses easily exploitable machines and a Meterpreter session. It is possible to do the same manually by building your own lab, but that is not discussed in this post. All the machines in this lab scenario are provided by AttackDefense.

As seen above, the targets are on different subnets, so we need to hop between them. To reach Target B we first need to compromise Target A.

Let’s go!

First I check the IP address of the Kali machine we control, which is 192.53.20.2.

The first target machine is assigned 192.53.20.3. Let’s run a quick port scan against it.

The nmap result shows the target is a Linux machine with services running on ports 80 and 3306. Checking the service on port 80 gives us information about the v-cms modules on the target.

At this point we search Metasploit for a v-cms exploit and find one.

Next I use exploit/linux/http/vcms_upload with the payload generic/shell_reverse_tcp.

After running this exploit I get RCE with root privileges, and quickly grab the flag on Target A.

Then I spawn a Meterpreter shell by upgrading the command shell session.

Check the network details of Target A, which are needed for creating the pivot.

Now the plan is to attack the subnet of Target B, which shows up on eth1 as 192.253.95.2/24. Metasploit has a module that lets us attack the second network through the first compromised target; this module is called autoroute. Next, use the autoroute module to set up the pivot.

Next I attack Target B, which has the IP 192.253.95.3. A port scan of Target B shows it has FTP and SSH services. We attack Target B through the compromised Target A.

After some information gathering on Target B: port 21 is running vsftpd, a vulnerable FTP service for which a Metasploit module is available.

Sometimes the exploit fails the first time. In such cases, run it again.

The second flag, on Target B, is obtained. We attacked this machine through the compromised Target A.
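As an added, defender-side example (not part of the original write-up or the challenge), here is how the two traffic shapes this walkthrough produces on Target A can be spotted in connection records: a web/database server that suddenly dials back into the front subnet on a non-service port, and its second interface fanning out across many ports on one back-subnet host. The subnets and addresses are the ones from the write-up; the log lines are constructed, and the port and time thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

FRONT_NET = ip_network("192.53.20.0/24")   # attacker box and Target A eth0
BACK_NET = ip_network("192.253.95.0/24")   # Target A eth1 and Target B
PIVOT_HOSTS = {ip_address("192.53.20.3"), ip_address("192.253.95.2")}  # Target A, both NICs
SERVER_PORTS = {80, 3306}  # what Target A is expected to serve, not to dial

# Constructed sample records, not real logs: "epoch src dst dport"
SAMPLE_CONN_LOG = """\
1602576000 192.53.20.2 192.53.20.3 80
1602576004 192.53.20.3 192.53.20.2 4444
1602576060 192.253.95.2 192.253.95.3 21
1602576060 192.253.95.2 192.253.95.3 22
1602576061 192.253.95.2 192.253.95.3 23
1602576062 192.253.95.2 192.253.95.3 80
1602576062 192.253.95.2 192.253.95.3 443
1602576063 192.253.95.2 192.253.95.3 3306
1602576900 192.53.20.5 192.53.20.3 80
"""

def parse_conn_log(text):
    """Turn 'epoch src dst dport' lines into (ts, src, dst, port) tuples."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            recs.append((int(ts), ip_address(src), ip_address(dst), int(port)))
    return recs

def find_pivot_indicators(records, min_ports=5, window=120):
    """Return (kind, src, dst, detail) findings for the foothold's own traffic.
    server_dials_out: a host expected only to answer on SERVER_PORTS initiates
    a connection into the front subnet (reverse-shell shape).
    port_fanout: the foothold's eth1 address touches >= min_ports distinct
    ports on one back-subnet host within `window` seconds (scan shape)."""
    findings, first_seen, ports = [], {}, defaultdict(set)
    for ts, src, dst, port in records:
        if src not in PIVOT_HOSTS:
            continue                      # only the compromised host matters here
        if dst in FRONT_NET and port not in SERVER_PORTS:
            findings.append(("server_dials_out", str(src), str(dst), port))
        elif dst in BACK_NET:
            t0 = first_seen.setdefault((src, dst), ts)   # start of the window
            if ts - t0 <= window:
                ports[(src, dst)].add(port)
    for (src, dst), seen in ports.items():
        if len(seen) >= min_ports:
            findings.append(("port_fanout", str(src), str(dst), len(seen)))
    return findings
```

On the sample, the reverse connection on port 4444 and the six-port sweep of 192.253.95.3 are both reported, while ordinary client traffic to port 80 is not.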

That’s all. This is a basic network pivoting scenario: starting from the internal network, you take over as many additional systems/targets as you can. It happens often during penetration testing.
