Wednesday, 6 April 2022

Pentesting Pentesters with MSF Jump Host

Let's think about a scenario for a pentest/redteam project during which we are using 'our dedicated jump host'. "What if" someone takes over this host? This time we'll try to check the potential results of this kind of attack. Here we go...

Today we'll start here:

I believe that almost everybody who's reading this blog is probably (more or less) familiar with Metasploit Framework. Let's move forward to the quick setup of the environment we'll use today.

 

Environment

Today we will use an Ubuntu VM (you can use Kali as well - your choice).

- Docker 'target' image (see below)
- Kali / Ubuntu VM
- Metasploit Framework (I used both versions to create some notes for this post: v5 and v6 - the latest one AFAIK)
- Python3 with the pymetasploit3 module (briefly presented in a previous post).

When all is ready to go - let's move forward to the core-scenario.


(Un)Real Scenario

For the purpose of this post, let's say:

- we are working from location_A and our 'jump host' is in location_B
- the "jump host" is 'based' on the Metasploit Framework (msfrpcd with password).
- next we'll grab a shell on the Docker's 'target-image' to collect some session(s).


Like this - preparing msfrpcd:


Starting target docker image - for this case we'll use again Apache Tomcat (described for 'EnTer in 2022' before):


Next step - exploiting Tomcat to get a shell:


So far, so good.

 

(..."in the meantime..." )

Let's scan this (msfrpcd) VM:

Now we are ready to move on to the proper "scenario".
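Seen from the jump host owner's side, the scan above is the moment the RPC listener becomes visible from the network. The following is an added example (not from the original post) that parses `ss -ltnpH` output and flags an msfrpcd listener bound to a non-loopback address; it assumes msfrpcd's default port 55553, and the sample output and helper names are constructed for illustration.

```python
import ipaddress
import re

MSFRPCD_PORT = 55553  # msfrpcd default port (assumption: not changed with -p)

# Constructed sample of `ss -ltnpH` output from a hypothetical jump host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 256 0.0.0.0:55553 0.0.0.0:* users:(("ruby",pid=2301,fd=9))
LISTEN 0 256 127.0.0.1:55552 0.0.0.0:* users:(("ruby",pid=2290,fd=7))
LISTEN 0 128 [::]:8080 [::]:* users:(("java",pid=1502,fd=44))
"""

def parse_listeners(ss_output):
    """Yield (address, port, process) for every LISTEN line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        proc = re.search(r'\(\("([^"]+)"', line)
        yield addr.strip("[]"), int(port), proc.group(1) if proc else "?"

def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcards count as exposed."""
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:  # "*", empty or otherwise unparsable address
        return False

def exposed_rpc_listeners(ss_output, ports=(MSFRPCD_PORT,)):
    """Return listeners on the given ports reachable from off-host."""
    return [(a, p, proc) for a, p, proc in parse_listeners(ss_output)
            if p in ports and not is_loopback(a)]

if __name__ == "__main__":
    for addr, port, proc in exposed_rpc_listeners(SAMPLE_SS):
        print(f"EXPOSED: {proc} listening on {addr}:{port}")
```

A listener flagged here is the one to rebind to loopback (msfrpcd's `-a` option) and reach over an SSH tunnel, so that the RPC password is not the only thing between the network and the sessions.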


 

Rooting Pentesters Client


So now - let's switch to the part when we're attacking the attackers ;]

TL;DR:
do you remember the RPC protocol we talked about during the "EnTer in 2022" post? I'm sure you do. ;)

So we can skip directly to the point: we found the "attacker's jump host".


Next step...


Attacker's Base

Let's say our 'target attacker msfrpc C&C box' is already in the middle of the(ir) "project" and there are already "few sessions established".


Jump Around

Reading the fantastic manual - we can quickly prepare a small "client" for the MSFRPCd (started on the "attacker's box").

For example let's try to simply "connect if the password is valid":

So far, so good.


Now we should be able to write a small 'quick & dirty client' to run a bruteforce attack against our 'target attackers jumphost'.

For example:

Well... next? ;]


Checking the script against our 'target lab':


Simple but works. ;)

[;



Next steps


At this stage we can continue:


Next:

Continuing with the docs:


At this stage I decided to switch to meterpreter:

After the 'switch' it was easier to interact with the sessions on remote jump host:


That's all! ;) Have fun!



Cheers,

Cody



