Premise
In this walkthrough, we demonstrate the concept of network pivoting. We compromised the main Windows target and discovered another Windows server, to which we also gained access by exploiting the MySQL server.
Skills Learned
- Windows Penetration Testing
- MySQL Server enumeration and exploitation
- Network Pivoting
- Metasploit
Finding a Hidden Network
I started with a privileged Meterpreter session on the first Metasploitable 3 machine. The first thing I did was run ifconfig to check out the network interfaces. I found two: one was the standard VirtualBox adapter, but the other was on a completely different network, 192.168.56.x. This was my first clue that there was more to this network than meets the eye.
Since I couldn't directly reach this new network, I had to create a "pivot", a tunnel through my compromised machine. I used a Metasploit module called autoroute to add a route to the new network. This essentially told Metasploit to send any traffic for that network through my existing Meterpreter session.
Exploring the New Territory
With my route in place, I started scanning the new network for open ports. I used db_nmap from within Metasploit and found that port 3306 (MySQL) was open on one of the hosts. This was a great find because databases often contain valuable information, like user credentials.
To connect to the MySQL server, I used another cool technique called port forwarding. I set up a rule in my Meterpreter session to forward all traffic from a local port on my machine to the MySQL port on the remote machine. This allowed me to connect to the remote database as if it were running on my own computer.
Cracking the Database
Once I was connected to the MySQL server, I found a WordPress database. I dumped the wp_users table and found usernames and password hashes for a couple of users, including 'admin' and 'vagrant'. I cracked the hashes using John the Ripper and got the passwords: 'exploit' and 'vagrant'.
I tried to use these credentials to log into the WordPress site, but I had some trouble accessing the login page. It seemed to be running on a non-standard port that I couldn’t immediately find. So, I decided to switch gears and try a different approach.
The Final Takeover
Since I had valid credentials for the 'vagrant' user, I decided to try and get a shell on the second machine directly. I used a tool called psexec.py to connect to the machine using the 'vagrant' username and password. To make this work, I had to set up another port forward, this time for the SMB service on port 445.
The psexec.py tool worked like a charm, and I was greeted with a command prompt on the second machine. I ran whoami, and to my delight, I had nt authority\system privileges! I had successfully pivoted from one machine to another and gained full control of the second host. 🤘
Technical Commands I Used
Here are some of the key commands that I used throughout this process:
- ifconfig: To check the network interfaces on the compromised machine.
- use post/multi/manage/autoroute: The Metasploit module for creating a route to a new network.
- db_nmap -p 3306 -sV 192.168.56.1/24: To scan for the MySQL port on the new network.
- portfwd add -l 3306 -p 3306 -r 192.168.56.1: To forward the remote MySQL port to my local machine.
- mysql -u root -h 127.0.0.1: To connect to the forwarded MySQL port.
- SELECT user_login, user_pass FROM wp_users;: The SQL query to dump the WordPress user credentials.
- sudo john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt: To crack the password hashes.
- portfwd add -l 1122 -p 445 -r 192.168.56.1: To forward the SMB port for psexec.py.
- python psexec.py vagrant@127.0.0.1: To get a shell on the second machine.
- whoami: To confirm my system-level privileges.
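From the defender's side, the psexec.py step above leaves a recognisable trace on the second host: a network logon (Security event 4624, logon type 3) followed within seconds by a service being installed from an unusual path (System event 7045), and because the traffic was relayed through the Meterpreter port forward, the source address is the first compromised machine rather than the attacker's box. The detection logic below is an added example, not from the original post or from Metasploit or Impacket; the flattened event format, the sample records, the service and user names and the addresses are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs), flattened as "timestamp log eventid key=value ...".
# The source address is the pivot host, since the SMB connection left the first
# compromised machine, not the attacker's own box.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01 Security 4624 LogonType=3 TargetUserName=vagrant IpAddress=192.168.56.20",
    "2024-05-01T10:00:02 System 7045 ServiceName=WVcPtZMH ImagePath=%systemroot%\\xLKxtfBH.exe StartType=demand",
    "2024-05-01T11:30:00 Security 4624 LogonType=3 TargetUserName=backupsvc IpAddress=10.0.0.5",
    "2024-05-01T11:45:00 System 7045 ServiceName=UpdaterSvc ImagePath=C:\\Tools\\updater.exe StartType=auto",
    "2024-05-01T12:00:00 System 7045 ServiceName=Spooler ImagePath=%systemroot%\\System32\\spoolsv.exe StartType=auto",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")


def parse_event(line):
    """Turn one flattened record into a dict with a datetime, log name, event id and fields."""
    ts, log, eid, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "log": log, "id": int(eid), **fields}


def is_suspicious_image(path):
    """Legitimate services live under System32; psexec-style tools drop their service
    binary into the root of the ADMIN$ share, so anything outside System32 is worth a look."""
    return "system32" not in path.lower()


def find_psexec_like(lines, window=timedelta(seconds=60)):
    """Return (user, source_ip, service) for each suspicious 7045 that follows a
    network logon (4624 with LogonType 3) within `window`."""
    events = [parse_event(line) for line in lines]
    logons = [e for e in events if e["id"] == 4624 and e.get("LogonType") == "3"]
    alerts = []
    for e in events:
        if e["id"] != 7045 or not is_suspicious_image(e.get("ImagePath", "")):
            continue
        for lg in logons:
            if timedelta(0) <= e["ts"] - lg["ts"] <= window:
                alerts.append((lg["TargetUserName"], lg["IpAddress"], e["ServiceName"]))
    return alerts


if __name__ == "__main__":
    for user, src, svc in find_psexec_like(SAMPLE_EVENTS):
        print(f"ALERT: service {svc} installed right after network logon by {user} from {src}")
```

Only the first pair of records fires: the UpdaterSvc install is fifteen minutes after the nearest network logon and Spooler lives under System32, so neither is reported.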