Tips for an Information Security Analyst/Pentester career - Ep. 47: Post-exploitation (pt. 3)

This time we're gonna talk about pivoting.


We're using post-exploitation techniques in order to gain access to an internal subnet unreachable from Kali.

Configuration

a) Kali Linux 3 2017: one network adapter (Bridged configuration)

b) Windows 7: two network adapters (network adapter 1: Bridged configuration; network adapter 2: custom network, static IP configuration: 172.16.137.3, subnet mask 255.255.255.240)

c) Windows XP SP 3: one network adapter (custom network, static IP configuration: 172.16.137.4, subnet mask 255.255.255.240).

Problem

We have no direct way of attacking the Windows XP machine from Kali, as it's located in an unreachable subnet.

If, for example, our Windows XP machine was located in the internal network and our Windows 7 was in the DMZ, there would be no way for us to exploit the XP machine directly from the attacking machine, which doesn't belong to that network nor has access to it.


Solution

We can only attack Windows 7 and then, once we have a Meterpreter session open, reach XP from there, as the two Windows VMs are on the same subnet.

a) attack

I created a payload using Veil, as shown in Episode 43, in order to attack Windows 7.

I moved it to the web server directory, downloaded it to Windows 7 and ran it successfully (no antivirus alert popped up, great!).


Then I used multi/handler to pick up the reverse connection from our victim machine.


We easily get a Meterpreter session and also a privilege escalation, by using windows/local/bypassuac (see video for more details).

b) adding a manual route

Now that we have a Meterpreter session open, we can add a manual route to our Windows XP machine.

I did this through a Meterpreter script called autoroute. There's also a Meterpreter command (route add), but, for some reason, I was unable to get it to work.
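To make the routing step concrete, here is an added example (my own illustration, not code from the post or from Metasploit) that models what autoroute / `route add` actually maintain: a table mapping a subnet to the session whose host can reach it, consulted by longest prefix whenever a module opens a connection. It also includes a small defender-side audit that scans a host inventory for dual-homed machines, which is exactly the property that makes the Windows 7 VM usable as a pivot. The bridged-side addresses (192.168.1.x/24) are assumptions; the post only gives the 172.16.137.x ones.

```python
# Added example (not from the original post): a model of the session-routing
# table behind Metasploit's `route add` / autoroute, plus a defender-side audit
# that finds dual-homed hosts able to act as pivots between two networks.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_interface, ip_network


@dataclass
class PivotRouteTable:
    """Subnet -> session mapping, resolved by longest prefix match."""
    routes: list = field(default_factory=list)  # list of (IPv4Network, session_id)

    def add(self, subnet: str, session_id: int) -> IPv4Network:
        # strict=False accepts a host address with its mask, which is what
        # autoroute derives from the pivot's interface (172.16.137.3/28).
        net = ip_network(subnet, strict=False)
        self.routes.append((net, session_id))
        return net

    def lookup(self, dest: str):
        """Session a connection to `dest` is relayed through; None means direct."""
        addr = ip_address(dest)
        best = None
        for net, sid in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sid)
        return None if best is None else best[1]


def pivot_candidates(inventory: dict, attacker_net: str) -> set:
    """Hosts directly reachable from attacker_net that also sit on another network.

    From a defender's view these are the machines whose compromise exposes a
    subnet that is otherwise unreachable, so they deserve extra hardening and
    monitoring (or should not be dual-homed at all).
    """
    anet = ip_network(attacker_net)
    found = set()
    for host, ifaces in inventory.items():
        nets = {ip_interface(i).network for i in ifaces}
        if anet in nets and len(nets) > 1:
            found.add(host)
    return found


# Constructed lab inventory mirroring the post. The 192.168.1.x/24 addresses
# are assumed for the bridged adapters; the 172.16.137.x/28 ones are from the post.
LAB = {
    "kali": ["192.168.1.10/24"],
    "win7": ["192.168.1.20/24", "172.16.137.3/28"],
    "winxp": ["172.16.137.4/28"],
}


def demo() -> dict:
    table = PivotRouteTable()
    # autoroute on the Windows 7 session derives 172.16.137.0/28 from the
    # VM's second interface and binds that subnet to session 1.
    net = table.add("172.16.137.3/28", 1)
    return {
        "pivot_net": str(net),                    # "172.16.137.0/28"
        "xp_via": table.lookup("172.16.137.4"),   # 1: relayed through session 1
        "internet_via": table.lookup("8.8.8.8"),  # None: sent directly from Kali
        "candidates": pivot_candidates(LAB, "192.168.1.0/24"),  # {"win7"}
    }


if __name__ == "__main__":
    print(demo())
```

The /28 mask matters: 172.16.137.0/28 covers hosts .1 through .14, so both Windows VMs land in the same network while nothing on the bridged side does, which is why the XP box is invisible to Kali until a route through the Windows 7 session exists.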


c) Recon on Windows XP

We can now try to attack our Windows XP VM through our Windows 7 VM, but we need to start from scratch, from the recon stage.

For us to understand what ports are open on XP, we can use a Metasploit auxiliary module that runs a port scanner (auxiliary/scanner/portscan/tcp) through the new route.

Though this scanner isn't as good as Nmap, it can nonetheless provide us with plenty of good information.


d) Exploitation

In her book and class, Georgia Weidman exploits the XP VM through the well-known ms08_067_netapi vulnerability, but my XP machine turns out not to be vulnerable to this exploit, even though SMB runs on port 445.

In fact, Windows XP SP 3 isn't listed among the targets for it.

I've been trying to find other exploits against the vulnerable software I installed for this machine for a while, but none worked so far.

This situation is much trickier than other contexts where I successfully exploited XP, as we can't use a reverse payload.

In fact, even if I used a Veil or msfvenom payload, our Kali machine would be unreachable, as there would be no way for our XP connection to bounce back to Kali.

We need to find a local exploit for it.

You guys know me, I'm not a quitter, so I'll try it harder.
