As I continue to prepare for the OSCP, and continue to look for ways to improve my pivoting and network pentesting skills, I approached the Wreath network with two things in mind:
- Try to use as little tooling and automation as possible and force myself to think outside the box
- Try to "live off the land" and use only binaries on the host that are at my disposal and avoid transferring tools to any extent possible
Keeping Details Brief
This is not a full write-up of the Wreath network, just a summary of the targets and the steps I took to pivot through the network.
A Linux host running a vulnerable web server. Once the vulnerability is identified, it's incredibly trivial to get a reverse shell. Once obtained, you can find an SSH key to maintain persistence. This is the SSH key I use to create SSH forward and reverse proxies.
The next target on the network. To reach this host, I'll need to "jump" through 10.200.96.200. I create a forward proxy from Kali using SSH (the username was lost to e-mail obfuscation in the original; `<user>` stands in for it).
ssh -i id_rsa -fND 50001 <user>@10.200.96.200
Now, I can reach 10.200.96.150.
10.200.96.150 is a Windows Server box running a vulnerable web server with an unauthenticated RCE bug. I know that 10.200.96.150 can talk to 10.200.96.200, so I transfer a bind shell payload to the target and connect to it.
Now that I have a shell, I add a user account for persistence and RDP to the host.
3. Create a Reverse Proxy via 10.200.96.200
I used this command to RDP to 10.200.96.150:
xfreerdp /proxy:socks5://127.0.0.1:50001 /u:tempuser /p:T3mp_Adm1n! /v:10.200.96.150 /drive:.,kali-share +clipboard
- Connect via my original SOCKS proxy
- Map a local directory as a UNC share on the target
With the share mapped to the target, I can put files in the local folder and they are easily transferred to the target. I transfer the SSH key to the target and create an SSH reverse proxy (again, `<user>` stands in for the username lost to e-mail obfuscation in the original).
ssh -i id_rsa -fNR 50002 <user>@10.200.96.200
Now from Kali, I can proxy through 10.200.96.200:50002 to reach 10.200.96.150.
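A small check of the pivot chain, added here as an example and not code from the original write-up: it speaks the SOCKS5 handshake (RFC 1928) to one of the ssh -D / -R listeners above and asks the proxy to CONNECT to the next hop, so you learn whether the tunnel actually reaches the target before pointing xfreerdp or proxychains at it. The proxy and target addresses are the ones in this write-up; the ports 3389 and 80 are my assumptions for the RDP and web services.

```python
import socket
import struct

SOCKS_VERSION = 5
# Reply codes from RFC 1928 section 6
REPLY_NAMES = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}

def greeting() -> bytes:
    """Client hello: version 5, one method offered, 0x00 = no auth (what ssh -D/-R accepts)."""
    return bytes([SOCKS_VERSION, 1, 0])

def connect_request(host: str, port: int) -> bytes:
    # Dotted-quad hosts go as ATYP 0x01; anything else is sent as a domain name
    # (ATYP 0x03) so the pivot host resolves it, not the machine running this script.
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, 1, 0]) + addr + struct.pack("!H", port)

def parse_reply(data: bytes) -> int:
    """Return the REP field of a SOCKS5 reply; 0 means the proxy reached the target."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % data)
    return data[1]

def check_pivot(proxy_host: str, proxy_port: int, target_host: str, target_port: int,
                timeout: float = 5.0) -> str:
    """Ask the SOCKS listener to CONNECT to target_host:target_port and report the outcome."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(greeting())
        if s.recv(2) != bytes([SOCKS_VERSION, 0]):
            return "proxy did not accept the no-authentication method"
        s.sendall(connect_request(target_host, target_port))
        rep = parse_reply(s.recv(262))  # longest reply: domain-name BND.ADDR
        return REPLY_NAMES.get(rep, "unknown reply code %d" % rep)

if __name__ == "__main__":
    # Forward proxy from the write-up (ssh -D on Kali); 3389 is the assumed RDP port
    print("10.200.96.150:3389 via 127.0.0.1:50001:",
          check_pivot("127.0.0.1", 50001, "10.200.96.150", 3389))
    # Reverse proxy (ssh -R listener on 10.200.96.200); 80 is the assumed web port
    print("10.200.96.100:80 via 10.200.96.200:50002:",
          check_pivot("10.200.96.200", 50002, "10.200.96.100", 80))
```

A reply of "connection refused" or "host unreachable" comes from the pivot host's point of view, which tells you whether the problem is the tunnel or the target service.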
10.200.96.150 allows us to do static code analysis on the development server running on 10.200.96.100. We find a file upload vulnerability and create a web pseudo-shell.
10.200.96.100 can call back to Kali, so we can easily transfer files to this target using the pseudo-shell. I run a Python web server and transfer a statically compiled version
I start a listener on Kali and use the pseudo-shell to connect back to my listener and get a foothold on the target and escalate privileges.