Today I wanted to do a blog post on pivoting with SSH tunnels and using Plink to forward connections to other computers once you have a foothold in an environment. For this scenario I used two Virtual Private Servers (VPSs), my Kali VM, and my ESXi lab environment, consisting of an Elastic Stack VM running Ubuntu, a Windows Server that was my Domain Controller, and a Windows 10 machine that was my initial foothold. In addition, the Windows 10 machine has the Elastic Endpoint agent, Winlogbeat and Sysmon installed. Alright, now let me explain the scenario…
First things first, I built out two Linode VPSs.
Next I built out a local SSH tunnel to my second VPS that listens locally on my Kali VM on port 2222.
Next I connected to the second VPS over port 2222 in order to modify the sshd_config file. In this file you need to uncomment the GatewayPorts setting and change it to yes. If you skip this step the VPS will bind the remote-forwarded port only on localhost instead of 0.0.0.0, which matters because you cannot catch the initial callback from the Windows 10 machine if the VPS is only listening on localhost.
After making this change, do not forget to restart the sshd service.
The next screenshot shows me connecting to the second VPS to build the remote tunnel back to my Kali machine. It listens on all interfaces on port 8085, so our reverse TCP callback can hit that port on the VPS and be forwarded back to our Metasploit listener.
Here I am double checking to ensure I am listening on 0.0.0.0:8085.
Next I build an msfvenom payload with zero evasion, as the point of this scenario is to practice pivoting and see some of the artifacts that are left behind. The LHOST parameter points to VPS2 and LPORT is 8085, which is the entrance of our remote tunnel. I then scp it over to VPS2.
I then host it with a Python web server listening on port 51557.
Next I start my Metasploit listener on localhost port 8085 on my Kali box and run the mshta.exe command pointing at VPS2 to execute my payload.
Here I run the getuid command and see that I’m in my home lab domain DUNE running as the user latreides.
To escalate privileges I perform a recursive search in the C:\Users folder looking for password files, which I find on the Desktop of latreides and download to my Kali box.
This next screenshot shows the alert from my Elastic VM triggered by the network connection from mshta.exe. You can see it reaching out to VPS2 on port 51557 to execute svpd.hta, with powershell.exe as the parent process.
Next, since this is my network and I already know the IP address of my domain controller and that it has the Remote Desktop Protocol open, I go ahead and upload plink and use it to create a remote tunnel back to VPS2 on port 9051, so that connections hitting that port are forwarded to my domain controller at 192.168.10.5 on port 3389. Discovery of this machine could have been performed with arp and then the Metasploit portscan module.
Take note that the IP address of VPS2 above is different because I built this out over two days, and my IP addresses changed when I tore down my VPSs and rebuilt them the following day.
Now all that is left to do is build out a local tunnel. I don’t have a screenshot for it, but it is this command: ssh -CS /tmp/s2 -L9050:127.0.0.1:9051 email@example.com. This connects your Kali box up to the plink tunnel.
Now I will connect from my Kali box through two VPSs, hit that plink tunnel and get forwarded to the domain controller on port 3389.
If this sounds confusing, don’t worry, it is. The best way to wrap your head around it is consistent practice. Pivoting and tunnels are definitely perishable skills if they are not used.
Another detection that can be made here is looking for evidence of plink executing in your environment. It has some command-line switches that can be used for hunting purposes, such as -ssh, -pw, and -l. As with most things these could be bypassed, but it still doesn’t hurt to have them.
Here is a screenshot of PowerShell kicking off some crazy base64 from the hta file as well.
Here are just a few triggers that could have been used to detect this attack:
- Mshta making network connections.
- Plink making weird network connections.
- PowerShell and Sysmon logs with encoded base64 commands in their command lines.
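The three triggers above, as an added detection example that is not part of the original post: it runs them over constructed Sysmon-style events (the paths, IPs and the harmless encoded command are made up, with the plink switches and tunnel values taken from this scenario), flags mshta.exe network connections, plink.exe launched with -ssh, -pw or -l, and PowerShell -EncodedCommand including the short forms PowerShell accepts, and decodes the base64 so an analyst can read what was run.

```python
import base64

# Constructed sample events (not from the post); fields mimic Sysmon Event ID 1 (process create) and 3 (network).
ENCODED = base64.b64encode("Write-Output hello".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 51557},
    {"EventID": 1, "Image": r"C:\Users\latreides\plink.exe",
     "CommandLine": "plink.exe -ssh -l vpsuser -pw REDACTED -R 9051:192.168.10.5:3389 203.0.113.10"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]
PLINK_SWITCHES = {"-ssh", "-pw", "-l"}  # the hunting switches named in the post


def is_encoded_switch(arg):
    """-EncodedCommand, its alias -ec, or any prefix PowerShell accepts (-e, -enc, ...), with - or / prefix."""
    a = arg[1:].lower()
    return bool(arg[:1] in ("-", "/") and (a == "ec" or (a and "encodedcommand".startswith(a))))


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None if absent or invalid."""
    args = cmdline.split()
    for i, arg in enumerate(args[:-1]):
        if is_encoded_switch(arg):
            try:
                return base64.b64decode(args[i + 1], validate=True).decode("utf-16le")
            except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
                return None
    return None


def detect(events):
    """Apply the three triggers from the post; returns a list of (rule, detail) tuples."""
    hits = []
    for ev in events:
        name = ev["Image"].rsplit("\\", 1)[-1].lower()  # Sysmon logs the full path
        if ev["EventID"] == 3 and name == "mshta.exe":
            hits.append(("mshta_network", f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
        elif ev["EventID"] == 1:
            found = PLINK_SWITCHES & {a.lower() for a in ev["CommandLine"].split()}
            if name == "plink.exe" and found:
                hits.append(("plink_tunnel_switches", " ".join(sorted(found))))
            elif name in ("powershell.exe", "pwsh.exe"):
                decoded = decode_encoded_command(ev["CommandLine"])
                if decoded is not None:
                    hits.append(("powershell_encoded", decoded))
    return hits
```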
Well, if you made it this far, thank you for reading my post, and hopefully there was some useful stuff in here you can use to help facilitate your learning process!
So until next time…