Attack | Defense — Pivoting II Walkthrough

Network Topology

We have a switch between us and the first target. Followed by another switch between target A and target B.


We start with our nmap scan to get an idea of what might be open on this subnet.

nmap -p-

Our results:

Using curl command we identified the version of V-CMS

The V-CMS 1.0 is vulnerable to unauthenticated file upload and code execution vulnerability, The Metasploit exploit/linux/http/vcms_upload module can be used to exploit this vulnerability.

The flag.txt file was located on the root directory.

The IP address of the network adapter eth1 is

We used the autoroute to route the traffic through

We used the portscan module to identify the open ports in

We used the vsftp backdoor exploit to access the machine and captured the flag from root directory