Attack | Defense — Pivoting II Walkthrough

Network Topology

We have a switch between us and the first target. Followed by another switch between target A and target B.

Enumeration

We start with our nmap scan to get an idea of what might be open on this subnet.

Command:
nmap -p- 192.141.250.2

Our results:

Using curl command we identified the version of V-CMS

The V-CMS 1.0 is vulnerable to unauthenticated file upload and code execution vulnerability, The Metasploit exploit/linux/http/vcms_upload module can be used to exploit this vulnerability.

The flag.txt file was located on the root directory.

The IP address of the network adapter eth1 is 192.39.151.2

We used the autoroute to route the traffic through 192.39.151.2

We used the portscan module to identify the open ports in 192.39.151.3

We used the vsftp backdoor exploit to access the machine 192.39.151.3 and captured the flag from root directory