# Setup Pivot

- Setup `ligolo proxy` on Kali
![[images/Pasted image 20260617193849.png]]
- Setup agent
![[images/Pasted image 20260617193710.png]]
- Confirm
![[images/Pasted image 20260617193837.png]]

# Ping Sweep

- `fping`
![[images/Pasted image 20260617193901.png]]
- confirm with for loop
```bash
for i in {1..254}; do (ping -c 1 172.16.1.$i | grep "bytes from" &); done
```
![[images/Pasted image 20260617194134.png]]
- create `hosts.txt`
```bash
for i in {1..254}; do (ping -c 1 172.16.1.$i | grep "bytes from" &); done | awk '{print $4}' | cut -d':' -f1 > hosts.txt
```
![[images/Pasted image 20260617194614.png]]

## Internal `nxc smb` scans

- Use current creds > nothing
![[images/Pasted image 20260617201006.png]]
- null and guest
![[images/Pasted image 20260617201041.png]]

# Start Responder

- Setup on proper tunnel interface associated with pivot
![[images/Pasted image 20260617203047.png]]
- not getting anything
- notice that `autoroute` only assigned an IPv6 address to the iface, so `responder` shows an IPv4 that is off
![[images/Pasted image 20260617210044.png]]
![[images/Pasted image 20260617210049.png]]
- tear down the `ligolo` iface and tunnel and create our own w/o `autoroute`
```bash
# on Kali: create the tun interface by hand and start the proxy
sudo ip tuntap add user jacob mode tun ligolo
sudo ip link set ligolo up
sudo ./proxy -selfcert

# on the target machine: connect the agent back to Kali
./agent -connect 10.10.14.42:11601 -ignore-cert

# on Kali: route the internal subnet through the tunnel
sudo ip route add 172.16.1.0/24 dev ligolo
```
- try with `-wFv` poisoning mode
- May be worthwhile to also setup on NIX01

# Internal Nmap Scans

## 172.16.1.5 (DANTE-SQL01)

- light
![[images/Pasted image 20260617200504.png]]
- detailed
![[images/Pasted image 20260617200557.png]]
- FTP and NFS look tasty
- `flag.txt` in FTP
  - grab flag with `nxc ftp`
![[images/Pasted image 20260617201912.png]]
- MSSQL on 1433 and 49673
  - current creds don't work
![[images/Pasted image 20260617202118.png]]
- SMB
  - guest and null don't work
![[images/Pasted image 20260617202221.png]]

## 172.16.1.12

- light
![[images/Pasted image 20260617200833.png]]
- detailed
![[images/Pasted image 20260617201208.png]]
- FTP, HTTP, HTTPS, MYSQL

## 172.16.1.19

- light
![[images/Pasted image 20260617201354.png]]
- detailed
![[images/Pasted image 20260617201444.png]]

## 172.16.1.20 (DANTE-DC01)

- light
![[images/Pasted image 20260617201628.png]]
- this is the DC
- detailed
![[images/Pasted image 20260617202319.png]]
- domain: `dante.local`
- forest: `dante.local`
- HTTP, HTTPS, SMB, RDP, WINRM

## 172.16.1.13 (DANTE-WS01)

- light
![[images/Pasted image 20260617202623.png]]
- detailed
![[images/Pasted image 20260617202927.png]]
- HTTP, HTTPS, SMB

## 172.16.1.101 (DANTE-WS02)

- light
![[images/Pasted image 20260617204356.png]]
- detailed

## 172.16.1.102 (DANTE-WS03)

- light
![[images/Pasted image 20260617205556.png]]
- detailed
![[images/Pasted image 20260617205657.png]]

## 172.16.1.10 (DANTE-NIX02)

- light
![[images/Pasted image 20260617210122.png]]
- detailed
![[images/Pasted image 20260617210227.png]]
- SSH, HTTP, SMB
- NOTE: first HTTP server with a non-standard title

## 172.16.1.17 (DANTE-NIX03)

- light
![[images/Pasted image 20260617210447.png]]
- detailed
![[images/Pasted image 20260617210727.png]]
- NOTE: very spicy goodies on ports 80 and 10000
- HTTP, SMB, WEBMIN, MYSQLX
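Added example for the Ping Sweep section above (my code, not from the original notes): the `hosts.txt` one-liner there pipes `awk '{print $4}' | cut -d':' -f1` straight to a file, but the backgrounded subshells answer in arbitrary order and a host can reply more than once, so the file ends up unsorted with duplicates. This `extract_hosts` function does the same extraction, also accepts `fping`-style `is alive` lines, drops anything that is not a dotted-quad, and sorts numerically by octet. The ping output below is constructed, not captured from the lab.

```bash
# Added example, not from the original notes: parse raw ping/fping output into
# the unique, numerically sorted host list that hosts.txt is meant to hold.

# extract_hosts: stdin = ping/fping output, stdout = one live IPv4 per line.
extract_hosts() {
    awk '
        /bytes from/ {                       # Linux ping: "64 bytes from 172.16.1.5: icmp_seq=1 ..."
            ip = $4
            sub(/:$/, "", ip)                # strip the trailing colon
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print ip
        }
        /is alive$/ { print $1 }             # fping: "172.16.1.10 is alive"
    ' | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Constructed sample output (not captured from the lab): out of order, one
# duplicate reply, one fping-style line and one unreachable line to be ignored.
SAMPLE_PING_OUTPUT='64 bytes from 172.16.1.20: icmp_seq=1 ttl=128 time=12.3 ms
64 bytes from 172.16.1.5: icmp_seq=1 ttl=128 time=10.1 ms
From 10.10.14.1 icmp_seq=1 Destination Host Unreachable
64 bytes from 172.16.1.5: icmp_seq=1 ttl=128 time=10.4 ms
172.16.1.10 is alive
64 bytes from 172.16.1.101: icmp_seq=1 ttl=128 time=14.0 ms'

# Demo run on the sample; in the lab the sweep loop is piped in instead:
#   for i in {1..254}; do (ping -c 1 172.16.1.$i | grep "bytes from" &); done | extract_hosts > hosts.txt
printf '%s\n' "$SAMPLE_PING_OUTPUT" | extract_hosts
```

The `sort -u` with all four octet keys is what dedupes: without the keys `sort` would order `172.16.1.101` before `172.16.1.20` lexically, which makes the later per-host sections harder to cross-check against the file.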
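Added example for the Start Responder section above (my code, not from the original notes): the time lost there came from an interface that only had an IPv6 address, which Responder does not flag clearly. This pre-flight check reads `ip -o addr` output and refuses to proceed when the named interface has no IPv4. The `ip -o addr` text below is constructed (the interface names `tun0` and `ligolo` and the addresses are sample values), so it runs offline; in the lab it would be `ip -o addr | check_iface ligolo`.

```bash
# Added example, not from the original notes: confirm a tunnel interface actually
# carries an IPv4 address before pointing Responder (or any other listener) at it.

# iface_ipv4 IFACE : stdin = output of `ip -o addr`, stdout = IFACE's IPv4 addresses
# without prefix length; exit status 1 when the interface has no IPv4 at all.
iface_ipv4() {
    awk -v want="$1" '
        $2 == want && $3 == "inet" { sub(/\/.*/, "", $4); print $4; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# check_iface IFACE : stdin = `ip -o addr` output; prints the address or fails loudly.
check_iface() {
    if addr="$(iface_ipv4 "$1")"; then
        echo "$1 has IPv4 $addr"
    else
        echo "$1 has no IPv4 address; Responder will not bind where you expect" >&2
        return 1
    fi
}

# Constructed sample of `ip -o addr` output (not captured from the lab): ligolo
# has only a link-local IPv6, tun0 has a real IPv4.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: tun0    inet 10.10.14.42/23 scope global tun0\       valid_lft forever preferred_lft forever
4: ligolo    inet6 fe80::1234:5678:9abc:def0/64 scope link stable-privacy \       valid_lft forever preferred_lft forever'

# Demo on the sample; in the lab: ip -o addr | check_iface ligolo
printf '%s\n' "$SAMPLE_IP_ADDR" | check_iface tun0
printf '%s\n' "$SAMPLE_IP_ADDR" | check_iface ligolo || true
```

The check keys on field 3 being exactly `inet` (not `inet6`), which is the distinction that was missed when the tunnel was first brought up with `autoroute`.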