Skip to content

Latest commit

 

History

History
105 lines (86 loc) · 3.52 KB

Redirector.MD

File metadata and controls

105 lines (86 loc) · 3.52 KB
Raw

Redirector

  1. SSH into Redirector with user redirector and password havoc.
┌──(havoc@havoc):~/Desktop
└─$ ssh redirector@192.168.231.129
redirector@192.168.231.129's password: havoc
  1. Initialize Apache service on Redirector.
redirector@redirector:~$ sudo systemctl restart apache2
[sudo] password for redirector: havoc
  1. Generate SSL keypair on Attacker Linux.
┌──(havoc@havoc):~/Desktop
└─$ openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out public.crt -keyout private.key
Generating a RSA private key
................................................++++
....................++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:MY
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:KL
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Asia Pacific University
Organizational Unit Name (eg, section) []:APU
Common Name (e.g. server FQDN or YOUR name) []:apu.edu.my
Email Address []:
  1. Copy and paste private.key file to Redirector.
redirector@redirector:~$ sudo vim /etc/ssl/private/private.key

Use :wq to save and quit; :qa to cancel save and quit in Vim

  1. Copy and paste public.crt file to Redirector.
redirector@redirector:~$ sudo vim /etc/ssl/certs/public.crt
  1. Navigate to https://192.168.231.129 and inspect self-signed SSL certificate.

  1. Create HTTPS Listener for Traffic Redirection.

  1. Generate SSH keypair for SSH tunneling.
redirector@redirector:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/redirector/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/redirector/.ssh/id_rsa
Your public key has been saved in /home/redirector/.ssh/id_rsa.pub

Copy contents of /home/redirector/.ssh/id_rsa.pub and save as redirector (identity file) in Attacker Linux

  1. On Attacker Linux VM, setup a SSH tunnel to Redirector.
┌──(havoc@havoc):~/Desktop
└─$ ssh -N -R 8443:localhost:443 -i redirector redirector@192.168.231.129
  1. Verify SSH tunneling from Redirector.
redirector@redirector:~$ sudo ss -ltnp
State           Recv-Q          Send-Q                     Local Address:Port                     Peer Address:Port          Process                                   
LISTEN          0               128                            127.0.0.1:8443                          0.0.0.0:*              users:(("sshd",pid=1769,fd=9))
  1. Customize .htaccess file under /var/www/html.
redirector@redirector:~$ sudo vim /var/www/html/.htaccess

RewriteEngine on

RewriteCond %{HTTP_USER_AGENT} "Slack/415620 CFNetwork/1240.0.4 Darwin/20.5.0" [NC]
RewriteRule ^.*$ "https://localhost:8443%{REQUEST_URI}" [P]

RewriteRule ^.*$ "https://www.slack.com" [L,R=302]
  1. Restart Apache service.
redirector@redirector:~$ sudo systemctl restart apache2
  1. Revisiting https://192.168.231.129 will redirect you to slack.com.