{"id":1765,"date":"2025-08-09T06:53:27","date_gmt":"2025-08-09T06:53:27","guid":{"rendered":"https:\/\/hackmybox.com\/?p=1765"},"modified":"2025-09-08T13:40:18","modified_gmt":"2025-09-08T13:40:18","slug":"basics-of-pivoting","status":"publish","type":"post","link":"https:\/\/hackmybox.com\/index.php\/2025\/08\/09\/basics-of-pivoting\/","title":{"rendered":"Basics of Pivoting"},"content":{"rendered":"<div class=\"vce-row-container\" data-vce-boxed-width=\"true\"><div class=\"vce-row vce-row--col-gap-30 vce-row-equal-height vce-row-content--top\" id=\"el-14e5e11c\" data-vce-do-apply=\"all el-14e5e11c\"><div class=\"vce-row-content\" data-vce-element-content=\"true\"><div class=\"vce-col vce-col--md-auto vce-col--xs-1 vce-col--xs-last vce-col--xs-first vce-col--sm-last vce-col--sm-first vce-col--md-last vce-col--lg-last vce-col--xl-last vce-col--md-first vce-col--lg-first vce-col--xl-first\" id=\"el-ba39aaab\"><div class=\"vce-col-inner\" data-vce-do-apply=\"border margin background  el-ba39aaab\"><div class=\"vce-col-content\" data-vce-element-content=\"true\" data-vce-do-apply=\"padding el-ba39aaab\"><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-b88e3ad1\" data-vce-do-apply=\"all el-b88e3ad1\"><p>In this post, we\u2019ll walk through how to pivot from a compromised Metasploitable VM into a private network and use Metasploit to brute-force SSH access to an Ubuntu VM that sits behind it.<\/p><h2 data-start=\"438\" data-end=\"453\">\ud83e\uddea Lab Setup<\/h2><p>For this demonstration, the lab consists of:<\/p><ul><li>Attacker Machine: Parrot (HTB)<\/li><li>Compromised Host: Metasploitable 2 (Accessible from Parrot)<\/li><li>Internal Target: Ubuntu-02 (Only accessible from Metasploitable 2)<\/li><\/ul><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-5eb5a35f\" data-vce-do-apply=\"all el-5eb5a35f\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 1024px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 79.0039%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"1024\" height=\"809\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/07\/Lab-2-1024x810.jpg 1024w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/07\/Lab-2-320x253.jpg 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/07\/Lab-2-480x380.jpg 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/07\/Lab-2-800x633.jpg 800w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/07\/Lab-2-1024x810.jpg\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/07\/Lab-2.jpg\" data-attachment-id=\"1708\"  alt=\"\" title=\"Lab\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-01281b16\" data-vce-do-apply=\"all el-01281b16\"><h2 data-start=\"680\" data-end=\"695\">\ud83c\udfaf Objective<\/h2><p>Gain access to Ubuntu-02, which resides in a private internal network (10.0.0.0\/24) unreachable directly from the attacker machine.<\/p><p>To simulate a real-world scenario, we\u2019ve created a test user on Ubuntu-02:<\/p><ul><li>Username: <span style=\"color: #ffff00;\">Student<\/span><\/li><li>Password: S<span style=\"color: #ffff00;\">ecure@1234<\/span> (for validation after brute-force success)<\/li><\/ul><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-a1db2915\" data-vce-do-apply=\"all el-a1db2915\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 803px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 59.1532%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"803\" height=\"475\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/Ubuntu02-320x189.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/Ubuntu02-480x284.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/Ubuntu02-800x473.png 800w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/Ubuntu02-803x475.png 803w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/Ubuntu02-803x475.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/Ubuntu02.png\" data-attachment-id=\"1768\"  alt=\"\" title=\"Ubuntu02\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-89c6c3c0\" data-vce-do-apply=\"all el-89c6c3c0\"><h2 data-start=\"1021\" data-end=\"1061\">\ud83d\udea9 Step 1: Compromise Metasploitable2<\/h2><p data-start=\"1063\" data-end=\"1173\">We start by exploiting Metasploitable2 using a known Postgres vulnerability and gaining a Meterpreter session.<\/p><div class=\"contain-inline-size rounded-2xl relative bg-token-sidebar-surface-primary\"><div class=\"overflow-y-auto p-4\" dir=\"ltr\">&nbsp;<\/div><\/div><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-2230d3fa\" data-vce-do-apply=\"all el-2230d3fa\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 864px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 97.338%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"864\" height=\"841\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/meta1-1-320x311.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/meta1-1-480x467.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/meta1-1-800x779.png 800w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/meta1-1-864x841.png 864w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/meta1-1-864x841.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/meta1-1.png\" data-attachment-id=\"1771\"  alt=\"\" title=\"meta1\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><div class=\"vce-row-container\" data-vce-boxed-width=\"true\"><div class=\"vce-row vce-row--col-gap-30 vce-row-equal-height vce-row-content--top\" id=\"el-77854452\" data-vce-do-apply=\"all el-77854452\"><div class=\"vce-row-content\" data-vce-element-content=\"true\"><div class=\"vce-col vce-col--md-auto vce-col--xs-1 vce-col--xs-last vce-col--xs-first vce-col--sm-last vce-col--sm-first vce-col--md-last vce-col--lg-last vce-col--xl-last vce-col--md-first vce-col--lg-first vce-col--xl-first\" id=\"el-dc8e4d31\"><div class=\"vce-col-inner\" data-vce-do-apply=\"border margin background  el-dc8e4d31\"><div class=\"vce-col-content\" data-vce-element-content=\"true\" data-vce-do-apply=\"padding el-dc8e4d31\"><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-0c3a45f7\" data-vce-do-apply=\"all el-0c3a45f7\"><h2>\ud83e\udded Step 2: Pivoting with autoroute<\/h2><p>Now that we have a Meterpreter session, we\u2019ll add a route to the internal network 10.0.0.0\/24 via this compromised host.<\/p><p>\ud83d\udc49 What is autoroute?<\/p><p><span style=\"color: #ffff00;\">autoroute<\/span> is a post-exploitation script in Meterpreter that tells Metasploit to route traffic to an internal subnet through the current session.<\/p><p>\ud83d\udccc Command:<\/p><p><span style=\"color: #ffff00;\">meterpreter &gt; run autoroute -s 10.0.0.0\/24<\/span><\/p><p data-start=\"1695\" data-end=\"1800\">\u2705 <strong data-start=\"1697\" data-end=\"1708\">Effect:<\/strong><\/p><p data-start=\"1695\" data-end=\"1800\">Tells Metasploit: \u201cAny traffic to 10.0.0.x should go through this Meterpreter session.\u201d<\/p><p data-start=\"1802\" data-end=\"1821\">\ud83d\udd0d <strong data-start=\"1805\" data-end=\"1821\">Verify with:<\/strong><\/p><div class=\"contain-inline-size rounded-2xl relative bg-token-sidebar-surface-primary\"><div class=\"overflow-y-auto p-4\" dir=\"ltr\">meterpreter &gt; <span style=\"color: #ffff00;\">run autoroute -p<\/span><\/div><\/div><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-c1a530eb\" data-vce-do-apply=\"all el-c1a530eb\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 794px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 22.4181%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"794\" height=\"178\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/route-320x72.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/route-480x108.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/route-794x178.png 794w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/route-794x178.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/route.png\" data-attachment-id=\"1774\"  alt=\"\" title=\"route\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-raw-html\"><div class=\"vce-raw-html-wrapper\" id=\"el-b7dcf7ce\" data-vce-do-apply=\"all el-b7dcf7ce\"><script async=\"\" src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-1499161372675368\" crossorigin=\"anonymous\"><\/script>\n<ins class=\"adsbygoogle\" style=\"display:block\" data-ad-format=\"fluid\" data-ad-layout-key=\"-c2+73+2h-1m-4u\" data-ad-client=\"ca-pub-1499161372675368\" data-ad-slot=\"8728040126\"><\/ins>\n<script>\n     (adsbygoogle = window.adsbygoogle || []).push({});\n<\/script><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-725648b2\" data-vce-do-apply=\"all el-725648b2\"><h2>\ud83d\udd0c Step 3: SSH Brute-Force Ubuntu Box<\/h2><p>Next, we\u2019ll attempt to gain access to Ubuntu-02 (10.0.0.5) by brute-forcing its SSH credentials using Metasploit.<\/p><p>We have created a simple wordlist<span style=\"color: #ffff00;\"> passwords.txt<\/span> that includes the correct password for testing purposes.<\/p><p>\ud83d\udcc2 Sample passwords.txt:<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-1f3da4e7\" data-vce-do-apply=\"all el-1f3da4e7\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 735px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 33.7415%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"735\" height=\"248\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/password-320x108.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/password-480x162.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/password-735x248.png 735w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/password-735x248.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/password.png\" data-attachment-id=\"1790\"  alt=\"\" title=\"password\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-3cd2de93\" data-vce-do-apply=\"all el-3cd2de93\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 1024px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 50%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"1024\" height=\"512\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/ssh-1-1024x512.png 1024w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/ssh-1-320x160.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/ssh-1-480x240.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/ssh-1-800x400.png 800w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/ssh-1-1024x512.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/ssh-1.png\" data-attachment-id=\"1777\"  alt=\"\" title=\"ssh\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-0ca5f0e5\" data-vce-do-apply=\"all el-0ca5f0e5\"><h2>\ud83d\udda5\ufe0f Step 4: Interact with the Target<\/h2><p>Once the SSH login is successful, you can open a session:<\/p><p><span style=\"color: #ffff00;\">sessions -i<\/span><br>From here, you're inside the internal Ubuntu system and can start post-exploitation tasks or further enumeration.<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-37bf8dd0\" data-vce-do-apply=\"all el-37bf8dd0\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 1024px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 38.5742%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"1024\" height=\"395\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/ssh2-1024x396.png 1024w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/ssh2-320x124.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/ssh2-480x186.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/ssh2-800x309.png 800w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/ssh2-1024x396.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/08\/ssh2.png\" data-attachment-id=\"1781\"  alt=\"\" title=\"ssh2\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-ce90a693\" data-vce-do-apply=\"all el-ce90a693\"><h2 data-start=\"2725\" data-end=\"2741\">\ud83d\udd1a Conclusion<\/h2><p data-start=\"2743\" data-end=\"2934\">Using <span style=\"color: #ffff00;\">autoroute<\/span>, we successfully pivoted through a compromised system to reach an otherwise inaccessible internal host. This technique is crucial for simulating real-world lateral movement.<\/p><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>In this post, we\u2019ll walk through how to pivot from a compromised Metasploitable VM into a private network and use Metasploit to brute-force SSH access to an Ubuntu VM that sits behind it.\ud83e\uddea Lab SetupFor this demonstration, the lab consists of:Attacker Machine: Parrot (HTB)Compromised Host: Metasploitable 2 (Accessible from Parrot)Internal Target: Ubuntu-02 (Only accessible from [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2028,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","site-transparent-header":"default","prose-style":"enable","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[12],"tags":[],"class_list":["post-1765","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1765","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/comments?post=1765"}],"version-history":[{"count":28,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1765\/revisions"}],"predecessor-version":[{"id":2060,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1765\/revisions\/2060"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/media\/2028"}],"wp:attachment":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/media?parent=1765"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/categories?post=1765"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/tags?post=1765"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}