I don’t understand why I can’t get a reverse shell from my host to the Windows internal host on another network.
The scenario is the following:
- my attacking host, A: Linux, 10.10.14.236
- host B, reachable from the internet, Linux: 10.129.251.159; it has another network adapter, 172.16.5.15. I only have access through an RSA key file and the user “webadmin”
- host C, internal, Windows: 172.16.5.35
I generate a payload from my attacking machine, a reverse TCP payload for Windows, with IP 172.16.5.15 and port 10101. I choose that IP because I assume that putting the IP of my attacking machine is useless, since the two hosts do not communicate directly. As I will later redirect the traffic that arrives at that port to my attacking machine, I decide to put the IP of the pivot machine.
I move my payload to host C by first using scp to send it to host B and then, using Python’s http.server module on B, downloading the payload to the Windows machine with PowerShell’s Invoke-WebRequest.
Now, with the payload on the target C machine, I must first create tunnels so that when it is executed, it reaches my attacking machine. For it:
- From my attacking machine, I convert the openssh RSA key file to a PEM file in order to create a reverse dynamic port-forward from machine C to machine B.
- I move this converted file following the system I used to move the payload.
- I use the command "ssh -i C:\Users\mlefay\Desktop\id -D 10101 webadmin@172.16.5.15" to create a tunnel from C to B; now I need to create one from B to my attacking machine.
- From my attacking machine I ssh with the -R flag to make my local port 10101 available on B.
With this configuration, I assume that connections arriving at port 10101 on machine B from machine C will be redirected to port 10101 of my attacking machine, having effectively connected machine C to machine A.
I start the handler on A, I execute the payload on machine C, and I don’t get the connection.
I have also tried to set the IP of the payload to that of my attacking machine, assuming that once the tunnel is done I can establish a direct connection from C to A, but it hasn’t worked either.
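One thing worth checking when a forwarded port on a pivot host is not reachable from a third machine is which address the listener is bound to. By default `ssh -R port:host:port` makes sshd bind the remote listener to the server's loopback only (unless `GatewayPorts` is enabled in sshd_config), and `ssh -D port` opens a SOCKS listener on the machine running the ssh client, not a forward into it. The following added example (not from the original post) demonstrates the bind-address effect locally: a TCP listener bound to a specific address answers only connections addressed to it, while one bound to `0.0.0.0` answers on any interface. It assumes a Linux host, where all of 127.0.0.0/8 is routed to the loopback interface, so 127.0.0.2 stands in for "another interface address" without needing a second machine.

```python
import socket


def start_listener(bind_addr: str, port: int = 0) -> socket.socket:
    """Bind a TCP listener on bind_addr, the way a forwarded port on a pivot would.
    port=0 lets the kernel pick a free ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(1)
    return srv


def can_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes.
    No accept() is needed: the kernel completes the handshake into the backlog."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reachability(bind_addr: str, probe_addrs: list[str]) -> dict[str, bool]:
    """Bind a listener on bind_addr and report which probe addresses can reach it."""
    srv = start_listener(bind_addr)
    port = srv.getsockname()[1]
    try:
        return {addr: can_connect(addr, port) for addr in probe_addrs}
    finally:
        srv.close()


# Constructed probe set: 127.0.0.1 is "the pivot's own loopback",
# 127.0.0.2 plays the role of "the pivot's address as seen from another host".
PROBES = ["127.0.0.1", "127.0.0.2"]


def loopback_only() -> dict[str, bool]:
    # Listener bound to loopback only: reachable via 127.0.0.1, refused via 127.0.0.2.
    return reachability("127.0.0.1", PROBES)


def all_interfaces() -> dict[str, bool]:
    # Listener bound to the wildcard address: reachable via every local address.
    return reachability("0.0.0.0", PROBES)


if __name__ == "__main__":
    print("bound to 127.0.0.1:", loopback_only())
    print("bound to 0.0.0.0  :", all_interfaces())
```

The same distinction applies to a tunnel endpoint: `ss -ltn` on the pivot shows whether a forwarded port is listening on 127.0.0.1 or on 0.0.0.0, which is also what a defender looks for when auditing exposed forwards on a bastion.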