Open sp00ks-git opened 2 years ago
If you can kill/move the RDP server, then you could run chisel on 3389 in its place - though without root access, outside of using RDP itself, or finding a vuln in RDP, I don't think there is anything you can do.
Goal: To route traffic from a remote network (172.10.10.x) to my local Linux box. The Windows 10 machine has a VPN established that gains access to the 172 network.
Constraints: I can only access the Jump Server via RDP on port 3389. I only have user-level access to the jump server.
Setup:
Debian Linux (Full Access) -> 192.168.1.122
Windows 10 (Full Access) -> 192.168.1.94 -> Jump Server 172.10.10.1 (user only access, no local admin) -> 172.10.10.x Network

Connecting using SOCKS5
Linux Box:
./chisel_1.7.7_linux_amd64 server -p 8080 --reverse
./chisel_1.7.7_linux_amd64 client 127.0.0.1:8081 socks
(proxychains.conf)
socks5 127.0.0.1 1080
Win10:
chisel.exe client 192.168.1.122:8080 R:8081:127.0.0.1:9001
chisel.exe server -p 9001 --socks5
So currently, if I test if I can see port 3389 open from the Linux box to the Windows 10 machine, this works, if I use a full TCP and no ping scan - which is a great start.
proxychains4 nmap 172.10.10.1 -sT -p 3389 -Pn
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.10.10.1:3389 ... OK
Host is up (0.017s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server?
So my question is, can chisel let me see the network behind the Jump Server, and if so, what would I need to run on the jump server to chain or link the connection back? Presumably I can do this over TCP as I have port 3389 open?
I'm new, so a spoon-fed command would be appreciated if possible :-)