
I'm trying to demonstrate lateral movement to a Windows machine that is not directly reachable and should connect back via a named pipe:

  • Windows machine w1 does reverse_tcp/reverse_https to attacker.
  • w1 adds a named pipe listener.
  • Windows machine w2 executes a stager that does reverse_pipe to w1.

Everything is fine if I just walk to w2 and double-click the stager. But when I try to trigger the execution from w1, say via "at" or "Invoke-WmiMethod -class win32_process", it fails. The stager is not allowed to open the pipe. It makes no difference whether the stager runs as SYSTEM or as a user. I guess that this is because in all cases the stager runs in session 0.

Is this really the problem? If so, is there a lateral movement technique that does not have this problem? No exploit; I just want to use credentials to get onto w2. Also I don't want to use something that will potentially take a very long time, like a remote registry autostart. That would require us to keep the named pipe open for days on w1, which we don't want to do with a Metasploit session.

manduca
  • 1,111
  • 7
  • 10

0 Answers