I have a pivot set up on a compromised Windows 10 box and am trying to get a SYSTEM shell on a separate machine in the target network. I have successfully done this by abusing an unquoted service path via a meterpreter/reverse_named_pipe that connects to my pivot, but can this be done using bind_named_pipe? I may be thinking of it wrong, but I want my pivot meterpreter shell to connect to the bind_named_pipe that is now running as a listener via the abused service. In this scenario I don't think I would be able to use a multi/handler because my attacking machine doesn't have direct access to the target machine unless through the pivot. Or am I thinking about this wrong? Is the multi/handler aware of the pivot, and will it use it to access the target network?

Nitro

1 Answer

If you are using Meterpreter, you can set up port forwarding (or even routing) through your existing sessions. Then, when you want to connect to another host on that network, you can point your multi/handler at the tunnel entrance or route.

multithr3at3d