Skip to main content

Reverse SSH shell to WSL2

By

Reverse SSH shell to WSL2

WLS2 is configured by default in a NAT network.That means we can't generally reach it from the outside. 

To connect to it externally, let us configure WSL 2 for reverse shell

Prerequisite

  • Another SSH server that acts as gateway. This server should be accessible from the outside. For this exercise we will be using 192.168.2.30 as the gateway IP.

Step 1: Enable SSH on WSL2

$: sudo ssh-keygen -A
Then start SSH: 
$: sudo service ssh start

Step 2: Verify connection from WSL2 to the gateway SSH server

$: ssh -R 2222:localhost:22 u1@192.168.2.30
Below is an example connection to Kali SSH server
From Kali gateway server, verify that we can connect to port 2222, like: 
$: ssh u2@localhost -p 2222
By default WSL2 does not allow SSH connection using password, you will get an error like below.
u2@localhost: Permission denied (publickey).

To fix this, change /etc/ssh/sshd_config on WSL2, ensure that: 

  • PasswordAuthentication is set to yes
  • ChallengeResponseAuthentication is set to no
And restart SSH, like so: 
$: sudo service ssh restart
Let us try to open the tunnel again, on WSL2 run: 
$: ssh -R 2222:localhost:22 u1@192.168.2.30
Now go back to the gateway server and do: 
$: ssh u2@localhost -p 2222
You should now be able to connect to the WSL2 from the gateway like below

Step 3: Use public/private key to connect

Providing the password everytime we establish a connection gets really tiring, so let us use public/private key for the connection.
Let us start from WSL2 to the gateway, generate private/public key pair on WSL2: 
$: ssh-keygen -t rsa -b 2048
Then copy id_rsa.pub to the gateway, like: 
$: cat ~/.ssh/id_rsa.pub | ssh u1@192.168.2.30 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Now, if you re-run the command to create a tunnel, it should just connect without asking for password, like: 
$: ssh -R 2222:localhost:22 u1@192.168.2.30
Next up is connection from the gateway to WSL2. Let us generate private/public key on the gateway, like: 
$: ssh-keygen -t rsa -b 2048
Then copy id_rsa.pub to the WSL2, like: 
$: cat ~/.ssh/id_rsa.pub | ssh u2@localhost -p 2222 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Now we are making progress.

Step 4: Create the tunnel when WSL2 is started

It is probably best for the tunnel that was created to require no interaction, so we run it like: 
$: ssh -R 2222:localhost:22 u1@192.168.2.30 -N
Or better yet, run it in a background 
$: ssh -R 2222:localhost:22 u1@192.168.2.30 -N &
Now to invoke this on WSL start, we need to ensure that SSH server is started and then create the tunnel. We don't want sudo to ask for the password when starting the service, so let us allow running sudo without password for the default account (u2). 
$: sudo visudo
Then add the following: 
u2 ALL=(ALL) NOPASSWD: ALL
Do save and exit in Nano (Ctrl+S followed by Ctrl+X).
Then add the following to ~/.bashrc, do this towards the end of the file: 
sudo service ssh status
if [ $? -ne 0 ]; then
  echo "Starting"
  sudo service ssh start
  echo "tunnel"
  nohup ssh -R 2222:localhost:22 u1@192.168.2.30 -N >/dev/null 2>&1 &
fi

Step 5: Connect to WSL2 via the gateway

Now for the fun stuff, to connect to WSL2 from getaway, we need to create another tunnel!!! This time ssh client will listen on port 2222 locally, any connection to that port will be tunneled to the gateway (192.168.2.30) on port 2222. Remember that port 2222 on the gateway was reverse tunnelled to port 22 on WSL2: 
c:\> ssh -L 2222:localhost:2222 u1@192.168.2.30
So to finally connect to WSL2, do: 
c:\> ssh u2@localhost -p 2222
Labels:

Comments

Post a Comment

Popular posts from this blog

The following add-ins could not be started MonoDevelop.GnomePlatform

By
Installing MonoDevelop in OpenSUSE 12.2 from its repository was very easy. When running it for the first time though I got the message: The following add-ins could not be started: The root of the trace shows MonoDevelop.GnomePlatform,2.8 A quick search shows that MonoDevelop depends on libgnomeui . This should have been part of dependencies when installing the application but well.... Below is the screen shot of the error message. References: http://software.1713.n2.nabble.com/MonoDevelop-and-openSUSE-12-1-td7462957.html [2013/04/09] - Same issue observed in OpenSUSE 12.3 and also the same fix. [2014/11/02] - Same issue observed in OpenSUSE 13.3, mondevelop 3.0.6 and the same fix.
21 comments
Read more

Error! Could not locate dkms.conf file install VirtualBox 4.1.8 on Ubuntu 11.10

By
Tried to update my Ubuntu host today and it did pickup that new version of VirtualBox is available (4.1.8). All other packages installed properly except that VirtualBox installation was complaining about missing dkms.conf file, see error message below. $: sudo /etc/init.d/vboxdrv setup * Stopping VirtualBox kernel modules [ OK ] * Uninstalling old VirtualBox DKMS kernel modules Error! Could not locate dkms.conf file. File: does not exist. [ OK ] * Trying to register the VirtualBox kernel modules using DKMS [ OK ] * Starting VirtualBox kernel modules [ OK ] Though it looks like installation was fine but I am concerned about its effects to VirtualBox functionality. To fix this, do: $: cd /var/lib/dkms/vboxhost $: sudo rm -r 4.1.4 $: sudo /etc/init.d/vboxdrv setup Of course you have to re
11 comments
Read more