I am not sure whether I accurately captured this question with the title, so let me explain it.
I have a penetration testing scenario where I am on the network with two machines, Machine A and Machine B. I have complete control over Machine B and am trying to leverage that to get access to Machine A. Machine A appears to be some variant of Linux (I pinged it and the response had a TTL value of 64, but I know this could be spoofed which is why it is only my guess), and Machine B is Ubuntu Linux.
An nmap scan of Machine A found that port 443 was open and port 22 was filtered. I have drawn the conclusion that Machine A accepts SSH connections via port 22, but behind some rule or firewall.
Machine A acts as a bastion, so the web application on port 443 (which I have already tested for vulnerabilities and found none) lets authenticated users have an interactive RDP or SSH session with machines on the network, from the context of Machine A. So I can log into the web application that Machine A is hosting and connect via a browser over to Machine B via RDP or SSH.
Because I have full control over Machine B and can get Machine A to connect to it, what RDP or SSH attacks are there that I can leverage? I am thinking primarily of whether or not there’s a way to have Machine B make Machine A redirect the session to localhost, which would mean Machine A would connect back to itself over SSH in a session I can interact with.
Note: I am aware of SSH reverse tunneling, but that requires special configuration on Machine A’s side when the connection is established, and I don’t have access to that.