Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux
Pivoting internally over DMZs using weevely + ngrok + CobaltStrike COMBO via a Linux machine
Last updated
Was this helpful?
Pivoting internally over DMZs using weevely + ngrok + CobaltStrike COMBO via a Linux machine
Last updated
Was this helpful?
In this laboratory, we will understand how to use a simple webshell to deploy a CobaltStrike beacon on a Linux target system mainly available and placed on a DMZ and use it for pivoting through this machine into the internal network. This is a common scenario many times used during my red teaming assessments, for instance, when I find a flaw that permits the uploading of a webshell into the web-server. Let's do it.
I use weevely many times to deploy my webshell remotely. More information about this tool .
Example how to access the target machine:
At this moment, we got a remote connection with the target server. It's time to prepare ngrok + CobaltStrike beacon to pivot into the internal network from our localhost connection.
We can use a configuration file as described on the link above, or simply by using the following command to start a new server on port: 8083:
Now, it's time to create the CobaltStrike stager.
CrossC2 framework allows us to generate CobaltStrike's cross-platform payloads, e.g., Linux x64 and x86 beacons.
We can create an x64 or x86 payload depending on the target system architecture.
Tip: use the uname -a command to check the target version.
ngrok_ip: The resolved IP address from the ngrok address. ngrok_port: The assigned port to the ngrok address.
The x64 payload was generated, and we can check it using the file command:
Now, it's time to upload it into the target Linux webserver using weevely:
The next step is to create the CS listener. We need to add our internal IP address on:
HTTPS HOSTS
HTTPS HOST (STAGER)
and the local port (8083) where the ngrok connection is mapped - HTTPS PORT (C2).
After that, the payload can be executed on the weevely webshell:
In the next phase, we will:
Create a socks4
Use Metasploit to pivot internally; or
By interacting with the new machine, you have the following options:
We can create the new socket using the CS console, or by clicking on the target machine.
Clicking on "Launch" button, the socket is created on the local machine (attacker machine). We can confirm it by using the following command:
Accessing the "Proxy Pivots" menu, we can get the command to pivot through MSF.
After getting the command above, we can start msfconsole and paste the command to set up the new tunnel and scan hosts available on the internal network.
To use proxychains, first, we need to configure the new socks by accessing the /etc/proxychains.conf file.
After that, we can use a lot of tools, such as crackmapexec, nmap, impacket-tools, and so on, by using the following combination:
Creating CobaltStrike random C2 profile
CobaltStrike C2 malleable profiles
In this step, you can use a trustable machine (e.g., EC2 instance from AWS) or simply ngrok. ngrok is a very useful tool that allows us to expose our localhost server through any NAT or firewall - and masquerading our public IP address - of course
And yeah, we got it
Take advantage of proxychains tool (my favorite approach)
