CTF Pivoting Cheat Sheet
post by: mosesrenegade
This is a collection of notes that I will update with tips and tricks that I have seen CTF players use in various hacking competitions. I am asking those players for permission to paste these things here and I hope to pass along some knowledge.
This was something I used quite frequently in my short time as a Linux system administrator. Often you will want to forward socket connections from one system into another, and in some games you will need to pivot repeatedly from system to system.
To route from one system to another you have to think about how to chain forwards through each system's loopback interface. A friend used to call this a software router. That is probably a complicated way to think of it; consider it a socket bridge instead: there is no gateway (the .1 address) routing your packets, just a bridge that lets the connections flow. Keep in mind that traffic forwarded this way reaches the final host with the pivot's address as its source, which matters both for firewall rules on the target and for what shows up in its logs.
SSH connection multiplexing (ControlMaster) lets one authenticated connection to the gateway carry every later session and port forward, so you authenticate to the gateway once and then ride the existing channel:

.-----.       .-----.       .---------.
| You |------>| GW  |------>| Target1 |
`-----'       `-----'       `---------'
   |------------>|                        Initial multiplexing (the master connection to GW)
   |--------------------------------->|   SSH to the target through the command channel
How to set up multiplexing
In your ~/.ssh/config add the following, replacing these placeholders:
- bastion: the name you want to use on the command line
- ip: an IP address or a DNS name, either works
- username: your user on the bastion
- port: the SSH port of the host (22 if the box uses the default)
- ~/.ssh/file: the private key to use
Host bastion
    HostName ip
    User username
    Port port
    IdentityFile ~/.ssh/file
    ForwardAgent yes
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlMaster auto
    ControlPersist 10m

Host target
    HostName ip
    User root
    IdentityFile ~/.ssh/file
    Port port
    ProxyCommand ssh username@bastion -W %h:%p
Using this new capability
To establish the control connection:
-> ~ ssh bastion -f -N
- This will not give you a shell; that is expected. -f sends ssh to the background after authentication and -N tells it not to run a remote command, so all that happens is the master socket ~/.ssh/cm-username@ip:port is created. ControlPersist 10m keeps it open for ten minutes after the last client disconnects.
Checking the master channel:
-> ~ ssh -O check bastion
- Prints "Master running (pid N)" when the socket is alive; an error here means the next steps will fall back to a fresh connection and a fresh authentication.
SSHing to the target:
-> ~ ssh target
- The ProxyCommand runs a second ssh against the bastion alias, which reuses the master socket, so you are only authenticating to the target itself.
Forwarding a local port to the target in the background:
-> ~ ssh -f -N -L 10000:localhost:10000 target
- The syntax is -L localport:host:hostport; here "localhost" is resolved on the target, so connections to port 10000 on your own box come out of the target's loopback interface on port 10000. The original had a stray colon after -L, which ssh rejects.
Tearing the master down when you are done:
-> ~ ssh -O exit bastion
- Otherwise ControlPersist leaves your authenticated session on the bastion alive for another ten minutes.
Two caveats on the config. ForwardAgent yes is not needed for this setup (the -W proxy authenticates you to the target end to end, from your own key) and it exposes your agent socket to anyone with root on the bastion, so on a box you do not own drop it. The ControlPath token %C (a hash of host, port and user, available since OpenSSH 6.7) is safer than %r@%h:%p because a long DNS name can push the socket path past the unix socket length limit. On OpenSSH 7.3 and later, ProxyJump bastion is the shorter equivalent of the ProxyCommand line.
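The whole procedure above, generalized from one gateway to a chain of any number of hops, as an added example; this script is not from the original post. It assumes a hop spec of the form alias=user@host[:port] and a key at ~/.ssh/ctf_key, both chosen for this example, and the addresses in the usage comment are constructed. Compared with the post's config it uses ProxyJump (OpenSSH 7.3 and later) instead of ProxyCommand ... -W, uses %C in ControlPath, and leaves ForwardAgent out because the jumped connection authenticates end to end. Setting SSH=echo turns pivot_up, pivot_down and pivot_forward into a dry run that prints the ssh arguments instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): generate an ssh_config for an
# N-hop pivot chain and manage the ControlMaster sockets in the right order.
# Hop spec format assumed by this script: alias=user@host[:port]

# Print one Host stanza per hop. Each hop after the first is reached with
# ProxyJump through the previous hop, and every hop keeps its own master
# socket so later sessions and forwards reuse the authenticated channel.
pivot_config() {
    prev=""
    for spec in "$@"; do
        name=${spec%%=*}
        rest=${spec#*=}
        user=${rest%%@*}
        hostport=${rest#*@}
        case $hostport in
            *:*) host=${hostport%%:*}; port=${hostport##*:} ;;
            *)   host=$hostport;        port=22 ;;
        esac
        printf 'Host %s\n' "$name"
        printf '    HostName %s\n' "$host"
        printf '    User %s\n' "$user"
        printf '    Port %s\n' "$port"
        printf '    IdentityFile ~/.ssh/ctf_key\n'   # assumed key path
        printf '    ControlMaster auto\n'
        printf '    ControlPath ~/.ssh/cm-%%C\n'     # %C hashes host/port/user: short, safe socket path
        printf '    ControlPersist 10m\n'
        # No ForwardAgent: the jumped connection authenticates end to end,
        # and a root on the pivot could otherwise use your agent socket.
        if [ -n "$prev" ]; then
            printf '    ProxyJump %s\n' "$prev"      # OpenSSH >= 7.3
        fi
        printf '\n'
        prev=$name
    done
}

# Open a persistent master for every hop, nearest first: -f -N backgrounds
# ssh without a shell, -O check confirms the socket answers before moving on.
pivot_up() {
    conf=$1; shift
    for name in "$@"; do
        ${SSH:-ssh} -F "$conf" -f -N "$name" || return 1
        ${SSH:-ssh} -F "$conf" -O check "$name" || return 1
    done
}

# Add a local forward to an already-open master: no new authentication,
# no new process. Arguments: config alias localport host hostport
pivot_forward() {
    ${SSH:-ssh} -F "$1" -O forward -L "$3:$4:$5" "$2"
}

# Tear down in reverse order so an inner master is never cut off by the
# outer master it is tunnelled through.
pivot_down() {
    conf=$1; shift
    rev=""
    for name in "$@"; do rev="$name $rev"; done
    for name in $rev; do
        ${SSH:-ssh} -F "$conf" -O exit "$name"
    done
}

# Usage (constructed hosts, not real targets):
#   pivot_config bastion=ops@10.0.0.5:2222 t1=root@172.16.0.10 > ~/.ssh/ctf_config
#   pivot_up ~/.ssh/ctf_config bastion t1
#   pivot_forward ~/.ssh/ctf_config t1 10000 localhost 10000
#   pivot_down ~/.ssh/ctf_config bastion t1
```

Because ProxyJump runs a nested ssh for the previous hop with the same config, the nested ssh matches that hop's Host stanza and picks up its master socket, which is what makes the chain cheap after the first authentication to each hop.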