
CTF Pivoting Cheat Sheet

SSH cheatsheet

This is a collection of notes that I will update with tips and tricks that I have seen CTF players use in various hacking competitions. I am asking those players for permission to paste these things here and I hope to pass along some knowledge.

SSH Multiplexing

This was something that I used to use quite frequently in my short time as a Linux system administrator. Many times we will want to forward socket connections from one system into another, and in some games you will need to pivot repeatedly from system to system.

SSH pivoting

In order to route successfully from one system to another you may have to consider how to forward through local loopback connections from one system to the next. A friend used to call this a software router. That's probably a complicated way to think of it; consider it a socket bridge instead, because there will not be a gateway (the .1 address) between your packets, more like a bridge that lets the packets flow.

Multiplexing will allow the following:

.-----.     .-----.     .---------.
| You |---->| GW  |---->| Target1 |
`-----'     `-----'     `---------'
Initial Multiplexing
SSH through the command channel

How to setup Multiplexing

In your ~/.ssh/config, add the following stanzas, replacing these items:

  • bastion: the alias you want to use from the command line for the jump host
  • ip: the IP address or DNS name of the host; it's up to you
  • username: your username on the bastion
  • port: the SSH port on each host
  • ~/.ssh/file: the path to the SSH private key used for each host
  • target: the alias for the final system you are pivoting to

    Host bastion
        HostName ip
        User username
        Port port
        IdentityFile ~/.ssh/file
        ForwardAgent yes
        ControlPath ~/.ssh/cm-%r@%h:%p
        ControlMaster auto
        ControlPersist 10m

    Host target
        HostName ip
        User root
        IdentityFile ~/.ssh/file
        Port port
        ProxyCommand ssh username@bastion -W %h:%p

Using this new capability

To establish the control connection:

-> ~ ssh bastion -f -N

  • This will not give you a shell; that's OK.

Checking the master channel:

-> ~ ssh -O check bastion

SSHing to the target:

-> ~ ssh target

Forwarding local port 10000 to port 10000 on the target, in the background:

-> ~ ssh -f -N -L 10000:localhost:10000 target

  • Leave the bind address off so the listener stays on localhost; writing -L :10000:... with an empty bind address makes the forwarded port available on every interface.
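As an added example (not from the original post), a short Python helper that parses stanzas like the ones above, follows the ProxyCommand hops to recover the pivot path from the diagram, and flags agent forwarding on the control-master host; the addresses and names in SSH_CONFIG are made-up placeholders.

```python
import shlex
# Constructed sample: the cheat sheet's two stanzas with made-up placeholder values.
SSH_CONFIG = """
Host bastion
    HostName 203.0.113.10
    User ctfuser
    IdentityFile ~/.ssh/ctf_key
    ForwardAgent yes
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlMaster auto
    ControlPersist 10m

Host target
    HostName 10.10.10.5
    User root
    ProxyCommand ssh ctfuser@bastion -W %h:%p
"""

def parse_ssh_config(text):
    """Return {host_alias: {option_lowercase: value}} for each space/tab separated Host stanza."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.replace("\t", " ").partition(" ")
        if key.lower() == "host":
            current = hosts.setdefault(value.strip(), {})
        elif current is not None:
            current[key.lower()] = value.strip()
    return hosts

def pivot_chain(hosts, alias):
    """Follow 'ProxyCommand ssh [user@]hop -W %h:%p' hops; return the path packets take."""
    chain = [alias]
    while True:
        cmd = hosts.get(chain[-1], {}).get("proxycommand")
        if not cmd:
            return chain[::-1]  # first hop (the bastion) comes first
        args = shlex.split(cmd)[1:]  # drop the leading 'ssh'
        hop = next(a for a in args if not a.startswith("-") and a != "%h:%p")
        hop = hop.rsplit("@", 1)[-1]  # strip any user@ prefix
        if hop in chain:
            raise ValueError("ProxyCommand loop at " + hop)
        chain.append(hop)

def forwards_agent(hosts, alias):
    """True if `alias` forwards your agent, which lets root on that hop use your keys."""
    return hosts.get(alias, {}).get("forwardagent", "no").lower() == "yes"
```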
