For folks having a hard time, I highly, highly recommend trying to use ligolo-ng; it was so much easier than using anything else. Here is a short guide too that would be useful for this particular scenario. It won’t be 1:1, you’ll need to add another tunnel and such, but if you’ve made it this far, I think figuring this out is trivial in comparison.
YES! Thank you so much! Chisel Double pivot FTW
Amazing
Hi everybody. Currently I’m stuck on the ATTACKING ENTERPRISE NETWORKS section. When I set up chisel as instructed, or ligolo, to be able to browse the web to http://172.16.8.20/Login?returnurl=%2Fadmin, the page appears but I can’t log in with Admi**:D0tn31Nuk3R0ck* (* is star). This is similar to chisel. Thanks for the help.
Hello,
Could you give me some help here?
I was able to establish the double pivot and I can ping 172.16.9.3 (other interface of DC01).
When I try to ping 172.16.9.25, the connection does not go through. Eventually I used chisel, but I would like to know how to set it up properly with ligolo.
My ligolo configuration is the following once the first tunnel is set:
# The end infrastructure looks like that:
Attacker --> 10.229.x.x DMZ01 172.16.8.120 -->172.16.8.3 DC01 172.16.9.3
# Upload agent to DC01
## Run agent in DC01
agent.exe -connect 172.16.8.120:11601 -ignore-cert
172.16.8.120 = other IP of dmz01
# Attacker: Add the interface for the double-pivoting
sudo ip route add IP_NEW_NETWORK(172.16.9.3) dev ligolo-double
# Attacker: where proxy runs
listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
# Attacker: Once the message "Agent joined" appears I start this session
session # => start
# Attacker: I start also the tunneling
tunnel_start --tun ligolo-double
As I mentioned, I can ping 172.16.9.3, but cannot ping hosts that are inside this new network (172.16.9.25).
What have I done wrong here?
Kind Regards,
Pat
PS: Another question regarding ligolo.
Sometimes, when doing the same steps, it comes to the following error message:
ERRO[0864] could not register agent, error: connection write timeout
Is there a solution for that?
2 years later and you’re still helping, THANK YOU! This helped immensely on the Pivoting, Tunneling, and Port Forwarding module.
Hello, I am not sure where I was wrong, but when I do the nmap, I get filtered instead of open.
After much much pain with metasploit, this is what worked for me (I could get to the ssh login with proxychains but it wouldn’t send the private key). In fact, it seems this link is set up for this box exactly so you can follow the steps almost exactly and get in. May both sides of your pillow be cool forever
Hello friends,
Thank you all for the positive feedback!
I am so happy that many found my post helpful and could directly apply this technique.
Maybe these instructions will also find their way into the teaching material at some point.
Best,
Rapunzel3000