SSH tunnelling #2
Network tunnelling is a technique that allows for the movement of data from one network to another. It involves allowing private network communications to be sent across a public network through a process called encapsulation.

This is very important for penetration testers because very often you will be attacking systems that are reachable from the Internet (an example of a public network). If you manage to compromise one of these systems, you will then have access to one or more private networks. These private networks are only reachable from the compromised target, so you have to use tunnelling techniques to access them from your own machine.

Continuing from SSH tunnelling #1, this time the vulnerable application does not return the output of the executed file, so in order to get the flag we need to establish a reverse connection. However, reverse connections in CyberRange are blocked by default, so we will learn how to create a reverse port forward that allows one, and then establish a reverse connection from our target (which is running inside a container).

A very common way to create tunnels is to use the SSH protocol. In this scenario, we will explore ways to set up reverse port forwards as tunnels to achieve an objective.

What you will learn

This scenario introduces the concept of tunnelling using SSH and reverse port forwards. After completing it you should know how to:

- set up an SSH reverse port forward.
- use it to interact with a target that would otherwise be inaccessible.

Scenario Pre-requisites

It is recommended, but not necessary, to be familiar with the following concepts:

- Exploiting arbitrary file upload vulnerabilities
- Basic Linux usage
- SSH local port forwards

However, it is still possible to follow the mission and complete the assessment by learning as you go.

Technical Details

This scenario contains one virtual machine. The virtual machine runs a Docker container that hosts the vulnerable application.