#146 | pen18 – Tunneling a linux server (victim) through a bounce.

Hi, today I’ll write a quick article on how to tunnel a linux server through a bounce you don’t want to give access easily.

The steps are pretty easy to do:

Creating a virtual machine

The virtual machine will act as the server the victim will connect to. Because we don’t want to give an easy access if a key gets compromised, I’ll create a new VM.

I will create a SSH key on this server without a passphrase. The VM will have to be connected using a bridge network.


Creating a tunnel to the bounce

First, the bounce will have to listen to a specific address. To do so, I will, from my server, use “ssh -R” to send my ssh listen address to another address on my bounce.

Because I can’t listen on low ports, I’ll take a random port over 1000.


Using SSH in local on the bounce to move the port to a privileged port (80)

Because the victim has a firewall, I’ll move the port to another one (80) using sudo ssh -L. This will allow me to bind two ports to the same service (SSH of my VM)


Connect to the bounce from the victim server

On the victim server, you’ll then be able to ssh directly to the port 80 of your bounce, which will connect you to the VM.

Leave a Reply

Your email address will not be published.