But What About WebApps? - SSH to the Rescue

So, there I was, on a penetration test and needed to see some web apps that a client had in-house.

I had a PwnPro plugged in, however, the VPN proxy script provided was not working and my connection became wonky--and eventually FUBAR--when trying. In comes SSH to the rescue. As usual for these posts, this is really a personal instructional for later. That being said, you are more than welcome to use whatever you can.

The Setup

Just so there is an overview, I was recently on an internal penetration test. For this test, however, I was completely remote and a PwnPro was to be used for the assessment. To add to the mix, the PwnPro leveraged a jump box to my employer. AND, to further complicate things, I was away on a trip and had to VPN to my employer. This looked like this:

The Problem

Not every internal penetration test will have an entry point directly with a network service; sometimes it's a webapp. It's difficult--not impossible--to evaluate a webapp via terminal. I, however, needed to see some of the things going on for a web application when it was being rendered in the browser.

Naturally, the PwnPro came with a 'SSH VPN' script, however, for some weird reason it refused to work. I did not have a whole lot of time to sit and troubleshoot. So, I went out and did what any logical person does...Google that stuff.

I quickly realized that many security people seem to do borderline voodoo when requiring the use of a jump box that already has the necessary SSH reverse connection to it. Rather than chaining local port forwards and some other weird nonsense, the solution became clear.

The Solution

I needed something that could be done A, quickly and B, was not overly complicated. After all, I am going to have to explain this to my not-overly-technical minions. So, ProToxin, what did you opt to do? A local forward on my system to the jump box and a dynamic tunnel from the jump box to the reverse connection on the PwnPro. This looks like this:

ssh -L 8180:localhost:8180 [email protected]oyer

From there, a session would be opened on the jump box and I'd type this in:

ssh -D 8180 [email protected] -p 3180

This allows me to setup Firefox with a local proxy set to and access web applications on the intranet.

I'm aware that there are several solutions to my problem and that I can chain SSH commands together. Again, I needed something just real quick, that can be used by myself and minions, and was not overly complicated.

Even though this post is for preserving my own madness, I hope that it can help someone else. Thank you for stopping by and reading!


Join EFF!