
SSH Tunneling and Redirection

A service is listening on the box's loopback interface, invisible to your external scan, so you tunnel through SSH to reach it.

You hold SSH access to the box, but an external scan shows the interesting service port filtered or closed. That is because the simulated service is bound to the loopback interface (127.0.0.1) inside the box and never exposed to the network. Your job is to enumerate it exactly as you would a real internal service that only listens locally.

Start by logging in and listing loopback listeners with ss -tlnp, then build a local port forward: ssh -L 9000:127.0.0.1:3306 user@target. The host:port part of the -L argument (everything after the first colon) is resolved on the target, so it points at the box's own loopback, not yours. Now connect to 127.0.0.1:9000 on your machine and the traffic emerges on the target's loopback.

When several internal ports matter, swap the single forward for a dynamic SOCKS proxy (ssh -D 1080) and route tools through proxychains. No real external host is contacted and everything stays inside the isolated box, but the forwarding mechanics are identical to pivoting through a compromised jump host on a real engagement.

How the attack works

  1. Scan the box and note that the target service port shows filtered or closed from outside: nmap -p- -sV target
  2. Authenticate over SSH and list services bound to loopback: ss -tlnp | grep 127.0.0.1
  3. Forward a local port to the loopback-bound service on the target: ssh -L 9000:127.0.0.1:3306 user@target
  4. Enumerate the service through the local end of the tunnel: mysql -h 127.0.0.1 -P 9000 -u root -p
  5. For several internal ports, open a SOCKS proxy and route tools through proxychains: ssh -fN -D 1080 user@target

On PwnKata the binary, account, and paths change every rep — so you drill the recognition, not this exact command.
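As an added example (not part of the original drill), a POSIX shell script that automates steps 2 and 3 above: it parses ss -tlnp output for sockets bound to 127.0.0.1 or [::1] and assembles one ssh -fN command carrying a -L forward per service, so every internal listener is reachable without opening a SOCKS proxy. The ss output, pids, process names and user@target are constructed placeholders; an IPv6 loopback listener is kept as [::1] in the forward because a forward to 127.0.0.1 on the target would not reach it.

```shell
#!/bin/sh
# Constructed sample of `ss -tlnp` output as it would look on the target.
# Not captured from any real host; pids and process names are made up.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=901,fd=21))
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=955,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=612,fd=4))
LISTEN 0      4096   [::1]:8080          [::]:*            users:(("java",pid=1203,fd=45))'

# loopback_listeners: read ss -tlnp output on stdin and print one
# "<addr> <port> <process>" line per socket bound to 127.0.0.1 or [::1].
# Sockets on 0.0.0.0 / [::] are reachable from outside and are skipped.
loopback_listeners() {
    awk '$1 == "LISTEN" && ($4 ~ /^127\.0\.0\.1:/ || $4 ~ /^\[::1\]:/) {
        addr = $4; sub(/:[0-9]+$/, "", addr)
        port = $4; sub(/.*:/, "", port)
        proc = $6; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
        if (proc == "") proc = "unknown"
        print addr, port, proc
    }'
}

# forward_args: turn "<addr> <port> <process>" lines on stdin into one -L
# option per service, assigning local ports upward from the given base.
# The destination keeps the address the service is bound to, because ssh
# resolves the host:port part of -L on the target, not on your machine.
forward_args() {
    base=${1:-9000}
    awk -v base="$base" '{ printf "-L %d:%s:%s ", base + NR - 1, $1, $2 }'
}

# tunnel_command: assemble the full ssh invocation for a user@target string,
# reading the ss output on stdin.
tunnel_command() {
    target=$1
    args=$(loopback_listeners | forward_args 9000)
    printf 'ssh -fN %s%s\n' "$args" "$target"
}

# Stand-alone demo: list the loopback listeners, then print the command.
printf '%s\n' "$SAMPLE_SS" | loopback_listeners
printf '%s\n' "$SAMPLE_SS" | tunnel_command user@target
```

Pipe the real `ss -tlnp` output from the box into tunnel_command to get a ready-made command; each service is then reachable on your own 127.0.0.1 at ports 9000, 9001 and so on.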

Common mistakes & rabbit holes

  • In ssh -L local:host:port, the host:port is resolved on the target, so point it at 127.0.0.1:<svc>, not your own attacker IP.
  • Calling the service dead because the external scan shows the port filtered; it is bound to 127.0.0.1, so check ss -tlnp and tunnel in.
  • Using ssh -D SOCKS without proxy_dns in proxychains, so DNS resolves outside the tunnel and internal name lookups fail.

What you'll practice

SSH tunneling · port forwarding · pivoting

Objective

Recover the flag at /root/flag.txt and submit it.