Proxying like a RockStar!

Nidal Mahmud
6 min read · May 25, 2021

In this article I will be demonstrating how you can connect to your favorite CTF platform's OpenVPN server (or pretty much any server) without any problems, even if you are behind a firewall that filters inbound/outbound traffic. Many CTF players have trouble reaching OpenVPN servers when they are at work, in a library, or on any other network that filters inbound and outbound traffic. We are going to set up a server on AWS that runs an SSH service on a port the firewall does not block, and then use that server as a pivot to reach the VPN network from our local network!

However, keep in mind that this trick makes enumeration a little harder, since every tool has to be run through the SOCKS proxy.

To recap, let's imagine the following scenario:

We are on a network behind a firewall that blocks all inbound TCP/UDP traffic and allows outbound traffic only to ports 443 and 80. This is the case in most corporate networks, because network admins cannot block those ports: they are the ones used to browse the web. Our goal is to connect to an OpenVPN server that runs on a port other than 443 and 80, let's say 1194 for example.

Let's get started, shall we?

If you can browse the internet, ports 443 and 80 are allowed by your firewall. But just to make sure, and to see what other ports are allowed outbound, we will use the infamous service portquiz.net. That server listens on every TCP port, so you can test any outbound TCP port against it. While writing this I'm sitting in a public library, so let's do a quick nmap scan against portquiz.net to see which ports are allowed outbound.

figure 1

Awesome! We found several ports whose outbound traffic isn't blocked by the firewall.

NOTE: any of these ports would get the job done, but for the sake of simplicity we will stick with 443 and 80.

First we need to create an AWS EC2 instance. I'm not going to walk through the setup process, as it's already documented here: https://docs.aws.amazon.com/efs/latest/ug/gs-step-one-create-ec2-resources.html

By default, a new AWS instance allows inbound traffic only to the SSH port, 22, and unfortunately you cannot change the SSH port during the setup process. If port 22 is blocked by the firewall you won't be able to complete the setup from the same network; in that case I advise you to complete the setup from your home network. While setting up your server, make sure to add inbound rules that allow ports 443 and 80 (or whichever ports your firewall allows).

figure 2

Now, assuming your server is up and running, SSH into it from a network that allows outbound traffic to port 22. We will change the SSH port to 443, which is allowed by the firewall at work, at the library, etc.

We need to edit the sshd config file and change the port from 22 to 443:

sudo nano /etc/ssh/sshd_config

figure 3

Uncomment the #Port 22 line and change it to Port 443, then press Ctrl+X and save the file. If you want to play it safe, add Port 443 as a second line and leave Port 22 in place until you have confirmed that the new port works: sshd listens on every Port line in the file, so a mistake in the security group cannot lock you out of the instance.

Now we need to restart the SSH server so that it listens on the new port:

sudo service ssh restart

figure 4
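As an added example (not the article's own code), here is a small Python helper that performs this edit on an sshd_config text while keeping the old port listening next to the new one, so a typo in the security group or firewall rule cannot lock you out. The sample config it operates on is constructed; drop the old Port line once the new port has been verified.

```python
"""Added example (not from the article): rewrite the Port directive(s) of an
sshd_config text. It keeps the old port listening next to the new one, so a
mistake in the security group or firewall rule cannot lock you out; drop the
old line once the new port has been verified. The sample config is constructed."""
import re

# matches an active or commented-out Port line: "Port 22", "#Port 22", "# Port 22"
PORT_RE = re.compile(r"^\s*(#?)\s*Port\s+(\d+)\s*$", re.IGNORECASE)

SAMPLE_SSHD_CONFIG = """# constructed excerpt of /etc/ssh/sshd_config (Ubuntu ships Port commented out)
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
PasswordAuthentication no
"""


def listening_ports(config_text):
    """Ports sshd would bind for this config; no active Port line means the default, 22."""
    active = [int(m.group(2)) for m in map(PORT_RE.match, config_text.splitlines())
              if m and not m.group(1)]
    return active or [22]


def set_ssh_ports(config_text, new_port, keep_old=True):
    """Return config_text with the Port directive(s) replaced.

    The first Port line (commented or not) becomes the new directives, later
    ones are dropped, and if none exists the directives are appended. With
    keep_old=True the previously active ports stay, since sshd listens on
    every Port line it finds."""
    new_port = int(new_port)
    if not 1 <= new_port <= 65535:
        raise ValueError("port out of range")
    lines = config_text.splitlines()
    port_idx = [i for i, line in enumerate(lines) if PORT_RE.match(line)]
    wanted = (listening_ports(config_text) if keep_old else []) + [new_port]
    block = [f"Port {p}" for p in dict.fromkeys(wanted)]  # dedupe, keep order
    if not port_idx:
        return "\n".join(lines + block) + "\n"
    out = []
    for i, line in enumerate(lines):
        if i == port_idx[0]:
            out.extend(block)          # first Port line becomes the new directives
        elif i not in port_idx:
            out.append(line)           # later Port lines would only duplicate them
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(set_ssh_ports(SAMPLE_SSHD_CONFIG, 443), end="")
```

After writing the result back to /etc/ssh/sshd_config, validate it with sudo sshd -t before restarting, test ssh -p 443 from a second terminal while the original session stays open, and only then remove the Port 22 line and restart once more. The AWS security group must of course allow 443 before any of this is useful.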

Now that we have a server running SSH on port 443, we can go back to the network behind the firewall and do some nasty stuff!

TryHackMe.org is one of my favorite CTF platforms out there. Unfortunately TryHackMe only supports OpenVPN over UDP, so if you are behind a firewall that blocks UDP traffic you won't be able to connect to their OpenVPN server.

But hey! Not anymore!

Let's see how we can use the AWS server as a pivot to reach the TryHackMe OpenVPN network.

First we need to download the VPN file from TryHackMe on our local machine and transfer it to the AWS server. We can do that using ncat (since SSH is already listening on 443, scp over that connection would also work and does not send the file in cleartext).

Download the VPN file with your browser on your local machine. On the AWS server, start a listener on port 80 that writes whatever it receives into a file (the file has to flow from the local machine to the instance, so the listener writes and the client reads):

ncat -lv 80 > file.ovpn

Now on your local machine, send the file to the instance (x.x.x.x is the instance's public IP):

ncat -nv x.x.x.x 80 < file.ovpn

figure 5

All right, now that the VPN file is on the AWS server, we simply start the OpenVPN client there and connect to the OpenVPN server from the instance! Check first that the profile does not push a redirect-gateway route: if it did, all of the instance's traffic, including your SSH session, would be sent into the tunnel.

figure 6

Great, now our server has access to the TryHackMe VPN network, and since we have SSH access to the server we can tunnel our traffic through it and reach the OpenVPN network as well!

Dynamic Port Forwarding

Dynamic port forwarding creates a listening socket on the local (SSH client) machine that acts as a SOCKS proxy server. When an application connects to that port and asks for a destination, the request is carried over the SSH connection to the remote SSH server (our AWS instance), which opens the connection to the requested host and port on our behalf.

This way, every application that uses the SOCKS proxy actually talks to the SSH server, and the server forwards the traffic to its real destination, including hosts that are only reachable through the VPN on the instance.

To create the dynamic port forward, run the following command on your local machine:

ssh -D 443 -N -f -i my.pem ubuntu@AWSip -p 443

Here -D 443 is the local SOCKS port, -N opens no remote shell, -f sends ssh to the background, and -p 443 is the port sshd now listens on. Note that binding a local port below 1024 requires root, so either run this with sudo or pick a high local port (1080 is the usual SOCKS port) and use the same number in the proxychains config; the local port has nothing to do with the firewall, only the remote -p 443 does.
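To make the SOCKS side of this concrete, here is an added example (not the article's code, nor OpenSSH's or proxychains' own): a minimal SOCKS5 CONNECT exchange in Python with both sides shown. The fake proxy stands in for the ssh -D listener; the target addresses, the set of "open" targets and the loopback ports are all constructed. The reply code is what proxychains later reports as OK or denied, and sending a domain name in the request (address type 3) is how its proxy_dns option keeps name lookups from happening on the local network.

```python
"""Added example (not from the article): the SOCKS5 CONNECT exchange that
proxychains performs against the ssh -D listener, with both sides shown.
A tiny in-process stand-in answers for the ssh proxy; target addresses,
the 'open' target set and the loopback ports are constructed."""
import socket
import struct
import threading

VER, NO_AUTH, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 5, 0x00, 0x01, 0x01, 0x03

REPLY_CODES = {                      # RFC 1928 reply field
    0x00: "succeeded",               # proxychains prints OK for this
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",      # a closed port on the far side looks like this
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting():
    """Client hello: SOCKS version 5, one method offered (no authentication)."""
    return bytes([VER, 1, NO_AUTH])


def build_connect_request(host, port):
    """CONNECT request. A dotted quad is sent as ATYP 1; any other host goes as a
    domain name (ATYP 3) so the proxy resolves it, which is what proxychains'
    proxy_dns does to keep DNS lookups off the local network."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Proxy-side decode of a CONNECT request -> (host, port)."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != VER or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unsupported address type")
    return host, struct.unpack("!H", rest[:2])[0]


def parse_reply(data):
    """Client-side decode of the proxy's reply -> (code, meaning)."""
    if data[0] != VER:
        raise ValueError("bad reply version")
    return data[1], REPLY_CODES.get(data[1], "unknown")


def fake_ssh_socks_server(listener, open_targets):
    """Stands in for the ssh -D listener: serves one CONNECT, answering
    'succeeded' if (host, port) is in open_targets and 'refused' otherwise."""
    conn, _ = listener.accept()
    with conn:
        greeting = conn.recv(3)
        if greeting[0] != VER or NO_AUTH not in greeting[2:]:
            conn.sendall(bytes([VER, 0xFF]))       # no acceptable method
            return
        conn.sendall(bytes([VER, NO_AUTH]))        # method selected
        host, port = parse_connect_request(conn.recv(262))
        code = 0x00 if (host, port) in open_targets else 0x05
        # reply: VER REP RSV ATYP BND.ADDR BND.PORT (bound address left as 0.0.0.0:0)
        conn.sendall(bytes([VER, code, 0x00, ATYP_IPV4]) + bytes(6))


def connect_via_proxy(proxy_port, host, port):
    """Client side of the exchange against 127.0.0.1:proxy_port -> (code, meaning)."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(build_greeting())
        ver, method = s.recv(2)
        if ver != VER or method != NO_AUTH:
            raise ConnectionError("proxy rejected the offered auth method")
        s.sendall(build_connect_request(host, port))
        return parse_reply(s.recv(10))


def demo():
    """One exchange for an 'open' and one for a 'closed' target -> {target: reply}."""
    open_targets = {("10.10.145.126", 80)}           # constructed
    results = {}
    for target in [("10.10.145.126", 80), ("10.10.145.126", 22)]:
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))               # ephemeral port stands in for -D 443
        listener.listen(1)
        worker = threading.Thread(target=fake_ssh_socks_server, args=(listener, open_targets))
        worker.start()
        results[target] = connect_via_proxy(listener.getsockname()[1], *target)
        worker.join()
        listener.close()
    return results


if __name__ == "__main__":
    for (host, port), (code, meaning) in demo().items():
        print(f"{host}:{port} -> {meaning} (0x{code:02x})")
```

Everything a proxied tool sees is the reply code: the real ssh -D listener answers 0x00 once the AWS instance has completed the TCP handshake with the destination, so "open" here means open from the instance's point of view, inside the VPN.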

Now we need a tool called proxychains.

ProxyChains is a UNIX program that hooks the network-related libc functions of dynamically linked programs via a preloaded shared library (LD_PRELOAD) and redirects their connections through SOCKS4a/5 or HTTP proxies. Because it works by hooking libc, only TCP connections made by dynamically linked programs are proxied; raw sockets, UDP and statically linked binaries are not.

We'll edit its config file and tell it to send all of our traffic to the SOCKS proxy we just created.

On your local machine run the following command:

sudo nano /etc/proxychains.conf

Scroll down to the [ProxyList] section at the bottom of the file and add a line for the local SOCKS proxy we just created, socks5 127.0.0.1 443 (use whatever port you gave to -D). Comment out the default socks4 127.0.0.1 9050 Tor entry if it is there: with the default strict_chain setting every listed proxy must be reachable, so a dead entry makes every connection fail. Leave proxy_dns enabled so that hostname lookups also go through the proxy.

figure 7

Great, now we can actually reach the OpenVPN network from our local machine. Neat, right?

Go back to TryhackMe.org and pick a target, and keep in mind that you will need to run every tool through proxychains. A SOCKS proxy only carries full TCP connections, so nmap has to use a connect scan (-sT) and skip host discovery (-Pn), since ICMP and ARP probes cannot go through the proxy; SYN, UDP and OS-detection scans will not work this way. Scanning a target with nmap looks like this:

proxychains nmap -sT -T4 10.10.145.126 -Pn

figure 8

As we can see, nmap found some open ports.

Note the OK at the end of each proxychains line: it means the proxy established the connection and the port is open (a closed port shows up as denied).

Now, what if we want to access that web page running on port 80 from our browser? Good question, which brings us to the next step.

Burp suite with Socks proxy

We can use Burp to capture web traffic through the SOCKS proxy.

Fire up Burp Suite, go to the Project options tab (Connections section, SOCKS proxy) and add the SOCKS proxy we created with ssh (host 127.0.0.1, port 443). If you plan to use hostnames rather than IPs, also tick the option to do DNS lookups over the SOCKS proxy; then point your browser at Burp's listener as usual.

figure 9
figure 10

As you can see, we successfully captured the request.

Happy Hacking

~N3dx0o
