{"id":163,"date":"2025-12-11T08:55:17","date_gmt":"2025-12-11T08:55:17","guid":{"rendered":"https:\/\/jasveermaan.com\/?p=163"},"modified":"2026-03-13T10:06:43","modified_gmt":"2026-03-13T10:06:43","slug":"using-proxychains-with-mythic-c2","status":"publish","type":"post","link":"https:\/\/jasveermaan.com\/index.php\/2025\/12\/11\/using-proxychains-with-mythic-c2\/","title":{"rendered":"Using Proxychains With Mythic C2 to Pivot From Kali \u2192 C2 \u2192 Assume Breach \u2192 Internal Network"},"content":{"rendered":"\n
Hi readers,<\/p>\n\n\n\n
Recently, I was speaking with a friend who shared an interesting challenge he faced during a Red Team engagement. The Assume Breach machine he received had extremely limited disk space, meaning he couldn’t install many tools directly on it. To work around this, he used proxychains to route all his Kali Linux tools, running locally on his MacBook, through the C2 and then into the Assume Breach machine.<\/p>\n\n\n\n
This allowed him to keep his tooling on Kali while still operating inside the compromised environment. The flow looked like this:<\/p>\n\n\n\n
Kali Linux \u2192 C2 \u2192 AssumeBreach \u2192 Internal Network<\/pre>\n\n\n\n
During my previous Red Team engagements, the client usually allowed us to connect to the network directly using our own laptops, so I never had to deal with this limitation. Since I had time, I decided to replicate the same scenario in my GOAD lab to prepare for future operations.<\/p>\n\n\n\n
For this blogpost, I am using Mythic C2, mainly because it is free, easy to deploy, and well-documented.<\/p>\n\n\n\n
Setting Up Mythic C2 on AWS<\/h2>\n\n\n\n
My Mythic server is hosted on AWS EC2, and I expose the UI locally via SSH port forwarding using the following command:<\/p>\n\n\n\n
Once the tunnel is active, I can visit:<\/p>\n\n\n\n
https:\/\/localhost:7443<\/pre>\n\n\n\n
From there, I generated a payload to receive a callback. Mythic immediately showed that the payload was created successfully:<\/p>\n\n\n\n<\/figure>\n\n\n\n
Receiving the Callback From the Assume Breach Machine<\/h2>\n\n\n\n
Next, on my GOAD lab\u2019s attack path, I executed the payload on SRV01 (10.8.10.22). The callback appeared in Mythic under user Samwell.Tarly.<\/p>\n\n\n\n
This machine now represents the Assume Breach endpoint\u2014a restricted Windows host with limited disk space.<\/p>\n\n\n\n<\/figure>\n\n\n\n
Enabling SOCKS Proxy in Mythic<\/h2>\n\n\n\n
Once I received the beacon, I executed the following command inside Mythic\u2019s UI:<\/p>\n\n\n\n
socks<\/pre>\n\n\n\n
I specified port 7000, which instructs the agent to create a SOCKS proxy listener.<\/p>\n\n\n\n
This enables Mythic to forward network traffic from Kali \u2192 Mythic \u2192 SRV01 \u2192 internal domain (DC01, other servers, etc.). The screenshot below shows the SOCKS proxy successfully started on port 7000:<\/p>\n\n\n\n<\/figure>\n\n\n\n
This confirms the SOCKS listener is operational and ready for proxying.<\/p>\n\n\n\n
Routing Kali Traffic Through Mythic \u2192 SRV01<\/h2>\n\n\n\n
To achieve this, I extend the SSH tunnel with an additional port forward:<\/p>\n\n\n\n
The screenshot below shows successful communication from Kali to DC01 using the SOCKS proxy path:<\/p>\n\n\n\n<\/figure>\n\n\n\n
This confirms that the pivot works end-to-end.<\/p>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
This technique is incredibly useful for Red Team scenarios where:<\/p>\n\n\n\n
\n
The Assume Breach machine has limited resources<\/li>\n\n\n\n
Installing tools poses OPSEC risks<\/li>\n\n\n\n
You prefer running tools from your own environment<\/li>\n\n\n\n
You need to pivot deeper into internal networks from a single foothold<\/li>\n<\/ul>\n\n\n\n
By combining:<\/p>\n\n\n\n
\n
Mythic C2<\/li>\n\n\n\n
SSH tunneling<\/li>\n\n\n\n
SOCKS proxy<\/li>\n\n\n\n
proxychains<\/li>\n<\/ul>\n\n\n\n
You gain a flexible and stealthy multi-hop environment where your Kali tools execute as if they were inside the victim network, without ever touching the compromised host\u2019s disk.<\/p>\n","protected":false},"excerpt":{"rendered":"
Hi readers, Recently, I was speaking with a friend who shared an interesting challenge he faced during a Red Team engagement. The Assume Breach machine he received had extremely limited disk space, meaning he couldn’t install many tools directly on it. To work around this, he used proxychains to route all his Kali Linux tools, … <\/p>\n
<\/figure>\n\n\n\n
<\/figure>\n\n\n\n
<\/figure>\n\n\n\n
<\/figure>\n\n\n\n