From 198a70ae8983084db7a1ed9973e86214bcff9cf4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Faisal=20Fs=20=E2=9A=94=EF=B8=8F?=
<51811615+faisalfs10x@users.noreply.github.com>
Date: Thu, 13 Apr 2023 04:14:51 +0800
Subject: [PATCH 1/3] Update README.md
SSH pivoting via ProxyJump
---
README.md | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/README.md b/README.md
index 6283674..5237be0 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg)
1. [SSH tunnel](#ssh-tunnel)
1. [SSH socks5 tunnel](#ssh-socks-tunnel)
1. [SSH to NATed host](#ssh-j)
+ 1. [SSH pivot via ProxyJump](#ssh-pj)
1. [Network](#network)
1. [Discover hosts](#discover)
1. [Tcpdump](#tcpdump)
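Review bot: the new TOC entry links to `#ssh-pj`, but the section this series adds is introduced only as bold text (`**2.v SSH pivoting to multiple servers**`) with no anchor of that name, so the link will not resolve the way the existing `#ssh-j` entry does; define an `ssh-pj` anchor in front of the new heading in the same way `ssh-j` is defined for the section above it. The TOC wording ("SSH pivot via ProxyJump") also differs from the heading ("SSH pivoting to multiple servers"); pick one and use it in both places.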
@@ -301,6 +302,28 @@ ssh -J 5dmxf27tl4kx@ssh-j.com root@5dmxf27tl4kx
```
The ssh connection goes via ssh-j.com into the reverse tunnel to the host behind NAT. The traffic is end-2-end encrypted and ssh-j.com can not see the content.
+
+**2.v SSH pivoting to multiple servers**
+
+SSH ProxyJump trick can save you a lot of time and hassle when working with remote servers. Let's assume the scenario as below.
+We have $local-kali behind NAT, we want to ssh into $target-host without interactively login to each intermediary servers.
+The route is; we can SSH to C2, the C2 can SSH to internal-jumphost via internal IP(eth1) and internal-jumphost can SSH to target-host via eth2.
+```
+ $local-kali -> $C2 -> $internal-jumphost -> $target-host
+eth0 192.168.8.160 10.25.237.119
+eth1 192.168.5.130 192.168.5.135
+eth2 172.16.2.120 172.16.2.121
+```
+```
+# if we want to SSH to $target-host:
+kali@local-kali$ ssh -J c2@10.25.237.119:22,jumpuser@192.168.5.135:22 target@172.16.2.121
+
+# if we want to SSH to $internal-jumphost:
+kali@local-kali$ ssh -J c2@10.25.237.119:22 jumpuser@192.168.5.135:22
+```
+
+
+
---
## 3. Network
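Review bot: the second command, `ssh -J c2@10.25.237.119:22 jumpuser@192.168.5.135:22`, puts a `:22` suffix on the final destination, which OpenSSH does not parse in the plain `user@host` form (the `host:port` syntax is valid only inside the `-J`/ProxyJump list or in a `ssh://` URI); as written the client treats `192.168.5.135:22` as the hostname and the connection fails. It should read `ssh -J c2@10.25.237.119:22 jumpuser@192.168.5.135`, or use `-p 22`. The first command's comma-separated jump list is correct. Two smaller points: the address table is hard to read because each `ethN` row lists two addresses while the header names four hosts, so it is not obvious that `192.168.5.130` is C2's eth1 and `192.168.5.135` the jumphost's; listing each host with its interfaces would be clearer. It would also help to say that `-J` drives each hop as a stdio forward rather than a login shell, so C2 and the jumphost must permit TCP forwarding for this to work. The three trailing blank lines before `---` can be dropped.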
From 95969dea53f2462a358af687fdc9efe1b03441de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Faisal=20Fs=20=E2=9A=94=EF=B8=8F?=
<51811615+faisalfs10x@users.noreply.github.com>
Date: Thu, 13 Apr 2023 04:16:37 +0800
Subject: [PATCH 2/3] Update README.md
SSH pivot via ProxyJump
---
README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 5237be0..4f5f29d 100644
--- a/README.md
+++ b/README.md
@@ -310,9 +310,9 @@ We have $local-kali behind NAT, we want to ssh into $target-host without interac
The route is; we can SSH to C2, the C2 can SSH to internal-jumphost via internal IP(eth1) and internal-jumphost can SSH to target-host via eth2.
```
$local-kali -> $C2 -> $internal-jumphost -> $target-host
-eth0 192.168.8.160 10.25.237.119
-eth1 192.168.5.130 192.168.5.135
-eth2 172.16.2.120 172.16.2.121
+eth0 192.168.8.160 10.25.237.119
+eth1 192.168.5.130 192.168.5.135
+eth2 172.16.2.120 172.16.2.121
```
```
# if we want to SSH to $target-host:
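Review bot: this hunk only re-spaces the three `ethN` rows (the text is otherwise identical), which does not fix the real readability problem: the header names four hosts while each row carries two addresses, so no amount of alignment shows that `192.168.5.130`/`192.168.5.135` are C2's eth1 and the jumphost's eth1, or that `172.16.2.120`/`172.16.2.121` are the jumphost's eth2 and the target's eth2, which is what the paragraph above describes. Consider one row per host, e.g. `$C2: eth0 10.25.237.119, eth1 192.168.5.130`. A whitespace-only touch-up like this is also better squashed into the commit that introduced the block.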
From 19c4d5f1dc5e3897b53fccae64250d721ff3610d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Faisal=20Fs=20=E2=9A=94=EF=B8=8F?=
<51811615+faisalfs10x@users.noreply.github.com>
Date: Thu, 13 Apr 2023 04:23:38 +0800
Subject: [PATCH 3/3] Update README.md
fix formatting
---
README.md | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 4f5f29d..969b314 100644
--- a/README.md
+++ b/README.md
@@ -308,22 +308,20 @@ The ssh connection goes via ssh-j.com into the reverse tunnel to the host behind
SSH ProxyJump trick can save you a lot of time and hassle when working with remote servers. Let's assume the scenario as below.
We have $local-kali behind NAT, we want to ssh into $target-host without interactively login to each intermediary servers.
The route is; we can SSH to C2, the C2 can SSH to internal-jumphost via internal IP(eth1) and internal-jumphost can SSH to target-host via eth2.
-```
+```sh
$local-kali -> $C2 -> $internal-jumphost -> $target-host
eth0 192.168.8.160 10.25.237.119
eth1 192.168.5.130 192.168.5.135
eth2 172.16.2.120 172.16.2.121
```
-```
-# if we want to SSH to $target-host:
+```sh
+## if we want to SSH to $target-host:
kali@local-kali$ ssh -J c2@10.25.237.119:22,jumpuser@192.168.5.135:22 target@172.16.2.121
-# if we want to SSH to $internal-jumphost:
+## if we want to SSH to $internal-jumphost:
kali@local-kali$ ssh -J c2@10.25.237.119:22 jumpuser@192.168.5.135:22
```
-
-
---
## 3. Network
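Review bot: the final destination `jumpuser@192.168.5.135:22` (unchanged context at the end of this hunk) is still not a valid plain `ssh` destination; the `host:port` form is accepted only in the `-J` list or in a `ssh://` URI, so drop the `:22` or pass `-p 22` while this block is being reworked anyway. Tagging the host/address diagram fence as ```sh is misleading, since that block is not shell and will highlight oddly; a plain fence is the better choice there. Lastly, the `kali@local-kali$` prompts inside an `sh` block get copied together with the command; the existing `ssh -J 5dmxf27tl4kx@ssh-j.com root@5dmxf27tl4kx` example earlier in the section omits the prompt, so match that style.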