It would be nice to be able to use compromised targets as proxies to allow pivoting into a target's network. This feature would greatly improve the utility of the tool and enable it to be used as a flexible and powerful C2 framework for pentesting engagements.

Great idea, I am working on designing the protocol and the architecture.

Released in v1.4.3.

Tunnel Create Pull 192.168.0.1 22 127.0.0.1 4444 is equalivalent to ssh -L 4444:192.168.0.1:22.

Can you please provide an example also for push, dynamic and internet modes?
Also, to create a tunnel the upgrade command is mandatory, but what about if the established connection is already TLS?
I mean:

TLS client -> TLS server -> Platypus

There is no need in upgrading the session, and creating a tunnel is not possible.
Would be really nice so to create a tunnel even with a not upgraded session, like a simple netcat for example could do.
Or even better, would be nice to encrypt just the new tunnel rather than the entire session of the victim to create a new one ( If I understood correctly how the upgrade/ tunnel commands work ). Something like that:

TLS client -> TLS server -> Platypus -> Tunnel [Create|Delete] [Pull|Push|Dynamic|Internet] [Src Host] [Src Port] [Dst Host] [Dst Port] [TLS|NOT ENCRYPTED] [TCP|UDP]

If you can explain how the upgrade and tunnel commands work I can give a more accurate idea and point you to a correct suggestion(: