Red Teaming: Fast TCP tunnel, transported over HTTP, secured via SSH! What else do we need?!

Cyber Meisam [CM]
2 min read · Nov 12, 2020


Imagine we get access to a machine during our red team exercise and identify a few exploitable services running on that machine that may allow us to escalate our privileges.

But they are all listening on localhost only!

Case Study:

I have installed the CloudMe Sync application on a Windows box, and the app is listening on local port 8888, as shown in the figure below:

Figure: process-to-port mapping

A simple port-to-process mapping using the Windows native commands Tasklist and Netstat shows the installed application is listening on 127.0.0.1:8888, which is only accessible locally! It simply means I can't access the application remotely from my Kali box, for instance.

What to Do!

Chisel works perfectly for me in this case by forwarding the local port to my Kali box.

Where to find chisel

You can find the latest version at the link below:

I have downloaded chisel_1.7.2_linux_amd64.gz and chisel_1.7.2_windows_386.gz to be used for my Kali and Windows boxes respectively.

Chisel Server on Kali

Run the chisel server on Kali [I used port 8000]

Figure: Chisel server on port 8000

Chisel Client on Windows, method 1:

In this method, port 8888 of my Windows box will be forwarded to the same port number [8888] on the Kali box:

chisel.exe client 192.168.177.140:8000 R:127.0.0.1:8888

*192.168.177.140 is my Kali box IP address

Chisel Client on Windows, method 2:

In this method, port 8888 of my Windows box will be forwarded to any port you wish on the Kali box [I used port 4444 as an example]:

chisel.exe client 192.168.177.140:8000 R:4444:127.0.0.1:8888

*192.168.177.140 is my Kali box IP address
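The two client commands above differ only in how the `R:` remote is written, which is exactly the detail a detection engineer has to decode when a chisel command line shows up in process-creation logs. The following is an added example (not code from the post or from the chisel project): a simplified parser for chisel's documented `<local-host>:<local-port>:<remote-host>:<remote-port>/<protocol>` layout that reports, for each `R:` remote, which port the chisel server would open and which client-side service it would expose.

```python
"""Decode chisel 'R:' reverse remotes from a client command line (added example,
not the post's or chisel's own code). Simplified: no IPv6 brackets, no socks
remotes. Note that the server only accepts R: remotes when started with
--reverse, so that flag in a 'chisel server' command line is itself a signal."""
import shlex


def parse_remote(spec):
    """Parse one remote spec using chisel's documented defaults: local-host
    0.0.0.0, local-port = remote-port, remote-host 0.0.0.0, protocol tcp."""
    reverse = spec.startswith("R:")
    body = spec[2:] if reverse else spec
    body, _, proto = body.partition("/")
    parts = body.split(":")
    if not 1 <= len(parts) <= 4:
        raise ValueError("bad remote spec: %s" % spec)
    remote_port = int(parts[-1])
    remote_host = parts[-2] if len(parts) >= 2 else "0.0.0.0"
    local_port = int(parts[-3]) if len(parts) >= 3 else remote_port
    local_host = parts[0] if len(parts) == 4 else "0.0.0.0"
    return {"reverse": reverse, "local": (local_host, local_port),
            "remote": (remote_host, remote_port), "proto": proto or "tcp"}


def reverse_tunnels(cmdline):
    """Return (server_listen_port, client_side_target) for every R: remote in a
    'chisel client' command line. In reverse mode the 'local' side is the chisel
    server (attacker box) and the 'remote' side is the host running the client."""
    argv = shlex.split(cmdline)
    if "client" not in argv:
        return []
    found = []
    for arg in argv[argv.index("client") + 1:]:
        if arg.startswith("R:"):
            r = parse_remote(arg)
            found.append((r["local"][1], "%s:%d" % r["remote"]))
    return found


# Constructed samples, taken from the two methods shown in the post.
CMDLINE_METHOD_1 = "chisel.exe client 192.168.177.140:8000 R:127.0.0.1:8888"
CMDLINE_METHOD_2 = "chisel.exe client 192.168.177.140:8000 R:4444:127.0.0.1:8888"

if __name__ == "__main__":
    for cmd in (CMDLINE_METHOD_1, CMDLINE_METHOD_2):
        for server_port, target in reverse_tunnels(cmd):
            print("server port %d exposes client-side %s" % (server_port, target))
```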
