The more difficult boxes I try to complete on TryHackMe or HackTheBox usually involve some form of port-forwarding or even pivoting onto a different machine. I always seem to forget the commands to get this to work properly, so I thought I would have a go at writing about them here, in the hope that it either helps me to remember better, or at the very least I end up with a place I can go to find out what I need.
Chisel is a fantastic tool which makes this process a lot easier. The github page describes chisel as "a fast TCP/UDP tunnel, transported over HTTP, secured via SSH."
Chisel works with a client/server model. Where you install the client or where you install the server depends on the type of routing you want to achieve.
Example: I have a foothold on a machine and it has a service that is only accessible from
127.0.0.1. I want to be able to access this service from my attack box.
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN - tcp6 0 0 :::139 :::* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - tcp6 0 0 :::445 :::* LISTEN -
Let's say I want to access the service on port 8080 from my own machine. I can do this using the chisel binary by executing the following commands:
What this is doing is saying, route the remote port 9000, remote in this case because it's referring to port 9000 on my local attacking machine, to the internal service hosted on port 8080. Using the chisel server I have setup on my attacking machine's ip address on port 8888.
Even though the result is a 400 error, this is actually good news because this 400 error is being returned from the web server running on port 8080 of the victim machine. The route is established.
SSH Port Forwarding
The same result can be achieved using SSH which most machines already have installed. In order for this to work though, we need to have some credentials we can use on the server to connect via SSH.
Let's say I have the private key for the john user on the remote machine, and I want to set up the same routing as before. Using ssh and the private key, I can do the following:
gareth@enso:~/Desktop/Files/Writer$ ssh -L 9000:127.0.0.1:8080 firstname.lastname@example.org -i id_rsa -fN
In this instance I'm telling SSH to connect local port 9000 to the
localhost address on port 8080 of the machine at 10.129.249.94, using the key file
id_rsa to authenticate with.
For individual port forwards like this, it's easier to use SSH to achieve port forwarding however you must have the ability to connect to the victim machine over normal SSH, which is not always the case.
Pivoting is leveraging the access you have on one machine, to gain access to another. For example let's say you have compromised a public facing web server and you now want to connect to another machine inside the internal network, which is not exposed to the public. You can pivot from the compromised web server onto the machine in this internal network.
Example: My machine has the ip address 10.10.14.75. I have managed to gain access to a public facing web server at 172.16.0.5. I have ran a port scan and determined that there is another server in the network, at 172.16.0.10 with a web server running on port 80.
The first thing I do is generate a throw-away SSH keys on the compromised machine. I would then add the public key to the
authorized_hosts file on my own machine. This key will be used temporarily to allow a connection back to my attacking machine, from the compromised web server. Let's say the private key is stored in a file called
id_rsa_throw_away on the web server. The command I would run on the web server at 172.16.0.5 to gain access to the internal server at 172.16.0.10 would be:
ssh -R 8000:172.16.0.10:80 email@example.com -i id_rsa_throw_away -fN
I can then access the web server running on the internal machine from port 8000 on my local machine. It is crucial to remove the public key from your local
authorized_hosts file when you are finished with the engagement, and preferably also delete the private key on the compromised web server as well.
This barely scratches the surface of what's possible with
ssh. There are a number of other useful tools for both Windows and Linux that are definitely good to have in your toolbox.
This HackTrickz page is a great place to learn more about what's possible.