This lab is a small Docker setup that demonstrates a scenario where hackers have breached the DMZ of a company. Your job is to use the hackers’ exploit to gain further access to the internal networks and retrieve the final flag located on the last machine in the internal network, successfully breaching both the DMZ and internal network.
Lab Source Code: Github.com/LegionOffsec
Note.txt After using SSH to log in to the attacker machine:

Checked the IP configurations and was able to see the IP range for the network configuration.

Used a simple ping sweep command in Linux and found another host.
for i in {1..254} ;do (ping -c 1 192.168.101.$i | grep "bytes from" &) ;done
Ran a port scan using Linux commands to identify open ports and was able to see that port 4444 is open.
for port in {1..65535}; do (echo > /dev/tcp/192.168.101.5/$port) >/dev/null 2>&1 && echo "Port $port is open"; done
We used Netcat to connect to port 4444 and were able to access the backdoor left by the hackers to execute system commands. We used the ipconfig command to check the network configuration again and were able to see another network interface attached to a different IP address range.

Ran another ping sweep and port scan, and identified that port 1337 is open on the 192.168.150.10 host.
for i in $(seq 1 254); do (ping -c 1 192.168.150.$i | grep "bytes from" &) ; done
bash -c 'for port in $(seq 1 65535); do (echo > /dev/tcp/192.168.150.10/$port) >/dev/null 2>&1 && echo "Port $port is open"; done'
We were able to use Netcat to connect to the port and access a program that was vulnerable to command injection. By bypassing and exploiting the vulnerability, we were able to read the flag.
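
From the defender's side, the ping sweeps and port scans used in this walkthrough leave a recognizable pattern in flow logs. The following is an added example, not part of the original lab or write-up: it flags a source that pings many hosts, or touches many TCP ports on one host, within a time window. The record format, the source addresses 192.168.101.77 and 192.168.101.20, and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

def sample_flows():
    """Constructed flow records: 'epoch_seconds src dst proto dport'.
    192.168.101.77 and .20 are made-up sources; the scanned host is the
    one named in the write-up."""
    flows = [f"{1000 + i // 50} 192.168.101.77 192.168.101.{i} icmp 0"
             for i in range(1, 255)]                        # ping sweep
    flows += [f"{1010 + p // 200} 192.168.101.77 192.168.101.5 tcp {p}"
              for p in range(1, 1025)]                      # start of a port scan
    flows += ["1005 192.168.101.20 192.168.101.5 tcp 443",  # ordinary client
              "1006 192.168.101.20 192.168.101.5 tcp 443",
              "malformed line"]
    return flows

def detect(lines, window=60, host_threshold=20, port_threshold=100):
    """Return sorted alerts (kind, src, dst, distinct_count) per time window."""
    pinged = defaultdict(set)   # (bucket, src) -> destinations pinged
    probed = defaultdict(set)   # (bucket, src, dst) -> TCP ports touched
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit() or not parts[4].isdigit():
            continue            # skip records that do not parse
        ts, src, dst, proto, dport = parts
        bucket = int(ts) // window
        if proto == "icmp":
            pinged[(bucket, src)].add(dst)
        elif proto == "tcp":
            probed[(bucket, src, dst)].add(int(dport))
    alerts = []
    for (_, src), dsts in pinged.items():
        if len(dsts) >= host_threshold:
            alerts.append(("host_sweep", src, "-", len(dsts)))
    for (_, src, dst), ports in probed.items():
        if len(ports) >= port_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(sample_flows()):
        print(alert)
```

The fixed time buckets mean a scan that straddles a window boundary is counted in two halves, so thresholds should sit well below the size of a full sweep.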

Made with ♡ for Legion by destiny 12/01/2025