
Add kubernetes testing resources #15773

Merged

Conversation

adfoster-r7 (Contributor)

Add an initial set of charts which can be used to verify Kubernetes enumeration/exploit modules:

  • secrets - Create multiple Kubernetes Secrets to verify Metasploit's enumeration and loot storing capabilities
  • thinkphp - Vulnerable thinkphp application with full cluster access
  • lucee - Vulnerable lucee application with minimal cluster access

I've added a useful docker setup for running helm/kubectl from docker, which could be used with CI in the future. I've also added a makefile with useful utilities in it, for installing the charts, port forwarding, creating service tokens, etc:

make
usage: make [target]

install:
  install              Install all charts
  thinkphp             Install vulnerable thinkphp application with full cluster access
  lucee                Install vulnerable lucee application with minimal cluster access
  dashboard            Install the Kubernetes dashboard
  secrets              Install enumerable secrets

forward:
  forward-thinkphp     Forward thinkphp to the host machine on port 9001
  forward-lucee        Forward lucee to the host machine on port 9002
  forward-dashboard    Forward Kubernetes dashboard to the host machine on port 8443

tokens:
  admin-token          Create an admin token which will have full access to the cluster, also useful for the Kubernetes Dashboard
  service-token        Create a Kubernetes service token for the default service account

create:
  secret-files         Create all secret files

miscellaneous:
  help                 Show this help.

Verification

Ensure each of the readme steps works:

  • Installing thinkphp/lucee/dashboard/secrets
  • Successfully exploit thinkphp on 9001 and attempt enumeration/exploitation
  • Successfully exploit lucee on 9002 and attempt enumeration/exploitation
  • Ensure the Kubernetes dashboard can be accessed, and the admin token works as expected

@@ -0,0 +1,18 @@
apiVersion: v2
adfoster-r7 (Contributor Author) commented on this diff:

Most of the helm charts are the default helm chart boilerplate. I parameterised a few more values after that, and as a result the lucee and thinkphp charts are pretty similar, the values.yml only really differs at this point. I didn't want to introduce a reusable library chart until there's at least another app to test against, potentially with a database/volume claim setup.

@adfoster-r7 adfoster-r7 mentioned this pull request Oct 19, 2021
7 tasks
@adfoster-r7 adfoster-r7 force-pushed the add-kubernetes-testing-resources branch 3 times, most recently from 40f7013 to 20c6b39 on October 20, 2021 14:48
@adfoster-r7 adfoster-r7 mentioned this pull request Oct 21, 2021
12 tasks
@adfoster-r7 adfoster-r7 force-pushed the add-kubernetes-testing-resources branch from 03f43f4 to d6cd198 on October 21, 2021 13:23
@smcintyre-r7 smcintyre-r7 (Contributor) left a comment:

I used this pretty extensively while working on PRs #15786 and #15733.

smcintyre@kubernetes:~/msf-pr-15773/kubernetes$ make lucee
helm upgrade --install lucee ./lucee
Release "lucee" has been upgraded. Happy Helming!
NAME: lucee
LAST DEPLOYED: Thu Oct 21 15:20:51 2021
NAMESPACE: default
STATUS: deployed
REVISION: 3
NOTES:
1. Get the application URL by running these commands:
  export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=lucee,app.kubernetes.io/instance=lucee" -o jsonpath="{.items[0].metadata.name}")
  export CONTAINER_PORT=$(kubectl get pod --namespace default $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
  echo "Visit http://127.0.0.1:9002 to use your application"
  kubectl --namespace default port-forward $POD_NAME --address='0.0.0.0' 9002:$CONTAINER_PORT
smcintyre@kubernetes:~/msf-pr-15773/kubernetes$ make forward-lucee
export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=lucee,app.kubernetes.io/instance=lucee" -o jsonpath="{.items[0].metadata.name}"); export CONTAINER_PORT=$(kubectl get pod --namespace default $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}"); echo; echo "Visit http://127.0.0.1:9002 to use your application"; kubectl --namespace default port-forward $POD_NAME --address='0.0.0.0' 9002:$CONTAINER_PORT

Visit http://127.0.0.1:9002 to use your application
Forwarding from 0.0.0.0:9002 -> 8888
^Cmake: *** [Makefile:34: forward-lucee] Interrupt

smcintyre@kubernetes:~/msf-pr-15773/kubernetes$ make admin-token
kubectl create -n default serviceaccount admin-sa --dry-run=client -o yaml | kubectl apply -f -
serviceaccount/admin-sa configured
kubectl create -n default clusterrolebinding admin-sa-binding --clusterrole=cluster-admin --serviceaccount=default:admin-sa --dry-run=client -o yaml | kubectl apply -f -
clusterrolebinding.rbac.authorization.k8s.io/admin-sa-binding configured
echo $(kubectl get secret -n default $(kubectl -n default get serviceaccount admin-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 -d)
eyJhbGciOiJSUzI1NiIsImtpZCI6IjhNUXp3a1NGVk1xQmV0ZGVTbzNxTTJhQ2Y4UHE4TVZlVjVQcVlkMlRPcTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFkbWluLXNhLXRva2VuLTdzOThsIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXNhIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMmNjMDM1MzktNjhhYS00Mjg2LWE4ZmMtYjdmMDI5NzMzOGM5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YWRtaW4tc2EifQ.rY4MMougu_xPsKsACXcbkJC7ueLzH3YMHlviEpR9o0rKHHAxjDLTK7sC9j1brBkV7oc2kFwbmrlvQ5LEleyeughXq_GfPm47CnUg2Orhv80a7gmJU_WP_mkLhD1xcb4d-7uzEk08V5lswxCTof7qQK7UQBaGI4k6d_6B15jkCBd8fFdl1XqMAN1rokM5YmIwq_i_Eu-hquZIEduqyW2p9V-JVMYC82mLFdffcsjvZeXfOLgr8yiFEvTUZUEnhqZFaLRiT4ioMWQ939fQvLoFVAcloSwk09GM_xS4_8oMCfJd4D5sSCtshN_cEMX_Ht-M2JwjK_tVLTCnbheOwTZPxw
smcintyre@kubernetes:~/msf-pr-15773/kubernetes$ 

@smcintyre-r7 smcintyre-r7 merged commit 6d037e5 into rapid7:master Oct 21, 2021
@adfoster-r7 adfoster-r7 added the rn-enhancement release notes enhancement label Oct 21, 2021
@adfoster-r7 (Contributor Author)

Release Notes

Adds a collection of useful commands for configuring a local or remote Kubernetes environment to aid with testing and exploring Metasploit's Kubernetes modules and pivoting capabilities. The resource files include deploying two vulnerable applications, and populating secrets which can be extracted and stored as loot, as well as utility commands for creating admin and service account tokens.

Labels: feature, rn-enhancement (release notes enhancement), tests