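.PHONY: all default install thinkphp forward-thinkphp lucee forward-lucee dashboard forward-dashboard admin-token service-token secrets secret-files patch-docker-desktop-admin-service-accounts help
.DEFAULT_GOAL := help
# Remove a half-written target (e.g. a key or cert file from an interrupted ssh-keygen/openssl run)
# instead of leaving it in place looking up to date.
.DELETE_ON_ERROR:

# Terminal colours for warnings. tput is silenced so a non-tty run (CI, piped output) does not
# spray "No value for $TERM" errors at parse time.
RED   := $(shell tput -Txterm setaf 1 2>/dev/null)
RESET := $(shell tput -Txterm sgr0 2>/dev/null)

# Detect whether docker-desktop has bound cluster-admin to *every* service account in the cluster:
# its `docker-for-desktop-binding` ClusterRoleBinding lists the group `system:serviceaccounts` as a
# subject, so even a freshly created, otherwise unprivileged service account (such as the one lucee
# is meant to run as) gets full cluster access.
# https://github.com/docker/for-mac/issues/4774#issuecomment-6622851890
# `:=` so kubectl runs once at parse time rather than on every expansion. A missing cluster or
# binding yields 0 (grep -c prints 0 when nothing matches); `$$` passes a literal `$` anchor to grep.
HAS_CLUSTER_ADMIN_SERVICE_ACCOUNT := $(shell kubectl get clusterrolebinding docker-for-desktop-binding -o yaml 2>/dev/null | grep -c 'name: system:serviceaccounts$$')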
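# Kept for people who type `make default`; .DEFAULT_GOAL already makes `help` the bare `make` target.
default: help

# `all` used to depend on `run`, which no rule in this file defines, so `make all` stopped with
# "No rule to make target 'run'"; it is now an alias for `install`.
all: install ##@install Install all charts

# secret-files runs first so the `secrets` chart has its fixture files to package;
# the apps are installed before the dashboard so the lab is usable even if the chart repo is slow.
install: secret-files thinkphp lucee secrets dashboard ##@install Install all charts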
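# Deliberately vulnerable target application; only ever install it into a throwaway lab cluster.
# --namespace default keeps the release where forward-thinkphp and the token targets look for it,
# independent of whichever namespace the current kubectl context happens to select.
thinkphp: ##@install Install vulnerable thinkphp application with full cluster access
	helm upgrade --install --namespace default thinkphp ./thinkphp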
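# Deliberately vulnerable target application; only ever install it into a throwaway lab cluster.
# --namespace default keeps the release where forward-lucee looks for it, independent of the
# kubectl context's current namespace.
lucee: ##@install Install vulnerable lucee application with minimal cluster access
	helm upgrade --install --namespace default lucee ./lucee
# Parse-time conditional: the echo below is appended to lucee's recipe only when the cluster-wide
# cluster-admin binding for `system:serviceaccounts` was detected at the top of the file, in which
# case "minimal cluster access" is not what lucee actually gets until the binding is patched.
# The warning goes to stderr (the previous `2>&2` was a no-op that left it on stdout).
ifeq ($(strip $(HAS_CLUSTER_ADMIN_SERVICE_ACCOUNT)),1)
	@echo "${RED}[!] docker-desktop detected. Additionally run 'make patch-docker-desktop-admin-service-accounts' to ensure lucee does not have full cluster access by default${RESET}" >&2
endif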
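# Optional chart version pin for the dashboard, e.g. `make dashboard DASHBOARD_CHART_VERSION=<x.y.z>`.
# Left empty it keeps the original behaviour of installing whatever the repo index currently marks
# as latest, which is convenient for a lab but not reproducible.
DASHBOARD_CHART_VERSION ?=

# The dashboard is installed into `default` so forward-dashboard (which searches that namespace)
# can find its pod. `helm repo add` is idempotent for an unchanged URL.
dashboard: ##@install Install the Kubernetes dashboard
	helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
	helm upgrade --install --namespace default kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard $(if $(strip $(DASHBOARD_CHART_VERSION)),--version $(DASHBOARD_CHART_VERSION))

# Packages the generated fixture files under ./secrets/files as enumerable Kubernetes Secrets;
# secret-files must have produced them first.
secrets: secret-files ##@install Install enumerable secrets
	helm upgrade --install --namespace default secrets ./secrets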
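# Host ports the applications are forwarded to. Override per invocation when a port is taken,
# e.g. `make forward-lucee LUCEE_PORT=9102`; the defaults are the original fixed values.
THINKPHP_PORT  ?= 9001
LUCEE_PORT     ?= 9002
DASHBOARD_PORT ?= 8443

# Each target hands the app label and host port to the `forward` helper defined below.
forward-thinkphp: ##@forward Forward thinkphp to the host machine on port 9001
	$(call forward,thinkphp,$(THINKPHP_PORT))

forward-lucee: ##@forward Forward lucee to the host machine on port 9002
	$(call forward,lucee,$(LUCEE_PORT))

forward-dashboard: ##@forward Forward Kubernetes dashboard to the host machine on port 8443
	$(call forward,kubernetes-dashboard,$(DASHBOARD_PORT))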
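# Both token targets print a long-lived bearer token to stdout. They exist for a throwaway lab
# cluster only: admin-token binds cluster-admin to a service account it creates in `default`, so
# never run it against a shared or production cluster, and treat the printed value as a secret
# (it is echoed in the clear and will sit in your terminal scrollback).
admin-token: ##@tokens Create an admin token which will have full access to the cluster, also useful for the Kubernetes Dashboard
	kubectl create -n default serviceaccount admin-sa --dry-run=client -o yaml | kubectl apply -f -
	kubectl create -n default clusterrolebinding admin-sa-binding --clusterrole=cluster-admin --serviceaccount=default:admin-sa --dry-run=client -o yaml | kubectl apply -f -
	@$(call print-sa-token,admin-sa)

# The `default` service account is the one pods get when their spec names none; its token is what
# the vulnerable apps can read from /var/run/secrets/kubernetes.io/serviceaccount.
service-token: ##@tokens Create a Kubernetes service token for the default service account
	@$(call print-sa-token,default)

# Print the token held by the Secret attached to service account ${1} in namespace default.
# ${1}=service account name
# Fails loudly when no Secret is attached instead of printing a blank line, which is what the
# previous `kubectl get secret ""` did. NOTE(review): clusters that do not auto-provision a token
# Secret for service accounts will hit this path; minting one with `kubectl create token` is the
# usual alternative there — confirm against your cluster version.
# The recipe line is silenced (`@`) so only the token reaches stdout and the output can be piped.
define print-sa-token
	secret="$$(kubectl -n default get serviceaccount ${1} -o jsonpath='{.secrets[0].name}')"; \
	if [ -z "$$secret" ]; then echo "[!] no token Secret is attached to service account ${1} in namespace default" >&2; exit 1; fi; \
	kubectl -n default get secret "$$secret" -o jsonpath='{.data.token}' | base64 -d; echo
endef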
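# Narrow the binding's subject from the cluster-wide `system:serviceaccounts` group to
# `system:serviceaccounts:kube-system`, so service accounts outside kube-system stop inheriting
# cluster-admin. https://github.com/docker/for-mac/issues/4774#issuecomment-6622851890
# The JSON patch is in plain single quotes: it contains no escapes, and the previous `$'...'`
# (ANSI-C quoting) is a bash extension that is not portable to a plain POSIX /bin/sh.
# `replace` on /subjects/0/name is idempotent, so re-running after the patch is harmless; it
# fails if the binding does not exist, which is the right outcome on a non-docker-desktop cluster.
patch-docker-desktop-admin-service-accounts: ##@miscellaneous Patch service accounts to not have full cluster access by default on docker-desktop - https://github.com/docker/for-mac/issues/4774
	kubectl patch clusterrolebinding docker-for-desktop-binding --type=json --patch '[{"op":"replace", "path":"/subjects/0/name", "value":"system:serviceaccounts:kube-system"}]'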
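# Bind address for `kubectl port-forward`. The default 0.0.0.0 exposes the (deliberately
# vulnerable) application to every host that can reach this machine, not just to localhost;
# set FORWARD_ADDRESS=127.0.0.1 unless you need the app reachable from another machine or VM.
FORWARD_ADDRESS ?= 0.0.0.0

# forward a running pod on the given port
# ${1}=app name, matched against the app.kubernetes.io/name and app.kubernetes.io/instance labels
#      of pods in namespace default (the first matching pod is used)
# ${2}=host port
# Expands to one backslash-continued shell line, so the variables set here are visible to the
# final port-forward. Bails out with a message when no pod matches instead of letting
# `kubectl get pod ""` list every pod and port-forward fail on an empty name.
define forward
	export POD_NAME=$$(kubectl get pods --namespace default -l "app.kubernetes.io/name=${1},app.kubernetes.io/instance=${1}" -o jsonpath="{.items[0].metadata.name}"); \
	if [ -z "$$POD_NAME" ]; then echo "[!] no pod labelled ${1} found in namespace default - is it installed and running?" >&2; exit 1; fi; \
	export CONTAINER_PORT=$$(kubectl get pod --namespace default "$$POD_NAME" -o jsonpath="{.spec.containers[0].ports[0].containerPort}"); \
	echo; \
	echo "Visit http://127.0.0.1:${2} to use your application"; \
	kubectl --namespace default port-forward "$$POD_NAME" --address='$(FORWARD_ADDRESS)' ${2}:$$CONTAINER_PORT
endef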
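### Creating a sample collection of extractable secret files to ensure Metasploit can correctly extract/parse them all
# Everything under SECRETS_DIR is synthetic lab material generated on this machine: the key
# passphrase is the fixed string 'helloworld' and the CA is self-signed. Never reuse these files
# outside the lab, and keep the directory out of version control.
SECRETS_DIR := ./secrets/files
ALL_SECRETS := $(addprefix $(SECRETS_DIR)/, \
	ssh-auth/ \
	ssh-auth/id-rsa-without-passphrase \
	ssh-auth/id-rsa-with-passphrase \
	ssh-auth/id-ed25519-with-passphrase \
	ssh-auth/id-ed25519-without-passphrase \
	tls/ \
	tls/ca.key \
	tls/ca.crt \
)

secret-files: $(ALL_SECRETS) ##@create Create all secret files

$(SECRETS_DIR)/ssh-auth/:
	mkdir -p $@

# Each key names its directory as an order-only prerequisite (`|`) so the directory exists even
# under `make -j`, where the order of ALL_SECRETS is no guarantee. ssh-keygen also writes $@.pub.
# The passphrases now match the file names: previously the two RSA rules had them swapped
# (`id-rsa-without-passphrase` was encrypted with 'helloworld' and `id-rsa-with-passphrase` was not),
# which would have made the parser test exercise the opposite case from the one the name claims.
$(SECRETS_DIR)/ssh-auth/id-rsa-without-passphrase: | $(SECRETS_DIR)/ssh-auth/
	ssh-keygen -t rsa -f $@ -N ''
$(SECRETS_DIR)/ssh-auth/id-rsa-with-passphrase: | $(SECRETS_DIR)/ssh-auth/
	ssh-keygen -t rsa -f $@ -N 'helloworld'
$(SECRETS_DIR)/ssh-auth/id-ed25519-with-passphrase: | $(SECRETS_DIR)/ssh-auth/
	ssh-keygen -t ed25519 -f $@ -N 'helloworld'
$(SECRETS_DIR)/ssh-auth/id-ed25519-without-passphrase: | $(SECRETS_DIR)/ssh-auth/
	ssh-keygen -t ed25519 -f $@ -N ''

$(SECRETS_DIR)/tls/:
	mkdir -p $@

# Unencrypted 2048-bit RSA CA key and a self-signed certificate valid for one year with a fixed CN.
$(SECRETS_DIR)/tls/ca.key: | $(SECRETS_DIR)/tls/
	openssl genrsa -out $@ 2048
$(SECRETS_DIR)/tls/ca.crt: $(SECRETS_DIR)/tls/ca.key
	openssl req -x509 -new -nodes -days 365 -key $< -out $@ -subj "/CN=example.com"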
# Perl program, run by the `help` target over every parsed makefile, that builds the help text:
# each line of the form `target: ... ##@group description` is collected under its group, groups
# are printed in first-seen order, and a `##` line without `@group` lands in an unnamed group.
# `$$` is Make's escape for a literal `$` and `\#` for a literal `#`, so perl sees `$help` and `##`.
# No comments can go between the continuation lines below: a `#` there would swallow the rest of the value.
HELP_FUN = \
	%help, @order; \
	while(<>) { \
		if(/^([a-z0-9_-]+):.*\#\#(?:@(\w+))?\s(.*)$$/) { \
			push(@{$$help{$$2}}, [$$1, $$3]); \
			push @order, $$2 unless $$count{$$2}++; \
		} \
	}; \
	print "usage: make [target]\n\n"; \
	for (@order) { \
		print "$$_:\n"; \
		printf("  %-20s %s\n", $$_->[0], $$_->[1]) for @{$$help{$$_}}; \
		print "\n"; \
	}

# Print the grouped target list; MAKEFILE_LIST is this file plus anything it includes.
help: ##@miscellaneous Show this help.
	@perl -e '$(HELP_FUN)' $(MAKEFILE_LIST)