From 2f416aa5994fe7afb416c4726fdaf57a4bee6ce7 Mon Sep 17 00:00:00 2001 From: Sean Rickerd Date: Mon, 5 Aug 2024 11:38:49 -0400 Subject: [PATCH 1/2] Image links updates --- .../ROOT/pages/misc-log-4-shell-lab.adoc | 12 ++++++------ .../modules/ROOT/pages/misc-reverse-shell.adoc | 17 ++++++++++++----- 2 files changed, 18 insertions(+), 11 deletions(-) diff --git a/content/modules/ROOT/pages/misc-log-4-shell-lab.adoc b/content/modules/ROOT/pages/misc-log-4-shell-lab.adoc index 0edfe65..4cb7835 100644 --- a/content/modules/ROOT/pages/misc-log-4-shell-lab.adoc +++ b/content/modules/ROOT/pages/misc-log-4-shell-lab.adoc @@ -158,12 +158,12 @@ Red Hat Advanced Cluster Security for Kubernetes is a Kubernetes-native security . Log into the RHACS console at `{acs_route}` . Click the "Advanced" button in your browser -image::../assets/images/01-rhacs-advanced.png[RHACS login not private] +image::01-rhacs-advanced.png[RHACS login not private] [start=3] . Click "Proceed to {acs_route}" -image::../assets/images/01-rhacs-proceed.png[RHACS login proceed] +image::01-rhacs-proceed.png[RHACS login proceed] [start=4] . Enter the RHACS credentials @@ -174,9 +174,9 @@ image::../assets/images/01-rhacs-proceed.png[RHACS login proceed] *RHACS Console Password:* | {acs_portal_password} | |=== -image::../assets/images/01-rhacs-login.png[RHACS console] +image::01-rhacs-login.png[RHACS console] -image::../assets/images/01-rhacs-console-dashboard.png[RHACS console] +image::01-rhacs-console-dashboard.png[RHACS console] === Find the log4shell vulnerability in RHACS dashboard. @@ -184,7 +184,7 @@ The next step is to use the ACS dashboard to locate the Log4shell vulnerability. NOTE: CVE-2021-44228 & CVE-2021-45046 can both be used to find the log4shell vulnerabiulity in the dashboard. -image:../assets/images/misc-log-1.gif[] +image:misc-log-1.gif[] . Procedure 
@@ -206,7 +206,7 @@ TIP: To find the policy quickly, type `Policy` followed by `Log4Shell` into the . Click *Review Policy* on the left and *Save*. -image::../assets/images/policy-1.gif[] +image::policy-1.gif[] + . Redeploy the vulnerable image diff --git a/content/modules/ROOT/pages/misc-reverse-shell.adoc b/content/modules/ROOT/pages/misc-reverse-shell.adoc index becf78c..0015308 100644 --- a/content/modules/ROOT/pages/misc-reverse-shell.adoc +++ b/content/modules/ROOT/pages/misc-reverse-shell.adoc @@ -42,6 +42,13 @@ to build a new example application in Ruby. Or use kubectl to deploy a simple Ku ---- [start=2] +. Apply a policy to allow privileged containers: +[source,sh,subs="+macros,role=execute"] +---- +oc adm policy add-scc-to-group anyuid system:authenticated +---- + +[start=3] . Next, deploy the vulnerable application by creating and applying the following deployment YAML file: [source,sh,subs="attributes",role=execute] @@ -177,7 +184,7 @@ type: kubernetes.io/service-account-token EOF ---- -[start=3] +[start=4] . Deploy the struts deployment into your new projecct by using the 'oc' CLI [source,bash,role="execute"] @@ -192,7 +199,7 @@ oc create -f ./vuln-dep.yaml deployment.apps/web created ---- -[start=4] +[start=5] . Ensure that the application was deployed without issues. [source,bash,role="execute"] @@ -210,7 +217,7 @@ web-95f4544df-9s9n5 1/1 Running 0 56s IMPORTANT: For the last part of this section, check to make sure that the struts vulnerability is in the container with a quick CLI scan using the roxctl CLI -[start=5] +[start=6] . Execute the following command in the terminal to ensure the struts vulnerability is present. [source,bash,role="execute"] 
@@ -261,7 +268,7 @@ WARN: A total of 14 unique vulnerabilities were found in 5 components NOTE: You can see that a number of CVE's, including CVE-2023-50164 and can be found in the quay.io/rh_ee_srickerd/apache-struts2-cve-2017-5638:latest container image that your just deployed. === Leverage the remote code execution in the struts vulnerability -[start=6] +[start=7] Create the attack script: [source,sh,subs="attributes",role=execute] ---- @@ -292,7 +299,7 @@ def exploit(url, cmd): EOF ---- -[start=7] +[start=8] And launch the attack! [source,sh,subs="attributes",role=execute] ---- From 9db83cbd15d3ae6c92480fbf739fafe7eb1fad3f Mon Sep 17 00:00:00 2001 From: Sean Rickerd Date: Mon, 5 Aug 2024 12:55:40 -0400 Subject: [PATCH 2/2] Commented out unfinished module --- content/modules/ROOT/pages/misc-reverse-shell.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/modules/ROOT/pages/misc-reverse-shell.adoc b/content/modules/ROOT/pages/misc-reverse-shell.adoc index 0015308..973a8ed 100644 --- a/content/modules/ROOT/pages/misc-reverse-shell.adoc +++ b/content/modules/ROOT/pages/misc-reverse-shell.adoc @@ -1,5 +1,6 @@ == Black Hat - RHACS Struts RCE Vulnerability Demonstration - +//// + //// In this lab, you demonstrate how to quickly stop shells being spawned from the `struts` vulnerabilities Red Hat^(R)^ Advanced Cluster Security for Kubernetes (RHACS). .Goals @@ -455,3 +456,4 @@ A complete record of the event can be found on the *Violations* page. == Summary You enabled Log4Shell deploy-time policy enforcement, and verified that the policy prevented the `log4shell` container from running. +////
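Review bot: In misc-log-4-shell-lab.adoc, the last changed line of the `@@ -158,12 +158,12 @@` hunk keeps the inline macro `image:misc-log-1.gif[]` with empty alt text, while every other image in the hunk uses the block macro `image::` with a description. Since the line is being rewritten anyway, make it `image::misc-log-1.gif[...]` with an alt text so it renders as its own block like the others. The NOTE context line directly above it also spells "vulnerabiulity".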
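Review bot: In misc-reverse-shell.adoc, the new step 2 in the `@@ -42,6 +42,13 @@` hunk is labelled "Apply a policy to allow privileged containers", but the command `oc adm policy add-scc-to-group anyuid system:authenticated` grants the `anyuid` SCC, not `privileged`, and grants it to every authenticated user on the cluster rather than to the lab workload. Reword the step to say what it does and scope the grant to the service account the deployment runs as, for example `oc adm policy add-scc-to-user anyuid -z <serviceaccount> -n <namespace>`, so a shared lab cluster is not left with a cluster-wide relaxation. The source attributes also look mis-quoted: `subs="+macros,role=execute"` puts `role=execute` inside the `subs` value, whereas the neighbouring blocks use `subs="attributes",role=execute`. Finally, this is a behaviour change and the subject "Image links updates" does not mention it; it would be easier to review and revert as its own commit.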
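Review bot: In the `@@ -261,7 +268,7 @@` and `@@ -292,7 +299,7 @@` hunks of misc-reverse-shell.adoc, `[start=7]` and `[start=8]` are attached to "Create the attack script:" and "And launch the attack!", which are plain paragraphs with no leading `. ` list marker, so the renumbering has no list to apply to. Either turn both lines into list items (`. Create the attack script:`) so they continue the numbered procedure, or drop the `[start=...]` attributes. The NOTE context line in the first of these hunks also reads "including CVE-2023-50164 and can be found", which is missing a word or has a stray "and".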
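Review bot: In patch 2/2, the `@@ -1,5 +1,6 @@` hunk appears to add two `////` lines back to back under the title. In AsciiDoc `////` both opens and closes a comment block, so two consecutive delimiters enclose an empty comment and leave the lab body uncommented, and the `////` added at the end of the file would then open a block that is never closed. A single opening `////` after the title, paired with the closing one at the end, gives the intended result. The `== Black Hat - RHACS Struts RCE Vulnerability Demonstration` heading also stays outside the comment, so the page would still be published with a title and no body; if the module is meant to be hidden, comment the heading too or take the page out of the navigation.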
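Review bot: In patch 2/2, the context of the `@@ -455,3 +456,4 @@` hunk shows the Summary of misc-reverse-shell.adoc saying "You enabled Log4Shell deploy-time policy enforcement" and referring to the `log4shell` container, although this page is the Struts RCE lab. That looks carried over from the Log4Shell module; add a TODO next to the new closing `////` or fix the summary now, so it is not published as-is when the module is uncommented.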