Kubesploit v0.1.3 releases: cross-platform post-exploitation HTTP/2 Command & Control server

by do son · Published April 16, 2021 · Updated February 9, 2022

Kubesploit

Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent dedicated for containerized environments written in Golang and built on top of the Merlin project by Russel Van Tuyl (@Ne0nd0g).

Our Motivation

While researching Docker and Kubernetes, we noticed that most of the tools available today are aimed at passive scanning for vulnerabilities in the cluster, and there is a lack of more complex attack vector coverage.
They might allow you to see the problem but not exploit it. It is important to run the exploit to simulate a real-world attack that will be used to determine corporate resilience across the network.
When running an exploit, it will practice the organization’s cyber event management, which doesn’t happen when scanning for cluster issues.
It can help the organization learn how to operate when real attacks happen, see if its other detection system works as expected and what changes should be made.
We wanted to create an offensive tool that will meet these requirements.

But we had another reason to create such a tool. We already had two open-source tools (KubiScan and kubeletctl) related to Kubernetes, and we had an idea for more. Instead of creating a project for each one, we thought it could be better to make a new tool that will centralize the new tools, and this is when Kubesploit was created.

We searched for an open-source that provide that heavy lifting for a cross-platform system, and we found Merlin, written by Russel Van Tuyl (@Ne0nd0g), to be suitable for us.

Our main goal is to contribute to raising awareness about the security of containerized environments and improve the mitigations implemented in the various networks. All of this captured through a framework that provides the appropriate tools for the job of PT teams and Red Teamers during their activities in these environments. Using these tools will help you estimate these environments’ strengths and make the required changes to protect them.

What’s New

As the C&C and the agent infrastructure were done already by Merlin, we integrated the Go interpreter (“Yaegi”) to be able to run Golang code from the server to the agent.
It allowed us to write our modules in Golang, provide more flexibility on the modules, and dynamically load new modules. It is an ongoing project, and we are planning to add more modules related to Docker and Kubernetes in the future.

The currently available modules are:

Container breakout using mounting
Container breakout using docker.sock
Container breakout using CVE-2019-5736 exploit
Scan for Kubernetes cluster known CVEs
Port scanning with focus on Kubernetes services
Kubernetes service scan from within the container
Light kubeletctl containing the following options:
- Scan for containers with RCE
- Scan for Pods and containers
- Scan for tokens from all available containers
- Run command with multiple options

Changelog v0.1.3

Update Docker server usage (#4 @aviadhahami)
Fix bug with marshling: “Failed to print unexpected end of JSON input” (#5)
Adding golang version pre-reqs from traefik/yaegi (#7 by @elreydetoda)
Add colors to the vulnerability scan module (#9)
New modules and new modifications (#8 by @yanivyakobovich)):
- cGroup Breakout module (JSON and source code).
- Kernel Module Breakout module (JSON and source code).
- Deepce module (JSON and source code).
- Vulnerability test module (JSON and source code).
- CODE_OF_CONDUCT.md
- Option to add sh/bash modules as source code modules.
Adding features to kernel escape module and shellscript loading (#10)
Bugfix (exec.go) and kernel module improvement (#11 )
Remove log.Fatal from CVE scanner module