►
From YouTube: Capture the Flag Wrap Up & Summary, Andrew Martin, Control Plane & Magno Logan, Trend Micro
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Capture the Flag Wrap Up & Summary, Andrew Martin, Control Plane & Magno Logan, Trend Micro
A
A
So
let's
explain
why
that
was
and
what
has
happened.
Hopefully,
my
screen
should
be
sharing.
We
shall
see
okay,
so
yes,
we
we
had
a
ctf
today,
hello
and
welcome
thanks
for
your
attendance,
and
hopefully
this
will
leave
you
mildly
entertained.
So
what
were
we
doing
today?
Today
was
a
day
of
ambition.
A
Okay,
so
today
was
hopefully
an
exercise
in
preparing
for
the
unexpected
thinking
a
little
bit
outside
of
the
box
and
an
encouragement
that
nothing
is
entirely
secure
and
we
should
we
should
pay
attention
to
these
things,
so
we
are
in
the
uk
time
zone
on
this
end.
So
please
bear
with
us.
It's
been
five
o'clock
for
quite
some
time.
A
So
there
are
many
places
to
look
for
vulnerable
clusters,
but
we
believe
the
only
way
to
up
skill
people
is
to
give
them
a
safe
place
to
practice
in
so,
instead
of
going
on
cluster
safari,
we
prefer
to
run
ctf-based
training
but
capture.
The
flags
can
often
be
daunting.
Big
challenging
filled
with
the
kind
of
people
who
we
we
look
up
to
and
we
want
to
break
those
barriers
down
and
give
everybody
the
opportunity
to
be
involved.
A
So
we
hope
there's
been
a
strong
first
user
experience,
there's
attentive
moderators
in
the
channels
and
teaching
assistants
and
yeah.
We
just
want
to
give
people
a
boost
on
their
cloud
native
journey,
so
spoiler
alert.
If
anybody
is
still
playing
your
time
is
up
and
we
will
not
be
validating
any
flags
after
this
point.
So
let's
go
through
the
scenarios
and
find
all
the
flags
now
excuse
me,
while
I
shuffle
my.
A
A
A
A
A
A
Let's
have
a
look
around
well.
This
is
what
we
expect
right.
We've
got
a
process
namespace,
so
we
can
only
see
the
processes
that
we
have
available
to
us.
What
else
might
we
do?
We
might
have
a
look
around
and
see
what
else
is
mounted.
This
is
kind
of
noisy
there's
not
really
much
here.
That's
that's
useful.
There
are
a
few
things
anytime.
A
We
see
a
docker,
or
perhaps
one
of
these
mounts
they
could
be
interesting,
so
df
the
disk
free
tool
is
a
little
bit
of
a
quicker
way
to
get
a
view
on
this.
In
my
opinion,
and
of
course
we
see
a
service
account
there,
service
accounts
are
juicy
and
we
are
people
that
love
messing
around
with
service
accounts.
A
On
this
occasion,
though,
this
was
not
a
service
account
based
challenge
and
okay.
So
we've
had
a
look.
What's
running.
Sorry,
we've
had
a
look
what's
mounted
within
the
container
there's
a
lot
here,
but
some
of
the
things,
notably
a
device
from
the
host
other
stuff
that
doesn't
look
like
it's
inside
the
container.
A
Okay.
But
enough
of
this
there's
a
lot
of
noise
here
we
want
to
get
some
signal,
let's
think
about
what
we
can
do
with
the
service
counts
right,
so
we
can
see
that
dev
is
here.
So
what
does
this
mean?
So
docker
will
mount
in
etsy
hosts
using
the
mount
point
from
the
host
that
it's
on.
So
wherever
you
store
your
container
images,
those
read
write
layers,
that's
where
this
is
so
already.
The
abstraction
has
leaked
with
the
file
system.
Here.
A
What
do
we
do
next
then?
Well,
I
guess
it's
probably
worth
checking
our
privilege.
Now
there
is
a
canonical
way
of
doing
this,
which
is
jesse
frazil's
am
I
contained,
of
course
it's
not
doing
anything
magic.
It's
checking
states
and
files
that
are
available
to
us
inside
a
container,
but
it
makes
it
very
easy
for
us
to
do
and
gives
us
a
unified
view.
So
let's
try
and
do
that.
A
One
thing
to
bear
in
mind
is
that
we
are
roots,
and
that
means
that
we
have
the
ability
to
run
package
manager
commands.
We
need
to
be
able
to
write
to
any
location
on
the
file
system,
so
we
have
to
be
root
to
do
this
generally
and
yeah
there.
We
are
so
just
installed
curl,
because
without
curl,
I'm
gonna
have
trouble
pulling
in
stuff
from
remote
endpoints,
although
of
course
any
programming
language
is
an
interpreter
and
most
can
be
used
to
replicate
curl
in
some
way.
A
So,
let's
pull
am
I
contained
from
github
chamod
it
and
run
it
happy
days?
Okay,
so
we've
got
some
stuff
here.
What
does
this
say
we're
in
kubernetes?
Does
it
have
namespaces
pid
namespace
generally?
That
is
always
true
anyway.
Username
space
is
generally
always
false,
because
username
spaces
are
not
enabled,
I
suppose,
by
default
in
run
c
or
in
kubernetes.
A
This
is
interesting,
though,
we're
unconfined
in
app
armor.
Now,
if
we
were
running
in
docker,
that
would
always
have
a
profile
kubernetes,
of
course,
disables
this,
and
so
it's
just
reinforcing
the
fact
that
we're
in
kubernetes,
but
it
doesn't
tell
us
anything
too
drastic
this.
However,
what
is
this?
A
This
is
a
a
wide
bounding
set
of
capabilities
so
stuff
in
here
this
means
we
can
change
ownerships
override
discretionary
access
control,
which
is
basically
writing
on
other
people's
files
and
all
sorts
of
things
in
here
that
we
recognize
processes
being
killed,
raw
input
and
outputs
access
to
the
network
adapters.
This
is
pretty
likely
to
be
a
privileged
container
okay,
so
we
know
what
that
means.
A
That
means
that
actually,
what
is
in
dev
is
a
reflection
of
what's
on
the
host,
so
as
a
reminder,
the
privileged
flag,
the
most
dangerous
flag
in
the
history
of
computing,
as
I
will
off
to
repeat
disables
most
namespaces,
it
turns
off
app
armor
and
setcomp.
If
they're
enabled
it
grants
all
capabilities
and
it
mounts
all
of
the
hosts
devices
into
the
container,
this
is
a
bad
day
for
a
system
administrator.
Why?
A
Okay.
So
this
is
probably
not
what
we
were
hoping
to
see,
because
if
we
were
blue
team
because
that's
what
the
root
of
the
containers
file
system
partition
looks
like,
whereas
what
we've
mounted
in
from
the
roots,
let's
go
back
to
there,
we've
mounted
it
from
the
host
contains
extra
stuff,
and
lo
and
behold
it
contains
a
directory
called
node
secrets.
A
A
The
disadvantages
of
running
privileged
containers
are
that
they
are
equivalent
to
running
the
process
on
the
host.
There
is
essentially
no
containerization
going
on
when
we
run
privilege
and
yes
run
for
the
hills.
If
that's
the
kind
of
thing
you
are
trying
to
defend,
because
it's
more
or
less
indefensible,
okay,
that
was
the
first
one.
A
Okay,
let's
spend
a
bit
more
time,
looking
at
what's
happening
here,
so
we're
in
the
attack
container
and
escalate
and
cover
secret
sre
has
deployed
a
postgres
demon
set
and
a
new
pod
for
monitoring
the
processes
in
your
cluster
following
a
routine
audit
of
an
application,
it
is
believed
that
the
deployment
setup
allows
a
compromised
process.
Audit
pod
container
a
mouthful
to
escalate
its
attack
to
other
containers
on
the
host.
A
This
doesn't
sound
like
it
makes
sense,
there's
obviously
something
a
little
bit
askew
here,
okay,
so
the
the
question,
then,
is
verify
this
by
uncovering
both
the
postgres
database
password
and
the
secret
key.
We
will
start
in
the
process:
audit,
pod,
okay.
So,
first
of
all,
we
know
that
it's
possible
to
provision
secrets
via
environment
variables.
A
So
I
mean
the
first
place
to
start
here,
then,
is
probably
just
looking
at
the
environment.
Let's
just
see
what
is
in
here:
okay,
well,
there's,
actually
nothing
particularly
juicy
in
here
and
because
we
know
I'll
just
go
up
and
because
we
know
that
the
the
flag
has
a
specific
format.
At
this
point,
we
can
use
that
string
to
to
just
grab
through
the
end.
A
We
haven't
missed
anything,
there's,
nothing
there,
okay,
so
we're
supposed
to
be,
let's
just
remind
ourselves,
this
audit,
this
process,
audit,
pod
and
we're
looking
to
understand
what
the
database
adjacent
to
us
is
doing.
So,
let's
just
see
what
we've
got
running.
Okay,
this
is
a
red
flag
for
a
catalonian
festival.
A
Excuse
me
it's
further
than
I
thought
the
process
table
here
for
the
container,
which
is
isolated
to
itself,
we're
only
seeing
a
very
small
number
of
processors,
and
notably,
we
see
pid
1,
which
is
not
systemd
or
an
init
system.
It's
just
a
sleep
command,
so
that's
what
we
would
expect
to
see,
but
actually
we
can
see
all
sorts
of
things
we
can
see
stuff
on
the
host,
so
this
is
again
a
remarkably
bad
day.
A
The
question
here,
though,
is
not
how
we
we
take
over
the
hosts,
although
from
from
here
it's
not
especially
difficult.
We
still
want
to
exfiltrate
those
those
crucial
bits
of
data,
the
secret
and
the
key
okay.
So
this
is
probably
how
we
traversed
containers,
because
we
shouldn't
be
able
to
see
the
process
list
as
soon
as
we
can.
Let's
list
it
in
its
fullest
extent
and
have
a
look
for
postgres
okay,
so
we
found
postgres
and
just
to
be
clear.
A
A
Okay,
so
a
foible
of
proc
is
that
everything
is.
Is
null
terminated
so
in
order
to
just
get
a
bit
of
visibility
into
what's
actually
happening
here,
let's
replace
knoll
with
just
space
this
time.
Okay,
so
we
can
see
that
it's
just
been
invoked
as
postgres
all
right.
No
problem-
that's
that's
sound
enough,
but
what
else
is
in
proc
I'll
give
you
a
clue
the
environment?
A
And
at
this
point,
even
though
that
looks
like
a
massive
junk,
let's
see
if
we've
got
there's
our
flag
so
again
using
the
flag,
ctf
grep
when
there's
a
well-known
flag
string
can
help,
because
otherwise
it's
a
kind
of
indeterminate
mess
of
of
black
and
white.
That's
a
little
bit
difficult
to
pick
things
out
of
okay,
one
down,
so
that
is,
that
is
a
flag.
A
A
A
A
A
A
A
We
should
be
cognizant
and,
of
course
everything
should
be
threat
modeled,
and
then
we
can
balance
the
impact
of
that
thing
actually
being
breached
or
negatively
affected
or
or
exfiltrated,
with
the
benefit
that
we
get
from
using
it
in
the
way
that
it's
intended.
Okay
on
we
go
and
we're
into
a
ci
server,
vulnerability.
A
Right,
so
what
are
we
doing
here?
We're
pen
testing
a
cluster.
We
found
the
vulnerability.
The
pod
is
part
of
the
build
infrastructure.
As
we
know,
build
infrastructure
is
a
juicy
target
supply
chain.
Security
is
a
a
particular
interest
of
of
of
security
and
the
cloud
native
security
day
of
which
we
are
apart
and
so
build
infrastructure.
Yeah,
that's!
Okay!
That's
of
interest
to
me
all
right
what's
happening,
then
we're
concerned
that
a
compromise
may
lead
to
leaked
secrets.
A
Okay,
so
we
want
to
extract
the
secret
key
and
look
suspiciously
like
we
are
in
a
jenkins,
flavored,
pod,
okay,
so
so
again,
we
kind
of
just
want
to
do
a
bit
of
recon.
Let's
just
figure
out.
What's
what's
going
on,
process
table
is
okay,
the
amount
name
space
so
again,
there's
a
couple
of
things
here
that
jump
straight
out.
One
is
the
service
count.
A
A
A
socket
is
an
inter-process
communication
mechanism,
amongst
other
things,
and
in
this
case
it
means
that
we
can
probably
talk
to
the
docker
demon
whose
socket
is
mounted
into
the
pod,
which
we're
probably
safe
to
assume
belongs
to
the
jenkins
host.
Now,
at
this
point,
we
would
hope
the
docker
is
installed.
A
A
So
let's
just
pull
the
official
docker
installer,
maybe
we'll
we'll
free
ourselves
from
bugs
in
docker
itself,
although
those
days
are
much
further
behind
us,
but
it's
nice
to
be
on
the
latest
version.
Isn't
it
even
if
we're
going
to
break
stuff?
Let's
do
it
with
correct
operator
practices
all
right
so
we're
installing
the
docker
client
in
the
expectation
that
we
can
use
it
to
abuse
the
docker
socket.
We
could
just
send
restful
commands
over
the
docker
socket,
but
it's
a
bit
more
long-winded
and
right.
A
A
A
He
says
so:
let's,
let's
have
a
look
in
here.
If
we
do
a
docker
inspect,
in
fact,
we
can
do
it
more
elegantly
with
the
containers.
Sure,
okay,
again,
there's
a
lot
of
information
here
we
can
kind
of
spool
through
it,
but
because
we're
volume
hunting
and
we
or
flag
hunting.
I
suppose-
and
we
know
the
flag
again
sweet
there.
We
go,
there's
our
secret
access
key.
A
Okay,
so
what's
happened.
The
environment
of
the
container
has
specified
this
environment
variable,
so
we're
back
into
environment
variables.
Again,
not
only
do
they
leak
on
the
host
on
which
they
are
running,
but
also
they
leak
from
metadata
about
the
thing.
As
you
see
in
this
case
it
is
an
insecure
provisioning
method
because
it's
either
set
at
runtime
or
set
in
the
image
itself,
ideally
not,
of
course,
so
really.
A
Right
at
this
point,
we
had
pretty
good,
I
would
say,
turnout.
We
had.
We
had
a
lot
of
people
we'll
we'll
get
to
those
numbers
at
the
end,
but
also
a
lot
of
people
got
through
these
scenarios
and
and
at
this
point
most
people
were
still
still
with
us.
So
let's
persist.
Next,
we
have
a
non-user
compromise.
A
A
Do
we
have
anything
spare
or
extraneous
mounted
in
here
we'll
go
to
the
map
points
for
the
whole
system
we
can
install.
Am
I
contained
and
see
what
our
bounding
set
is,
but
in
the
interest
of
time
this
is
this
is
slightly
different.
So
at
this
point
we
are
attacking
things
that
are
outside
our
domain
as
sorry
outside
our
namespace,
let's
say,
and
we
have
got
the
ip
addresses
of
the
nodes.
A
A
The
cubelet
has
some
configurations
that
are
less
than
optimal.
Let's
say
such
as
the
the
read
only
port,
so
let's
just
see
if
we
can
find
anything.
Excuse
me
if
my
mouse
constantly
doing
that
in
and
around
here.
So
again
I
know
what
I
need
to
use
in
advance,
so
I
will
just
install
it.
I
don't
need
to
do
an
app
update.
A
Let's
just
see
if
we
can
access
these
host
nodes,
so
let's
go
up
in
here
and
as
a
reminder,
this
is
a
network
route
from
the
pod
onto
the
public
interface
of
the
host
and
really
there's
not
a
great
deal
of
rationale
for
for
running
like
this.
We
should
be
using
network
network
policy
and
yeah,
frankly
constraining
our
outbound
traffic
so
that
we
can't
hit
anything
at
all
start
with
the
default
deny
and
and
then
upgrade
okay.
That
was
smooth.
Let's
just
install
that
too.
A
So,
as
you
can
see
I'm
having
to
install
a
lot
of
software
as
I
go
along
that's
kind
of
standard,
there
is
generally
we
don't
ship
curl
and
that
kind
of
thing
to
production,
because
why
would
we
unless
we
needed
it
for
our
application,
but
as
an
attacker,
I
am
able
to
install
stuff
inside
the
container,
really
just
by
setting
a
non-root
user,
maybe
even
removing
the
package
manager
if
needs
be.
That
makes
for
a
much
safer
day,
let's
say
the
jq
and
curl.
If
I
installed
those,
what
did
I
get
wrong
there?
A
A
A
Happy
days
that
is
the
pod
that
we
are
looking
for.
Okay,
so
now
we
have
more
information
about
what
we're
looking
to
attack.
So
what
should
we
do
with
that?
Well,
let's
see
if
we
can
dump
the
end
of
this
this
pod,
so
the
pod
is
what
is
it
going
to
be
the
workload
pod
there
and
then,
if
you
will
just
excuse
my
copy
pasta,
one
second.
A
A
A
B
B
C
B
C
Verify
your
suspicion
by
breaking
to
the
pod
and
extract
the
value
of
user
credits,
password
right
so
and
and
your
starting
point
here,
you're
starting
on
a
visual
machine
external
to
the
cluster
right.
So
so,
how
do
you
get
access
to
to
the
cluster
to
the
pods
of
the
cluster
itself
right,
so
basic
things
here
in
the
interest
of
time.
C
B
B
C
C
Yeah
so,
as
I
was
saying
sorry
about
technical
discords
here,
so
as
I
was
saying,
we
installed
nmap
there
and
another.
One
of
the
things
that
we
can
do
is
to
run
any
map
on
this
specific
node
id
that
was
provided
to
us
for
this
challenge.
Right:
okay
and
I've
selected
a
few
ports
here,
so
the
scan
doesn't
take
forever
right.
So
specifically
for
just
the
demonstration
here,
and
we
can
see
that
there
is
a
port
open
on
on
this
higher
port
here,
three:
zero,
zero,
two
two
right.
C
So
one
of
the
things
and
it's
very
famous
on
on
on
pen,
testing
and
and
like
application
security
scenarios
is
brute
forcing
right.
So
one
of
the
attacks
that
you
can
run,
you
can
get
a
list
of
username
and
passwords
and
try
to
just
brute
force
the
system
to
guess
those
credentials
right
and
one
of
the
tools
that
you
can
use
here
or
for
brute,
forcing
at
this
the
sport
and
and
access
the
service
right.
So
I
don't
know
exactly
from
the
end
map
there.
C
C
Okay,
so
we
can
see
that
this
service
right
so
it
was
showing
on
the
first
scan,
was
showing
as
unknown
right.
So
I
run
I
added
the
flag
dash
a
here
so
to
scan
the
services
and
the
versions
as
well.
So
we
know
that
this
port
is
running
an
open,
ssh
server
there
and
and
then-
and
now
I
can
try
to
to
brute
force
it
right
passing
a
list
of
username
and
passwords
right.
So
one
of
the
tools
that
you
can
easily
do
that
is
called
hydra
and
the
way
to
install
it.
B
C
Okay,
so
I
have
right
hydra
installed
already
just
to
show
you
guys
here
and
now
what
I
need
to
run
this
brute
force
right.
I
need
a
list
of
username
and
passwords
right.
One
one
of
the
the
very
common
list
of
passwords
is
the
roku
list,
so
you
could
have
download
that
and
use
it,
but
this
server
this
this
server
here
is
not
very
protected.
So
the
the
password
is
not
the
username
and
the
password
are
not
very
hard.
C
C
C
C
B
C
You
should
copy
and
paste
here,
and
so
the
the
user's
admin
and
the
passwords
password
very,
very
easy
for
you
guys.
You
know.
Even
if
you
don't
have
like
a
tool,
you
could
try
guessing
and
access
that
okay,
so
I'm
inside
this
called
jump
box
right.
So
what
I'm
gonna
do
here
is
try
to
connect
to
the
api
server
and
make
some
requests
so
base
base.
The
the
base
request
here
that
I
can
make
is
check
the
version
of
the
the
kubernetes
api
server.
C
This
is
one
of
the
ways
to
do
that
right,
so
I
can
see
that's
running
our
version.
119.4
stuff
like
that
right,
so
just
to
wrap
up
here.
One
of
the
things
that
I
can
do
is
wha,
as
andy
mentioned
before.
There
is
some
secrets
and
tokens
inside
the
pods
right,
so
I
can
grab
that
and
and
use
to
impersonate
the
policy
talk
to
the
api
server
right.
C
So
basically,
here
what
I'm
gonna
do
is
just
create
two
variables:
the
namespace
telling
that's
located
at
var,
run
secrets,
kubernetes.io
service
account,
namespace
and
I'll.
Do
the
same
thing
for
the
token
here:
cubetoken,
okay,
almost
done
and
then
now
I
can
make
if
I
have
permissions
to
do
that,
I
can
make
a
request
to
this
namespace
and
through
via
the
api
server
and
ask
for
the
secrets,
and
since
this
is
a
misconfigured
cluster,
I
have
the
permissions
so
here
just
just
making
this
api.
C
A
Awesome,
thank
you
very
much.
Okay,
let's
zoom,
through
the
ends
of
the
slides,
there
was
one
more
scenario
which
people
didn't
quite
get
to.
So
if
you
would
like
a
go
at
that,
then
do
feel
free
to
dm
right,
let's
get
through
to
the
end.
So
this
was
this.
Was
the
control
plane
team
at
seven
o'clock
this
morning
we
are
just
about
through
the
other
end
of
it.
A
So
honorable
mentions
thank
you
to
these
individuals
for
being
with
us
through
most
of
the
journey
today,
and
we
had
a
great
time
on
dms,
it's
fair
to
say,
there's
some
really
people
show
some
real
grit
and
persistence
and
that's
what
it's
all
about
so
good
job.
Those
people
we
have
some
honorable
mentions
as
well.
A
Dilshan
mathias,
michael
matthew,
walid,
steve
mohammed
and
noel,
were
all
there
for
the
whole
journey
and
thank
you
very
much
for
your
efforts
in
parting,
the
container
defenses
various
people
enjoyed
themselves
slightly,
and
I
hope
this
has
been
a
beneficial
learning
experience.
I'm
sorry
there
was
no
cake
and
thank
you
very
much
to
the
control
plane
people
at
this
end
for
manning
everything
and
to
magno
for
all
his
assistants
and
helping
us
out
and
testing
etc.
A
This
is
a
public
service
announcement.
We
don't
run
administrative
endpoints
on
the
public
internet.
The
kubernetes
api
server
is
one
of
them.
If
you
like
what
you
saw
today,
control
plane
do
this
for
a
living
and
we'd
be
happy
to
stand
up
a
ctf
for
you.
Thank
you
very
much
for
your
attention
and
thank
you
to
everybody
who
contributed.
Today.
We
had
a
total
of
327
clusters
spun
up,
that
is
about
15
000
nodes.