
Module Mechanism

yanivyakobovich edited this page Jan 17, 2022 · 1 revision

Kubesploit supports sh, Bash, and Go modules. sh and Bash source files are executed with the corresponding shell binary; Go modules are executed with YAEGI, an open-source Go interpreter.

Each module consists of a source file and a JSON file. You can think of the JSON file as the module's metadata: the server parses it, resolves the options into the commands to run, sends the result to the agent, and the agent executes it. Let's dig into some examples that explain the JSON file. The first example is the JSON file of a Go module:

{
  "base": {
    "name": "ContainerBreakoutMounting",
    "type": "standard",
    "author": ["Eviatar Gerzi (@g3rzi)"],
    "credits": [],
    "path": ["linux", "go", "mountContainerBreakout.json"],
    "platform": "linux",
    "arch": "x64",
    "lang": "Go",
    "privilege": false,
    "GoInterpreter": true,
    "GoInterpreterProgress": false,
    "notes": "",
    "remote": "",
    "local": [],
    "options": [
      {"name": "Device", "value": "none", "required": false, "flag": "", "description": "Use known device name (i.e \"/dev/sda1\", \"/dev/xvda1\")"},
      {"name": "UseBruteforce", "value": "false", "required": false, "flag": "", "description": "Use the \"true\" value to use brute force on known devices: \"/dev/sda1\" and \"/dev/xvda1\")"},
      {"name": "DeviceType", "value": "ext4", "required": false, "flag": "", "description": "Searching by device type. The default is \"ext4\", and to disable, set an empty string \"\"."}
    ],
    "description": "Break out from the container to the host using mounting. It will create a mounted host folder named /mnt<number>",
    "commands": [
      "data/modules/go/mountBreakout/main.go",
      "mainfunc(\"{{Device}}\", \"{{UseBruteforce}}\", \"{{DeviceType}}\")"
    ]
  }
}

Important info:

  • GoInterpreter: when set to true, it tells the agent to run the module with YAEGI, and tells the server to replace the source-code path with the source code itself, which is then sent to the agent
  • GoInterpreterProgress:
  • options: these are the parameters of the module
    • name: the name of the parameter; in this JSON file, for example, Device is the name of a parameter
    • value: the value that will be substituted for the parameter name
    • required: whether the parameter is mandatory
    • description: the description of the parameter
  • commands: these are the commands that will run on the agent
    • The first command is always the path to the module's source code
    • The second command in Go modules is the function name (our convention is mainfunc) with the names of the relevant parameters. Each parameter name must follow the placeholder convention shown in the example; Device, for instance, is written as "{{Device}}". Kubesploit has a mechanism that replaces the parameter name with its value, so the user can set any value they wish.

Now let's dig into an sh/bash module's JSON file.

{
  "base": {
    "name": "kernelModuleBreakout",
    "type": "standard",
    "author": ["Yaniv Yakobovich"],
    "credits": ["Nishant Sharma - https://blog.pentesteracademy.com/abusing-sys-module-capability-to-perform-docker-container-breakout-cf5c29956edd , @willrushi - https://github.com/stealthcopter/deepce, "],
    "path": ["linux", "shell", "kernelModuleBreakout.json"],
    "platform": "linux",
    "arch": "x64",
    "lang": "Shell",
    "privilege": false,
    "GoInterpreter": false,
    "GoInterpreterProgress": false,
    "LoadScriptFromPath": true,
    "notes": "Commands are run with /bin/bash -c . Use quotes if you want to run multiple commands or shell features such as redirection or pipeline",
    "remote": "",
    "local": [],
    "options": [
      {"name": "ip", "value": "127.0.0.1", "required": true, "flag": "", "description": "ip for the reverse shell"},
      {"name": "port", "value": "8000", "required": true, "flag": "", "description": "port for the reverse shell"}
    ],
    "description": "Abusing SYS_MODULE Capability to create a reverse shell with the host",
    "commands": [
      "data/modules/sourcecode/sh/kernelModuleBreakout/kernelModuleBreakout.sh",
      "sh",
      "-c",
      "\"{{ip}} {{port}}\""
    ]
  }
}

Important info:

  • LoadScriptFromPath: when set to true, it tells the server to replace the source-code path with the source code itself, which is then sent to the agent

  • options: same as in the Go module's JSON

  • commands: these are the commands that will run on the agent

    • The first command is always the path to the module's source code
    • The next commands are sh/bash and -c
    • The last command holds the parameters between \" and \", and each parameter name is enclosed in double curly brackets: {{parameter name}}

    Another reminder: Kubesploit has a mechanism that replaces the parameter name with its value, so the user can set any value they wish for the parameter.
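To make the mechanism concrete, here is an added example, not part of the Kubesploit code base, that shows in Go how a minimal loader for the module JSON described above could work. It serves both the Go-module and the sh/bash-module descriptions: it parses the "base" object, merges user-set values over the option defaults, checks that every required option has a value and that every {{name}} placeholder in the commands names a declared option, swaps the first command for the source text when GoInterpreter or LoadScriptFromPath is true, and substitutes the placeholders. The module JSON, the source path and the file contents are constructed for the example, and the type and function names (ParseModule, Validate, RenderCommands) are my own, not Kubesploit's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Option mirrors one entry of the module's "options" array.
type Option struct {
	Name        string `json:"name"`
	Value       string `json:"value"`
	Required    bool   `json:"required"`
	Description string `json:"description"`
}

// Base holds the fields of the "base" object that this loader needs;
// fields it does not model (path, platform, arch, ...) are ignored by Unmarshal.
type Base struct {
	Name               string   `json:"name"`
	Lang               string   `json:"lang"`
	GoInterpreter      bool     `json:"GoInterpreter"`
	LoadScriptFromPath bool     `json:"LoadScriptFromPath"`
	Options            []Option `json:"options"`
	Commands           []string `json:"commands"`
}

// Module is the top-level object of a module JSON file.
type Module struct {
	Base Base `json:"base"`
}

// sampleModule is a constructed, trimmed-down module JSON in the page's format.
// "port" is required but has an empty default, so the user must set it.
const sampleModule = `{
  "base": {
    "name": "exampleShellModule",
    "lang": "Shell",
    "GoInterpreter": false,
    "LoadScriptFromPath": true,
    "options": [
      {"name": "ip", "value": "127.0.0.1", "required": true, "description": "ip for the reverse shell"},
      {"name": "port", "value": "", "required": true, "description": "port for the reverse shell"}
    ],
    "commands": [
      "data/modules/sourcecode/sh/example/example.sh",
      "sh",
      "-c",
      "\"{{ip}} {{port}}\""
    ]
  }
}`

// sourceFiles stands in for the server's filesystem (constructed content).
var sourceFiles = map[string]string{
	"data/modules/sourcecode/sh/example/example.sh": "#!/bin/sh\necho \"target $1:$2\"\n",
}

// placeholder matches {{name}} in a command string.
var placeholder = regexp.MustCompile(`\{\{([^{}]+)\}\}`)

// ParseModule decodes a module JSON file and checks the commands list exists.
func ParseModule(raw string) (*Module, error) {
	var m Module
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return nil, fmt.Errorf("module JSON: %w", err)
	}
	if len(m.Base.Commands) == 0 {
		return nil, fmt.Errorf("module %q: commands must start with the source path", m.Base.Name)
	}
	return &m, nil
}

// optionValues merges user-set overrides over the JSON defaults and rejects
// overrides for options the module does not declare.
func optionValues(m *Module, overrides map[string]string) (map[string]string, error) {
	values := make(map[string]string, len(m.Base.Options))
	for _, o := range m.Base.Options {
		values[o.Name] = o.Value
	}
	for k, v := range overrides {
		if _, ok := values[k]; !ok {
			return nil, fmt.Errorf("module %q: unknown option %q", m.Base.Name, k)
		}
		values[k] = v
	}
	return values, nil
}

// Validate checks that every required option has a value and that every
// {{name}} placeholder in the commands refers to a declared option.
func Validate(m *Module, overrides map[string]string) error {
	values, err := optionValues(m, overrides)
	if err != nil {
		return err
	}
	for _, o := range m.Base.Options {
		if o.Required && values[o.Name] == "" {
			return fmt.Errorf("module %q: required option %q has no value", m.Base.Name, o.Name)
		}
	}
	for _, cmd := range m.Base.Commands[1:] {
		for _, match := range placeholder.FindAllStringSubmatch(cmd, -1) {
			if _, ok := values[match[1]]; !ok {
				return fmt.Errorf("module %q: placeholder {{%s}} has no matching option", m.Base.Name, match[1])
			}
		}
	}
	return nil
}

// RenderCommands produces the command list the agent receives: the first entry
// is swapped for the source text when the module asks for it, and every {{name}}
// in the remaining entries is replaced by the option's value.
func RenderCommands(m *Module, overrides map[string]string, files map[string]string) ([]string, error) {
	if err := Validate(m, overrides); err != nil {
		return nil, err
	}
	values, _ := optionValues(m, overrides) // already validated above
	out := make([]string, len(m.Base.Commands))
	copy(out, m.Base.Commands)
	if m.Base.GoInterpreter || m.Base.LoadScriptFromPath {
		src, ok := files[out[0]]
		if !ok {
			return nil, fmt.Errorf("module %q: source file %q not found", m.Base.Name, out[0])
		}
		out[0] = src
	}
	for i := 1; i < len(out); i++ {
		out[i] = placeholder.ReplaceAllStringFunc(out[i], func(p string) string {
			return values[placeholder.FindStringSubmatch(p)[1]]
		})
	}
	return out, nil
}

func main() {
	m, err := ParseModule(sampleModule)
	if err != nil {
		fmt.Println(err)
		return
	}
	// With defaults only, the empty required "port" is rejected.
	fmt.Println("defaults:", Validate(m, nil))
	cmds, err := RenderCommands(m, map[string]string{"port": "8000"}, sourceFiles)
	if err != nil {
		fmt.Println(err)
		return
	}
	for i, c := range cmds {
		fmt.Printf("commands[%d] = %q\n", i, strings.TrimSpace(c))
	}
}
```

Running it rejects the defaults (port is required but empty), then renders the four commands with the script text in place of the path and `"127.0.0.1 8000"` as the last entry. Rejecting unknown option names and undeclared placeholders up front is the check that keeps a typo in a JSON file from silently sending a literal `{{name}}` to the agent.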

Here is the tree of the data folder. The JSON files are under Linux, grouped by interpreter, and the source files are under sourcecode.

├── Linux
│   ├── go
│   │   ├── clusterCVEScan.json
│   │   ├── cve2019_5736.json
│   │   ├── dockerBreakout.json
│   │   ├── kubeletAttack.json
│   │   ├── mountContainerBreakout.json
│   │   ├── portScan.json
│   │   ├── servicesScan.json
│   │   ├── var-log-escape.json
│   │   └── vulnerabilityTest.json
│   └── x64
│       ├── Bash
│       │   └── exec
│       │       └── bash.json
│       └── sh
│           ├── cGroupBreakout.json
│           ├── deepce.json
│           └── kernelModuleBreakout.json
├── README.MD
├── sourcecode
│   ├── go
│   │   ├── CVE-2019-5736
│   │   │   └── main.go
│   │   ├── dockerSockBreakout
│   │   │   └── main.go
│   │   ├── kubelet
│   │   │   └── main.go
│   │   ├── mountBreakout
│   │   │   └── main.go
│   │   ├── mountBreakoutWithBlkid
│   │   │   └── main.go
│   │   ├── scan
│   │   │   ├── clusterCVEs
│   │   │   │   └── main.go
│   │   │   ├── portScan
│   │   │   │   └── main.go
│   │   │   └── services
│   │   │       └── main.go
│   │   ├── var-log-escape
│   │   │   └── main.go
│   │   └── vulnerabilityTest
│   │       └── main.go
│   └── sh
│       ├── cGroupBreakout
│       │   └── cGroupBreakout.sh
│       ├── deepce
│       │   └── deepce.sh
│       └── kernelModuleBreakout
│           └── kernelModuleBreakout.sh
└── templates
    ├── base.json
    └── powershell.json