TryHackMe | Frank and Herby Try Again…. Writeup

Introduction

Today I will be walking you through how I completed a recently added CTF on TryHackMe. This one is called “Frank and Herby Try Again….” (LINK). This is a continuation of another CTF from a while back, called “Frank and Herby Make an App” which I also made a writeup for. That first CTF involved exploiting a kubernetes misconfiguration in order to escalate privileges and read the root flag after gaining initial access. This second CTF is similar, in that you will need to exploit one vulnerability to gain your initial access, and then exploit a kubernetes misconfiguration to elevate privileges and read both the user and root flag. Lets get started.

Scans and Enumeration

Starting with nmap, we see that there are 7 ports open on the target, with most being related to kubernetes.

nmap output

Reading the nmap output, we see that many of the ports are HTTP or HTTPS, so lets try visiting them to see what we can find. Visiting port 30679, we see a website that is making very obvious hints to PHP and kubectl. You may remember the kubectl tool from the first Frank and Herby CTF if you have completed it. Essentially, kubectl is a command line tool which allows you to control kubernetes clusters. So we’ll take note of the hints we’re getting here. From here, I researched more about how to enumerate and exploit kubernetes clusters (LINK). With the knowledge that port an exposed port 10255 can allow unauthenticated users to read sensitive configuration info from the kubernetes API, we can visit http://<target IP>:10255/pods in our browser. This allows us to see a whole bunch of information pertaining to the kubernetes cluster, including pod names and configuration information.

Kubernetes cluster configuration information

As we continue looking through the configuration information, one of the containers has an interesting image name, “vulhub/php:8.1-backdoor”. That definitely sounds interesting, so let’s head over to google and see what we information we can find about a PHP 8.1 backdoor. Sure enough, this great github post by flast101 details a whole story of how PHP 8.1-dev was compromised with a backdoor that is extremely easy to exploit, and also provides a couple python scripts to exploit the vulnerability. Long story short, this vulnerability is exploited by an attacker when they modify the User-Agent parameter in an HTTP request to include a specific prefix (“zerodiumsystem”), followed by a command to execute. This will then cause the target to run the supplied command and return the output to the attacker. The python code snippet below shows how the reverse shell script from flast101 constructs the HTTP request to spawn a reverse shell on the target.

Code snippet from flast101’s python exploit. Note the “User-Agentt” field containing the “zerodiumsystem” prefix, followed by the payload.

Exploitation

The actual exploitation of this vulnerability is trivial considering the python scripts available. All we need to do is supply the URL that we want to attack, which is http://<targetIP&gt;:30679 in our case. Before actually firing off the exploit, I started up a pwncat listener. I initially used a netcat listener, but that didn’t work for reasons that I will mention later. Once we have our shell, we can enumerate around to see what we’re able to find, but there really isn’t much.

Privilege Escalation

After not finding any obvious privilege escalation routes, I researched how kubernetes misconfigurations could be exploited to escalate privileges and came across a tweet by Duffie Cooley (LINK). Basically, what’s happening here is that the command is creating a docker container which is mounted to the host operating system’s PID 1, which is the init process in Linux. Doing this will allow us to the spawn a shell (/bin/bash). The command also specifies that the container will be granted privileged access, meaning we will have root access in our bash shell. But first, we will need to get the kubectl tool onto the target, as it isn’t installed for us already. This is where pwncat becomes handy. Pwncat will actually allow for the easy upload of files from your machine to the target. All you have to do is use the upload command in the pwncat shell and specify which file it is that you want to upload. Once kubectl is uploaded, run the command from the previous link, and you’ll have root access on the host machine. Now you can read both the user and root flags.

Root access!

Conclusion and Takeaways

I felt that this CTF was really well put together and useful for teaching kubernetes hacking. I learned more about some of the common ports used in kubernetes deployments, the possible vulnerabilities associated with those ports, and some of the mitigations to prevent the possibility of privileged containers being mounted to the host OS and spawned.

In order to prevent the exploitation of the privilege escalation vulnerability that we exploited, administrators of systems using kubernetes should use the PodSecurityPolicy admission controller to prevent containers from running with root access and ensure that the container’s root filesystem remains read-only. More information on these mitigations, and many other best practices pertaining to the use of kubernetes admission controllers can be found HERE.

I hope you enjoyed this writeup and got some value from it, and I hope you come back to read some more writeups/blog posts in the future as well. Feel free to share this post and other posts from my blog if you think others would also like it. Thank you!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: