1
00:00:00,240 --> 00:00:02,720
hello everybody and welcome to the

2
00:00:02,720 --> 00:00:04,319
capture the flag

3
00:00:04,319 --> 00:00:06,879
shakedown uh we will go through what has

4
00:00:06,879 --> 00:00:08,559
occurred today

5
00:00:08,559 --> 00:00:10,800
and uh we'll actually replay the

6
00:00:10,800 --> 00:00:11,759
scenarios

7
00:00:11,759 --> 00:00:15,280
and look at uh what you could have won

8
00:00:15,280 --> 00:00:17,520
now notably we didn't actually have any

9
00:00:17,520 --> 00:00:19,199
prizes today and that was uh

10
00:00:19,199 --> 00:00:22,560
intentional so let's

11
00:00:22,560 --> 00:00:25,439
explain why that was and what has

12
00:00:25,439 --> 00:00:27,119
happened

13
00:00:27,119 --> 00:00:28,960
uh hopefully my screen should be sharing

14
00:00:28,960 --> 00:00:31,519
we shall see

15
00:00:31,519 --> 00:00:34,559
okay so yes we

16
00:00:34,559 --> 00:00:38,559
we had a ctf today hello and welcome

17
00:00:38,559 --> 00:00:41,360
thanks for your attendance and hopefully

18
00:00:41,360 --> 00:00:42,559
this will leave you

19
00:00:42,559 --> 00:00:45,120
mildly entertained so what were we doing

20
00:00:45,120 --> 00:00:45,760
today

21
00:00:45,760 --> 00:00:48,160
uh today was a day of ambition we aimed

22
00:00:48,160 --> 00:00:48,800
to

23
00:00:48,800 --> 00:00:52,000
educate amuse beguile and everything in

24
00:00:52,000 --> 00:00:52,960
between

25
00:00:52,960 --> 00:00:56,480
in a safe and happy environment

26
00:00:56,480 --> 00:00:58,239
and we had the absolute pleasure of

27
00:00:58,239 --> 00:00:59,680
introducing people to

28
00:00:59,680 --> 00:01:03,359
the joys of container hacking

29
00:01:03,440 --> 00:01:06,080
scenarios are each built with a learning

30
00:01:06,080 --> 00:01:07,200
outcome in mind

31
00:01:07,200 --> 00:01:09,920
and our capable task masters also

32
00:01:09,920 --> 00:01:11,439
constructed the scenarios

33
00:01:11,439 --> 00:01:15,280
which gave us a little bit more closure

34
00:01:15,280 --> 00:01:18,400
on actually helping and

35
00:01:18,400 --> 00:01:19,600
giving hints to people as they went

36
00:01:19,600 --> 00:01:22,479
through notably absent from the list of

37
00:01:22,479 --> 00:01:25,040
goals is ranking

38
00:01:25,040 --> 00:01:27,280
uh this is because there's no official

39
00:01:27,280 --> 00:01:29,119
scores there's no prizes

40
00:01:29,119 --> 00:01:30,400
and the idea here is just to take the

41
00:01:30,400 --> 00:01:32,799
pressure off and to encourage people

42
00:01:32,799 --> 00:01:35,360
to go and hack stuff and to learn and to

43
00:01:35,360 --> 00:01:36,880
enjoy themselves

44
00:01:36,880 --> 00:01:38,880
breaking things in a safe and

45
00:01:38,880 --> 00:01:40,240
importantly legal

46
00:01:40,240 --> 00:01:42,798
environment

47
00:01:44,320 --> 00:01:45,920
although saying that if you have

48
00:01:45,920 --> 00:01:47,520
captured a flag

49
00:01:47,520 --> 00:01:50,399
or more and you'd like some some secret

50
00:01:50,399 --> 00:01:50,960
swag

51
00:01:50,960 --> 00:01:53,840
then do dm a physical address to the

52
00:01:53,840 --> 00:01:55,280
nice task master

53
00:01:55,280 --> 00:01:58,320
and they will ship you something worthy

54
00:01:58,320 --> 00:02:01,199
of your efforts

55
00:02:01,759 --> 00:02:04,799
okay so today was hopefully an exercise

56
00:02:04,799 --> 00:02:07,439
in preparing for the unexpected thinking

57
00:02:07,439 --> 00:02:09,199
a little bit outside of the box

58
00:02:09,199 --> 00:02:12,480
and uh an encouragement that uh nothing

59
00:02:12,480 --> 00:02:14,640
is entirely secure and we should we

60
00:02:14,640 --> 00:02:16,879
should pay attention to these things

61
00:02:16,879 --> 00:02:19,920
so we are in the uk time zone on this

62
00:02:19,920 --> 00:02:20,560
end so

63
00:02:20,560 --> 00:02:22,400
please bear with us um it's been five

64
00:02:22,400 --> 00:02:24,640
o'clock for quite some time

65
00:02:24,640 --> 00:02:28,080
we had six scenarios one scenario per

66
00:02:28,080 --> 00:02:28,560
talk

67
00:02:28,560 --> 00:02:30,720
so if you did the first scenario it was

68
00:02:30,720 --> 00:02:32,160
concurrently running with the first talk

69
00:02:32,160 --> 00:02:32,959
and then

70
00:02:32,959 --> 00:02:36,080
respectively throughout the day um and

71
00:02:36,080 --> 00:02:39,280
lots of talking but nefarious small and

72
00:02:39,280 --> 00:02:42,720
potentially mild vulnerabilities

73
00:02:42,720 --> 00:02:44,720
unless of course uh someone did better

74
00:02:44,720 --> 00:02:46,080
than we bargained for

75
00:02:46,080 --> 00:02:48,319
and uh the aws bill will be

76
00:02:48,319 --> 00:02:49,440
significantly higher

77
00:02:49,440 --> 00:02:53,120
than we thought so there are many places

78
00:02:53,120 --> 00:02:54,879
to look for vulnerable clusters

79
00:02:54,879 --> 00:02:56,560
but we believe the only way to up skill

80
00:02:56,560 --> 00:02:58,480
people is to give them a safe place

81
00:02:58,480 --> 00:03:01,680
to practice in so instead of going on

82
00:03:01,680 --> 00:03:04,720
uh cluster safari we prefer to run

83
00:03:04,720 --> 00:03:06,959
ctf-based training

84
00:03:06,959 --> 00:03:09,280
but capture the flags can often be

85
00:03:09,280 --> 00:03:10,000
daunting

86
00:03:10,000 --> 00:03:12,080
big challenging filled with the kind of

87
00:03:12,080 --> 00:03:13,280
people who we

88
00:03:13,280 --> 00:03:16,159
we look up to and we want to break those

89
00:03:16,159 --> 00:03:17,360
barriers down and give everybody the

90
00:03:17,360 --> 00:03:19,519
opportunity to be involved

91
00:03:19,519 --> 00:03:21,680
so we hope there's been a strong first

92
00:03:21,680 --> 00:03:23,040
user experience

93
00:03:23,040 --> 00:03:26,799
um there's attentive moderators in the

94
00:03:26,799 --> 00:03:27,680
channels

95
00:03:27,680 --> 00:03:30,400
and teaching assistants and uh yeah we

96
00:03:30,400 --> 00:03:31,680
just want to give people a boost on

97
00:03:31,680 --> 00:03:32,080
their

98
00:03:32,080 --> 00:03:35,360
cloud native journey so uh

99
00:03:35,360 --> 00:03:37,360
spoiler alert um if anybody is still

100
00:03:37,360 --> 00:03:38,879
playing your time is up

101
00:03:38,879 --> 00:03:42,239
and we will uh not be

102
00:03:42,239 --> 00:03:44,720
validating any flags after this point uh

103
00:03:44,720 --> 00:03:46,319
so let's go through the scenarios and

104
00:03:46,319 --> 00:03:46,799
find

105
00:03:46,799 --> 00:03:49,920
all the flags now

106
00:03:49,920 --> 00:04:01,839
um excuse me while i shuffle my screens

107
00:04:06,000 --> 00:04:09,040
okay so the first scenario

108
00:04:09,040 --> 00:04:12,400
um was uh called node

109
00:04:12,400 --> 00:04:15,920
secret breach so

110
00:04:15,920 --> 00:04:19,358
back to the screen share hopefully

111
00:04:22,240 --> 00:04:26,000
okay so uh what happened

112
00:04:26,000 --> 00:04:30,400
here well first of all

113
00:04:30,400 --> 00:04:32,160
we start we're starting as the root user

114
00:04:32,160 --> 00:04:33,759
and this is uh

115
00:04:33,759 --> 00:04:36,800
this is mixed of course root has a

116
00:04:36,800 --> 00:04:38,479
special set of privileges

117
00:04:38,479 --> 00:04:41,120
in linux the root user is a specific and

118
00:04:41,120 --> 00:04:42,800
special user

119
00:04:42,800 --> 00:04:45,440
that means it has capabilities and those

120
00:04:45,440 --> 00:04:46,320
capabilities

121
00:04:46,320 --> 00:04:49,520
may include things like changing other

122
00:04:49,520 --> 00:04:50,800
people's files

123
00:04:50,800 --> 00:04:54,400
or opening a network adapter in

124
00:04:54,400 --> 00:04:57,199
a low level mode so we can just either

125
00:04:57,199 --> 00:04:57,600
send

126
00:04:57,600 --> 00:05:00,000
custom packets or turn it set it into a

127
00:05:00,000 --> 00:05:01,360
different mode so we can sniff stuff on

128
00:05:01,360 --> 00:05:03,280
the network

129
00:05:03,280 --> 00:05:04,880
these are not things we'd want an

130
00:05:04,880 --> 00:05:06,639
average user to do

131
00:05:06,639 --> 00:05:08,320
and so the distinction of running in a

132
00:05:08,320 --> 00:05:10,800
container without user namespaces

133
00:05:10,800 --> 00:05:14,800
is important at this point so

134
00:05:14,800 --> 00:05:18,160
let's see what else is in this container

135
00:05:18,160 --> 00:05:19,280
let's have a look around well this is

136
00:05:19,280 --> 00:05:21,039
what we expect right we've got a process

137
00:05:21,039 --> 00:05:22,400
namespace so we can only see the

138
00:05:22,400 --> 00:05:23,199
processes

139
00:05:23,199 --> 00:05:26,400
that we have available to us

140
00:05:26,400 --> 00:05:28,160
what else might we do we might have a

141
00:05:28,160 --> 00:05:30,880
look around and see what else is mounted

142
00:05:30,880 --> 00:05:33,440
um this is kind of noisy there's not

143
00:05:33,440 --> 00:05:34,560
really much here that's

144
00:05:34,560 --> 00:05:36,639
that's useful there are a few things

145
00:05:36,639 --> 00:05:39,120
anytime we see

146
00:05:39,120 --> 00:05:42,320
a docker uh or perhaps one of these

147
00:05:42,320 --> 00:05:43,280
mounts

148
00:05:43,280 --> 00:05:46,240
they could be interesting so uh df the

149
00:05:46,240 --> 00:05:47,120
disk free tool

150
00:05:47,120 --> 00:05:48,720
is a little bit of a quicker way to get

151
00:05:48,720 --> 00:05:51,280
a view on this in my opinion

152
00:05:51,280 --> 00:05:54,720
and of course we see a service account

153
00:05:54,720 --> 00:05:55,440
there

154
00:05:55,440 --> 00:05:58,720
service accounts are juicy and uh

155
00:05:58,720 --> 00:06:00,880
we are people that love messing around

156
00:06:00,880 --> 00:06:02,479
with service accounts

157
00:06:02,479 --> 00:06:04,319
on this occasion though um this was not

158
00:06:04,319 --> 00:06:06,639
a service account based challenge

159
00:06:06,639 --> 00:06:10,080
and uh okay so we've had a look what's

160
00:06:10,080 --> 00:06:11,039
running

161
00:06:11,039 --> 00:06:12,800
uh sorry we've had a look what's mounted

162
00:06:12,800 --> 00:06:14,800
within the container

163
00:06:14,800 --> 00:06:17,840
um there's a lot here but some of the

164
00:06:17,840 --> 00:06:18,560
things

165
00:06:18,560 --> 00:06:22,319
notably a device from the host

166
00:06:22,319 --> 00:06:23,759
other stuff that doesn't look like it's

167
00:06:23,759 --> 00:06:25,520
inside the container well

168
00:06:25,520 --> 00:06:28,560
that's because containers are wonderful

169
00:06:28,560 --> 00:06:30,720
but they're not a perfect abstraction

170
00:06:30,720 --> 00:06:32,880
and that concretely means that

171
00:06:32,880 --> 00:06:35,680
container runtimes have to put effort in

172
00:06:35,680 --> 00:06:37,440
to hide certain things from us

173
00:06:37,440 --> 00:06:40,080
and those things may include parts of

174
00:06:40,080 --> 00:06:41,520
the proc file system

175
00:06:41,520 --> 00:06:44,160
bits of sys the way that we interact

176
00:06:44,160 --> 00:06:44,560
with

177
00:06:44,560 --> 00:06:47,600
the process table and also the way that

178
00:06:47,600 --> 00:06:48,639
things are mounted

179
00:06:48,639 --> 00:06:51,759
in so uh okay

180
00:06:51,759 --> 00:06:55,280
um containers are a child of evolution

181
00:06:55,280 --> 00:06:58,000
um rather than intelligent design and

182
00:06:58,000 --> 00:06:59,919
like everything else on the internet our

183
00:06:59,919 --> 00:07:02,319
gaffer taped together uh no disrespect to

184
00:07:02,319 --> 00:07:03,680
people who've done an excellent job

185
00:07:03,680 --> 00:07:05,759
making them available to us

186
00:07:05,759 --> 00:07:07,599
um okay but enough of this there's a lot

187
00:07:07,599 --> 00:07:09,840
of noise here we want to get some signal

188
00:07:09,840 --> 00:07:11,520
uh let's think about what we can do with

189
00:07:11,520 --> 00:07:14,319
the service accounts

190
00:07:14,319 --> 00:07:17,520
right so we can see that

191
00:07:17,520 --> 00:07:20,720
dev is here so what does this mean so

192
00:07:20,720 --> 00:07:21,919
docker will mount in

193
00:07:21,919 --> 00:07:26,319
/etc/hosts using the

194
00:07:26,319 --> 00:07:28,319
mount point from the host that it's on

195
00:07:28,319 --> 00:07:29,680
so wherever you store your container

196
00:07:29,680 --> 00:07:31,360
images those read write layers

197
00:07:31,360 --> 00:07:34,400
that's where this is so already the

198
00:07:34,400 --> 00:07:35,199
abstraction has

199
00:07:35,199 --> 00:07:39,360
leaked with the file system here

200
00:07:39,440 --> 00:07:42,880
what do we do next then well

201
00:07:43,039 --> 00:07:44,960
i guess it's probably worth uh checking

202
00:07:44,960 --> 00:07:46,080
our privilege

203
00:07:46,080 --> 00:07:48,319
now there is a canonical way of doing

204
00:07:48,319 --> 00:07:49,120
this

205
00:07:49,120 --> 00:07:50,560
uh which is jessie frazelle's amicontained

206
00:07:50,560 --> 00:07:52,479
contained of course

207
00:07:52,479 --> 00:07:53,919
it's not doing anything magic it's

208
00:07:53,919 --> 00:07:55,599
checking

209
00:07:55,599 --> 00:07:58,160
states and files that are available to

210
00:07:58,160 --> 00:07:59,039
us

211
00:07:59,039 --> 00:08:01,520
inside a container but it makes it very

212
00:08:01,520 --> 00:08:03,039
easy for us to do and gives us a unified

213
00:08:03,039 --> 00:08:04,000
view so

214
00:08:04,000 --> 00:08:07,599
let's try and do that one thing to bear

215
00:08:07,599 --> 00:08:08,080
in mind

216
00:08:08,080 --> 00:08:11,120
is that we are root and that means that

217
00:08:11,120 --> 00:08:12,319
we have the ability

218
00:08:12,319 --> 00:08:15,599
to run package manager commands we need

219
00:08:15,599 --> 00:08:17,360
to be able to write to any location on

220
00:08:17,360 --> 00:08:18,960
the file system so we have to be root to

221
00:08:18,960 --> 00:08:20,080
do this

222
00:08:20,080 --> 00:08:23,280
generally and uh yeah there we are so

223
00:08:23,280 --> 00:08:26,400
just installed curl because without curl

224
00:08:26,400 --> 00:08:27,680
i'm gonna have trouble

225
00:08:27,680 --> 00:08:30,160
pulling in stuff from remote endpoints

226
00:08:30,160 --> 00:08:31,360
although of course

227
00:08:31,360 --> 00:08:32,640
any programming language is an

228
00:08:32,640 --> 00:08:34,640
interpreter and most can be used to

229
00:08:34,640 --> 00:08:36,799
replicate curl in some way

230
00:08:36,799 --> 00:08:41,039
so let's pull amicontained from github

231
00:08:41,039 --> 00:08:44,159
chmod it and run it

232
00:08:44,159 --> 00:08:46,240
happy days okay so we've got some stuff

233
00:08:46,240 --> 00:08:47,600
here what does this say

234
00:08:47,600 --> 00:08:49,839
uh we're in kubernetes does it have

235
00:08:49,839 --> 00:08:51,839
namespaces pid namespace

236
00:08:51,839 --> 00:08:53,680
generally that is always true anyway

237
00:08:53,680 --> 00:08:55,600
user namespace is generally always false

238
00:08:55,600 --> 00:08:57,120
because

239
00:08:57,120 --> 00:09:00,160
user namespaces are not enabled i

240
00:09:00,160 --> 00:09:01,360
suppose by default

241
00:09:01,360 --> 00:09:04,880
in runc or in kubernetes

242
00:09:04,880 --> 00:09:06,959
this is interesting though we're

243
00:09:06,959 --> 00:09:08,959
unconfined in apparmor

244
00:09:08,959 --> 00:09:10,720
now if we were running in docker that

245
00:09:10,720 --> 00:09:12,800
would always have a profile

246
00:09:12,800 --> 00:09:15,839
kubernetes of course disables this

247
00:09:15,839 --> 00:09:19,040
and uh so it's just reinforcing the fact

248
00:09:19,040 --> 00:09:19,519
that we're

249
00:09:19,519 --> 00:09:21,120
in kubernetes but it doesn't tell us

250
00:09:21,120 --> 00:09:24,399
anything uh too drastic

251
00:09:24,399 --> 00:09:27,760
this however what is this this is

252
00:09:27,760 --> 00:09:31,440
a a wide bounding set of capabilities

253
00:09:31,440 --> 00:09:33,920
so stuff in here this means we can

254
00:09:33,920 --> 00:09:35,279
change ownerships

255
00:09:35,279 --> 00:09:37,279
override discretionary access control

256
00:09:37,279 --> 00:09:38,320
which is um

257
00:09:38,320 --> 00:09:39,519
basically writing on other people's

258
00:09:39,519 --> 00:09:41,920
files and all sorts of things in here

259
00:09:41,920 --> 00:09:43,600
that we recognize

260
00:09:43,600 --> 00:09:46,560
processes being killed raw input and

261
00:09:46,560 --> 00:09:47,760
outputs

262
00:09:47,760 --> 00:09:50,959
access to the network adapters this is

263
00:09:50,959 --> 00:09:53,200
pretty likely to be a privileged

264
00:09:53,200 --> 00:09:54,880
container

265
00:09:54,880 --> 00:09:57,360
okay so we know what that means that

266
00:09:57,360 --> 00:09:58,959
means that actually

267
00:09:58,959 --> 00:10:02,000
what is in dev is a reflection of what's

268
00:10:02,000 --> 00:10:03,200
on the host

269
00:10:03,200 --> 00:10:06,160
so as a reminder the privileged flag uh

270
00:10:06,160 --> 00:10:07,600
the most dangerous flag in the history

271
00:10:07,600 --> 00:10:08,320
of computing

272
00:10:08,320 --> 00:10:13,120
as i will oft repeat disables

273
00:10:13,120 --> 00:10:15,120
most namespaces it turns off apparmor

274
00:10:15,120 --> 00:10:16,640
and seccomp if they're enabled

275
00:10:16,640 --> 00:10:19,120
it grants all capabilities and it mounts

276
00:10:19,120 --> 00:10:20,880
all of the hosts devices

277
00:10:20,880 --> 00:10:24,079
into the container this is a bad day

278
00:10:24,079 --> 00:10:27,120
for a system administrator why because

279
00:10:27,120 --> 00:10:29,839
we can say all right we know which disk

280
00:10:29,839 --> 00:10:31,519
is mounted from the host

281
00:10:31,519 --> 00:10:34,880
so let's mount

282
00:10:34,880 --> 00:10:39,760
that disk into an empty mount directory

283
00:10:39,920 --> 00:10:42,320
okay so this is probably not what we

284
00:10:42,320 --> 00:10:44,079
were hoping to see

285
00:10:44,079 --> 00:10:48,640
because if we were blue team um because

286
00:10:48,640 --> 00:10:51,839
that's what the root of the containers

287
00:10:51,839 --> 00:10:54,560
file system partition looks like whereas

288
00:10:54,560 --> 00:10:56,560
what we've mounted in from the roots

289
00:10:56,560 --> 00:10:58,720
uh let's go back to there we've mounted

290
00:10:58,720 --> 00:11:01,360
it from the host contains extra stuff

291
00:11:01,360 --> 00:11:04,480
and lo and behold it contains a

292
00:11:04,480 --> 00:11:06,640
directory called node secrets

293
00:11:06,640 --> 00:11:10,959
this may be obvious oops let's uh let's

294
00:11:10,959 --> 00:11:11,920
actually

295
00:11:11,920 --> 00:11:14,240
yep go in there uh and there we go so

296
00:11:14,240 --> 00:11:17,279
there is our first flag

297
00:11:17,519 --> 00:11:19,440
the disadvantages of running privileged

298
00:11:19,440 --> 00:11:21,680
containers are that they

299
00:11:21,680 --> 00:11:24,640
are equivalent to running the process on

300
00:11:24,640 --> 00:11:25,839
the host

301
00:11:25,839 --> 00:11:27,519
there is essentially no containerization

302
00:11:27,519 --> 00:11:29,680
going on when we run privileged

303
00:11:29,680 --> 00:11:32,800
and yes run for the hills

304
00:11:32,800 --> 00:11:34,399
if that's the kind of thing you are

305
00:11:34,399 --> 00:11:36,560
trying to defend because it's more or

306
00:11:36,560 --> 00:11:37,839
less indefensible

307
00:11:37,839 --> 00:11:41,360
okay that was the first one

308
00:11:41,360 --> 00:11:44,399
next we have uh escalate and uncover

309
00:11:44,399 --> 00:11:48,399
secrets and

310
00:11:49,040 --> 00:11:51,279
let's jump in so this alias will just

311
00:11:51,279 --> 00:11:52,639
take me into the

312
00:11:52,639 --> 00:11:55,680
um into the next host

313
00:11:55,680 --> 00:11:57,200
okay let's spend a bit more time looking

314
00:11:57,200 --> 00:11:59,519
at what's happening here so um

315
00:11:59,519 --> 00:12:03,519
we're in the attack container

316
00:12:03,760 --> 00:12:07,279
and escalate and uncover secrets sre has

317
00:12:07,279 --> 00:12:09,360
deployed a postgres daemonset

318
00:12:09,360 --> 00:12:10,880
and a new pod for monitoring the

319
00:12:10,880 --> 00:12:12,800
processes in your cluster

320
00:12:12,800 --> 00:12:15,040
following a routine audit of an

321
00:12:15,040 --> 00:12:16,800
application it is believed

322
00:12:16,800 --> 00:12:18,399
that the deployment setup allows a

323
00:12:18,399 --> 00:12:20,160
compromised process audit

324
00:12:20,160 --> 00:12:23,279
pod container a mouthful

325
00:12:23,279 --> 00:12:24,880
to escalate its attack to other

326
00:12:24,880 --> 00:12:27,360
containers on the host

327
00:12:27,360 --> 00:12:29,279
this doesn't sound like it makes sense

328
00:12:29,279 --> 00:12:31,279
there's obviously something a little bit

329
00:12:31,279 --> 00:12:31,920
askew

330
00:12:31,920 --> 00:12:35,200
here okay so the the question then is

331
00:12:35,200 --> 00:12:36,880
verify this by uncovering both the

332
00:12:36,880 --> 00:12:38,560
postgres database password and the

333
00:12:38,560 --> 00:12:39,760
secret key

334
00:12:39,760 --> 00:12:42,399
we will start in the process audit pod

335
00:12:42,399 --> 00:12:43,760
okay

336
00:12:43,760 --> 00:12:47,360
so um first of all we know that it's

337
00:12:47,360 --> 00:12:49,440
possible to provision secrets via

338
00:12:49,440 --> 00:12:53,200
environment variables this is um

339
00:12:53,200 --> 00:12:55,600
this is something that the 12 factor app

340
00:12:55,600 --> 00:12:57,360
has told us historically

341
00:12:57,360 --> 00:13:00,399
but as we know the environment of a

342
00:13:00,399 --> 00:13:01,519
process leaks

343
00:13:01,519 --> 00:13:04,880
to other users of the system and so we

344
00:13:04,880 --> 00:13:06,000
actually prefer to provision

345
00:13:06,000 --> 00:13:08,240
passwords with a with a file and an

346
00:13:08,240 --> 00:13:09,200
environment variable

347
00:13:09,200 --> 00:13:12,240
as a as a pointer containing the

348
00:13:12,240 --> 00:13:15,760
path of that file so i mean the first

349
00:13:15,760 --> 00:13:16,800
place to start here

350
00:13:16,800 --> 00:13:19,279
um then is probably just looking at the

351
00:13:19,279 --> 00:13:20,639
environment

352
00:13:20,639 --> 00:13:23,440
let's just see what is in here okay well

353
00:13:23,440 --> 00:13:25,040
there's actually nothing

354
00:13:25,040 --> 00:13:28,240
particularly juicy in here and uh

355
00:13:28,240 --> 00:13:30,959
because we know i'll just go up and

356
00:13:30,959 --> 00:13:31,839
because we know

357
00:13:31,839 --> 00:13:34,720
that the the flag has a specific format

358
00:13:34,720 --> 00:13:36,000
at this point

359
00:13:36,000 --> 00:13:39,040
um we can use that string to uh to just

360
00:13:39,040 --> 00:13:40,000
grep through the env

361
00:13:40,000 --> 00:13:41,519
we haven't missed anything there's

362
00:13:41,519 --> 00:13:44,000
nothing there okay

363
00:13:44,000 --> 00:13:47,279
um so we're supposed to be

364
00:13:47,279 --> 00:13:48,880
let's just remind ourselves this audit

365
00:13:48,880 --> 00:13:51,040
this process audit pod

366
00:13:51,040 --> 00:13:52,480
and we're looking to understand what the

367
00:13:52,480 --> 00:13:55,920
database adjacent to us is doing

368
00:13:55,920 --> 00:13:58,240
so let's just see what we've got running

369
00:13:58,240 --> 00:14:00,320
okay this is a red flag

370
00:14:00,320 --> 00:14:03,120
for a catalonian festival we should not

371
00:14:03,120 --> 00:14:03,920
be seeing

372
00:14:03,920 --> 00:14:06,480
this many processes because as we saw

373
00:14:06,480 --> 00:14:08,000
let's go back up to where we were

374
00:14:08,000 --> 00:14:11,440
earlier as we saw in the process table

375
00:14:11,440 --> 00:14:13,440
excuse me it's further than i thought

376
00:14:13,440 --> 00:14:15,120
the process table here

377
00:14:15,120 --> 00:14:18,000
for the container which is isolated to

378
00:14:18,000 --> 00:14:18,720
itself

379
00:14:18,720 --> 00:14:20,959
we're only seeing a very small number of

380
00:14:20,959 --> 00:14:22,000
processes

381
00:14:22,000 --> 00:14:24,240
and notably we see pid 1 which is not

382
00:14:24,240 --> 00:14:26,079
systemd or an init system

383
00:14:26,079 --> 00:14:28,560
it's just a sleep command so that's what

384
00:14:28,560 --> 00:14:30,000
we would expect to see

385
00:14:30,000 --> 00:14:32,720
but actually we can see all sorts of

386
00:14:32,720 --> 00:14:34,800
things we can see stuff on the host

387
00:14:34,800 --> 00:14:38,480
uh so this is again a remarkably

388
00:14:38,480 --> 00:14:41,199
bad day um the question here though is

389
00:14:41,199 --> 00:14:42,800
not how we uh

390
00:14:42,800 --> 00:14:45,199
we take over the hosts although from

391
00:14:45,199 --> 00:14:46,079
from here it's um

392
00:14:46,079 --> 00:14:48,560
not especially difficult we still want

393
00:14:48,560 --> 00:14:50,320
to exfiltrate those um

394
00:14:50,320 --> 00:14:53,279
those crucial bits of data the secret

395
00:14:53,279 --> 00:14:54,399
and the key

396
00:14:54,399 --> 00:14:58,240
uh okay so this is probably how

397
00:14:58,240 --> 00:15:00,720
we traversed containers because we

398
00:15:00,720 --> 00:15:01,839
shouldn't be able to see the process

399
00:15:01,839 --> 00:15:02,399
list

400
00:15:02,399 --> 00:15:04,880
as soon as we can let's list it uh in

401
00:15:04,880 --> 00:15:05,440
its

402
00:15:05,440 --> 00:15:07,760
fullest extent and have a look for

403
00:15:07,760 --> 00:15:09,279
postgres

404
00:15:09,279 --> 00:15:12,079
okay so we found postgres and just to be

405
00:15:12,079 --> 00:15:13,279
clear

406
00:15:13,279 --> 00:15:14,560
this is postgres running in a

407
00:15:14,560 --> 00:15:17,199
container on the same host

408
00:15:17,199 --> 00:15:20,399
what we're seeing here is a host

409
00:15:20,399 --> 00:15:23,519
pid namespace share and this again

410
00:15:23,519 --> 00:15:26,720
is um of questionable repute as a

411
00:15:26,720 --> 00:15:27,600
practice

412
00:15:27,600 --> 00:15:29,680
that there is some necessity for it but

413
00:15:29,680 --> 00:15:30,800
we should always be careful when

414
00:15:30,800 --> 00:15:32,079
disabling

415
00:15:32,079 --> 00:15:33,920
a container security feature or

416
00:15:33,920 --> 00:15:36,160
container primitive like host namespaces

417
00:15:36,160 --> 00:15:38,320
for networking or pids

418
00:15:38,320 --> 00:15:40,639
or even mounting stuff in that we're

419
00:15:40,639 --> 00:15:42,399
breaking the container abstraction

420
00:15:42,399 --> 00:15:45,199
by adding stuff or taking stuff away uh

421
00:15:45,199 --> 00:15:46,880
really we want to be locking it down

422
00:15:46,880 --> 00:15:50,560
and not sharing stuff further with other

423
00:15:50,560 --> 00:15:54,160
workloads on the system okay so um

424
00:15:54,160 --> 00:15:56,639
right we've got a pid for postgres and

425
00:15:56,639 --> 00:15:58,560
we can also see the postgres

426
00:15:58,560 --> 00:16:01,600
uh we can also see the pids so uh

427
00:16:01,600 --> 00:16:04,880
let's do some magic proc diving so if we

428
00:16:04,880 --> 00:16:05,600
go into proc

429
00:16:05,600 --> 00:16:08,720
and we put the pid in there then

430
00:16:08,720 --> 00:16:10,639
let's start off just looking at the

431
00:16:10,639 --> 00:16:12,639
command

432
00:16:12,639 --> 00:16:16,240
okay so a foible of proc

433
00:16:16,240 --> 00:16:18,880
is that everything is uh is null

434
00:16:18,880 --> 00:16:19,680
terminated

435
00:16:19,680 --> 00:16:20,880
so in order to just get a bit of

436
00:16:20,880 --> 00:16:21,920
visibility into what's actually

437
00:16:21,920 --> 00:16:23,600
happening here let's

438
00:16:23,600 --> 00:16:27,040
uh replace null with uh just space this

439
00:16:27,040 --> 00:16:27,519
time

440
00:16:27,519 --> 00:16:29,199
okay so we can see that it's just been

441
00:16:29,199 --> 00:16:30,959
invoked as postgres

442
00:16:30,959 --> 00:16:33,120
all right no problem that's that's sound

443
00:16:33,120 --> 00:16:34,480
enough

444
00:16:34,480 --> 00:16:36,800
but what else is in proc um i'll give

445
00:16:36,800 --> 00:16:38,480
you a clue

446
00:16:38,480 --> 00:16:41,759
the environment and at this point

447
00:16:41,759 --> 00:16:43,279
even though that looks like a massive

448
00:16:43,279 --> 00:16:45,759
junk let's see if we've got

449
00:16:45,759 --> 00:16:48,959
there's our flag so again using the flag

450
00:16:48,959 --> 00:16:50,399
ctf grep

451
00:16:50,399 --> 00:16:53,519
when there's a well-known flag string um

452
00:16:53,519 --> 00:16:55,440
can help because otherwise it's a kind

453
00:16:55,440 --> 00:16:58,800
of indeterminate mess of uh

454
00:16:58,800 --> 00:17:00,399
of black and white that's a little bit

455
00:17:00,399 --> 00:17:02,880
difficult to pick things out of

456
00:17:02,880 --> 00:17:06,160
okay one down so that is uh that is a

457
00:17:06,160 --> 00:17:07,599
flag

458
00:17:07,599 --> 00:17:09,439
but if we go back to the beginning of

459
00:17:09,439 --> 00:17:11,520
this scenario we were told

460
00:17:11,520 --> 00:17:14,000
uh there is more than one flag so i'm

461
00:17:14,000 --> 00:17:15,199
covering both

462
00:17:15,199 --> 00:17:17,679
the database password and the secret key

463
00:17:17,679 --> 00:17:19,520
okay so we know we've got the database

464
00:17:19,520 --> 00:17:20,240
password

465
00:17:20,240 --> 00:17:23,280
but there's a secret key

466
00:17:23,280 --> 00:17:26,799
we don't have any access to that

467
00:17:26,799 --> 00:17:30,080
adjacent postgres container except for

468
00:17:30,080 --> 00:17:34,000
through the the proc table

469
00:17:34,000 --> 00:17:38,640
okay so what else can we do with proc

470
00:17:40,799 --> 00:17:43,840
we can examine the root file system

471
00:17:43,840 --> 00:17:46,000
mounted into that container let's start

472
00:17:46,000 --> 00:17:49,360
with hello and studs

473
00:17:51,360 --> 00:17:54,400
okay so it's a symlink we don't mind

474
00:17:54,400 --> 00:17:55,840
too much about that

475
00:17:55,840 --> 00:17:58,480
here we go again we have got into the

476
00:17:58,480 --> 00:18:01,120
file system of a container

477
00:18:01,120 --> 00:18:03,600
running on the same machine as we are so

478
00:18:03,600 --> 00:18:05,200
we've got into the mount namespace

479
00:18:05,200 --> 00:18:06,559
essentially

480
00:18:06,559 --> 00:18:07,919
without having access to the container

481
00:18:07,919 --> 00:18:10,960
itself if we go into secrets we can see

482
00:18:10,960 --> 00:18:12,080
that there is something that looks like

483
00:18:12,080 --> 00:18:12,640
a key

484
00:18:12,640 --> 00:18:15,679
there and if i have readline

485
00:18:15,679 --> 00:18:20,000
there we go okay that is key number two

486
00:18:20,000 --> 00:18:22,240
i'm conscious of time and i will try and

487
00:18:22,240 --> 00:18:24,400
keep on clipping

488
00:18:24,400 --> 00:18:26,080
um so the point here is that there is a

489
00:18:26,080 --> 00:18:28,559
real risk with enabling

490
00:18:28,559 --> 00:18:32,080
using the um sorry process namespaces

491
00:18:32,080 --> 00:18:35,200
and uh yes while it's necessary

492
00:18:35,200 --> 00:18:36,880
obviously the feature was shipped

493
00:18:36,880 --> 00:18:40,240
for a reason we should be cognizant and

494
00:18:40,240 --> 00:18:41,360
of course everything should be threat

495
00:18:41,360 --> 00:18:43,039
modeled and then we can balance the

496
00:18:43,039 --> 00:18:44,640
impact of that thing

497
00:18:44,640 --> 00:18:46,080
actually being breached or negatively

498
00:18:46,080 --> 00:18:49,200
affected or or exfiltrated

499
00:18:49,200 --> 00:18:51,360
with the benefit that we get from using

500
00:18:51,360 --> 00:18:52,960
it in the way that it's intended

501
00:18:52,960 --> 00:18:56,080
okay on we go and we're

502
00:18:56,080 --> 00:19:01,039
into a ci server vulnerability

503
00:19:02,400 --> 00:19:04,400
right so what are we doing here uh we're

504
00:19:04,400 --> 00:19:06,080
pen testing a cluster we found the

505
00:19:06,080 --> 00:19:08,000
vulnerability

506
00:19:08,000 --> 00:19:09,360
uh the pod is part of the build

507
00:19:09,360 --> 00:19:11,760
infrastructure as we know

508
00:19:11,760 --> 00:19:13,280
uh build infrastructure is a juicy

509
00:19:13,280 --> 00:19:15,440
target uh supply chain security

510
00:19:15,440 --> 00:19:18,480
is a uh a particular interest of uh

511
00:19:18,480 --> 00:19:20,720
of of security and the cloud native

512
00:19:20,720 --> 00:19:21,600
security day

513
00:19:21,600 --> 00:19:24,640
of which we are apart and so build

514
00:19:24,640 --> 00:19:25,360
infrastructure

515
00:19:25,360 --> 00:19:26,720
yeah that's okay that's of interest to

516
00:19:26,720 --> 00:19:28,960
me uh all right what's happening then

517
00:19:28,960 --> 00:19:30,640
we're concerned that a compromise may

518
00:19:30,640 --> 00:19:32,880
lead to leaked secrets

519
00:19:32,880 --> 00:19:35,760
okay so we want to extract the secret

520
00:19:35,760 --> 00:19:36,400
key

521
00:19:36,400 --> 00:19:38,799
and look suspiciously like we are in a

522
00:19:38,799 --> 00:19:39,679
jenkins

523
00:19:39,679 --> 00:19:42,640
flavored pod

524
00:19:43,120 --> 00:19:44,880
okay so so again we kind of just want to

525
00:19:44,880 --> 00:19:46,480
do a bit of recon let's just figure out

526
00:19:46,480 --> 00:19:46,880
what's

527
00:19:46,880 --> 00:19:50,240
what's going on process table is okay uh

528
00:19:50,240 --> 00:19:52,799
the mount namespace so again there's a

529
00:19:52,799 --> 00:19:54,000
couple of things here that

530
00:19:54,000 --> 00:19:55,919
jump straight out one is the service

531
00:19:55,919 --> 00:19:57,280
account um

532
00:19:57,280 --> 00:19:58,400
of course you can do the same thing

533
00:19:58,400 --> 00:20:00,640
again looking here but nothing really

534
00:20:00,640 --> 00:20:02,720
jumps out from there immediately

535
00:20:02,720 --> 00:20:04,880
uh that to me again is just a little bit

536
00:20:04,880 --> 00:20:06,559
of a mess

537
00:20:06,559 --> 00:20:08,000
the thing that jumps out for me here is

538
00:20:08,000 --> 00:20:10,400
not the service account it is the presence

539
00:20:10,400 --> 00:20:15,120
of the hallowed docker socket

540
00:20:15,120 --> 00:20:16,960
a socket is an inter-process

541
00:20:16,960 --> 00:20:19,200
communication mechanism

542
00:20:19,200 --> 00:20:22,400
amongst other things and in this case

543
00:20:22,400 --> 00:20:24,320
it means that we can probably talk to

544
00:20:24,320 --> 00:20:26,480
the docker daemon whose socket is mounted

545
00:20:26,480 --> 00:20:27,440
into the pod

546
00:20:27,440 --> 00:20:30,000
which we're probably safe to assume

547
00:20:30,000 --> 00:20:31,039
belongs to

548
00:20:31,039 --> 00:20:34,640
the jenkins host um

549
00:20:34,640 --> 00:20:37,600
now at this point we would hope the

550
00:20:37,600 --> 00:20:39,120
docker is installed

551
00:20:39,120 --> 00:20:41,679
uh we would probably check uh see the

552
00:20:41,679 --> 00:20:43,360
kernel is nice and recent okay that's

553
00:20:43,360 --> 00:20:44,320
all good

554
00:20:44,320 --> 00:20:46,640
see what release we've got okay it's all

555
00:20:46,640 --> 00:20:49,039
relatively recent so we assume

556
00:20:49,039 --> 00:20:50,159
probably that we can install docker

557
00:20:50,159 --> 00:20:52,400
through the package manager but we can

558
00:20:52,400 --> 00:20:53,520
also do something

559
00:20:53,520 --> 00:20:58,159
via backdoor because we have curl

560
00:20:58,159 --> 00:20:59,600
so let's just pull the official docker

561
00:20:59,600 --> 00:21:01,440
installer

562
00:21:01,440 --> 00:21:02,880
maybe we'll we'll free ourselves from

563
00:21:02,880 --> 00:21:05,280
bugs in docker itself

564
00:21:05,280 --> 00:21:07,679
although those days are much further

565
00:21:07,679 --> 00:21:08,720
behind us

566
00:21:08,720 --> 00:21:10,240
um but it's nice to be on the latest

567
00:21:10,240 --> 00:21:11,600
version isn't it even if we're going to

568
00:21:11,600 --> 00:21:12,240
break stuff

569
00:21:12,240 --> 00:21:15,440
let's do it with uh correct operator

570
00:21:15,440 --> 00:21:17,200
practices

571
00:21:17,200 --> 00:21:19,840
all right so we're installing the docker

572
00:21:19,840 --> 00:21:20,480
client

573
00:21:20,480 --> 00:21:22,559
in the expectation that we can use it to

574
00:21:22,559 --> 00:21:24,159
abuse the docker socket

575
00:21:24,159 --> 00:21:25,679
we could just send restful commands over

576
00:21:25,679 --> 00:21:27,520
the docker socket but it's a bit more

577
00:21:27,520 --> 00:21:28,640
long-winded

578
00:21:28,640 --> 00:21:30,880
and right so what we see here is the

579
00:21:30,880 --> 00:21:32,480
docker version command

580
00:21:32,480 --> 00:21:35,200
has given us the client and the server

581
00:21:35,200 --> 00:21:36,400
happy days

582
00:21:36,400 --> 00:21:39,200
so let's see what's running here there

583
00:21:39,200 --> 00:21:39,919
is a lot

584
00:21:39,919 --> 00:21:43,600
and of course we see

585
00:21:43,679 --> 00:21:46,720
kubernetes oops uh let's do color

586
00:21:46,720 --> 00:21:49,200
in the us spelling always yeah and then

587
00:21:49,200 --> 00:21:51,919
we see kubernetes is all over the place

588
00:21:51,919 --> 00:21:54,320
so it's probably again not a good day

589
00:21:54,320 --> 00:21:55,679
for somebody

590
00:21:55,679 --> 00:21:58,720
um in this case we probably want to look

591
00:21:58,720 --> 00:22:00,080
in the nginx

592
00:22:00,080 --> 00:22:02,799
container

593
00:22:03,600 --> 00:22:07,120
he says so let's um

594
00:22:07,120 --> 00:22:09,440
let's have a look in here if we do a

595
00:22:09,440 --> 00:22:10,480
docker inspect

596
00:22:10,480 --> 00:22:13,679
in fact we can do it more elegantly with

597
00:22:13,679 --> 00:22:14,480
the

598
00:22:14,480 --> 00:22:17,679
containers sure okay

599
00:22:17,679 --> 00:22:20,159
again there's a lot of information here

600
00:22:20,159 --> 00:22:22,080
we can kind of spool through it

601
00:22:22,080 --> 00:22:24,159
but because we're volume hunting and we

602
00:22:24,159 --> 00:22:26,559
uh or flag hunting i suppose and we know

603
00:22:26,559 --> 00:22:30,159
the flag again sweet there we go there's

604
00:22:30,159 --> 00:22:31,919
our secret access key

605
00:22:31,919 --> 00:22:33,520
that looks so let's have a look at some

606
00:22:33,520 --> 00:22:35,200
context around that

607
00:22:35,200 --> 00:22:41,840
um and colorization is always useful

608
00:22:41,840 --> 00:22:43,520
okay so what's happened the environment

609
00:22:43,520 --> 00:22:45,520
of the container has specified

610
00:22:45,520 --> 00:22:47,520
this environment variable so we're back

611
00:22:47,520 --> 00:22:49,600
into environment variables again

612
00:22:49,600 --> 00:22:52,799
not only do they leak on the host on

613
00:22:52,799 --> 00:22:53,520
which they

614
00:22:53,520 --> 00:22:57,360
are running but also they leak from

615
00:22:57,360 --> 00:22:59,679
uh metadata about the thing as you see

616
00:22:59,679 --> 00:23:01,120
in this case it is an insecure

617
00:23:01,120 --> 00:23:01,760
provisioning

618
00:23:01,760 --> 00:23:04,640
method because um it's either set at

619
00:23:04,640 --> 00:23:06,559
runtime or set in the image itself

620
00:23:06,559 --> 00:23:10,159
ideally not of course so

621
00:23:10,159 --> 00:23:13,360
really what we want here is um is to

622
00:23:13,360 --> 00:23:13,919
instead

623
00:23:13,919 --> 00:23:16,320
point that secret to a file and this is

624
00:23:16,320 --> 00:23:18,159
as kubernetes will do with a secret file

625
00:23:18,159 --> 00:23:19,840
map for us

626
00:23:19,840 --> 00:23:22,640
and that way we we need to have access

627
00:23:22,640 --> 00:23:23,440
not only to

628
00:23:23,440 --> 00:23:26,559
to the uh to the containers metadata

629
00:23:26,559 --> 00:23:27,120
like this

630
00:23:27,120 --> 00:23:29,120
but also the container itself or as we

631
00:23:29,120 --> 00:23:30,799
saw previously the process table

632
00:23:30,799 --> 00:23:35,039
um etc right at this point

633
00:23:35,039 --> 00:23:38,320
we had pretty good um

634
00:23:38,320 --> 00:23:40,400
i would say turnout we had we had a lot

635
00:23:40,400 --> 00:23:41,760
of people we'll uh we'll get to those

636
00:23:41,760 --> 00:23:42,960
numbers at the end

637
00:23:42,960 --> 00:23:44,480
but also a lot of people got through

638
00:23:44,480 --> 00:23:46,080
these scenarios and

639
00:23:46,080 --> 00:23:47,919
uh and at this point most people were

640
00:23:47,919 --> 00:23:50,559
still still with us

641
00:23:50,559 --> 00:23:54,159
so let's persist next we have

642
00:23:54,159 --> 00:23:58,159
an anonymous user compromise

643
00:24:00,320 --> 00:24:05,840
okay and out and back in again

644
00:24:08,799 --> 00:24:11,840
okay so what we'll be doing here um

645
00:24:11,840 --> 00:24:16,720
more uh escalation sideways and so

646
00:24:16,720 --> 00:24:19,360
just moving laterally through um through

647
00:24:19,360 --> 00:24:20,880
kubernetes or maybe actually

648
00:24:20,880 --> 00:24:24,720
on the yep on multiple nodes

649
00:24:24,720 --> 00:24:26,640
so okay so secrets have been extracted

650
00:24:26,640 --> 00:24:28,080
from the cluster

651
00:24:28,080 --> 00:24:30,960
we're in a post-mortem phase but it's

652
00:24:30,960 --> 00:24:32,559
not clear how the anonymous user managed

653
00:24:32,559 --> 00:24:33,360
to escalate

654
00:24:33,360 --> 00:24:36,240
sideways after the initial breach so

655
00:24:36,240 --> 00:24:38,000
let's try and replay the intrusion from

656
00:24:38,000 --> 00:24:40,000
inside the cluster

657
00:24:40,000 --> 00:24:41,520
okay so we're in the pod that was

658
00:24:41,520 --> 00:24:43,760
breached excuse me

659
00:24:43,760 --> 00:24:46,880
and we're going to replay what the

660
00:24:46,880 --> 00:24:50,240
what the what we expect the attacker did

661
00:24:50,240 --> 00:24:53,919
um now again we've got our

662
00:24:53,919 --> 00:24:56,080
our kind of basic recon which is just

663
00:24:56,080 --> 00:24:58,960
saying uh how's our process table

664
00:24:58,960 --> 00:25:02,159
do we have anything spare or extraneous

665
00:25:02,159 --> 00:25:03,440
mounted in here

666
00:25:03,440 --> 00:25:04,799
um we'll go to the mount points for the

667
00:25:04,799 --> 00:25:06,559
whole system uh

668
00:25:06,559 --> 00:25:08,000
we can install amicontained and see

669
00:25:08,000 --> 00:25:09,600
what our bounding set is

670
00:25:09,600 --> 00:25:12,799
but in the interest of time this is

671
00:25:12,799 --> 00:25:14,559
this is slightly different so at this

672
00:25:14,559 --> 00:25:17,039
point we are attacking

673
00:25:17,039 --> 00:25:19,760
things that are outside our domain as

674
00:25:19,760 --> 00:25:22,240
sorry outside our namespace let's say

675
00:25:22,240 --> 00:25:25,520
and we have got the ip addresses of the

676
00:25:25,520 --> 00:25:27,679
nodes

677
00:25:27,679 --> 00:25:30,559
so what runs on the kubernetes worker

678
00:25:30,559 --> 00:25:31,360
node

679
00:25:31,360 --> 00:25:33,360
well there's the kubelet there's kube-proxy

680
00:25:33,360 --> 00:25:34,720
there may be

681
00:25:34,720 --> 00:25:38,159
things for the cni as well

682
00:25:38,240 --> 00:25:40,840
the kubelet has some configurations that

683
00:25:40,840 --> 00:25:42,240
um

684
00:25:42,240 --> 00:25:45,360
are less than optimal let's say uh

685
00:25:45,360 --> 00:25:49,279
such as the uh the read only port so

686
00:25:49,279 --> 00:25:52,080
let's just see if we can find anything

687
00:25:52,080 --> 00:25:53,440
excuse me if my mouse

688
00:25:53,440 --> 00:25:57,279
constantly doing that um

689
00:25:57,279 --> 00:26:00,400
in and around here so uh

690
00:26:00,400 --> 00:26:02,799
again i know what i need to use in

691
00:26:02,799 --> 00:26:04,080
advance so i will just

692
00:26:04,080 --> 00:26:06,320
install it i don't need to do an apt

693
00:26:06,320 --> 00:26:07,360
update

694
00:26:07,360 --> 00:26:11,520
i get curl and jq so

695
00:26:11,520 --> 00:26:14,720
what are we actually doing here

696
00:26:15,600 --> 00:26:17,919
let's just see if we can access these

697
00:26:17,919 --> 00:26:19,279
host nodes

698
00:26:19,279 --> 00:26:25,840
so let's go up in here

699
00:26:25,840 --> 00:26:28,320
and as a reminder this is a network

700
00:26:28,320 --> 00:26:30,159
route from the pod

701
00:26:30,159 --> 00:26:34,080
onto the public interface of the host

702
00:26:34,080 --> 00:26:36,960
and really there's not a great deal of

703
00:26:36,960 --> 00:26:38,000
rationale for

704
00:26:38,000 --> 00:26:41,840
um for running like this

705
00:26:41,840 --> 00:26:44,640
uh we should be using network uh network

706
00:26:44,640 --> 00:26:45,840
policy

707
00:26:45,840 --> 00:26:48,799
and um yeah frankly constraining our

708
00:26:48,799 --> 00:26:50,320
outbound traffic so that we can't hit

709
00:26:50,320 --> 00:26:51,200
anything at all

710
00:26:51,200 --> 00:26:53,440
start with the default deny and uh and

711
00:26:53,440 --> 00:26:54,880
then upgrade

712
00:26:54,880 --> 00:26:57,760
okay that was smooth let's just install

713
00:26:57,760 --> 00:27:00,240
that too

714
00:27:03,520 --> 00:27:05,440
so as you can see i'm having to install

715
00:27:05,440 --> 00:27:07,679
a lot of software as i go along

716
00:27:07,679 --> 00:27:10,400
that's kind of standard there is uh

717
00:27:10,400 --> 00:27:11,440
generally we don't ship

718
00:27:11,440 --> 00:27:12,640
curl and that kind of thing to

719
00:27:12,640 --> 00:27:14,480
production because why would we unless

720
00:27:14,480 --> 00:27:16,880
we needed it for our application

721
00:27:16,880 --> 00:27:20,480
but as an attacker i am able to install

722
00:27:20,480 --> 00:27:23,200
stuff inside the container

723
00:27:23,200 --> 00:27:26,320
really just by setting a non-root user

724
00:27:26,320 --> 00:27:28,080
uh maybe even removing the package

725
00:27:28,080 --> 00:27:29,600
manager if needs be

726
00:27:29,600 --> 00:27:32,640
that makes for a much safer day let's

727
00:27:32,640 --> 00:27:34,080
say the jq and curl

728
00:27:34,080 --> 00:27:35,440
if i installed those what did i get

729
00:27:35,440 --> 00:27:37,840
wrong there nothing

730
00:27:37,840 --> 00:27:41,200
okay and let's um skip verifying the

731
00:27:41,200 --> 00:27:42,559
certificates

732
00:27:42,559 --> 00:27:45,360
okay that means that we can read from

733
00:27:45,360 --> 00:27:47,440
the kubelet

734
00:27:47,440 --> 00:27:49,360
and we can see lots of things that are

735
00:27:49,360 --> 00:27:52,159
running here

736
00:27:52,159 --> 00:27:55,760
and what we care about uh potentially is

737
00:27:55,760 --> 00:27:56,320
something

738
00:27:56,320 --> 00:28:02,480
um compromise ish so let's have a look

739
00:28:02,480 --> 00:28:05,760
uh nope there's nothing in there

740
00:28:05,760 --> 00:28:07,760
uh now that probably means that what

741
00:28:07,760 --> 00:28:09,919
we're looking for is on the other node

742
00:28:09,919 --> 00:28:12,080
so let's just remind ourselves which

743
00:28:12,080 --> 00:28:14,720
nodes were which

744
00:28:14,960 --> 00:28:17,840
and switch over

745
00:28:19,279 --> 00:28:21,520
happy days that is the pod that we are

746
00:28:21,520 --> 00:28:22,480
looking for

747
00:28:22,480 --> 00:28:24,880
okay so now we have more information

748
00:28:24,880 --> 00:28:25,760
about

749
00:28:25,760 --> 00:28:28,640
what we're looking to attack so what

750
00:28:28,640 --> 00:28:30,399
should we do with that well

751
00:28:30,399 --> 00:28:33,679
let's see if we can dump the env

752
00:28:33,679 --> 00:28:37,520
of this um this pod so the pod

753
00:28:37,520 --> 00:28:40,720
is um what is it going to be the

754
00:28:40,720 --> 00:28:44,399
workload pod there

755
00:28:44,399 --> 00:28:46,960
and then if you will just excuse my copy

756
00:28:46,960 --> 00:28:50,000
pasta one second

757
00:28:51,120 --> 00:28:52,559
and this won't quite work because of the

758
00:28:52,559 --> 00:28:56,399
node ip so let's just

759
00:28:56,840 --> 00:28:58,480
place

760
00:28:58,480 --> 00:29:00,640
llp is the one we've just used which is

761
00:29:00,640 --> 00:29:03,360
the second one

762
00:29:05,919 --> 00:29:09,919
okay so we're posting a command

763
00:29:09,919 --> 00:29:12,080
oops okay so we're posting to the node

764
00:29:12,080 --> 00:29:12,960
ip

765
00:29:12,960 --> 00:29:16,799
um force of habits uh on the insecure

766
00:29:16,799 --> 00:29:19,840
uh on the read only port rather

767
00:29:19,840 --> 00:29:21,600
and uh we want we want to go into this

768
00:29:21,600 --> 00:29:23,919
pods

769
00:29:23,919 --> 00:29:28,159
and then run the printenv command

770
00:29:28,159 --> 00:29:31,360
okay um joyful joys

771
00:29:31,360 --> 00:29:33,039
that is not coming back with anything

772
00:29:33,039 --> 00:29:36,320
have i done something wrong

773
00:29:37,760 --> 00:29:41,360
um i guess the pod name should be

774
00:29:41,360 --> 00:29:45,199
pod name and not pods

775
00:29:47,039 --> 00:29:50,000
that was a great relief to me and as we

776
00:29:50,000 --> 00:29:50,480
go

777
00:29:50,480 --> 00:29:54,480
again there is our flag happy days

778
00:29:54,480 --> 00:29:57,279
okay let's uh steamroller on through the

779
00:29:57,279 --> 00:29:58,880
rest of these

780
00:29:58,880 --> 00:30:01,440
um we are on to pod breach extract and

781
00:30:01,440 --> 00:30:03,120
for this i will pass over to

782
00:30:03,120 --> 00:30:09,840
my worthy companion magno

783
00:30:11,760 --> 00:30:22,080
hey everyone

784
00:30:22,080 --> 00:30:26,000
think you need to stop sharing andy

785
00:30:29,840 --> 00:30:35,279
okay thank you okay

786
00:30:54,559 --> 00:30:57,600
the scenario here that we have for the

787
00:30:57,600 --> 00:31:00,720
for the ctf uh is the the

788
00:31:00,720 --> 00:31:04,080
pod uh pod breach extract right

789
00:31:04,080 --> 00:31:07,840
so in this scenario let me just

790
00:31:07,840 --> 00:31:19,840
log in again here

791
00:31:39,679 --> 00:31:41,519
verify your suspicion by breaking to the

792
00:31:41,519 --> 00:31:42,960
pod and extract the value of

793
00:31:42,960 --> 00:31:45,840
user credits password right so and and

794
00:31:45,840 --> 00:31:47,600
your starting point here you're starting

795
00:31:47,600 --> 00:31:48,799
on a virtual machine

796
00:31:48,799 --> 00:31:51,760
external to the cluster right so so how

797
00:31:51,760 --> 00:31:52,880
do you get access

798
00:31:52,880 --> 00:31:54,799
to to the cluster to the pods of the

799
00:31:54,799 --> 00:31:56,240
cluster itself right

800
00:31:56,240 --> 00:32:00,159
so um basic things here in the interest

801
00:32:00,159 --> 00:32:01,039
of time

802
00:32:01,039 --> 00:32:14,159
uh i'll

803
00:32:14,159 --> 00:32:16,480
okay

804
00:32:20,320 --> 00:32:24,320
good uh so first thing if if i need to

805
00:32:24,320 --> 00:32:27,679
access that uh that server or their

806
00:32:27,679 --> 00:32:28,640
service right

807
00:32:28,640 --> 00:32:31,440
i need to uh i don't have the

808
00:32:31,440 --> 00:32:32,799
credentials right so

809
00:32:32,799 --> 00:32:43,840
i need to uh first do like uh

810
00:32:52,159 --> 00:32:56,080
your your server make sure that

811
00:32:56,080 --> 00:32:58,159
everything's okay i ran this before just

812
00:32:58,159 --> 00:32:58,640
before

813
00:32:58,640 --> 00:33:01,440
uh the example just to make sure that uh

814
00:33:01,440 --> 00:33:03,279
everything is

815
00:33:03,279 --> 00:33:04,559
running smoothly and we don't need to

816
00:33:04,559 --> 00:33:07,039
download it again so

817
00:33:07,039 --> 00:33:09,519
uh and and here one of the tools that

818
00:33:09,519 --> 00:33:10,399
you can use

819
00:33:10,399 --> 00:33:13,360
to to do that to do the network uh

820
00:33:13,360 --> 00:33:13,840
mapping

821
00:33:13,840 --> 00:33:25,840
and scanning is nmap right

822
00:33:31,919 --> 00:33:39,840
thank you you will now be placed into

823
00:34:22,159 --> 00:34:24,399
okay

824
00:34:30,719 --> 00:34:34,159
okay uh can you guys hear me again

825
00:34:34,159 --> 00:34:38,399
uh my screen sharing

826
00:34:39,599 --> 00:34:42,399
i'm sharing it

827
00:34:46,839 --> 00:34:49,839
oh

828
00:34:57,040 --> 00:34:59,359
hi can you hear me can you guys give me

829
00:34:59,359 --> 00:35:03,839
some feedback on the chat

830
00:35:07,760 --> 00:35:10,880
yeah okay sounds good awesome uh

831
00:35:10,880 --> 00:35:12,800
yeah so as i was saying sorry about

832
00:35:12,800 --> 00:35:14,839
technical difficulties here

833
00:35:14,839 --> 00:35:18,240
um so as i was saying we installed nmap

834
00:35:18,240 --> 00:35:19,280
there

835
00:35:19,280 --> 00:35:22,240
and another uh one of the things that we

836
00:35:22,240 --> 00:35:22,960
can do

837
00:35:22,960 --> 00:35:26,320
is to run nmap on this uh specific

838
00:35:26,320 --> 00:35:29,119
node id that was provided to us for this

839
00:35:29,119 --> 00:35:31,520
challenge right

840
00:35:31,520 --> 00:35:33,760
okay and i've selected a few ports here

841
00:35:33,760 --> 00:35:35,760
so the scan doesn't take forever

842
00:35:35,760 --> 00:35:38,640
right so specifically for uh just the

843
00:35:38,640 --> 00:35:40,079
demonstration here

844
00:35:40,079 --> 00:35:42,240
uh and we can see that there is a port

845
00:35:42,240 --> 00:35:43,440
open on

846
00:35:43,440 --> 00:35:46,400
on this higher port here uh three zero

847
00:35:46,400 --> 00:35:47,440
zero two two

848
00:35:47,440 --> 00:35:50,960
right so one of the things uh

849
00:35:50,960 --> 00:35:53,440
and it's very famous on on on pen

850
00:35:53,440 --> 00:35:54,079
testing

851
00:35:54,079 --> 00:35:56,400
and and like uh application security

852
00:35:56,400 --> 00:35:57,200
scenarios

853
00:35:57,200 --> 00:36:00,400
is uh brute forcing right so one of the

854
00:36:00,400 --> 00:36:01,920
attacks that you can run

855
00:36:01,920 --> 00:36:03,920
uh you can get a list of username and

856
00:36:03,920 --> 00:36:05,680
passwords and try to just

857
00:36:05,680 --> 00:36:08,000
brute force the system to guess those

858
00:36:08,000 --> 00:36:09,520
credentials right

859
00:36:09,520 --> 00:36:11,599
and one of the tools that you can use

860
00:36:11,599 --> 00:36:13,200
here or for

861
00:36:13,200 --> 00:36:16,640
brute forcing at this uh this port

862
00:36:16,640 --> 00:36:19,839
and and access the service right so

863
00:36:19,839 --> 00:36:21,440
i don't know exactly from the nmap

864
00:36:21,440 --> 00:36:23,119
there i don't know exactly which server

865
00:36:23,119 --> 00:36:26,960
it is but i can uh i think it can run

866
00:36:26,960 --> 00:36:28,640
this one let's see if it's gonna give us

867
00:36:28,640 --> 00:36:30,400
to us

868
00:36:30,400 --> 00:36:34,000
a little bit more information there

869
00:36:34,480 --> 00:36:37,359
if it takes too long then we can just

870
00:36:37,359 --> 00:36:41,680
move on

871
00:36:41,680 --> 00:36:44,319
see here

872
00:36:44,880 --> 00:36:49,040
okay yeah okay

873
00:36:49,040 --> 00:36:51,200
so we can see that this service right so

874
00:36:51,200 --> 00:36:53,040
it was showing on the first scan was

875
00:36:53,040 --> 00:36:55,200
showing as unknown right so i run

876
00:36:55,200 --> 00:36:58,240
uh i added the flag dash a here so to

877
00:36:58,240 --> 00:37:00,000
scan the services and the versions as

878
00:37:00,000 --> 00:37:00,640
well

879
00:37:00,640 --> 00:37:03,280
so we know that this port is running an

880
00:37:03,280 --> 00:37:04,800
OpenSSH server

881
00:37:04,800 --> 00:37:08,079
there and and then and now i can try to

882
00:37:08,079 --> 00:37:11,280
uh to brute force it right passing

883
00:37:11,280 --> 00:37:14,160
a list of username and passwords right

884
00:37:14,160 --> 00:37:15,920
so one of the tools that you can easily

885
00:37:15,920 --> 00:37:16,560
do that

886
00:37:16,560 --> 00:37:19,680
is called hydra

887
00:37:19,680 --> 00:37:23,680
and uh the way to install it just

888
00:37:23,680 --> 00:37:26,560
typing oops

889
00:37:28,960 --> 00:37:31,119
and

890
00:37:32,079 --> 00:37:37,839
type in this command here

891
00:37:39,119 --> 00:37:41,920
i have demos

892
00:37:43,520 --> 00:37:46,079
okay so i have right hydra installed

893
00:37:46,079 --> 00:37:47,200
already just to

894
00:37:47,200 --> 00:37:50,480
show you guys here and now what i need

895
00:37:50,480 --> 00:37:52,320
to run this brute force right i need a

896
00:37:52,320 --> 00:37:54,640
list of username and passwords right

897
00:37:54,640 --> 00:37:57,920
uh one one of the the very common uh

898
00:37:57,920 --> 00:38:00,640
list of passwords is the rockyou list so

899
00:38:00,640 --> 00:38:02,800
you could have download that and use it

900
00:38:02,800 --> 00:38:05,520
but this server this this server here is

901
00:38:05,520 --> 00:38:06,800
not very protected so

902
00:38:06,800 --> 00:38:10,240
the the password is not the username and

903
00:38:10,240 --> 00:38:12,240
the password are not very hard

904
00:38:12,240 --> 00:38:16,839
um so i created a list uh here already

905
00:38:16,839 --> 00:38:18,880
on on this

906
00:38:18,880 --> 00:38:22,240
server uh called the list of users so i

907
00:38:22,240 --> 00:38:23,119
have a

908
00:38:23,119 --> 00:38:26,480
list of usernames here and i have a list

909
00:38:26,480 --> 00:38:28,320
of passwords that i could try so it

910
00:38:28,320 --> 00:38:29,440
doesn't take forever

911
00:38:29,440 --> 00:38:32,880
when running right so here's the command

912
00:38:32,880 --> 00:38:34,720
that i'm gonna use for hydra

913
00:38:34,720 --> 00:38:38,000
to uh try to brute force this uh

914
00:38:38,000 --> 00:38:40,400
this username and password on this

915
00:38:40,400 --> 00:38:41,119
server

916
00:38:41,119 --> 00:38:47,839
location here thanks

917
00:39:12,839 --> 00:39:15,839
okay

918
00:39:24,640 --> 00:39:28,240
let me just show you guys so just moving

919
00:39:28,240 --> 00:39:29,839
on here so we don't lose

920
00:39:29,839 --> 00:39:31,839
a lot of time we're almost running out

921
00:39:31,839 --> 00:39:33,119
of time here

922
00:39:33,119 --> 00:39:35,680
uh basically if you run this command you

923
00:39:35,680 --> 00:39:36,240
should get

924
00:39:36,240 --> 00:39:39,520
the uh the results that had it

925
00:39:39,520 --> 00:39:43,359
here before i know i i

926
00:39:43,359 --> 00:39:48,720
really uh okay sounds good

927
00:39:49,520 --> 00:39:52,640
sure uh almost done uh

928
00:39:52,640 --> 00:39:56,160
so yeah basically just

929
00:39:56,160 --> 00:39:57,760
after i find out the username and

930
00:39:57,760 --> 00:40:00,240
password i can

931
00:40:00,240 --> 00:40:05,279
access this server oops

932
00:40:07,119 --> 00:40:10,160
yep you should copy and paste here

933
00:40:10,160 --> 00:40:13,440
and so the the user's admin and the

934
00:40:13,440 --> 00:40:14,880
passwords password very

935
00:40:14,880 --> 00:40:16,960
very easy for you guys you know even if

936
00:40:16,960 --> 00:40:18,960
you don't have like a tool you could

937
00:40:18,960 --> 00:40:22,480
uh try guessing and access that okay so

938
00:40:22,480 --> 00:40:25,520
i'm inside this called

939
00:40:25,520 --> 00:40:29,680
jump box right so what i'm gonna do here

940
00:40:29,680 --> 00:40:32,960
is try to uh connect to the

941
00:40:32,960 --> 00:40:36,480
api server and make some requests

942
00:40:36,480 --> 00:40:40,319
so the base request here

943
00:40:40,319 --> 00:40:40,880
that i can

944
00:40:40,880 --> 00:40:42,880
make is check the version of the the

945
00:40:42,880 --> 00:40:44,720
kubernetes api server

946
00:40:44,720 --> 00:40:48,000
this is one of the ways to do that right

947
00:40:48,000 --> 00:40:50,200
so i can see that's running our version

948
00:40:50,200 --> 00:40:51,520
1.19.4

949
00:40:51,520 --> 00:40:54,800
stuff like that right so just to wrap up

950
00:40:54,800 --> 00:40:55,280
here

951
00:40:55,280 --> 00:40:58,240
uh one of the things that i can do is

952
00:40:58,240 --> 00:40:58,640
wha

953
00:40:58,640 --> 00:41:01,680
uh as andy mentioned before uh there is

954
00:41:01,680 --> 00:41:02,160
some

955
00:41:02,160 --> 00:41:05,520
um secrets and tokens inside the pods

956
00:41:05,520 --> 00:41:06,160
right

957
00:41:06,160 --> 00:41:09,359
so i can grab that and and use to

958
00:41:09,359 --> 00:41:12,240
impersonate uh the policy talk to the

959
00:41:12,240 --> 00:41:13,280
api server

960
00:41:13,280 --> 00:41:15,760
right so basically here what i'm gonna

961
00:41:15,760 --> 00:41:16,400
do

962
00:41:16,400 --> 00:41:18,839
is just create two variables the

963
00:41:18,839 --> 00:41:20,240
namespace uh

964
00:41:20,240 --> 00:41:23,040
telling that it's uh located at var run

965
00:41:23,040 --> 00:41:25,200
secrets kubernetes.io service account

966
00:41:25,200 --> 00:41:26,400
namespace

967
00:41:26,400 --> 00:41:29,839
and i'll do the same thing for the token

968
00:41:29,839 --> 00:41:35,760
here kube token okay almost done

969
00:41:35,760 --> 00:41:38,880
uh and then now i can make uh if i have

970
00:41:38,880 --> 00:41:42,079
uh permissions to do that i can make a

971
00:41:42,079 --> 00:41:43,119
request

972
00:41:43,119 --> 00:41:46,800
to this namespace and uh through

973
00:41:46,800 --> 00:41:48,880
via the api server and ask for the

974
00:41:48,880 --> 00:41:50,240
secrets and since this is a

975
00:41:50,240 --> 00:41:51,760
misconfigured cluster

976
00:41:51,760 --> 00:41:56,400
i have the permissions uh so

977
00:41:56,880 --> 00:42:01,119
here just just making this api let me

978
00:42:01,119 --> 00:42:03,920
show that again right so this is the the

979
00:42:03,920 --> 00:42:05,440
request that i made

980
00:42:05,440 --> 00:42:08,640
and i can see all the secrets and here

981
00:42:08,640 --> 00:42:09,920
is the flag

982
00:42:09,920 --> 00:42:13,359
user creds password and and that's it

983
00:42:13,359 --> 00:42:17,680
for this challenge i'll hand it over to

984
00:42:17,680 --> 00:42:22,160
andrew again so thank you guys bye

985
00:42:23,760 --> 00:42:27,119
awesome thank you very much okay let's

986
00:42:27,119 --> 00:42:30,000
zoom through the ends of the slides

987
00:42:30,000 --> 00:42:32,880
there was one more scenario which people

988
00:42:32,880 --> 00:42:33,760
didn't quite get to

989
00:42:33,760 --> 00:42:36,319
so um if you would like a go at that

990
00:42:36,319 --> 00:42:37,440
then uh

991
00:42:37,440 --> 00:42:40,160
do feel free to dm right let's get

992
00:42:40,160 --> 00:42:40,880
through to the end

993
00:42:40,880 --> 00:42:43,359
so uh this was this was the control

994
00:42:43,359 --> 00:42:44,079
plane team

995
00:42:44,079 --> 00:42:47,359
at uh seven o'clock this morning um

996
00:42:47,359 --> 00:42:48,960
we are just about through the other end

997
00:42:48,960 --> 00:42:51,200
of it so honorable mentions

998
00:42:51,200 --> 00:42:54,319
thank you to these individuals for uh

999
00:42:54,319 --> 00:42:55,440
being with us through most of the

1000
00:42:55,440 --> 00:42:59,680
journey today and um

1001
00:42:59,680 --> 00:43:01,599
we had a great time on dms it's fair to

1002
00:43:01,599 --> 00:43:02,800
say uh

1003
00:43:02,800 --> 00:43:05,119
there's some really uh people show some

1004
00:43:05,119 --> 00:43:06,720
real grit and persistence

1005
00:43:06,720 --> 00:43:08,720
and that's what it's all about so good

1006
00:43:08,720 --> 00:43:10,240
job those people

1007
00:43:10,240 --> 00:43:11,920
um we have some honorable mentions as

1008
00:43:11,920 --> 00:43:14,160
well um

1009
00:43:14,160 --> 00:43:17,760
dilshan mathias michael matthew walid

1010
00:43:17,760 --> 00:43:20,319
steve mohammed and noel were all there

1011
00:43:20,319 --> 00:43:21,680
for the whole journey

1012
00:43:21,680 --> 00:43:24,800
and thank you very much for your efforts

1013
00:43:24,800 --> 00:43:29,200
in parting the container defenses

1014
00:43:29,200 --> 00:43:31,119
um various people enjoyed themselves

1015
00:43:31,119 --> 00:43:32,880
slightly

1016
00:43:32,880 --> 00:43:35,280
and i hope this has been a beneficial

1017
00:43:35,280 --> 00:43:36,800
learning experience i'm sorry there was

1018
00:43:36,800 --> 00:43:38,640
no cake

1019
00:43:38,640 --> 00:43:40,240
and thank you very much to the control

1020
00:43:40,240 --> 00:43:42,000
plane uh people at this end

1021
00:43:42,000 --> 00:43:44,160
for manning everything and to magno for

1022
00:43:44,160 --> 00:43:45,760
all his assistance and helping us out

1023
00:43:45,760 --> 00:43:48,079
and testing etc

1024
00:43:48,079 --> 00:43:50,720
this is a public service announcement we

1025
00:43:50,720 --> 00:43:51,280
don't run

1026
00:43:51,280 --> 00:43:52,880
administrative endpoints on the public

1027
00:43:52,880 --> 00:43:55,520
internet the kubernetes api server is

1028
00:43:55,520 --> 00:43:57,359
one of them

1029
00:43:57,359 --> 00:43:59,280
if you like what you saw today control

1030
00:43:59,280 --> 00:44:00,800
plane do this for a living

1031
00:44:00,800 --> 00:44:04,319
and we'd be happy to stand up a ctf for

1032
00:44:04,319 --> 00:44:05,280
you

1033
00:44:05,280 --> 00:44:06,720
thank you very much for your attention

1034
00:44:06,720 --> 00:44:07,920
and thank you to everybody who

1035
00:44:07,920 --> 00:44:09,119
contributed today

1036
00:44:09,119 --> 00:44:12,880
we had a total of 327 clusters spun up

1037
00:44:12,880 --> 00:44:16,079
uh that is about 15 000 nodes um

1038
00:44:16,079 --> 00:44:19,280
we had a peak of 73 users

1039
00:44:19,280 --> 00:44:21,280
so thank you for everybody who played

1040
00:44:21,280 --> 00:44:23,119
and we

1041
00:44:23,119 --> 00:44:26,560
welcome all and any feedback

1042
00:44:26,560 --> 00:44:30,240
have a wonderful day


