Checkpoint 10.5.1.
Whatβs for lunch?
Section 10.5 Lab: Malicious Containers
While containers have made it much easier to deploy software, they have also made it easier to deploy malicious software. Imagine that we have an internal company website, written in PHP and deployed in a Docker container. Given the layered nature of the Docker build system, this application is trusting that the images it is building from are secure. Take a look at the following
Dockerfile to see just how easy it is to slip something malicious into the image:
FROM php:apache COPY shell.php /var/www/html/shell.php COPY index.php /var/www/html/index.php
shell.php is a shell written in PHP that will execute with the permissions of the web server. This means it will be able to read and write (but not overwrite) in the /var/www/html directory.
Subsection 10.5.1 Malicious Containers in a Github Codespace
Go github.com/pearcej/security-malicious. Then:
β1β
github.com/pearcej/security-malicious-
Fork this codespace into your own Github repository.
-
Navigate to your repository on GitHub.
-
Click the green Code button and select Codespaces.
-
Click "Create codespace on main".
-
Wait for the codespace to be created.
Be sure to either stop or delete this codespace when you are done by clicking the "Stop" button or the "Delete" button in the Codespaces tab of your repository.
Next, jump down to follow the lab directions in SubsectionΒ 6.9.3.
Subsection 10.5.2 Malicious Containers in a Local Docker installation
Letβs download, build, and run this image. Download the malicious.zip file, unzip it in a directory where you have write access, and navigate to that directory in your shell.
β2β
github.com/rxt1077/it230/raw/main/labs/malicious.zipSubsection 10.5.3 Lab Instructions for Malicious Containers
(1) Build the image and tag it
malicious by running docker build -t malicious ., but donβt forget the . at the end!
PS C:\Users\rxt1077\it230\labs\malicious> docker build -t malicious . (1) [+] Building 32.4s (8/8) FINISHED => [internal] load build definition from Dockerfile 0.0s => => transferring dockerfile: 134B 0.0s => [internal] load .dockerignore 0.0s => => transferring context: 2B 0.0s => [internal] load metadata for docker.io/library/php:apache 32.2s => [1/3] FROM docker.io/library/php:apache@sha256:f1c5dba2a2981f91ec31b9596d4165acd0b46e58382e47622487e130a21e420d 0.0s => [internal] load build context 0.0s => => transferring context: 61B 0.0s => CACHED [2/3] COPY shell.php /var/www/html/shell.php 0.0s => CACHED [3/3] COPY index.php /var/www/html/index.php 0.0s => exporting to image 0.1s => => exporting layers 0.0s => => writing image sha256:e1dc75a91b2e269091069b1e3406a496b4bbfd95b066f970062ea8b3a74d8368 0.0s => => naming to docker.io/library/malicious
(2) Run the
malicious image and forward local port 8080 to port 80 in the container by running docker run -p 8080:80 malicious.
0.0s PS C:\Users\rxt1077\it230\labs\malicious> docker run -p 8080:80 malicious (2) AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message [Wed Jul 13 02:25:57.082000 2022] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.54 (Debian) PHP/8.1.8 configured -- resuming normal operations [Wed Jul 13 02:25:57.082089 2022] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
To see your webpage, do the following:
-
If you are using a Github codespace, you should be able to navigate to the "Ports" tab, change the visibility from private to public, and then under forwarded address, control-click the link, which will look something like
https://silly-name-jjxwj676vgc5j75-8080.app.github.dev/to open a new tab in your browser to see see the default web page. Note that may get a warning from Github that "You are about to access a development port served by someone elseβs codespace." If you do, you will need to click "Continue" to proceed to the page. -
If you are in a local Docker container, you should be able to navigate to open a tab in your browser and go to http://localhost:8080to see the default web page.
β3β
localhost:8080
Now based on the information in the Dockerfile, get a shell on the compromised web server.
Question 10.5.2.
Did you notice that the time-off request on the main page doesnβt work?
From your shell, create a new web page on the server named timeoff.html with the text GRANTED.
Question 10.5.3.
What command did you use to make the new file? What happens now when you click on the time off link?
Note 10.5.4.
If you chose to use a Github codespace, donβt forget to stop or delete the codespace by clicking the "Stop" button or the "Delete" button in the Codespaces tab of your repository.
You have attempted of activities on this page.
