DevOoops - Carnal0wnage
![Page 1: DevOoops - Carnal0wnage · Why This Talk Increase awareness around DevOps infra security Provide solutions Demonstrate impact, regardless of where the infrastructure is deployed (internal,](https://reader034.fdocuments.in/reader034/viewer/2022042318/5f0725d67e708231d41b8b29/html5/thumbnails/1.jpg)
DevOoops
LasCon
October 2014
Who: Ken
Ken Johnson (@cktricky)
● CTO (@nVisium)
● Railsgoat Co-Author
● (One) of the voices of SecCasts
Who: Chris
Chris Gates (CG) @carnal0wnage
● Security Engineer (Facebook)
● NoVA Hackers Co-Founder
● http://carnal0wnage.attackresearch.com
Why This Talk
Increase awareness around DevOps infra security
Provide solutions
Demonstrate impact, regardless of where the infrastructure is deployed (internal, external, cloud)
Agenda
● GitHub
● Revision Control Tools
● Continuous Integration Tools
● AWS Config Files
● Client Provisioning Tools
● Elasticsearch
● In-Memory Databases
GitHub
GitHub Search
GitHub Advanced Search
● GitHub supports advanced search operators
● Google hacking for GitHub
○ http://seclists.org/fulldisclosure/2013/Jun/15
○ http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html
GitHub OSINT
● Check $company employee repos for uh ohs
○ internal project commits, passwords, etc
Git Fun
Can we impersonate other GitHub users?
Sort of.
Git Fun
Let’s be Linus...
Git Fun
Git Fun
Result: It appears Linus committed to our repo
Git Fun (Review)
● Audit who has access to your repos
○ Have a process to remove ex-employees
○ Consider auditing their personal repos for leaks
● Be suspicious of Pull Requests
○ From “trusted” authors (they can be spoofed)
○ With massive code changes within the PR (can potentially introduce vulns)
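The "Let's be Linus" slides work because git records whatever user.name and user.email the committer configured; nothing ties the author field to a person unless the commit is signed and the signature is checked. The following is an added example (not the speakers' code and not a GitHub feature) of a review-side check over the output of `git log --format='%H%x09%ae%x09%ce%x09%G?'`: it flags unsigned or badly signed commits, author addresses outside an allowlist of your own domains, and author/committer mismatches. The tab-separated field layout, the allowlist and the sample log lines are this example's own constructions.

```python
"""Flag commits whose authorship cannot be trusted from metadata alone.
Added example: git trusts user.name/user.email as configured, so only a
verified signature ties a commit to a person. Input is the output of
    git log --format='%H%x09%ae%x09%ce%x09%G?'
(field layout and the trusted-domain allowlist are this example's assumptions)."""
import subprocess

# %G? values as documented for git log: G good, U good but key untrusted,
# B bad, X good but expired, Y good but key expired, R revoked, E error, N none.
VERIFIED = {"G", "U"}
SIGNATURE_STATUS = {
    "B": "bad signature", "X": "signature expired", "Y": "signing key expired",
    "R": "signing key revoked", "E": "signature could not be checked", "N": "unsigned",
}

def review_log(log_text, trusted_domains):
    """Return [(short_sha, reason)] for commits that need a human look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, author_email, committer_email, sig = line.split("\t")
        short = sha[:12]
        if sig not in VERIFIED:
            findings.append((short, SIGNATURE_STATUS.get(sig, f"unknown status {sig}")))
        domain = author_email.rpartition("@")[2].lower()
        if domain not in trusted_domains:
            findings.append((short, f"author {author_email} outside trusted domains"))
        elif author_email != committer_email:
            findings.append((short, f"author {author_email} != committer {committer_email}"))
    return findings

def review_repo(path, trusted_domains, rev_range="HEAD"):
    """Run git log on a real repository and review it (needs git on PATH)."""
    out = subprocess.run(
        ["git", "-C", path, "log", "--format=%H%x09%ae%x09%ce%x09%G?", rev_range],
        check=True, capture_output=True, text=True).stdout
    return review_log(out, trusted_domains)

# Constructed sample log: one verified commit, one spoofed-author commit
# (name/email set in git config, never signed), one with a bad signature.
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tdev@example.com\tdev@example.com\tG",
    "2222222222222222222222222222222222222222\tspoofed-maintainer@upstream.example\tdev@example.com\tN",
    "3333333333333333333333333333333333333333\tdev@example.com\tdev@example.com\tB",
])

if __name__ == "__main__":
    for sha, reason in review_log(SAMPLE_LOG, {"example.com"}):
        print(sha, reason)
```

Run `review_repo(".", {"yourcompany.example"}, "origin/master..HEAD")` as a pre-merge check on a pull request branch; a spoofed "trusted author" commit shows up as unsigned plus an author outside the allowlist, which is the signal the review slide asks for.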
GitHub Org “To Do’s”
Forks need to be deleted if a member leaves your org
● https://help.github.com/articles/deleting-a-private-fork-of-a-private-organization-repository/
Audit organization members for 2 factor authentication
● https://developer.github.com/changes/2014-01-29-audit-org-members-for-2fa/
Revision Control
.Git Exposed
Do you have your .git folder exposed on a webserver outside?
● Or inside?
● Access to .git content can allow for full source download.
● Use wget, DVCS-Pillage, or dvcs-ripper to archive and recreate the repo locally.
https://github.com/evilpacket/DVCS-Pillage
https://github.com/kost/dvcs-ripper
.Git Exposed
If directory listings are enabled, it’s simple to get source
$ mkdir git-test
$ cd git-test
$ wget --mirror --include-directories=/.git http://www.example.com/.git
Then
$ cd www.example.com
$ git reset --hard
HEAD is now at [...]
You now have the source of the site
.Git Exposed
.Git Exposed
If directory listings are NOT enabled
● Test by checking for .git/config
● Use DVCS-Pillage or dvcs-ripper to download the source.
DVCS-Pillage also supports Mercurial (HG) and Bazaar (BZR).
.Git Exposed
What can you get?
● Creds, config files, source code, dev names, public keys, email addresses, etc
● repo history: vulns fixed, passwords/keys checked in but removed later :-)
● wordpress config files common
● site/database backups in .git
● session generation keys
.Git Exposed
Internal GitHub Enterprise ties into organization’s LDAP or Active Directory.
● Find devops/devpassword equivalent
● Download source code
● Log in and search for interesting things
Subversion
Subversion 1.6 (and earlier)
● Check for .entries files
● Walk svn chain to retrieve source
● Example:
○ http://somedomain.com/.svn/text-base/index.php.svn-base
● Metasploit Auxiliary Module:
○ auxiliary/scanner/http/svn_scanner
Reference: http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us
Subversion
Subversion 1.7 and later
● Working copy and changes stored in a sqlite database
● Example:
○ http://www.somedomain.com/.svn/wc.db
● Metasploit Auxiliary Module:
○ auxiliary/scanner/http/svn_wcdb_scanner
Reference: http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us
GitList
GitList
GitList
RCE: http://hatriot.github.io/blog/2014/06/29/gitlist-rce/
Affects: version 0.4.0 and below
Continuous Integration
Hudson/Jenkins
“Hudson is a continuous integration (CI) tool written in Java, which runs in a servlet container, such as Apache Tomcat or the GlassFish application server”
Very popular
If you can’t pwn Jenkins then try GlassFish or Tomcat :-)
Hudson/Jenkins
Shodan search for X-Hudson
Hudson/Jenkins
Shodan search for X-Hudson with HTTP 200
Hudson/Jenkins
Metasploit Aux Module
Hudson/Jenkins
If no authentication required
● Trivial to gain remote code execution via script console
● Metasploit Module
○ exploit/multi/http/jenkins_script_console
https://www.pentestgeek.com/2014/06/13/hacking-jenkins-servers-with-no-password/
http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html
http://zeroknock.blogspot.com/search/label/Hacking%20Jenkins
Hudson/Jenkins
Script Console
Hudson/Jenkins
Hudson/Jenkins
Metasploit exploit module for script console
Hudson/Jenkins
You can lock down script console access by turning on authentication
● However, if it’s set to local auth, you can register as a regular user :-)
● ...then get access to the /script
Hudson/Jenkins
If you have access to /view/All/newJob, create a new build and run commands
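Both the ".Git Exposed"/Subversion slides and the Jenkins slides come down to the same question for a defender: which of my own hosts answer these requests? The script below is an added example (not the speakers' code and not DVCS-Pillage, dvcs-ripper or a Metasploit module) that probes a base URL for `.git/config`, `.git/HEAD`, `.svn/entries`, `.svn/wc.db` and an unauthenticated Jenkins `/script` page, and notes the `X-Jenkins`/`X-Hudson` version header. Each probe checks the body against a format signature so a "200 OK" soft-404 page is not reported as a leak. The built-in demo server, its routes and its `1.580-demo` version banner are constructed so the example runs offline against loopback only.

```python
"""Probe your own web hosts for exposed VCS metadata and an open Jenkins
script console. Added example; hostnames, banner and responses are constructed."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Each probe pairs a path with a predicate on the body, so a soft-404 that
# returns 200 for everything does not count as a hit.
def _is_git_config(body):     return b"[core]" in body
def _is_git_head(body):       return body.startswith(b"ref: ") or len(body.strip()) == 40
def _is_svn_entries(body):    return body.split(b"\n", 1)[0].strip().isdigit()  # svn <= 1.6 format line
def _is_sqlite(body):         return body.startswith(b"SQLite format 3")        # svn >= 1.7 wc.db
def _is_script_console(body): return b"Script Console" in body

PROBES = [
    ("git config exposed",        "/.git/config",  _is_git_config),
    ("git HEAD exposed",          "/.git/HEAD",    _is_git_head),
    ("svn <=1.6 entries exposed", "/.svn/entries", _is_svn_entries),
    ("svn >=1.7 wc.db exposed",   "/.svn/wc.db",   _is_sqlite),
    ("jenkins /script reachable without login", "/script", _is_script_console),
]

def fetch(url, timeout=5):
    """GET url; return (status, headers, first 4 KiB of body). Network errors give status None."""
    req = urllib.request.Request(url, headers={"User-Agent": "devops-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers, resp.read(4096)
    except urllib.error.HTTPError as err:          # 403/404 still carry headers
        return err.code, err.headers, b""
    except (urllib.error.URLError, OSError):
        return None, {}, b""

def check_host(base_url):
    """Return a list of findings for one base URL (scheme://host[:port])."""
    base = base_url.rstrip("/")
    findings = []
    for label, path, looks_real in PROBES:
        status, _, body = fetch(base + path)
        if status == 200 and looks_real(body):
            findings.append(label)
    # Hudson/Jenkins announce themselves and their version in a response header.
    _, headers, _ = fetch(base + "/")
    for name in ("X-Jenkins", "X-Hudson"):
        if name in headers:
            findings.append(f"{name} header: version {headers[name]}")
    return findings

# --- constructed demo host: leaks .git, an svn 1.7 working copy and an open Jenkins ---
DEMO_ROUTES = {
    "/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n\tbare = false\n"),
    "/.git/HEAD":   (200, b"ref: refs/heads/master\n"),
    "/.svn/wc.db":  (200, b"SQLite format 3\x00" + bytes(16)),
    "/script":      (200, b"<html><head><title>Script Console [Jenkins]</title></head></html>"),
}

class DemoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = DEMO_ROUTES.get(self.path, (404, b"<html>Not Found</html>"))
        self.send_response(status)
        self.send_header("X-Jenkins", "1.580-demo")          # constructed version banner
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):                               # keep the demo quiet
        pass

def start_demo_server():
    """Bind the demo handler to a free loopback port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

if __name__ == "__main__":
    srv, url = start_demo_server()
    for finding in check_host(url):
        print(finding)
    srv.shutdown()
    srv.server_close()
```

A Jenkins that requires login answers `/script` with 403 or a redirect to the login page, so only a 200 whose body is the console counts; the same idea applies to the `/view/All/newJob` path from the slide above if you want to extend `PROBES`. Run it from inside the network too, since the slide's "Or inside?" is where most of these turn up.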
Hudson/Jenkins
Hudson/Jenkins
Can you browse a workspace?
Hudson/Jenkins
Hudson/Jenkins
AWS Config Files
AWS - CLI Dev Tools
AWS stores creds in plaintext in **hidden files**
Typically privileged access
AWS - CLI Dev Tools
AWS - CLI Dev Tools + EB
AWS - Pivoting
Once credentials are obtained, leverage nimbostratus to pivot
http://andresriancho.github.io/nimbostratus/
or… just leverage any of the open source libraries available to interact with AWS
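The "AWS - CLI Dev Tools" slides point at plaintext keys in hidden dotfiles with typically privileged access. Below is an added example (not the speakers' code, not an AWS tool) that audits a home directory for those files: it flags files readable by other local users and reports every profile that stores a key pair in plaintext, distinguishing long-lived IAM user keys (`AKIA...`) from temporary STS keys (`ASIA...`). `~/.aws/credentials` and `~/.aws/config` are the AWS CLI's documented locations; the `~/.elasticbeanstalk/aws_credential_file` path and its `AWSAccessKeyId=`/`AWSSecretKey=` layout are assumptions based on older EB CLI releases. The demo home directory and all key values are constructed (AWS's documentation example values).

```python
"""Audit a home directory for AWS dev-tool credential files that keep
long-lived keys in plaintext or are readable by other local users.
Added example; paths marked below are assumptions, key material is constructed."""
import os
import re
import stat
import tempfile
from pathlib import Path

CRED_FILES = ("~/.aws/credentials", "~/.aws/config",
              "~/.elasticbeanstalk/aws_credential_file")   # EB path: assumption (older EB CLI)

SECTION = re.compile(r"^\s*\[\s*(?:profile\s+)?([^\]]+?)\s*\]")
KEY_ID  = re.compile(r"^\s*(?:aws_access_key_id|AWSAccessKeyId)\s*=\s*(\S+)", re.I)
SECRET  = re.compile(r"^\s*(?:aws_secret_access_key|AWSSecretKey)\s*=\s*\S+", re.I)
LONG_LIVED = re.compile(r"^AKIA[0-9A-Z]{16}$")   # IAM user keys; ASIA... come from STS and expire

def audit_text(text):
    """Return (profile, issue) pairs for the contents of one credential file."""
    findings = []
    state = {"profile": "default", "key_id": None, "secret": False}

    def flush():
        key = state["key_id"]
        if key and state["secret"]:
            kind = "long-lived IAM user key" if LONG_LIVED.match(key) else "temporary STS key"
            findings.append((state["profile"], f"{kind} {key[:8]}... stored in plaintext"))

    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            flush()
            state.update(profile=m.group(1), key_id=None, secret=False)
            continue
        m = KEY_ID.match(line)
        if m:
            state["key_id"] = m.group(1)
        elif SECRET.match(line):
            state["secret"] = True
    flush()
    return findings

def audit_home(home):
    """Audit every known credential file under `home`: permissions, then contents."""
    report = []
    for rel in CRED_FILES:
        path = Path(home) / rel[2:]                    # drop the leading "~/"
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            report.append((str(path), "-", f"mode {mode:04o}: readable by group/others, should be 0600"))
        for profile, issue in audit_text(path.read_text()):
            report.append((str(path), profile, issue))
    return report

def build_demo_home():
    """Create a throwaway home dir holding constructed credential files; return its path."""
    home = Path(tempfile.mkdtemp(prefix="aws-audit-demo-"))
    aws = home / ".aws"
    aws.mkdir()
    creds = aws / "credentials"
    creds.write_text(
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n\n"
        "[ci-temp]\n"
        "aws_access_key_id = ASIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "aws_session_token = FwoGZXIvYXdzEXAMPLE\n")
    os.chmod(creds, 0o644)                             # the common mistake: world-readable
    eb = home / ".elasticbeanstalk"
    eb.mkdir()
    ebfile = eb / "aws_credential_file"
    ebfile.write_text("AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE\n"
                      "AWSSecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    os.chmod(ebfile, 0o600)
    return home

if __name__ == "__main__":
    for path, profile, issue in audit_home(build_demo_home()):
        print(f"{path} [{profile}] {issue}")
```

Run `audit_home(Path.home())` on build boxes and developer laptops; a long-lived key finding is the one to chase, because that key works from anywhere until it is rotated, whereas instance roles and STS sessions expire on their own.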
Client Provisioning
Chef
Chef allows you to define the state your servers (local or cloud) should be in and enforces it.
Chef (Web Interface)
Default/Weak Creds
Chef (Web Interface)
Environment Leakage
Chef (Web Interface)
Databags
Chef/knife
knife is a Chef command line utility
● Credentials stored in data bags
● Can be encrypted
● Example:
$ knife data bag list
Chef/knife
Chef/knife (encrypted data bag)
Chef/knife
Vagrant
Did you change your SSH keys?
Vagrant
● Default Credentials
○ root/vagrant, vagrant/vagrant
○ No pass to sudo :-)
Vagrant
Scan using the default private key
Vagrant
Scan using the default private key
Vagrant
Identify real from fake by ssh version scan
Vagrant
Breaking into host from guest
http://finite.state.io/blog/2012/10/30/breaking-in-and-out-of-vagrant/
“Put evil things in /vagrant/.git/hooks/post-commit and wait for the user to commit some code. Since the /vagrant/ directory is mounted from the host, my hook will persist even if the user destroys the VM.”
Kickstart Files
3 ways to set root password
1. Enter during installation
2. Crypted hash in the kickstart file: “rootpw --iscrypted”
3. Clear text in the kickstart file: “rootpw --plaintext”
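The Chef/knife slides ("Credentials stored in data bags, can be encrypted") and the Kickstart slides above describe the same defender problem: provisioning artefacts that carry a secret in recoverable form. The following is an added example (not Chef's, Anaconda's or the speakers' code) of a lint for both: it reports data bag attributes that look like secrets but were uploaded as plaintext, and `rootpw` lines that set the root password in clear text or with an MD5-crypt (`$1$`) hash. The encrypted-item field names (`encrypted_data`, `iv`, `cipher`, `version`) follow Chef's encrypted data bag format as this author understands it; the data bag items and kickstart snippets are constructed, and the hashes in them are not real.

```python
"""Lint provisioning artefacts for recoverable secrets: unencrypted Chef data
bag items and kickstart rootpw lines. Added example; samples are constructed."""
import json
import re

# Every attribute except "id" of an encrypted data bag item is an object carrying
# these fields (assumed from Chef's encrypted data bag format); anything else is
# stored exactly as knife uploaded it.
ENCRYPTED_FIELDS = {"encrypted_data", "iv", "cipher", "version"}
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api_?key|private_?key", re.I)

def databag_item_findings(item):
    """Return the names of attributes that look like secrets but are stored in plaintext."""
    found = []
    for name, value in item.items():
        if name == "id":
            continue
        if isinstance(value, dict) and ENCRYPTED_FIELDS <= set(value):
            continue                      # ciphertext only; useless without the shared secret
        if SECRET_NAME.search(name):
            found.append(name)
    return found

def databag_json_findings(json_text):
    """Same check on the JSON that `knife data bag show BAG ITEM -F json` prints."""
    return databag_item_findings(json.loads(json_text))

ROOTPW = re.compile(r"^\s*rootpw\b(.*)$", re.M)

def kickstart_findings(text):
    """Flag rootpw lines a kickstart file would apply in a recoverable form."""
    found = []
    for m in ROOTPW.finditer(text):
        args = m.group(1).split()
        if "--iscrypted" not in args:
            found.append("rootpw sets the root password in clear text (--plaintext or no flag)")
        elif args and args[-1].startswith("$1$"):
            found.append("rootpw --iscrypted uses MD5-crypt ($1$); regenerate as SHA-512 ($6$)")
    return found

# Constructed samples (hash values are placeholders, not real hashes).
PLAIN_ITEM = {"id": "deploy", "username": "deploy", "password": "hunter2"}
ENCRYPTED_ITEM = {
    "id": "deploy", "username": "deploy",
    "password": {"encrypted_data": "c2VjcmV0...", "iv": "aXY=", "cipher": "aes-256-cbc", "version": 1},
}
KS_WEAK = "lang en_US.UTF-8\nrootpw --plaintext changeme\n"
KS_MD5  = "rootpw --iscrypted $1$saltsalt$PLACEHOLDERNOTAREALHASH\n"
KS_OK   = "rootpw --iscrypted $6$saltsalt$PLACEHOLDERNOTAREALHASH\n"

if __name__ == "__main__":
    print(databag_item_findings(PLAIN_ITEM), databag_item_findings(ENCRYPTED_ITEM))
    for ks in (KS_WEAK, KS_MD5, KS_OK):
        print(kickstart_findings(ks))
```

Point `databag_json_findings` at the output of `knife data bag show` for each bag (or at the JSON files under `data_bags/` in the repo) and `kickstart_findings` at every `.ks`/`.cfg` your PXE or image pipeline serves; kickstart files are usually fetched over plain HTTP by the installer, so a clear-text `rootpw` is readable by anyone on that segment, not just anyone with the file.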
Kickstart Files
Examples
Kickstart Files
Examples
ElasticSearch
elasticsearch
Provides a distributed, multitenant-capable full-text search engine with a RESTful web interface and schema-free JSON documents.
● GET request to port 9200 will show version
"version" : {"number" : "1.2.4",
elasticsearch
● No Authentication
● Can search stored data via HTTP API
● Update data with PUT request
● Join an open cluster and receive all data
● RCE prior to 1.2.0
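The two slides above give a defender everything needed to triage a node: the version banner on port 9200 and the fact that dynamic scripting (the pre-1.2.0 RCE) and unauthenticated access are defaults. The following is an added example (not Elastic's or the speakers' code) that parses the `GET :9200/` JSON, compares the version against 1.2.0, and reads a flat `elasticsearch.yml` for `script.disable_dynamic` and `network.host`; settings are parsed with plain regexes so it runs without PyYAML. The banners below are constructed, the first one mirroring the `1.2.4` version shown on the slide, and the hardened yml is this example's own.

```python
"""Assess an Elasticsearch 1.x node from its GET / banner and elasticsearch.yml.
Added example; banners and yml are constructed."""
import json
import re

def parse_version(banner_json):
    """Return (major, minor, patch) from the JSON a node returns on GET :9200/."""
    number = json.loads(banner_json)["version"]["number"]
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", number).groups())

def parse_settings(yml_text):
    """Flat `key: value` lines of elasticsearch.yml; commented lines are ignored."""
    return dict(re.findall(r"^\s*([\w.]+)\s*:\s*(\S+)", yml_text, re.M))

def assess_node(banner_json, yml_text=""):
    """Return findings for one node; an empty list means nothing to fix."""
    findings = []
    version = parse_version(banner_json)
    settings = parse_settings(yml_text)
    dynamic = settings.get("script.disable_dynamic")
    if version < (1, 2, 0) and dynamic != "true":
        findings.append("dynamic scripting is on by default before 1.2.0 (remote code execution); "
                        "upgrade or set script.disable_dynamic: true")
    elif dynamic == "false":
        findings.append("script.disable_dynamic: false re-enables dynamic scripting")
    bind = settings.get("network.host") or settings.get("network.bind_host")
    if bind not in ("127.0.0.1", "localhost", "_local_"):
        findings.append("no loopback-only network.host: REST (9200) and transport (9300) answer "
                        "on every interface with no authentication")
    return findings

# Constructed banners; the first mirrors the version number shown on the slide.
BANNER_124 = ('{"status": 200, "name": "node-1", "version": {"number": "1.2.4", '
              '"build_hash": "x", "lucene_version": "4.8"}, "tagline": "You Know, for Search"}')
BANNER_111 = '{"status": 200, "name": "node-2", "version": {"number": "1.1.1"}, "tagline": "You Know, for Search"}'
HARDENED_YML = "cluster.name: demo\nnetwork.host: 127.0.0.1\nscript.disable_dynamic: true\n"

if __name__ == "__main__":
    for banner in (BANNER_111, BANNER_124):
        print(parse_version(banner), assess_node(banner), assess_node(banner, HARDENED_YML))
```

For a node you cannot bind to loopback (cluster members need 9300), the network finding still tells you that everything else on that segment can read, write and join; the fix is a firewall rule or a separate network, since this version of Elasticsearch has no authentication of its own.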
elasticsearch
exploit/multi/elasticsearch/script_mvel_rce
elasticsearch
Searching via curl/browser is cumbersome
● Kibana FTW
○ http://www.elasticsearch.org/overview/kibana/
● Edit config.js to point to open Elasticsearch
● Open index.html in local browser or host on a server
elasticsearch (Kibana)
elasticsearch (Kibana)
elasticsearch (Kibana)
Viewing the content of the document
In-Memory Databases
Redis
Defaults:
● No encrypted communication
● No credentials
● Port 6379 (TCP)
● Binds to all interfaces
○ Moral of the story? Keep off the interwebs!
Redis
How prevalent is this?
Redis
You can navigate the DB with the redis-cli
Redis
Or use the Redis Desktop Manager
Redis
Feel lucky?
Redis - Fun Commands
FLUSHALL
SCRIPT LOAD
EVAL / EVALSHA
○ Also - Thanks Adam Baldwin:
○ https://github.com/evilpacket/redis-sha-crack
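The Redis "Defaults" slide (no credentials, bound to all interfaces, 6379/TCP) and the "Fun Commands" slide above (FLUSHALL, SCRIPT LOAD, EVAL/EVALSHA) map directly onto three redis.conf directives: `bind`, `requirepass` and `rename-command`. The lint below is an added example (not Redis's or the speakers' code) that parses a redis.conf and reports a weak configuration next to the corrected one; the sample configs are constructed and the placeholder password is exactly that. Redis of that era had no transport encryption, so the slide's first default is addressed by where the server sits on the network rather than by this file.

```python
"""Lint a redis.conf against the defaults the slides list. Added example;
the sample configs are constructed."""
import re

# Commands the deck calls out, plus the ones that wipe or reconfigure the server.
DANGEROUS = ("FLUSHALL", "FLUSHDB", "CONFIG", "EVAL", "EVALSHA", "SCRIPT")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_redis_conf(text):
    """Map directive -> list of argument strings in file order; comments skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip())
    return directives

def assess_redis_conf(text):
    """Return findings for one redis.conf; an empty list means the three checks pass."""
    d = parse_redis_conf(text)
    findings = []
    bind_addrs = [a for args in d.get("bind", []) for a in args.split()]
    if not bind_addrs or any(a in ("0.0.0.0", "*", "::") for a in bind_addrs):
        findings.append("listens on all interfaces: add `bind 127.0.0.1` (or the private NIC only)")
    elif not set(bind_addrs) <= LOOPBACK:
        findings.append(f"reachable on {', '.join(bind_addrs)}: make sure that network is firewalled")
    password = d.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("no requirepass: anyone who can reach TCP 6379 can read, write and FLUSHALL")
    renamed = {args.split()[0].upper() for args in d.get("rename-command", []) if args.split()}
    for cmd in DANGEROUS:
        if cmd not in renamed:
            findings.append(f'{cmd} still reachable under its default name: `rename-command {cmd} ""` disables it')
    return findings

# Constructed: a stock-looking config with nothing bound and nothing protected ...
WEAK_CONF = "# nothing bound, nothing protected\nport 6379\ndaemonize yes\n"
# ... and the same server with the three directives set.
HARDENED_CONF = """bind 127.0.0.1
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, assess_redis_conf(conf))
```

Renaming a command to the empty string removes it entirely; renaming it to a long random string keeps it for administrators while taking it away from anything that only knows the default name. Either way the `requirepass` finding is the one that matters most, since without it the slide's "Feel lucky?" applies to every host that can reach the port.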
memcache
Free & open source, high-performance, distributed memory object caching system
No code exec, but fun things get put into memcache
Examples
memcache
memcache
memcache
What can we do about this?
Actions you can take tomorrow
● If you have Jenkins, make sure it requires authentication
● Ensure access to tools/systems is only available to hosts that need it
● Change default vagrant private key
● Update to latest versions of your devops tools
Thanks!
Ken Johnson ken.johnson [at] nvisium.com
Chris Gates chris [at] carnal0wnage.com