# Bonus Walkthroughs

## Challenge 2
Was this cluster compromised via another mechanism that Blue didn't know about? (Yes!) Find the IP address of the attacker's system where the reverse shell was being sent. Hint: Tiller was removed with `helm reset --force`, so it left some things behind in the `kube-system` namespace.
- Search for leftover configmaps:

  ```bash
  kubectl get configmap --all-namespaces
  ```

- Dig into the Helm Chart configmap. The `release` field is a base64-encoded, gzip-compressed blob, so decode and decompress it in stages:

  ```bash
  kubectl get configmap -n kube-system toned-elk.v1 -o json
  kubectl get configmap -n kube-system toned-elk.v1 -o json | jq -r '.'
  kubectl get configmap -n kube-system toned-elk.v1 -o json | jq -r '.data.release'
  kubectl get configmap -n kube-system toned-elk.v1 -o json | jq -r '.data.release' | base64 -d
  kubectl get configmap -n kube-system toned-elk.v1 -o json | jq -r '.data.release' | base64 -d | file -
  kubectl get configmap -n kube-system toned-elk.v1 -o json | jq -r '.data.release' | base64 -d | gunzip -
  ```

- Examine the image without running it:

  ```bash
  docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock docker.io/wagoodman/dive:latest docker.io/bradgeesaman/bd:latest
  ```

- Make a tmp space to save the image:

  ```bash
  mkdir ~/bdtmp && cd ~/bdtmp
  ```

- Save the image as a tarball:

  ```bash
  docker save docker.io/bradgeesaman/bd:latest -o bd.tar
  ls -alh
  ```

- View the image tarball contents:

  ```bash
  tar tvf bd.tar
  tar xvf bd.tar
  ```

- Examine the `manifest.json` to find the config and the layers, then list only the build steps that actually changed the filesystem:

  ```bash
  cat manifest.json | jq -r '.'
  jq -r '.[].Config' manifest.json
  cat $(jq -r '.[].Config' manifest.json) | jq -r '.'
  cat $(jq -r '.[].Config' manifest.json) | jq -r '.history[] | select(."empty_layer"!=true)'
  ls -alh
  ```

- Obtain the last layer file name:

  ```bash
  cat manifest.json | jq -r '.'
  jq -r '.[].Layers[]' manifest.json | tail -1
  ```

- To get the answer, view the contents of the last image layer (extracted to stdout):

  ```bash
  tar xvf $(jq -r '.[].Layers[]' manifest.json | tail -1) -O
  ```

- Cleanup:

  ```bash
  cd ..
  rm -rf ~/bdtmp
  ```
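The manifest-to-last-layer steps above can be scripted so the same static inspection runs against any `docker save` tarball without ever starting the container. This is an added example, not part of the original walkthrough; it constructs a small stand-in image tarball inline (the tags, layer digests and file contents are made up) and walks it the same way: `manifest.json`, then `Config`, then the non-empty history entries, then the files inside the last layer.

```python
import io
import json
import tarfile

def _tar_bytes(files):
    """Pack {name: bytes} into an uncompressed tar (used for layers and the image)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image_tar():
    """Constructed stand-in for `docker save` output (not a real image):
    manifest.json, the image config with its build history, two layer tars."""
    layers = {
        "aaa111/layer.tar": _tar_bytes({"bin/sh": b"ELF..."}),
        "bbb222/layer.tar": _tar_bytes({"entry.sh": b"#!/bin/sh\necho placeholder\n"}),
    }
    config = {"history": [
        {"created_by": "ADD rootfs.tar /"},
        {"created_by": "CMD [\"/bin/sh\"]", "empty_layer": True},  # no fs change
        {"created_by": "COPY entry.sh /entry.sh"},
    ]}
    manifest = [{"Config": "cfg.json", "RepoTags": ["example/bd:latest"],
                 "Layers": list(layers)}]
    files = {"manifest.json": json.dumps(manifest).encode(),
             "cfg.json": json.dumps(config).encode(), **layers}
    return _tar_bytes(files)

def inspect_image_tar(tar_bytes):
    """Walk the tarball the way the walkthrough does: manifest -> Config ->
    non-empty history steps -> last layer -> files inside that layer."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as t:
        read = lambda name: t.extractfile(name).read()
        manifest = json.loads(read("manifest.json"))[0]
        config = json.loads(read(manifest["Config"]))
        steps = [h["created_by"] for h in config["history"]
                 if not h.get("empty_layer")]
        last = manifest["Layers"][-1]
        with tarfile.open(fileobj=io.BytesIO(read(last))) as lt:
            files = {m.name: lt.extractfile(m).read().decode("utf-8", "replace")
                     for m in lt.getmembers() if m.isfile()}
    return {"tags": manifest["RepoTags"], "layer_steps": steps,
            "last_layer": last, "last_layer_files": files}
```

Point `inspect_image_tar` at the bytes of a real `bd.tar` to get the last layer's file listing and contents in one pass, which is where the answer to this challenge lives.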