Bonus Walkthroughs

Challenge 2

Was this cluster compromised via another mechanism and Blue didn't know about it? (Yes!) Find the IP address of the attacker's system where the reverse shell was being sent. Hint: Tiller was removed with helm reset --force and so it left some things behind in the kube-system namespace.

  1. Search for leftover configmaps

    kubectl get configmap --all-namespaces
    
  2. Dig into the Helm Chart configmap

    kubectl get configmap -n kube-system toned-elk.v1 -o json
    
    kubectl get configmap -n kube-system toned-elk.v1 -o json | jq -r '.'
    
    kubectl get configmap -n kube-system toned-elk.v1 -o json | jq -r '.data.release'
    
    kubectl get configmap -n kube-system toned-elk.v1 -o json | jq -r '.data.release' | base64 -d
    
    kubectl get configmap -n kube-system toned-elk.v1 -o json | jq -r '.data.release' | base64 -d | file -
    
    kubectl get configmap -n kube-system toned-elk.v1 -o json | jq -r '.data.release' | base64 -d | gunzip -
    
  3. Examine the image without running it

    docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock docker.io/wagoodman/dive:latest docker.io/bradgeesaman/bd:latest
    
  4. Make a tmp space to save the image

    mkdir ~/bdtmp && cd ~/bdtmp
    
  5. Save the image as a tarball

    docker save docker.io/bradgeesaman/bd:latest -o bd.tar
    
    ls -alh
    
  6. View the image tarball contents

    tar tvf bd.tar 
    
    tar xvf bd.tar
    
  7. Examine the manifest.json to find the layers

    cat manifest.json | jq -r '.'
    
    jq -r '.[].Config' manifest.json
    
    cat $(jq -r '.[].Config' manifest.json) | jq -r '.'
    
    cat $(jq -r '.[].Config' manifest.json) | jq -r '.history[] | select(."empty_layer"!=true)'
    
    ls -alh
    
  8. Obtain the last layer file name

    cat manifest.json | jq -r '.'
    
    jq -r '.[].Layers[]' manifest.json | tail -1
    
  9. To get the answer, view the contents of the last image layer

    tar xvf $(jq -r '.[].Layers[]' manifest.json | tail -1) -O
    
  10. Cleanup

    cd ..
    
    rm -rf ~/bdtmp