It all started with something seemingly simple, innocent and comfy, the flag hunt. We were presented with a virtual machine we could connect to in order to interact with a running Kubernetes cluster. Simple, right? WRONG!
The info provided allowed us to use the Kubernetes dashboard, in which we managed to find a lot of very obvious flags, most of which were hidden directly in the config dashboard accessible via two clicks. But that's where the fun really begins: most of the flags could be found by getting access to the OCI registry, dumping all layers we could access and scanning everything for flags; alternatively one could use the exposed heapdump endpoint and arrive at the same thing. One of the two flags was called "token forgery", so based on that we took the jwt-keys secret we had access to on the dashboard, forged a JWT with it and then tried to authenticate using that token. But as it later turned out, the code for checking the received JWT was broken, so this challenge was impossible to do the intended way. But not for us! We continued scanning the files we could dump from the OCI registry and voila, we found a .jar file which had this said code implemented to give back the flag, so, since we couldn't access the flag the intended way, we just stole it from the if clause in the code directly :D
And now to the last flag, the one we wasted most of our time on; it later turned out you could only find it by coming across a somewhat hidden-away Docker image.
NOW THAT WAS JUST THE FIRST PART, the second part asks us to implement some kind of security layer to check the containers within the cluster for security issues and similar.
THE BEGINNING OF THE SECOND ROUND
So what do we do? How do we do it? What? Those are just a few of the questions we were faced with when trying to approach this task, since none of us had ever properly worked with Kubernetes nor with most of the things that are usually used in combination with it. So this is it, it's time to learn NEW THINGS, and very fast.
The first move was to run a basic Kubernetes cluster locally, which we successfully did after following some docs. Then we learned how to deploy pods to Kubernetes. And one of the ideas was to integrate the so-called Kopf, basically a python integration into the Kubernetes cluster.
After all this happiness we split the work as follows: one would create examples of servers with vulnerabilities, the other would write the python code to catch those vulnerabilities and the third one would organize the infrastructure in general. But of course as with any good plan, we had to adapt and switch roles around. And it took way longer than expected.
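To give a feel for the kind of "catch the vulnerabilities" check described above, here is an added example (not the team's code): a pure function that audits a pod manifest for common container security issues. The pod manifest and the rule set are constructed for illustration.

```python
"""Pod security checks of the kind a Kopf handler could run on each new pod.
Added example, not the team's code: the manifest below is constructed and the
rule set is an assumption, not the team's actual rule set."""
from typing import Any

# Constructed sample manifest: the first container is deliberately weak,
# the second follows common hardening guidance.
SAMPLE_POD = {
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {
        "hostPID": True,
        "containers": [
            {"name": "app", "image": "registry.local/app:latest",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "registry.local/sidecar:1.2.3",
             "securityContext": {"runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False},
             "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}},
        ],
    },
}


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return one finding string per weak setting (empty list means clean)."""
    spec = pod.get("spec", {})
    findings = []
    # Pod-level settings that break isolation from the node.
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod shares {key} with the node")
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: runs privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        image = c.get("image", "")
        # Last path segment must carry a tag or digest, and not ":latest".
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(f"{name}: image tag missing or :latest ({image})")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits")
    return findings
```

In a Kopf operator a handler decorated with `@kopf.on.create('pods')` receives the pod object as the `body` keyword argument, which can be passed straight to `audit_pod` and the findings logged or written to a status field.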
Built With
- bash
- docker
- java
- javascript
- kubernetes
- python
- terraform
- yaml