Hi Everyone,
Kubernetes is built on containers, and to try something new I decided to set up a security playground leveraging two different container environments.
IMPORTANT! Only run these tests and tools on your own test environments. If you run them anywhere else you must get permission for testing purposes. Security software will detect attacks and can get you in trouble so learn at home in the privacy of your own testing environment!
Today we will set up a vulnerable test application called juice-shop from OWASP in a podman container. We will then set up a Kali Linux LXC container in Proxmox, which we will use going forward to test juice-shop for vulnerabilities.
Kali Linux is a fantastic security distribution that can be used to test and probe all sorts of IT components.
Today we will have some fun with the juice-shop but going forward you just know that we will attack a Kubernetes cluster!
First we will go get the Kali Linux LXC container: https://www.kali.org/get-kali/#kali-platforms
Kali has every type of flavour available, but in this case we will head to containers:



I will be choosing the ubuntu noble version amd64:

Download the rootfs.tar.xz file and upload it into Proxmox (we will add the packages that we need keeping the install lean and mean).

After uploading it into Proxmox, create a container leveraging that template:






If you did not set the container to start right away upon creation, then start it up now:


We will come back to Kali in a bit, but right now let's get juice-shop going. I will pull the image down first; I could have just run it, but I like to see if there are any issues with getting the container first.
podman pull docker.io/bkimminich/juice-shop
podman run --rm -p 3000:3000 bkimminich/juice-shop

Check out the juice-shop:

Back in Kali let’s install some scanning and penetration testing apps:
sudo apt install nmap -y
sudo apt install dirb -y
sudo apt install gobuster -y
sudo apt install nikto -y
First run a port scan:
nmap -oN nmapscan.txt -v -A podman01
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 15:89:f3:07:f8:41:9d:48:62:4b:be:bc:5e:81:26:9c (ECDSA)
|_ 256 50:8e:4c:9f:f6:81:86:e5:87:f2:8a:f5:66:74:b3:d7 (ED25519)
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| X-Request-Id: 85865920-aa90-4050-b24b-2d6b697c1316
| Date: Mon, 24 Mar 2025 00:24:52 GMT
| Content-Length: 19
| page not found
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 404 Not Found
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| X-Request-Id: ba55f83e-a1f6-42f4-bae3-5db87a0be136
| Date: Mon, 24 Mar 2025 00:24:52 GMT
| Content-Length: 19
| page not found
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| X-Request-Id: dddba4c5-3077-4b1f-9a89-e2dcd510a393
| Date: Mon, 24 Mar 2025 00:24:52 GMT
| Content-Length: 19
|_ page not found
| ssl-cert: Subject: commonName=Step Online CA
| Subject Alternative Name: DNS:podman01.lab1.local
| Issuer: commonName=smallstep Intermediate CA/organizationName=smallstep
| Public Key type: ec
| Public Key bits: 256
| Signature Algorithm: ecdsa-with-SHA256
| Not valid before: 2025-03-23T14:17:59
| Not valid after: 2025-03-24T14:18:59
| MD5: d5c3:3bc9:38be:8c53:c236:b71b:f114:ed19
|_SHA-1: 9796:ceb3:9712:0d82:8061:9f28:2077:b5ec:824a:e98c
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: BC:24:11:A1:28:B8 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Uptime guess: 40.683 days (since Tue Feb 11 08:02:43 2025)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.15 ms 192.168.0.159
NSE: Script Post-scanning.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.76 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.286KB)
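Because the scan was saved with -oN nmapscan.txt, the result can be checked against what the lab host is supposed to expose. The script below is an added example, not part of the original post: it parses nmap's normal output, reports open ports that are not on an allowlist, reports allowlisted ports the scan did not list, and computes the certificate lifetime. The sample input is constructed from lines shown above; the allowlist (22/tcp, 3000/tcp) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit an nmap normal-output (-oN) file against an allowlist.

# Constructed sample: a few lines taken from the scan output above.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)
8443/tcp open ssl/https-alt
| ssl-cert: Subject: commonName=Step Online CA
| Not valid before: 2025-03-23T14:17:59
| Not valid after: 2025-03-24T14:18:59
EOF

# open_ports FILE -> one "port/proto" per line for every port reported open
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }' "$1"
}

# unexpected_ports FILE "ALLOWLIST" -> open ports that are not on the allowlist
unexpected_ports() {
    open_ports "$1" | while read -r p; do
        case " $2 " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# missing_ports FILE "ALLOWLIST" -> allowlisted ports the scan did not report open
missing_ports() {
    found=" $(open_ports "$1" | tr '\n' ' ')"
    for p in $2; do
        case "$found" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# cert_lifetime_hours FILE -> whole hours between the first certificate's validity bounds
cert_lifetime_hours() {
    nb=$(sed -n 's/^|[ _]*Not valid before: *//p' "$1" | head -n 1 | tr 'T' ' ')
    na=$(sed -n 's/^|[ _]*Not valid after: *//p' "$1" | head -n 1 | tr 'T' ' ')
    [ -n "$nb" ] && [ -n "$na" ] || return 1
    a=$(date -u -d "$na" +%s); b=$(date -u -d "$nb" +%s)
    echo $(( ($a - $b) / 3600 ))
}

# Assumed allowlist for this lab host: SSH plus the juice-shop port published by podman.
ALLOW="22/tcp 3000/tcp"
echo "unexpected: $(unexpected_ports "$SAMPLE" "$ALLOW" | tr '\n' ' ')"
echo "missing:    $(missing_ports "$SAMPLE" "$ALLOW" | tr '\n' ' ')"
echo "cert lifetime (hours): $(cert_lifetime_hours "$SAMPLE")"
```

To run it against the real scan, pass nmapscan.txt instead of the sample file; the date parsing relies on a date command that accepts -d (GNU coreutils, as on Kali).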
Next let's use dirb to see if we can find hidden directories and files:
dirb http://podman01:3000

How about looking for some vulnerabilities?
nikto -h http://podman01:3000

That’s it for today. Next time we will try some other tools in Kali and move on to some other applications.