Skip to content
/ command-injection Public

An educational resource demonstrating a web server running in a Kubernetes cluster that has a command injection vulnerability.

License

Apache-2.0 license
0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kube-hack/command-injection

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
.github/workflows
.github/workflows
 
 
chart
chart
 
 
solution
solution
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
main.go
main.go
 
 

Repository files navigation

Overview

This is an educational resource demonstrating a web server running in a Kubernetes cluster that has a command injection vulnerability. Here are a few suggestions for how you might use this repository:

  1. Practice your hacking skills by getting the contents of the flag_to_capture file, which is stored somewhere on the web server.

  2. Read the source code found in main.go and the solution guide found in solution/README.md to better-understand what command injection vulnerabilities look like, how to exploit them, and how to prevent them.

  3. Use this as a guide/inspiration for building your own applications with vulnerabilities.

The instructions and solutions were written assuming you are using some kind of Linux distribution (sorry Windows 😬), whether Ubuntu, MacOS, or another Debian-based OS.

*****DISCLAIMER*****

This is an application with a built-in security vulnerability. Please don't deploy the Helm chart into a production environment. There are also instructions showing how to exploit command injection vulnerabilities, so please don't use this to break any laws 😁.

Usage

Requirements

  • Latest version of Helm
  • Latest version of kubectl
  • A fully-compliant Kubernetes distribution (i.e. microk8s, k3s, k3d) that is running on Linux/amd64, and is using containerd or Docker as the runtime.

Deploying to Kubernetes

Add the Helm chart repository:

helm repo add kube-hack https://kube-hack.github.io/charts

Update the charts in your Helm repository:

helm repo update

Deploy the chart to your Kubernetes cluster:

helm install command-injection kube-hack/command-injection

Interacting with the application

Port-forward the application

kubectl port-forward svc/web-server-command-injection 3000:3000

After the application is port-forwarded (accessible via localhost), you can open your browser and enter localhost:3000 to access the web application.

Using the application

This is a web application that sends a ping request to a url on the internet, and prints the response on the page. Enter a website (i.e. google.com) into the field next to the Enter a URL or Domain: label and click the Ping button to see the response.

Validating the value of the flag

If you have found the flag_to_capture file, send a curl request to localhost:3000/validate with the contents of the file as a string in the request payload:

curl --data-binary "your-string-here" localhost:3000/validate

About

An educational resource demonstrating a web server running in a Kubernetes cluster that has a command injection vulnerability.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Packages

 
 
 

Languages