Botb – Container Analysis, Exploitation And CICD Tool For Pentesters And Engineers

Break out the Box (BOtB) is a tool that was presented at Black Hat USA 2019. BOtB is the first tool aimed at hackers and developers to automate container exploitation; it can also be used to analyze and identify vulnerabilities in containers such as LXC and Docker.

Break out the Box (BOtB)

BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies.

What does it do?

BOtB is a CLI tool which allows you to:

  • Exploit common container vulnerabilities
  • Perform common container post exploitation actions
  • Provide capability when certain tools or binaries are not available in the Container
  • Use BOtB’s capabilities with CI/CD technologies to test container deployments
  • Perform the above in either a manual or automated approach

Current Capabilities

  • Find and Identify UNIX Domain Sockets
  • Identify UNIX domain sockets which support HTTP
  • Find and identify the Docker Daemon on UNIX domain sockets or on an interface
  • Analyze and identify sensitive strings in ENV and in process environments exposed via procfs, i.e. /proc/{pid}/environ
  • Identify metadata service endpoints, i.e. http://169.254.169.254
  • Perform a container breakout via exposed Docker daemons
  • Perform a container breakout via CVE-2019-5736
  • Hijack host binaries with a custom payload
  • Perform actions in CI/CD mode and only return exit codes > 0
  • Scrape metadata info from GCP metadata endpoints
  • Push data to an S3 bucket
  • Break out of Privileged Containers
  • Force BOtB to always return an Exit Code of 0 (useful for non-blocking CI/CD)
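The recon capability above reads /proc/{pid}/environ, which stores a process's environment as NUL-separated KEY=VALUE records. The following is an added example, not code from the BOtB project, of how a deployment test can parse that format and flag variable names that look like credentials. The marker list, the "self" default and the exit-code convention (non-zero when something is found, mirroring BOtB's CI/CD mode) are assumptions made for this example; only variable names are reported, never values.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"sort"
	"strings"
)

// sensitiveMarkers are name fragments that usually indicate a credential.
// The list is constructed for this example; extend it for your environment.
var sensitiveMarkers = []string{
	"SECRET", "TOKEN", "PASSWORD", "PASSWD", "API_KEY", "ACCESS_KEY", "PRIVATE_KEY",
}

// ParseEnviron decodes the NUL-separated KEY=VALUE records used by
// /proc/<pid>/environ into a map. A record without '=' keeps an empty value.
func ParseEnviron(raw []byte) map[string]string {
	env := make(map[string]string)
	for _, rec := range bytes.Split(raw, []byte{0}) {
		if len(rec) == 0 {
			continue // trailing NUL or empty record
		}
		key, val, _ := bytes.Cut(rec, []byte("="))
		env[string(key)] = string(val)
	}
	return env
}

// SensitiveKeys returns, sorted, the names of variables whose name contains
// one of the markers. Values are deliberately not returned so that the
// report itself never carries the secret.
func SensitiveKeys(env map[string]string) []string {
	var hits []string
	for name := range env {
		upper := strings.ToUpper(name)
		for _, marker := range sensitiveMarkers {
			if strings.Contains(upper, marker) {
				hits = append(hits, name)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// ScanProcess reads one process's environment from procfs. "self" scans the
// calling process; other pids need read access to their environ file, which
// the kernel grants only to the same user or a privileged one.
func ScanProcess(pid string) ([]string, error) {
	raw, err := os.ReadFile("/proc/" + pid + "/environ")
	if err != nil {
		return nil, err
	}
	return SensitiveKeys(ParseEnviron(raw)), nil
}

func main() {
	pid := "self"
	if len(os.Args) > 1 {
		pid = os.Args[1]
	}
	hits, err := ScanProcess(pid)
	if err != nil {
		fmt.Fprintln(os.Stderr, "[-]", err)
		os.Exit(2)
	}
	for _, name := range hits {
		fmt.Printf("[!] credential-looking variable in /proc/%s/environ: %s\n", pid, name)
	}
	// BOtB's CI/CD convention: non-zero exit code when something was found.
	if len(hits) > 0 {
		os.Exit(1)
	}
	fmt.Println("[+] no credential-looking variables found")
}
```

Run it as a pipeline step inside the built image (`./envscan` or `./envscan 1`); a non-zero exit means a secret was injected through the environment, where every process in the container, and anything that can read procfs, can see it.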

Getting BOtB

BOtB is available as a binary in the Releases Section.

Building BOtB

BOtB is written in Go and can be built using the standard Go tools. The following will get you started:

Getting the Code:

go get github.com/brompwnie/botb
or
git clone git@github.com:brompwnie/botb.git

Building the Code:

govendor init
govendor add github.com/tv42/httpunix
govendor add github.com/kr/pty
go build -o botbsBinary 

Usage

BOtB can be compiled into a binary for the targeted platform and supports the following usage:

Usage of ./botb:
  -aggr string
      Attempt to exploit RuncPWN (default "nil")
  -always-succeed
      Attempt to scrape the GCP metadata service
  -autopwn
      Attempt to autopwn exposed sockets
  -cicd
      Attempt to autopwn but don't drop to TTY,return exit code 1 if successful else 0
  -endpointlist string
      Provide a wordlist (default "nil")
  -find-docker
      Attempt to find Dockerd
  -find-http
      Hunt for Available UNIX Domain Sockets with HTTP
  -hijack string
      Attempt to hijack binaries on host (default "nil")
  -interfaces
      Display available network interfaces
  -metadata
      Attempt to find metadata services
  -path string
      Path to Start Scanning for UNIX Domain Sockets (default "/")
  -pwn-privileged string
      Provide a command payload to try exploit --privilege CGROUP release_agent's (default "nil")
  -recon
      Perform Recon of the Container ENV
  -region string
      Provide a AWS Region e.g eu-west-2 (default "nil")
  -s3bucket string
      Provide a bucket name for S3 Push (default "nil")
  -s3push string
      Push a file to S3 e.g Full command to push to https://YOURBUCKET.s3.eu-west-2.amazonaws.com/FILENAME would be: -region eu-west-2 -s3bucket YOURBUCKET -s3push FILENAME (default "nil")
  -scrape-gcp
      Attempt to scrape the GCP metadata service
  -socket
      Hunt for Available UNIX Domain Sockets
  -verbose
      Verbose output
  -wordlist string
      Provide a wordlist (default "nil") 

The following usage examples return an Exit Code > 0 by default when an anomaly is detected. This is shown by "echo $?", which prints the exit code of the last executed command.

Find UNIX Domain Sockets

#./bob_linux_amd64 -socket=true
[+] Break Out The Box
[+] Hunting Down UNIX Domain Sockets from: /
[!] Valid Socket: /var/meh
[+] Finished
 
#echo $?
1 

Find a Docker Daemon

#./bob_linux_amd64 -find-docker=true
[+] Break Out The Box
[+] Looking for Dockerd
[!] Dockerd DOCKER_HOST found: tcp://0.0.0.0:2375
[+] Hunting Docker Socks
[!] Valid Docker Socket: /var/meh
[+] Finished
 
#echo $?
1 

Scan for Metadata Endpoints

BOtB by default scans for two Metadata endpoints.

#  ./bob_linux_amd64 -metadata=true                    
[+] Break Out The Box
[*] Attempting to query metadata endpoint: 'http://169.254.169.254/latest/meta-data/'
[*] Attempting to query metadata endpoint: 'http://kubernetes.default.svc/'
[+] Finished
 
# echo $?
0 

BOtB can also be supplied with a list of endpoints to scan for.

#  cat endpoints.txt 
https://heroku.com
 
#  ./bob_linux_amd64 -metadata=true -endpointlist=endpoints.txt
[+] Break Out The Box
[*] Loading entries from: endpoints.txt
[*] Attempting to query metadata endpoint: 'https://heroku.com'
[!] Reponse from 'https://heroku.com' -> 200
[+] Finished
 
# echo $?
1 
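The metadata checks above report whether the default endpoints or an endpoints.txt list answer from inside the container. The following is an added example, not BOtB's own code, of that check written as a deployment test that verifies a container cannot reach cloud or cluster metadata services: it parses the one-URL-per-line list format, issues a GET with a short timeout to each endpoint, and exits non-zero if anything answered. The Probe type, the function names, the timeout value and the comment syntax in the list file are assumptions made for this example; the two default endpoints are the ones BOtB queries.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"time"
)

// DefaultEndpoints are the two endpoints BOtB queries when no list is given.
var DefaultEndpoints = []string{
	"http://169.254.169.254/latest/meta-data/",
	"http://kubernetes.default.svc/",
}

// Probe is the outcome of one endpoint check.
type Probe struct {
	URL       string
	Reachable bool
	Status    int    // HTTP status when Reachable
	Err       string // transport error when not
}

// ParseEndpointList reads one URL per line (the endpoints.txt format),
// ignoring blank lines and '#' comments (comment support is an assumption).
func ParseEndpointList(r io.Reader) []string {
	var urls []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		urls = append(urls, line)
	}
	return urls
}

// ProbeEndpoints issues one GET per endpoint. Any HTTP answer at all counts
// as reachable: a metadata service blocked by policy shows up as a connect
// error or timeout, not as a 4xx, so the client's Timeout is what keeps a
// filtered link-local address from hanging the run.
func ProbeEndpoints(client *http.Client, endpoints []string) []Probe {
	probes := make([]Probe, 0, len(endpoints))
	for _, u := range endpoints {
		p := Probe{URL: u}
		resp, err := client.Get(u)
		if err != nil {
			p.Err = err.Error()
		} else {
			resp.Body.Close() // only the fact that something answered is recorded
			p.Reachable = true
			p.Status = resp.StatusCode
		}
		probes = append(probes, p)
	}
	return probes
}

// Reachable counts endpoints that answered; the exit code below is derived
// from it the way BOtB derives its CI/CD exit code.
func Reachable(probes []Probe) int {
	n := 0
	for _, p := range probes {
		if p.Reachable {
			n++
		}
	}
	return n
}

func main() {
	endpoints := DefaultEndpoints
	if len(os.Args) > 1 {
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, "[-]", err)
			os.Exit(2)
		}
		endpoints = ParseEndpointList(f)
		f.Close()
	}
	client := &http.Client{Timeout: 2 * time.Second}
	probes := ProbeEndpoints(client, endpoints)
	for _, p := range probes {
		if p.Reachable {
			fmt.Printf("[!] %s answered with HTTP %d\n", p.URL, p.Status)
		} else {
			fmt.Printf("[*] %s unreachable: %s\n", p.URL, p.Err)
		}
	}
	if Reachable(probes) > 0 {
		os.Exit(1)
	}
	fmt.Println("[+] no metadata endpoint answered")
}
```

A reachable 169.254.169.254 from an application container usually means the instance role's credentials are one HTTP request away from any SSRF or code-execution bug in the workload; the usual mitigations are a metadata proxy, a network policy, or IMDS hop-limit/version settings, and this test is how a pipeline confirms they are in place.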

NB: The full list of BOtB features and commands is documented in the project repository.

Issues, Bugs and Improvements

For any bugs, please submit an issue. There is a long list of improvements but please submit an Issue if there is something you want to see added to BOtB.
