Commit b913a77f authored by Martinz, David

added other files

parent aaa012c0
virt/
.vscode/
\ No newline at end of file
Setup.md 0 → 100644
create virtual env:
python3 -m venv <name>
activate virt enviroment:
source <name>/bin/activate
start app: docker-compose up --build
remove image: docker-compose down
remove all content: docker-compose down --volumes --remove-orphans
\ No newline at end of file
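Review bot: The "remove image: docker-compose down" line in Setup.md is mislabeled: `docker-compose down` stops and removes the containers and networks but leaves the built image in place. Either relabel it as stopping and removing the containers, or use `docker-compose down --rmi local` if removing the image is what is meant. Smaller points: "enviroment" should be "environment"; the venv steps use `<name>` while the ignore file in this commit lists `virt/`, so naming the directory `virt` here would keep it out of the repository; and hack1.md in the same commit uses `docker compose` where this file uses `docker-compose`, so pick one form.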
hack1.md 0 → 100644
## 📄 **Hacklet 1: Privilege Escalation via File Upload**
### 🖥️ **Overview**
This hacklet demonstrates a **file upload vulnerability** in a containerized environment that can be exploited to achieve **remote code execution (RCE)**. If the container runs as **root**, attackers can escalate their privileges and gain unauthorized access to the host system.
---
### 🔴 **Vulnerability: Privilege Escalation via File Upload**
The vulnerability arises from the following issues:
1. **Insecure File Upload Implementation:** The app allows users to upload files without any file type validation.
2. **Root User Execution:** The Docker container runs as **root**, allowing uploaded scripts to be executed with elevated privileges.
---
### ⚔️ **Exploit Steps**
1. **Create a malicious script** named `malicious.sh` with the following content:
```bash
#!/bin/bash
echo "You've been hacked!"
whoami
```
2. **Upload the script** via the Flask app's file upload page at **http://localhost:5000**.
3. **Execute the uploaded script** by visiting the following URL:
```
http://localhost:5000/execute/malicious.sh
```
4. **Expected Output:**
```text
You've been hacked!
root
```
---
### 🔍 **Root Cause Analysis**
The vulnerability exists because:
- The app does not validate the type of uploaded files.
- The Docker container is running as **root**, allowing uploaded files to be executed with **root privileges**.
---
### 🛡️ **Fixes Applied**
1. **Run the Container as a Non-Root User:**
- Updated the **Dockerfile** to create a non-root user and run the app under that user.
**Updated Dockerfile:**
```Dockerfile
# Use a minimal Python image
FROM python:3.9-slim
# Create a non-root user
RUN useradd -m appuser
# Set the working directory
WORKDIR /app
# Copy the necessary files
COPY ./app /app
COPY requirements.txt /app
# Install dependencies
RUN pip install -r requirements.txt
# Change ownership of the working directory
RUN chown -R appuser /app
# Switch to the non-root user
USER appuser
# Expose the port the app runs on
EXPOSE 5000
# Start the Flask app
CMD ["python", "app.py"]
```
2. **Restrict File Types for Upload:**
- Updated the **`upload_file()`** function to allow only specific file types (e.g., images).
**Updated `upload_file()` in `app.py`:**
```python
# Allowed file extensions
ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif'}
def allowed_file(filename):
return '.' in filename and \
filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
@app.route('/upload', methods=['POST'])
def upload_file():
if 'file' not in request.files:
return 'No file part'
file = request.files['file']
if file.filename == '':
return 'No selected file'
if not allowed_file(file.filename):
return 'File type not allowed'
file_path = os.path.join(app.config['UPLOAD_FOLDER'], file.filename)
file.save(file_path)
return f'File {file.filename} uploaded successfully!'
```
---
### ✅ **Verification After Fix**
1. Rebuild and run the app:
```bash
docker compose build
docker compose up
```
2. **Check that the container is running as a non-root user:**
```bash
docker exec -it messaging-app-web-1 whoami
```
**Expected Output:**
```text
appuser
```
3. **Try uploading and executing the malicious script again.**
- The execution should fail or return a limited output.
---
### 📊 **Summary Table**
| **Vulnerability** | **Description** | **Fix Applied** |
|----------------------------------|------------------------------------------------------------------|----------------------------------------|
| Privilege Escalation via File Upload | Users can upload and execute malicious scripts with root privileges | Run container as non-root user, restrict file types |
---
Would you like me to generate the `.md` file now? 😊
\ No newline at end of file
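Review bot: The "Fixes Applied" section of hack1.md leaves the execution path itself in place: nothing in it removes or restricts the `/execute/<filename>` route used in exploit step 3, and the verification step accepts that execution "should fail or return a limited output", so any upload that gets through still runs as `appuser`. Suggest removing that route (or never executing anything from the upload folder) and changing the verification step to require a rejected upload and a failing execute request. In the updated `upload_file()`, `file.filename` goes straight into `os.path.join(app.config['UPLOAD_FOLDER'], file.filename)`; pass it through `werkzeug.utils.secure_filename` first, and document that `allowed_file()` checks only the extension, not the file content. The Overview's statement about access to the "host system" is not demonstrated by the exploit steps, which only show `root` inside the container, so it should be worded as a container-level result. The final line, "Would you like me to generate the `.md` file now? 😊", is leftover chat output and should be dropped from the file.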