Same sort of deal as the previous post. Let’s say you are trying to understand why you are getting a 404 when you access a host from within a container, but not from outside. So you help yourself to a little bash-fu:
#!/bin/bash exec 3<>/dev/tcp/91.189.91.23/80 echo -e "GET /ubuntu/dists/bionic-security/InRelease HTTP/1.1\r\nhost: security.ubuntu.com\r\n\r\n" >&3 cat <&3
You run it, and it says:
HTTP/1.1 404 Not Found date: Sun, 30 Sep 2018 21:22:22 GMT server: envoy content-length: 0
hmm. Envoy. I’m missing an egress rule in Istio!
This strategy of using the tools that exist is sometimes called ‘living off the land‘ in the cyber-security space. The anti-virus won’t catch you since you are not installing anything, merely using what is there differently.
Didn’t think someone could exfiltrate data from your system because it doesn’t have perl & curl? Think again bash fans!
Leave a Reply