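Hack The Box: First-Time Use
After logging in, click Lab --> STARTING POINT on the right and click the first item. Connect using an OpenVPN configuration file: download the configuration file. To use the configuration file, download the OpenVPN client: https://openvpn.net/ Linux reference: https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux Usage: openvpn xxx.ovpn Windows: https://openvpn.net/downloads/openvpn-connect-v3-windows.msi Usage: after installing, import the downloaded configuration file, then click connect. Start the target virtual machine: click Start point at the top left to view the current connection status; once connected, you can start the target machine. Click spawn machine to boot it. After a short wait an IP address appears and you can begin testing; the buttons after it are restart and shut down, respectively.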
CKS Mock Exam Questions Killer.sh | Preview Question 3
Use context: kubectl config use-context workload-stage A security scan result shows that there is an unknown miner process running on one of the Nodes in cluster3. The report states that the process is listening on port 6666. Kill the process and delete the binary. Solution: Check the nodes: k get node. Check the master node: ssh cluster3-controlplane1, then netstat -plnt | grep 6666. Check the worker node: ssh cluste...
CKS Mock Exam Questions Killer.sh | Preview Question 2
Use context: kubectl config use-context infra-prod There is an existing Open Policy Agent + Gatekeeper policy to enforce that all Namespaces need to have label security-level set. Extend the policy constraint and template so that all Namespaces also need to set label management-team . Any new Namespace creation without these two labels should be prevented. Write the names of all existing Namespaces which violate the updated policy into /opt/course/p2/fix-namespaces . ...
CKS Mock Exam Questions Killer.sh | Preview Question 1
Use context: kubectl config use-context infra-prod You have admin access to cluster2. There is also context gianna@infra-prod which authenticates as user gianna with the same cluster. There are existing cluster-level RBAC resources in place to, among other things, ensure that user gianna can never read Secret contents cluster-wide. Confirm this is correct or restrict the existing RBAC resources to ensure this. In addition, create more RBAC resources to allow user gianna to create Pods and Depl...
CKS Mock Exam Questions Killer.sh | Question 22 | Manual Static Security Analysis
(can be solved in any kubectl context) The Release Engineering Team has shared some YAML manifests and Dockerfiles with you to review. The files are located under /opt/course/22/files . As a container security expert, you are asked to perform a manual static analysis and find out possible security issues with respect to unwanted credential exposure. Running processes as root is of no concern in this task. Write the filenames which have issues into /opt/course/22/security-issues . NOTE: In ...
CKS Mock Exam Questions Killer.sh | Question 21 | Image Vulnerability Scanning
Task weight: 2% (can be solved in any kubectl context) The Vulnerability Scanner trivy is installed on your main terminal. Use it to scan the following images for known CVEs: nginx:1.16.1-alpine k8s.gcr.io/kube-apiserver:v1.18.0 k8s.gcr.io/kube-controller-manager:v1.18.0 docker.io/weaveworks/weave-kube:2.7.0 Write all images that don’t contain the vulnerabilities CVE-2020-10878 or CVE-2020-1967 into /opt/course/21/good-images . ...
CKS Mock Exam Questions Killer.sh | Question 20 | Update Kubernetes (Upgrade the k8s Cluster)
Task weight: 8% Use context: kubectl config use-context workload-stage The cluster is running Kubernetes 1.25.5 , update it to 1.26.0 . Use apt package manager and kubeadm for this. Use ssh cluster3-controlplane1 and ssh cluster3-node1 to connect to the instances. Solution: Check the version: kubectl get node. First, update the control plane node...
CKS Mock Exam Questions Killer.sh | Question 19 | Immutable Root FileSystem
Task weight: 2% Use context: kubectl config use-context workload-prod The Deployment immutable-deployment in Namespace team-purple should run immutable, it’s created from file /opt/course/19/immutable-deployment.yaml . Even after a successful break-in, it shouldn’t be possible for an attacker to modify the filesystem of the running container. Modify the Deployment in a way that no processes inside the container can modify the local filesystem, only /tmp directory should be writeable. Don’t m...
CKS Mock Exam Questions Killer.sh | Question 18 | Investigate Break-in via Audit Log
Task weight: 4% Use context: kubectl config use-context infra-prod Namespace security contains five Secrets of type Opaque which can be considered highly confidential. The latest Incident-Prevention-Investigation revealed that ServiceAccount p.auster had too broad access to the cluster for some time. This SA should’ve never had access to any Secrets in that Namespace. Find out which Secrets in Namespace security this SA did access by looking at the Audit Logs under /opt/course/18/audit.log ....
CKS Mock Exam Questions Killer.sh | Question 17 | Audit Log Policy
Task weight: 7% Use context: kubectl config use-context infra-prod Audit Logging has been enabled in the cluster with an Audit Policy located at /etc/kubernetes/audit/policy.yaml on cluster2-controlplane1 . Change the configuration so that only one backup of the logs is stored. Alter the Policy in a way that it only stores logs: From Secret resources, level Metadata From “system:nodes” userGroups, level RequestResponse After you altered the Policy make sure to empty the log file so it only...


