Skip to main content

Section 10.5 Lab: Malicious Containers

While containers have made it much easier to deploy software, they have also made it easier to deploy malicious software. Imagine that we have an internal company website, written in PHP and deployed in a Docker container. Given the layered nature of the Docker build system, this application is trusting that the images it is building from are secure. Take a look at the following Dockerfile to see just how easy it is to slip something malicious into the image:
FROM php:apache
COPY shell.php /var/www/html/shell.php
COPY index.php /var/www/html/index.php
shell.php is a shell written in PHP that will execute with the permissions of the web server. This means it will be able to read and write (but not overwrite) in the /var/www/html directory.

Subsection 10.5.1 Malicious Containers in a Github Codespace

Go github.com/pearcej/security-malicious
 1 
github.com/pearcej/security-malicious
. Then:
  1. Fork this codespace into your own Github repository.
  2. Navigate to your repository on GitHub.
  3. Click the green Code button and select Codespaces.
  4. Click "Create codespace on main".
  5. Wait for the codespace to be created.
Be sure to either stop or delete this codespace when you are done by clicking the "Stop" button or the "Delete" button in the Codespaces tab of your repository.
Next, jump down to follow the lab directions in Subsection 6.9.3.

Subsection 10.5.2 Malicious Containers in a Local Docker installation

Let’s download, build, and run this image. Download the malicious.zip file
 2 
github.com/rxt1077/it230/raw/main/labs/malicious.zip
, unzip it in a directory where you have write access, and navigate to that directory in your shell.

Subsection 10.5.3 Lab Instructions for Malicious Containers

(1) Build the image and tag it malicious by running docker build -t malicious ., but don’t forget the . at the end!
PS C:\Users\rxt1077\it230\labs\malicious> docker build -t malicious . (1)
[+] Building 32.4s (8/8) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                                                                        0.0s
 => => transferring dockerfile: 134B                                                                                                                                                                        0.0s
 => [internal] load .dockerignore                                                                                                                                                                           0.0s
 => => transferring context: 2B                                                                                                                                                                             0.0s
 => [internal] load metadata for docker.io/library/php:apache                                                                                                                                              32.2s
 => [1/3] FROM docker.io/library/php:apache@sha256:f1c5dba2a2981f91ec31b9596d4165acd0b46e58382e47622487e130a21e420d                                                                                         0.0s
 => [internal] load build context                                                                                                                                                                           0.0s
 => => transferring context: 61B                                                                                                                                                                            0.0s
 => CACHED [2/3] COPY shell.php /var/www/html/shell.php                                                                                                                                                     0.0s
 => CACHED [3/3] COPY index.php /var/www/html/index.php                                                                                                                                                     0.0s
 => exporting to image                                                                                                                                                                                      0.1s
 => => exporting layers                                                                                                                                                                                     0.0s
 => => writing image sha256:e1dc75a91b2e269091069b1e3406a496b4bbfd95b066f970062ea8b3a74d8368                                                                                                                0.0s
 => => naming to docker.io/library/malicious
(2) Run the malicious image and forward local port 8080 to port 80 in the container by running docker run -p 8080:80 malicious.
                                                                                                                                                           0.0s
PS C:\Users\rxt1077\it230\labs\malicious> docker run -p 8080:80 malicious (2)
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Wed Jul 13 02:25:57.082000 2022] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.54 (Debian) PHP/8.1.8 configured -- resuming normal operations
[Wed Jul 13 02:25:57.082089 2022] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
To see your webpage, do the following:
  • If you are using a Github codespace, you should be able to navigate to the "Ports" tab, change the visibility from private to public, and then under forwarded address, control-click the link, which will look something like https://silly-name-jjxwj676vgc5j75-8080.app.github.dev/ to open a new tab in your browser to see see the default web page. Note that may get a warning from Github that "You are about to access a development port served by someone else’s codespace." If you do, you will need to click "Continue" to proceed to the page.
  • If you are in a local Docker container, you should be able to navigate to open a tab in your browser and go to http://localhost:8080
     3 
    localhost:8080
    to see the default web page.

Checkpoint 10.5.1.

What’s for lunch?
Now based on the information in the Dockerfile, get a shell on the compromised web server.
Hint 1.
Add /shell.php to access the web shell.

Question 10.5.2.

Did you notice that the time-off request on the main page doesn’t work?
From your shell, create a new web page on the server named timeoff.html with the text GRANTED.
Hint 2.
To create a new file, you can use the echo command to write text to a file.

Question 10.5.3.

What command did you use to make the new file? What happens now when you click on the time off link?

Note 10.5.4.

If you chose to use a Github codespace, don’t forget to stop or delete the codespace by clicking the "Stop" button or the "Delete" button in the Codespaces tab of your repository.
You have attempted 1 of 2 activities on this page.