Added lightweight Dockerfile

[khast3x]

Coucou o/,

Added a Alpine-based Dockerfile. It launches a lightweight golang HTTP server so it's easy to retrieve the generated content.
The Dockerfile fetchs the latest release using a go get.

I wrote a quick article about the Dockerfile.

I hope you find it useful :smile_cat: Best regards,

[lesnuages]

Hey !

Thanks for your input, nice blog post (although there are some typos left), and the Dockerfile is a good idea for people not wanting to deploy the whole Go environment on their machine.

There's still one thing left before I can merge this: the current Makefile generates a random self-signed certificate (with the depends target), but in the end someone could want to use a trusted one (let's say via Let's Encrypt). It would be nice if you could support this somehow.

One way you could do this is to mount a Docker volume with the generated files. Is this something doable from your point of view?

Thanks !

[khast3x]

Hey there,

So after thinking a bit about it, here are my thoughts. I am welcome to any feedback on these thoughts :bulb:

• the official certbot from EFF, to generate Let'sEncrypt certs, is in python. Mixing both language environments (go+py) in the same container would defeat the original purpose and even cramp hershell's elegant approach (IMO)
• There is this golang package, but it would require implementation directly in your code

After looking into devops use-cases, it seems the general consensus is:

• Each task should be an individual container
• When deploying a server that uses Let'sEncrypt, best practice is to use the official certbot docker image, or some kind of companion container

Final thoughts:

The Dockerfile should really be used to build the binary and easily distribute it in an engagement. Since hershell's reverse callback can be caught by external means, the user should have a ncat container or a metasploit container, alongside a certbot container if needed.

I'll do a final cleanup of the file this weekend (comments+ meta-data labels), let me know :)

++

[lesnuages]

Well, I think we both agree on what the Dockerfile should really be used to. And I wasn't saying "the Dockerfile should generate a new certificate", but more something like: "we should let the opportunity to the user to use its own provided certificate".

I took Let's Encrypt as an example, but you could image other scenarios where a user would want to use his own generated certificate (from private CA, or another public CA). As the certificate is currently required at build time (to embed the certificate fingerprint in the agent), you'd need to put it in the docker container somehow.

Don't get me wrong here, this is a cool idea, but we may lose some flexibility by not addressing this.

[khast3x]

Hm I see. That would be pretty neat,

The biggest caveat to implementing this is that Docker needs the expected files to be there, otherwise the build breaks. We can't implement a "if the certs are present use those, else do a make depends " inside a Dockerfile, as far as I know?
Or we could maybe use a entrypoint script, but this would add an additional file to the hershell repo.

Last resort (I have not tried it myself) but it would maybe be possible to add the if statement in the Makefile directly?

Let me know what you think :bird: :bulb:

[lesnuages]

About the "if the certs are present use those, else do a make depends " statement, that's actually what's currently done by all the targets in the make file (execpt depends of course): they assume the certificate file has been created (depends is not run by any other target). So this behavior is already kind of already present in the Makefile.

In a perfect world, where we could mount a volume during a docker build, the only thing to do would be to mount the directory containing the certificate to use in the build folder on the container. But I'm not sure that's something possible to do right now.

I wouldn't mind adding an entrypoint.sh script to the repository, although I'm not sure how it would help here.

[khast3x]

In a perfect world, where we could mount a volume during a docker build, the only thing to do would be to mount the directory containing the certificate to use in the build folder on the container. But I'm not sure that's something possible to do right now.

yep we're on the same page.

For the entrypoint.sh script, we could have it re-run a make if a /cert/server.pem file is present. It's very ugly haha

I'd suggest adding a vanilla Dockerfile first like this one, and maybe play around with the entrypoint in a dev branch?

[khast3x]

Something more like this maybe? Keeps it simple enough I think compared to an entrypoint script

[lesnuages]

Yup, that's good for me. I'll merge this right away.

I've added a Credit section to mention your work on this. Let me know if you'd want me to make any change on this.

Thanks :)

[khast3x]

Awesome, thanks, my pleasure 😊