quarkslab / kdigger

Kubernetes focused container assessment and context discovery tool for penetration testing
Apache License 2.0

feat: flag for read-write mounts #12

Open kranurag7 opened 1 year ago

kranurag7 commented 1 year ago

While invoking the command kdigger dig mount, we get all the mounted file systems. I tried looking for mounts with read and write permissions.

bash-5.1# kdigger dig mount | grep rw
| overlay    | /                               | overlay    | rw,relatime,lowerdir=/var/lib/c |
| proc       | /proc                           | proc       | rw,nosuid,nodev,noexec,relatime |
| tmpfs      | /dev                            | tmpfs      | rw,nosuid,size=65536k,mode=755  |
| devpts     | /dev/pts                        | devpts     | rw,nosuid,noexec,relatime,gid=5 |
| mqueue     | /dev/mqueue                     | mqueue     | rw,nosuid,nodev,noexec,relatime |
| shm        | /dev/shm                        | tmpfs      | rw,nosuid,nodev,noexec,relatime |
| /dev/sda1  | /dev/termination-log            | ext4       | rw,relatime,commit=30           |
| /dev/sda1  | /etc/hosts                      | ext4       | rw,relatime,commit=30           |
| /dev/sda1  | /etc/hostname                   | ext4       | rw,nosuid,nodev,relatime,commit |
| /dev/sda1  | /etc/resolv.conf                | ext4       | rw,nosuid,nodev,relatime,commit |
| shm        | /run/containerd/io.containerd.g | tmpfs      | rw,nosuid,nodev,noexec,relatime |
| overlay    | /run/containerd/io.containerd.r | overlay    | rw,relatime,lowerdir=/var/lib/c |
| overlay    | /run/containerd/io.containerd.r | overlay    | rw,relatime,lowerdir=/var/lib/c |
| shm        | /run/containerd/io.containerd.g | tmpfs      | rw,nosuid,nodev,noexec,relatime |

You can notice that some of the longer paths in the second column are getting squeezed. It would be great to have a flag that only prints the rw mounts.

Another similar flag can be developed for socks as well.

bash-5.1# kdigger dig mount | grep sock 
| tmpfs      | /run/containerd/containerd.sock | tmpfs      | ro,size=804600k,nr_inodes=81920 |

cc @mtardy

mtardy commented 5 months ago

Hey, I'm very happy to see that you used kdigger, and sorry for the very late reply: as I said in another issue, it's been 2 years since kdigger received any support, since I left Quarkslab almost a couple of years ago now.

However, there is a --width option, if I recall correctly, or you can use the JSON output to get the full information. If you need to pipe this into something else, it might be simpler than using the human output.
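Added example, not kdigger code and not written by either commenter: one way to get the filtering requested above is to parse mount data in `/proc/self/mounts` format and match the exact `rw` option token, which avoids both the truncated path column and the false positives of `grep rw`. The `Mount` type, the function names and the sample lines are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in /proc/self/mounts format; not output taken from the issue.
const sampleMounts = `overlay / overlay rw,relatime 0 0
tmpfs /run/containerd/containerd.sock tmpfs ro,size=804600k 0 0
/dev/sda1 /etc/hosts ext4 rw,relatime,commit=30 0 0
tmpfs /mnt/rw\040data tmpfs ro,nosuid 0 0
`

// Mount is a hypothetical type for this example; Options is the raw comma list.
type Mount struct{ Device, Path, FSType, Options string }

// The kernel octal-escapes space, tab, newline and backslash in mount paths.
var unescape = strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`)

// ParseMounts keeps the first four fields of each line and decodes the path.
func ParseMounts(data string) []Mount {
	var out []Mount
	for _, line := range strings.Split(data, "\n") {
		if f := strings.Fields(line); len(f) >= 4 {
			out = append(out, Mount{f[0], unescape.Replace(f[1]), f[2], f[3]})
		}
	}
	return out
}

// ReadWrite matches the exact "rw" option token, unlike a substring grep.
func (m Mount) ReadWrite() bool { return strings.Contains(","+m.Options+",", ",rw,") }

// IsSocketPath is a naming heuristic only: the mount point ends in ".sock".
func IsSocketPath(m Mount) bool { return strings.HasSuffix(m.Path, ".sock") }

// Paths returns the full, untruncated mount points that satisfy keep.
func Paths(ms []Mount, keep func(Mount) bool) []string {
	var out []string
	for _, m := range ms {
		if keep(m) {
			out = append(out, m.Path)
		}
	}
	return out
}

func main() {
	fmt.Println("rw:", Paths(ParseMounts(sampleMounts), Mount.ReadWrite))
	fmt.Println("sockets:", Paths(ParseMounts(sampleMounts), IsSocketPath))
}
```

The constructed `/mnt/rw data` entry is mounted read-only, so `grep rw` would list it while the option-token check does not.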