OWNerchestration - Initial Access

By default, DC/OS does not expose any easily exploited services to the Internet, so initial access will commonly occur through services running within containers that are exposed to the Internet. If an attacker can gain access to a service running in a container, they can then leverage that access to communicate with the various components (e.g. Mesos, Marathon, Chronos) and expand access within the DC/OS cluster.

For example, if we have a web application running in a container exposed to the Internet and an attacker gains Remote Code Execution (RCE) on the web service, they can then use a web shell like weevely to interact with the remote server in the context of the user the web service is running as (e.g. the www-data user).

For example, let’s say we can access one container via a vulnerability in the service it is currently exposing to the Internet…


You can see a quick overview of DC/OS and how I gained RCE within a container in the following video…
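From the defender's side, the container-to-orchestrator traffic described above (a task reaching Mesos, Marathon or Chronos) is something that can be flagged in flow logs. The following is an added example, not code from the original post. The subnet, master address, port mapping, allowlist and log format are all assumptions constructed for illustration.

```python
import ipaddress

# All values below are constructed assumptions for a hypothetical cluster;
# replace them with your own container subnets, master IPs and API ports.
CONTAINER_NETS = [ipaddress.ip_network("10.200.0.0/16")]
MASTER_IPS = {ipaddress.ip_address("10.0.0.5")}
CONTROL_PLANE = {5050: "Mesos master", 8080: "Marathon", 4400: "Chronos"}
# Tasks that legitimately talk to an orchestrator API (e.g. a load balancer).
ALLOWED = {(ipaddress.ip_address("10.200.1.4"), 8080)}

# Constructed sample flow records: "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z 10.200.3.17 10.0.0.5 5050",  # web task -> Mesos
    "2024-05-01T10:00:02Z 10.200.3.17 10.0.0.5 8080",  # web task -> Marathon
    "2024-05-01T10:00:03Z 10.200.1.4 10.0.0.5 8080",   # allowlisted task
    "2024-05-01T10:00:04Z 10.0.0.9 10.0.0.5 5050",     # agent host, not a task
    "2024-05-01T10:00:05Z 10.200.3.17 10.0.0.5 443",   # port not tracked
    "garbage line",                                     # malformed record
]

def flag_flows(lines):
    """Return (timestamp, src_ip, component) for container-originated
    connections to orchestrator APIs that are not on the allowlist."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, src, dst, port = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip unparsable addresses or ports
        if dst_ip not in MASTER_IPS or port not in CONTROL_PLANE:
            continue
        if not any(src_ip in net for net in CONTAINER_NETS):
            continue
        if (src_ip, port) in ALLOWED:
            continue
        alerts.append((ts, src, CONTROL_PLANE[port]))
    return alerts

if __name__ == "__main__":
    for ts, src, component in flag_flows(SAMPLE_FLOWS):
        print(f"{ts} container {src} contacted {component}")
```

A web-facing task has little reason to call these APIs directly, so hits from such a task are worth triaging, and the same source list is a starting point for network policy that blocks the path.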

Bryce Kunz