Unable to run interactsh-server either as a docker container or as a k8s pod. #365

Open
raghumannn opened this issue Aug 23, 2022 · 3 comments
Labels
Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors.

Comments

raghumannn commented Aug 23, 2022

I am able to run interactsh-server on a local Ubuntu machine using the domain mentioned below. But when I try to run the same as a Docker container or a Kubernetes pod, I am hitting an issue.
I need instructions to run interactsh-server as a pod in a k8s environment.

On a local machine:

root@gateway-01:~# /root/go/bin/interactsh-server -domain oast.hackwithautomation.co.in

    _       __                       __       __
   (_)___  / /____  _________ ______/ /______/ /_
  / / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
 / / / / / /_/  __/ /  / /_/ / /__/ /_(__  ) / / /
/_/_/ /_/\__/\___/_/   \__,_/\___/\__/____/_/ /_/ 1.0.6

                projectdiscovery.io

[INF] Public IP: 20.231.41.169
[INF] Outbound IP: 10.4.0.4
[INF] Loading existing SSL Certificate for:  [*.oast.hackwithautomation.co.in, oast.hackwithautomation.co.in]
[INF] Listening with the following services:
[SMTP] Listening on TCP 10.4.0.4:25
[LDAP] Listening on TCP 10.4.0.4:389
[DNS] Listening on TCP 10.4.0.4:53
[DNS] Listening on UDP 10.4.0.4:53
[SMTPS] Listening on TCP 10.4.0.4:587
[HTTP] Listening on TCP 10.4.0.4:80
[HTTPS] Listening on TCP 10.4.0.4:443

On a docker container

root@gateway-01:~# docker run -t projectdiscovery/interactsh-server -domain oast.hackwithautomation.co.in

    _       __                       __       __
   (_)___  / /____  _________ ______/ /______/ /_
  / / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
 / / / / / /_/  __/ /  / /_/ / /__/ /_(__  ) / / /
/_/_/ /_/\__/\___/_/   \__,_/\___/\__/____/_/ /_/ 1.0.6

                projectdiscovery.io

[INF] Public IP: 20.231.41.169
[INF] Outbound IP: 172.17.0.5
[INF] Requesting SSL Certificate for:  [*.oast.hackwithautomation.co.in, oast.hackwithautomation.co.in]
[ERR] An error occurred while applying for a certificate, error: [*.oast.hackwithautomation.co.in] Obtain: [*.oast.hackwithautomation.co.in] solving challenges: presenting for challenge: could not determine zone for domain "_acme-challenge.oast.hackwithautomation.co.in": unexpected response code 'SERVFAIL' for _acme-challenge.oast.hackwithautomation.co.in. (order=https://acme-v02.api.letsencrypt.org/acme/order/691679747/118774696467) (ca=https://acme-v02.api.letsencrypt.org/directory)
[ERR] Could not generate certs for auto TLS, https will be disabled
[INF] Listening with the following services:
[HTTP] Listening on TCP 172.17.0.5:80
[LDAP] Listening on TCP 172.17.0.5:389
[SMTP] Listening on TCP 172.17.0.5:25
[DNS] Listening on UDP 172.17.0.5:53
[DNS] Listening on TCP 172.17.0.5:53
[HTTPS] Listening on TCP 172.17.0.5:443
[SMTPS] Listening on TCP 172.17.0.5:587
[ERR] Could not serve http on tls: open : no such file or directory

On a Kubernetes pod

root@gateway-01:~# kubectl exec -it interactshserver-56989bd69f-2cm9t bash
root@interactshserver-56989bd69f-2cm9t:/go# cd bin/
root@interactshserver-56989bd69f-2cm9t:/go/bin# ./interactsh-server -domain oast.hackwithautomation.co.in

    _       __                       __       __
   (_)___  / /____  _________ ______/ /______/ /_
  / / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
 / / / / / /_/  __/ /  / /_/ / /__/ /_(__  ) / / /
/_/_/ /_/\__/\___/_/   \__,_/\___/\__/____/_/ /_/ 1.0.6

                projectdiscovery.io

[INF] Public IP:
[INF] Outbound IP: 10.240.0.97
[INF] Requesting SSL Certificate for:  [*.oast.hackwithautomation.co.in, oast.hackwithautomation.co.in]
[ERR] An error occurred while applying for a certificate, error: [*.oast.hackwithautomation.co.in] Obtain: registering account [mailto:[email protected]] with server: provisioning client: performing request: Get "https://acme-v02.api.letsencrypt.org/directory": EOF
[ERR] Could not generate certs for auto TLS, https will be disabled
[INF] Listening with the following services:
[HTTP] Listening on TCP 10.240.0.97:80
[HTTPS] Listening on TCP 10.240.0.97:443
[DNS] Listening on TCP 10.240.0.97:53
[SMTP] Listening on TCP 10.240.0.97:25
[DNS] Listening on UDP 10.240.0.97:53
[SMTPS] Listening on TCP 10.240.0.97:587
[LDAP] Listening on TCP 10.240.0.97:389
[ERR] Could not serve http on tls: open : no such file or directory

Do we have to do any other additional configuration to run interactsh-server on Kubernetes?
Are there any instructions for that? If so, could you please share them?

@raghumannn raghumannn added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Aug 23, 2022
nekator commented Sep 23, 2022

Looks like the problem is related to generating certificates via Let's Encrypt. You can provide the private key and certificate via CLI options after mounting them into the container.

ehsandeep (Member) commented

@raghumannn is it the same issue as #346?

af001 commented Nov 7, 2022

@raghumannn make sure you expose ports in the container. I ended up using --network host to allow the container to have access to all the ports. I'm not sure what the default is in the Dockerfile, but I noticed I needed this for interactions to register; otherwise I would get a connection refused. You could also try more specific ports with -p 80:80 -p 389:389.

For certs, I am using certbot for the container and map a volume to my host with -v /etc/letsencrypt/live/<domain>:/root. I then have a cronjob to check for updates with certbot renew daily. Here are some examples from my Ansible playbook:

This will provide a statement that you use to create a new TXT record in your DNS. Essentially, Certbot will verify your domain via DNS. I then create an A record to wildcard all subdomains *.mydomain.com.

certbot --manual -d '*.mydomain.com' --agree-tos certonly --register-unsafely-without-email

Another option is to use the standalone feature. Certbot will bring up a standalone web server for domain verification. This is probably better for quick deployments and could be built into the Dockerfile, but you would still need the wildcard A record.

certbot --standalone -d '*.mydomain.com' --agree-tos certonly --register-unsafely-without-email

I prefer to map a path on my host to share certs, payloads, and a custom index file with the container. In the example below, {{ tool_directory }} is the path you want to share with the container. All files will be available to the container in the root directory. The other important thing here was the --network host flag to expose all host ports.

docker run --network host -v {{ tool_directory }}:/root projectdiscovery/interactsh-server:latest -d {{ interactsh_domain }} -sa -cert /root/fullchain.pem -privkey /root/privkey.pem -http-index /root/index.html -http-directory /root/payloads --wildcard

Hope this helps someone!
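As an added example that is not from the issue thread or the interactsh project: a Kubernetes Deployment that carries af001's docker run above over to a pod, which is what the original question asked for. It assumes a TLS Secret named interactsh-tls created from certbot's fullchain.pem and privkey.pem, the placeholder domain oast.example.com, and hostNetwork as the pod equivalent of --network host, so it needs a node whose public IP the domain's NS record points at.

```yaml
# Added example, not from the issue or the project. Create the Secret first
# (assumed name interactsh-tls) from the certbot output af001 describes:
#   kubectl create secret tls interactsh-tls \
#     --cert=/etc/letsencrypt/live/<domain>/fullchain.pem \
#     --key=/etc/letsencrypt/live/<domain>/privkey.pem
apiVersion: apps/v1
kind: Deployment
metadata:
  name: interactsh-server
spec:
  replicas: 1                     # one pod per node: it binds the node's 53/80/443/25/587/389
  selector:
    matchLabels:
      app: interactsh-server
  template:
    metadata:
      labels:
        app: interactsh-server
    spec:
      hostNetwork: true           # same effect as docker --network host: all listeners on the node IP
      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - name: interactsh-server
        image: projectdiscovery/interactsh-server:latest
        args:                     # appended to the image entrypoint, like the docker run args
        - -domain
        - oast.example.com        # placeholder: the domain delegated to this server
        - -sa                     # skip ACME: the k8s pod cannot reach Let's Encrypt (EOF in the log)
        - -cert
        - /certs/tls.crt          # kubernetes.io/tls Secret keys map to fullchain.pem / privkey.pem
        - -privkey
        - /certs/tls.key
        - --wildcard
        volumeMounts:
        - name: tls
          mountPath: /certs
          readOnly: true
      volumes:
      - name: tls
        secret:
          secretName: interactsh-tls
```

With -sa and a mounted certificate the server never contacts the ACME endpoint, which sidesteps both the SERVFAIL and the EOF errors in the logs above; the certificate still has to be renewed outside the pod (af001's certbot renew cron) and the Secret updated.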

@ehsandeep ehsandeep reopened this Feb 17, 2023