Hacker News

Sohcahtoa82 yesterday at 6:02 PM

Reminds me of a Discord bot that was in a server for pentesters called "Hack Me If You Can".

It would respond to messages that began with "!shell" and would run whatever shell command you gave it. What I found quickly was that it was running inside a container that was extremely bare-bones and did not have egress to the Internet. It did have curl and Python, but not much else.

The containers were ephemeral as well. When you ran !shell, it would start a container that would just run whatever shell commands you gave it, the bot would tell you the output, and then the container was deleted.

I don't think anyone ever actually achieved persistence or a container escape.


Replies

e12e yesterday at 8:35 PM

> did not have egress to the Internet. It did have curl and Python, but not much else.

So trade exfiltration via curl with exfiltration via DNS lookup?

turnsout yesterday at 8:13 PM

At that point, you'd be relying on a bug in curl / Python / sh, not the bot!

alfiedotwtf yesterday at 7:51 PM

You do everything in a one-liner :)