interactsh
interactsh copied to clipboard
projectdiscovery
Unable to run interactsh-server either as a docker container or as a k8s pod.
I am able to run the interactsh-server on a local ubuntu machine using the domain as mentioned below. But when I try to run the same as docker container or a kubernetes pod I am hitting an issue.
Need instructions to run the interactsh-server as a pod on a k8s env.
On a local machine:
root@gateway-01:~# /root/go/bin/interactsh-server -domain oast.hackwithautomation.co.in
_ __ __ __
(_)___ / /____ _________ ______/ /______/ /_
/ / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
/ / / / / /_/ __/ / / /_/ / /__/ /_(__ ) / / /
/_/_/ /_/\__/\___/_/ \__,_/\___/\__/____/_/ /_/ 1.0.6
projectdiscovery.io
[INF] Public IP: 20.231.41.169
[INF] Outbound IP: 10.4.0.4
[INF] Loading existing SSL Certificate for: [*.oast.hackwithautomation.co.in, oast.hackwithautomation.co.in]
[INF] Listening with the following services:
[SMTP] Listening on TCP 10.4.0.4:25
[LDAP] Listening on TCP 10.4.0.4:389
[DNS] Listening on TCP 10.4.0.4:53
[DNS] Listening on UDP 10.4.0.4:53
[SMTPS] Listening on TCP 10.4.0.4:587
[HTTP] Listening on TCP 10.4.0.4:80
[HTTPS] Listening on TCP 10.4.0.4:443
On a docker container
root@gateway-01:~# docker run -t projectdiscovery/interactsh-server -domain oast.hackwithautomation.co.in
_ __ __ __
(_)___ / /____ _________ ______/ /______/ /_
/ / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
/ / / / / /_/ __/ / / /_/ / /__/ /_(__ ) / / /
/_/_/ /_/\__/\___/_/ \__,_/\___/\__/____/_/ /_/ 1.0.6
projectdiscovery.io
[INF] Public IP: 20.231.41.169
[INF] Outbound IP: 172.17.0.5
[INF] Requesting SSL Certificate for: [*.oast.hackwithautomation.co.in, oast.hackwithautomation.co.in]
[ERR] An error occurred while applying for a certificate, error: [*.oast.hackwithautomation.co.in] Obtain: [*.oast.hackwithautomation.co.in] solving challenges: presenting for challenge: could not determine zone for domain "_acme-challenge.oast.hackwithautomation.co.in": unexpected response code 'SERVFAIL' for _acme-challenge.oast.hackwithautomation.co.in. (order=https://acme-v02.api.letsencrypt.org/acme/order/691679747/118774696467) (ca=https://acme-v02.api.letsencrypt.org/directory)
[ERR] Could not generate certs for auto TLS, https will be disabled
[INF] Listening with the following services:
[HTTP] Listening on TCP 172.17.0.5:80
[LDAP] Listening on TCP 172.17.0.5:389
[SMTP] Listening on TCP 172.17.0.5:25
[DNS] Listening on UDP 172.17.0.5:53
[DNS] Listening on TCP 172.17.0.5:53
[HTTPS] Listening on TCP 172.17.0.5:443
[SMTPS] Listening on TCP 172.17.0.5:587
[ERR] Could not serve http on tls: open : no such file or directory
On a Kubernetes pod
root@gateway-01:~# kubectl exec -it interactshserver-56989bd69f-2cm9t bash
root@interactshserver-56989bd69f-2cm9t:/go# cd bin/
root@interactshserver-56989bd69f-2cm9t:/go/bin# ./interactsh-server -domain oast.hackwithautomation.co.in
_ __ __ __
(_)___ / /____ _________ ______/ /______/ /_
/ / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
/ / / / / /_/ __/ / / /_/ / /__/ /_(__ ) / / /
/_/_/ /_/\__/\___/_/ \__,_/\___/\__/____/_/ /_/ 1.0.6
projectdiscovery.io
[INF] Public IP:
[INF] Outbound IP: 10.240.0.97
[INF] Requesting SSL Certificate for: [*.oast.hackwithautomation.co.in, oast.hackwithautomation.co.in]
[ERR] An error occurred while applying for a certificate, error: [*.oast.hackwithautomation.co.in] Obtain: registering account [mailto:[email protected]] with server: provisioning client: performing request: Get "https://acme-v02.api.letsencrypt.org/directory": EOF
[ERR] Could not generate certs for auto TLS, https will be disabled
[INF] Listening with the following services:
[HTTP] Listening on TCP 10.240.0.97:80
[HTTPS] Listening on TCP 10.240.0.97:443
[DNS] Listening on TCP 10.240.0.97:53
[SMTP] Listening on TCP 10.240.0.97:25
[DNS] Listening on UDP 10.240.0.97:53
[SMTPS] Listening on TCP 10.240.0.97:587
[LDAP] Listening on TCP 10.240.0.97:389
[ERR] Could not serve http on tls: open : no such file or directory
Do we have to do some any other additional configurations for running interactsh-server on a kubernetes? Is there is any instructions for that? If so Could you please share those
Looks like the problem is related to generation certificates via letsencrypt. You can provide private key and certificate via CLI option after mounting them into the Container
@raghumannn is it the same issue as https://github.com/projectdiscovery/interactsh/issues/346?
@raghumannn make sure you expose ports in the container. I ended up using --network host to allow the container to have access to all the ports. I'm not sure what is default in the Dockerfile, but I noticed I needed this for interactions to register; otherwise I would get a connection refused. You could also try more specific ports with -p 80:80 -p 389:389.
For certs, I am using certbot for the container and map a volume to my host with -v /etc/letsencrypt/live/<domain>:/root. I then have a cronjob to check for updates with certbot renew daily. Here are some examples from my Ansible playbook:
This will provide a statement that you use to create a new TXT record for your DNS. Certbot will verity your domain via DNS essentially. I then create an A record to wildcard all subdomains *.mydomain.com.
certbot --manual -d '*.mydomain.com' --agree-tos certonly --register-unsafely-without-email
Another option is to use the standalone feature. Certbot will bring up a standalone web server for domain verification. This is probably better for quick deployments and could be built into the Dockerfile, but you would still need the wildcard A record.
certbot --standalone -d '*.mydomain.com' --agree-tos certonly --register-unsafely-without-email
I prefer to map a path on my host to share certs, payloads, and a custom index file with the container. In the example below, {{ tool_directory }} is the path you want to share with the container. All files will be available to the container in the root directory. The other important thing here was the --network host flag to expose all host ports.
docker run --network host -v {{ tool_directory }}:/root projectdiscovery/interactsh-server:latest -d {{ interactsh_domain }} -sa -cert /root/fullchain.pem -privkey /root/privkey.pem -http-index /root/index.html -http-directory /root/payloads --wildcard
Hope this helps someone!
