308 response code – redirection and messing with daemons…

308 response code being researched by a friendly demon with kitty genes.

This post is part of the “.htaccess redirection fun with mod_rewrite” series. The most useful feature of .htaccess and mod_rewrite, in the opinion of this author, is redirection. Redirection is identified to a browser by response code 308. By redirection we mean mapping any URI into any other URI.

Response code 308 is the redirection response, meaning:

The 308 (Permanent Redirect) status code indicates that the target resource has been assigned a new permanent URI and any future references to this resource ought to use one of the enclosed URIs. Clients with link editing capabilities ought to automatically re-link references to the effective request URI (Section 5.5 of [RFC7230]) to one or more of the new references sent by the server, where possible.

Internet Engineering Task Force (IETF) RFC 7538

The fun occurs with the highlighted section above. Re-linking is a powerful and fun tool when the threat actor client is a browser. That is because a 308 response from the server should be like magic. It’s not as effective when it is scripts or a library, as the surprise factor isn’t there.

A while ago, in early 2023, threat actors were mass scanning Kubernetes clusters. They were looking for misconfigurations or authentication vulnerabilities. The goal of such scans is for an unauthorized user to gain access to the attacked endpoint. With access, hackers can view or modify the DaemonSets running in the kube-system namespace. (Credit to Valton Tahiri at Medium)

So you like to play with daemons, eh? One way to summon a demon on this website is to recite the following spell on a browser:
https://happycattech.com/apis/apps/v1/namespaces/kube-system/daemonsets

The key to effective 308 redirection is creating the regular expression for the request you wish to trap for, then leveraging it to send the bunny down your chosen rabbit hole…

# BEGIN summondaemons
#--If on a browser somebody gets a pentagram, since they want daemons... :-D--#
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/(.*)?daemonsets?/?(.*)?$
RewriteRule ^(.*)$ "https://happycattech.com/demonsets" [R=308,L,NE]
# END summondaemons

As always, BEGIN and END define the rule block. We must turn on the rewrite engine. Remember we have to enable mod_rewrite on Apache for any of this to work.

RewriteCond %{REQUEST_URI} ^/(.*)?daemonsets?/?(.*)?$

Here we configure the condition to test for. We’re trapping on any request whose URI contains the word “daemonsets”. Because the pattern is written in lowercase and the match is case-sensitive, other capitalizations are not trapped. Sometimes the request is for “daemonset”, hence the last ‘s’ is optional. This test covers pretty much every possibility in this kind of scan request.

RewriteRule ^(.*)$ "https://happycattech.com/demonsets" [R=308,L,NE]

Any request that matches the condition is redirected to “demonsets”. Note that this line returns response code 308, which, when implemented correctly by the browser, is a transparent redirection to the user. “L” indicates this is the last rule to process. Finally, “NE” tells mod_rewrite not to escape special URL characters in the output.
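
To see what the trap catches in practice, this added example (not part of the original post) applies the RewriteCond pattern to Apache access-log lines and counts 308 trap hits per client IP. The combined log layout, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Pattern copied from the RewriteCond above. Apache tests it case-sensitively
# against %{REQUEST_URI}, which is the request path without the query string.
TRAP = re.compile(r"^/(.*)?daemonsets?/?(.*)?$")

# Assumed log layout: Apache "combined" format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def trapped(path):
    """True if the RewriteCond pattern matches this request path."""
    return TRAP.match(path) is not None

def trap_hits(lines):
    """Count, per client IP, requests that hit the trap and were sent a 308."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue  # not a combined-format line
        path = urlsplit(m.group("target")).path  # drop any query string
        if m.group("status") == "308" and trapped(path):
            hits[m.group("ip")] += 1
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [09/Apr/2023:10:01:02 +0000] "GET /apis/apps/v1/namespaces/kube-system/daemonsets HTTP/1.1" 308 250 "-" "curl/8.0"',
    '203.0.113.7 - - [09/Apr/2023:10:01:03 +0000] "GET /apis/apps/v1/namespaces/default/daemonsets?limit=500 HTTP/1.1" 308 250 "-" "curl/8.0"',
    '198.51.100.22 - - [09/Apr/2023:10:02:10 +0000] "GET /demonsets HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [09/Apr/2023:10:02:40 +0000] "GET /apis/apps/v1/DaemonSets HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Apr/2023:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in trap_hits(SAMPLE).most_common():
        print(f"{ip} trapped {count} time(s)")
```

The redirect target “/demonsets” does not match the pattern, so the rule cannot redirect to itself, and the mixed-case “DaemonSets” request slips past because the match is case-sensitive.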

Don’t worry, it won’t hurt and your soul is safe. Holy water is optional… Happy Easter!