2022-02-23 23:55:12 +01:00
|
|
|
# Kubectl
|
|
|
|
|
|
2022-05-10 00:08:57 +02:00
|
|
|
* Get pods, `-A` for all namespaces
|
2022-02-23 23:55:12 +01:00
|
|
|
```sh
|
2022-05-10 00:08:57 +02:00
|
|
|
kubectl get pods -A
|
2022-02-23 23:55:12 +01:00
|
|
|
```
|
|
|
|
|
* Check mounted secret
|
|
|
|
|
```sh
|
|
|
|
|
kubectl auth can-i --list
|
|
|
|
|
kubectl get secrets
|
|
|
|
|
kubectl get nodes
|
|
|
|
|
kubectl get deployments
|
|
|
|
|
kubectl get services
|
|
|
|
|
kubectl get ingress
|
|
|
|
|
kubectl get jobs
|
|
|
|
|
```
|
|
|
|
|
* Intel about a secret, and output
|
|
|
|
|
```sh
|
|
|
|
|
kubectl describe secrets <secret>
|
2022-05-10 00:08:57 +02:00
|
|
|
kubectl get secret <secret> -o json
|
2022-02-23 23:55:12 +01:00
|
|
|
kubectl describe secrets <secret> -o 'json'
|
|
|
|
|
```
|
|
|
|
|
## Abuse Token
|
|
|
|
|
* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token`
|
|
|
|
|
* By change of an LFI extract the token and
|
|
|
|
|
```sh
|
|
|
|
|
kubectl auth can-i --list --token=$TOKEN
|
|
|
|
|
kubectl get pods --token=$TOKEN
|
|
|
|
|
kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Create Pods
|
|
|
|
|
|
|
|
|
|
* Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)
|
|
|
|
|
* If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file
|
|
|
|
|
```sh
|
|
|
|
|
kubectl apply -f pod.yml --token=$TOKEN
|
2022-05-10 00:08:57 +02:00
|
|
|
```
|
|
|
|
|
* Start Pod
|
|
|
|
|
```sh
|
2022-02-23 23:55:12 +01:00
|
|
|
kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
|
|
|
|
|
```
|
2022-05-10 00:08:57 +02:00
|
|
|
|
|
|
|
|
## Start Pods
|
|
|
|
|
|
|
|
|
|
```sh
|
|
|
|
|
kubectl exec -it <podname> -n <namespace> -- /bin/bash
|
|
|
|
|
```
|
