Below the solution for each flag you can find some valuable hints on how to mitigate the underlying flaw. Breaking things is fun, but being prepared and stopping such attacks is awesome. So let's make you awesome :)
Simply run file:///etc/flag.txt in the WebHook Form:
How to mitigate: Don't store your confidential files unencrypted on disk. Keep them encrypted and decrypt them only at the moment you actually need to read them. Stick to tools like HashiCorp Vault that have your back, and don't even think about building something of your own (unless you have a PhD in Crypto-KungFu). One caveat: this only helps if the decryption key or Vault token is not itself a file the same file:// fetch can read, so hand it to the process at runtime (short-lived token, environment of the process) instead of dropping it next to the ciphertext.
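All three flags on this page are reached by feeding the WebHook fetcher a URL it should never follow. Independent of how the secrets are stored, the fetcher itself should refuse such URLs. The following is an added example of that check, not code from the original write-up; the function name, the allowlist and the injectable `resolve` parameter are my own choices.

```python
# Added example (not from the original write-up): the scheme/host allowlist a
# webhook fetcher should apply before it follows a user-supplied URL. The three
# flags on this page are all reached through URLs this check rejects:
# file:///etc/flag.txt, file:///var/run/secrets/..., and a metadata endpoint
# on localhost / link-local. Function and host names are my own.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public_ip(ip) -> bool:
    """Reject loopback, link-local (169.254.0.0/16, i.e. IMDS), RFC1918, etc."""
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def webhook_url_is_safe(url: str, resolve=socket.getaddrinfo) -> bool:
    """True only for http(s) URLs whose host resolves exclusively to public IPs.

    `resolve` is injectable so the check can be exercised offline; in
    production the fetcher should connect to the IP it validated (pin it)
    so DNS rebinding between check and use does not reopen the hole.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False          # file://, gopher://, dict://, ... are out
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False          # no empty host, no embedded credentials
    try:
        addrs = [ipaddress.ip_address(host)]   # literal IP, no lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a[4][0]) for a in resolve(host, None)]
        except (socket.gaierror, ValueError):
            return False      # unresolvable host: fail closed
    # Every address must be public; a name that also maps to 127.0.0.1 is rejected
    return bool(addrs) and all(_is_public_ip(a) for a in addrs)
```

Note that `localhost` is rejected through resolution (it maps to 127.0.0.1) rather than by a string comparison, which also catches names like `127.1`, `0x7f000001` or a DNS record an attacker points at an internal address.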
Run file:///var/run/secrets/kubernetes.io/serviceaccount/token in the WebHook Form:
How to mitigate: If your app or Pod doesn't need to talk to the Kubernetes API (and if it does, that is usually a design flaw that should be solved in a different way), you can simply turn this feature off by setting automountServiceAccountToken: false on your ServiceAccount, on the Pod, or in the Pod template of a Deployment. A value set on the Pod overrides the one on the ServiceAccount, and a Pod can still mount the token explicitly through a projected volume, so check both. If possible make this setting a cluster-wide default (for example on the default ServiceAccount of every namespace, enforced by an admission policy) and monitor the Pods that still have the token mounted. You can find more details in the official k8s Documentation or use one of these snippets:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false
...
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  automountServiceAccountToken: false
...
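To "monitor the Pods which have this feature enabled" you need the effective value, not just the Pod field: the token is mounted unless the Pod says false, or the Pod is silent and its ServiceAccount says false, and an explicit projected serviceAccountToken volume mounts it regardless. The following audit is an added example, not code from the write-up; the sample objects are constructed and shaped like the items of `kubectl get pods -A -o json` and `kubectl get sa -A -o json`, and the names in them are invented.

```python
# Added example (not the original write-up's code): compute whether a Pod
# actually receives a ServiceAccount token, following the precedence rule
# Pod setting > ServiceAccount setting > default (true), plus explicit
# projected-volume mounts. Sample objects below are constructed, not from a cluster.

def effective_automount(pod: dict, sas: dict) -> bool:
    """True if the token will be auto-mounted into this pod."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])      # Pod wins
    sa_name = spec.get("serviceAccountName", "default")
    sa = sas.get((pod["metadata"]["namespace"], sa_name), {})
    return bool(sa.get("automountServiceAccountToken", True))  # SA, else default


def has_explicit_token_volume(pod: dict) -> bool:
    """True if a projected volume carries a serviceAccountToken source."""
    for vol in pod.get("spec", {}).get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            if "serviceAccountToken" in src:
                return True
    return False


def pods_with_token(pods: list, sas_list: list) -> list:
    """Return 'namespace/name' of every pod that gets a token by either route."""
    sas = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in sas_list}
    out = []
    for p in pods:
        if effective_automount(p, sas) or has_explicit_token_volume(p):
            out.append(f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}')
    return out


# Constructed sample objects (invented names, not from a real cluster)
SAMPLE_SAS = [
    {"metadata": {"namespace": "app", "name": "default"}},
    {"metadata": {"namespace": "app", "name": "build-robot"},
     "automountServiceAccountToken": False},
]
SAMPLE_PODS = [
    # uses the default SA, nothing set anywhere -> token mounted
    {"metadata": {"namespace": "app", "name": "webhook"}, "spec": {}},
    # SA says false, pod is silent -> not mounted
    {"metadata": {"namespace": "app", "name": "worker"},
     "spec": {"serviceAccountName": "build-robot"}},
    # SA says false but the pod overrides with true -> mounted
    {"metadata": {"namespace": "app", "name": "override"},
     "spec": {"serviceAccountName": "build-robot",
              "automountServiceAccountToken": True}},
    # automount off, but the token is projected explicitly -> still mounted
    {"metadata": {"namespace": "app", "name": "projected"},
     "spec": {"automountServiceAccountToken": False,
              "volumes": [{"name": "tok", "projected": {"sources": [
                  {"serviceAccountToken": {"path": "token"}}]}}]}},
]

if __name__ == "__main__":
    for name in pods_with_token(SAMPLE_PODS, SAMPLE_SAS):
        print("token mounted:", name)
```

Run it against the `items` arrays of the two kubectl JSON dumps and alert on anything it lists that is not on your allowlist of workloads that genuinely talk to the API.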
Run localhost:1338/latest/meta-data/iam/security-credentials/fulladministrator-role
How to mitigate: First take a look at one of the Memories in my Pensive, where you can find more background on instance metadata. The short version: the metadata endpoint hands out temporary credentials for the role attached to the instance, and the WebHook fetcher will happily fetch them for you. Now to the mitigation:
- If possible turn off IMDSv1, and in any case restrict the privileges of the instance role to what the workload really needs; a role called fulladministrator has no business on a webhook worker.
- Use ONLY IMDSv2 if possible. The security benefits you gain, especially in the case of SSRF, are awesome: a client first has to obtain a session token with a PUT request that carries a custom header, and a typical SSRF primitive like this WebHook fetcher can only send a GET without custom headers.
- If you use IMDSv2, set the hop limit to 1 (which is the default at the moment). The PUT response carrying the token is then sent with an IP TTL of 1, so it never reaches a Docker container that sits one hop further away behind the instance's bridge network. Only raise it for workloads that legitimately need metadata from inside such a container; for everything else the default keeps the container from telling too much.
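The three points above can be seen in one small model. The following is an added example, not code from the write-up or from AWS: `Imds` plays the metadata service with the real IMDSv2 header names, `ssrf_fetch` plays the vulnerable GET-only fetcher, and the `hops` parameter is a simplified stand-in for the IP TTL check (1 = the instance's own network namespace, 2 = a container behind the Docker bridge). Token values and the role paths are illustrative.

```python
# Added example (not the original write-up's or AWS's code): a minimal model of
# the IMDS request rules, to show why IMDSv2 and a hop limit of 1 blunt the
# SSRF used for the third flag. `hops` approximates the IP TTL distance
# between IMDS and the requester; everything else is a simplification.
import secrets

TOKEN_TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"   # real IMDSv2 header
TOKEN_HDR = "X-aws-ec2-metadata-token"                   # real IMDSv2 header
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


class Imds:
    def __init__(self, v1_enabled: bool, hop_limit: int):
        self.v1_enabled = v1_enabled   # "optional" (v1 allowed) vs "required" (v2 only)
        self.hop_limit = hop_limit     # IP TTL put on the PUT /api/token response
        self._tokens = set()

    def request(self, method, path, headers=None, hops=1):
        """Return (status, body); status 0 means no response ever arrived."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == "/latest/api/token":
            if TOKEN_TTL_HDR.lower() not in headers:
                return 400, "missing TTL header"
            if hops > self.hop_limit:
                return 0, "token response dropped: TTL expired before requester"
            tok = secrets.token_urlsafe(16)
            self._tokens.add(tok)
            return 200, tok
        if method != "GET":
            return 405, ""
        if headers.get(TOKEN_HDR.lower()) in self._tokens:
            return 200, self._serve(path)          # IMDSv2 session
        if self.v1_enabled:
            return 200, self._serve(path)          # IMDSv1 fallback, no token
        return 401, "Unauthorized"

    def _serve(self, path):
        return "<role credentials>" if path.startswith(CREDS_PATH) else "<metadata>"


def ssrf_fetch(imds: Imds, path: str, hops: int = 2) -> str:
    """The vulnerable fetcher: GET only, no control over headers."""
    status, body = imds.request("GET", path, hops=hops)
    return body if status == 200 else f"blocked ({status})"


def scenario_results() -> dict:
    """Run the cases from the mitigation list and return their outcomes."""
    legacy = Imds(v1_enabled=True, hop_limit=1)
    v2only = Imds(v1_enabled=False, hop_limit=1)
    ttl = {TOKEN_TTL_HDR: "21600"}
    # a proper IMDSv2 client inside the instance (hops=1) still works
    st, tok = v2only.request("PUT", "/latest/api/token", ttl, hops=1)
    v2_ok = st == 200 and v2only.request("GET", CREDS_PATH + "r", {TOKEN_HDR: tok})[0] == 200
    return {
        "v1_ssrf": ssrf_fetch(legacy, CREDS_PATH + "fulladministrator-role"),
        "v2_ssrf": ssrf_fetch(v2only, CREDS_PATH + "fulladministrator-role"),
        "v2_legit_client": v2_ok,
        # the same client from a bridged container (hops=2) never receives a token
        "v2_token_from_container": v2only.request("PUT", "/latest/api/token", ttl, hops=2)[0],
        # raising the hop limit to 2 is what makes containers work again
        "v2_hop2_client": Imds(False, 2).request("PUT", "/latest/api/token", ttl, hops=2)[0],
    }


if __name__ == "__main__":
    for k, v in scenario_results().items():
        print(f"{k}: {v}")
```

The model makes the trade-off explicit: with IMDSv2 required, the GET-only fetcher gets a 401 even on a fresh instance, and with the hop limit at 1 even a fetcher that could send a PUT would never see the token from inside the container.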