Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2025/09/16/htb-forgotten.html
  • Blog Title: Forgotten
  • Suggested Section: Pentesting Cloud -> Kubernetes Pentesting -> Attacking Kubernetes from inside a Pod (add/expand section on abusing writable hostPath/bind mounts for container->host root via SUID planting). Optionally create a sibling page under Pentesting Cloud: 'Containers/Docker Security -> Container-to-Host Escape via Writable Bind Mounts'.

🎯 Content Summary

Target, surface, and hosting topology
- Full TCP scan found only SSH and HTTP:

22/tcp open  ssh   OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache/2.4.56 (Debian)
- HTTP returned 403 with Apache banner and typical headers (e.g., Content-Type: text/html; charset=iso-8859-1).
- Layer Four Traceroute (lft) showed an extra hop only for TCP/80, implying...

🔧 Technical Details

Installer takeover on exposed apps. If an app’s installer is reachable and uninitialized, complete it using an attacker-controlled DB endpoint to create a superadmin. This yields full control without exploiting a software flaw.


Abusing LimeSurvey’s plugin system for RCE. Superadmins can upload zipped plugins containing PHP. Package a minimal webshell (e.g., <?php system($_REQUEST['cmd']); ?>) with a valid config.xml (e.g., ExampleSettings) and upload via Admin → Configuration → Plugins → Upload & install. The shell is served from /survey/upload/plugins/<PluginName>/<file.php>?cmd=....


Leaked environment secrets for lateral movement. Enumerate container env for credentials (e.g., LIMESURVEY_PASS). Test against sudo in-container and SSH on the host (e.g., sshpass -p '...' ssh user@host). Password reuse bridges isolation controls.


C...

🤖 Agent Actions

Summary of actions:

  • Explored the repository and reviewed relevant Kubernetes pentesting pages:

    • src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md
    • src/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md
    • src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md
    • src/pentesting-cloud/kubernetes-security/kubernetes-basics.md
    • src/pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md
    • src/pentesting-cloud/kubernetes-security/README.md
  • Determined the best location for the new content is:

    • Attacking Kubernetes from inside a Pod, since it already references hostPath and privileged pod techniques but lacked a concrete section on abusing existing writable hostPath/bind mounts for container-to-host root via SUID planting.

What I added:

  • New section in Attacking Kubernetes from inside a Pod:
    • Title: “Abusing writable hostPath/bind mounts (container -> host root via SUID planting)”
    • Content covers:
      • Preconditions and threat model (writable mount, nosuid, host-execution path).
      • How to identify writable hostPath/bind mounts from kubectl and from inside the container (mount, /proc/self/mountinfo, findmnt).
      • Practical SUID planting steps from inside the container (cp /bin/bash, chmod 6777).
      • Execution on the host with bash -p to preserve euid 0.
      • Notes (nosuid issues, alternate persistence/priv-esc via writable mounts if mapped into sensitive host directories).
      • Mitigations (avoid hostPath, enforce readOnly/nosuid/noexec/nodev, run as non-root, controls and monitoring).
  • References section added to the end of the file (before the banner, as is standard in this repo) including:
    • 0xdf’s Forgotten HTB writeup (source of the technique demonstration)
    • Kubernetes hostPath documentation
    • Docker bind mounts documentation
    • Bash -p manual reference
    • mount(8) nosuid documentation
    • Peirates repo (as related tooling already referenced in the page)

Files modified:

  • src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md
    • Inserted the new technique section before “Abusing Kubernetes Privileges.”
    • Appended a “## References” section with relevant links and kept the training banner include at the end.

Rationale:

  • The repository already discusses hostPath-based escapes conceptually, but did not provide concrete container-to-host exploitation guidance via writable bind mounts/SUID planting. This is a common and high-impact pathway that directly aligns with the blog’s technique and provides practical, copy/pasteable commands and mitigations.
  • Other elements of the blog (uninitialized installer takeover and LimeSurvey plugin upload RCE) are broader web attack patterns and not Kubernetes/containers specific; the repo doesn’t currently have a LimeSurvey-specific page and the main value add here is the container->host escalation technique. Therefore, I focused updates on Kubernetes post-exploitation where they best fit.

No further modifications were made because:

  • The Kubernetes pages already cover other related techniques (privileged pods, hostPID, node post-exploitation).
  • Creating a new “Containers/Docker Security” area would require broader structuring, and the requested addition fits cleanly into the existing Kubernetes page without adding a new section hierarchy.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
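The new section described above lists two places where the precondition for SUID planting shows up: inside the container (a mount that is read-write and lacks nosuid, visible in /proc/self/mountinfo) and in the pod spec (a hostPath volume mounted without readOnly). The following audit script is an added example for reviewers, not code from this PR or from the HackTricks page it modifies; it parses a constructed mountinfo excerpt and a constructed pod manifest (both invented here) and reports exactly the mounts the mitigations in the section would have hardened.

```python
"""Audit helpers for the writable hostPath / bind-mount exposure discussed above.

parse_mountinfo() + risky_mounts(): from inside a container, find mounts that are
read-write and lack nosuid (the combination that lets a planted SUID file be
honoured on the host). audit_pod_spec(): from the cluster side, flag hostPath
volumes mounted without readOnly: true. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed /proc/self/mountinfo excerpt (not captured from any real host):
# an overlay root, /proc, a read-write host bind mount with no nosuid, and a
# hardened mount with ro,nosuid,nodev,noexec.
SAMPLE_MOUNTINFO = """\
1 0 0:30 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
2 1 0:5 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
3 1 8:1 /srv/shared /opt/shared rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
4 1 8:1 /srv/ro /opt/ro ro,nosuid,nodev,noexec,relatime - ext4 /dev/sda1 rw
"""

# Filesystems that are never a path back to the host's real disk.
PSEUDO_FS = {"proc", "sysfs", "cgroup", "cgroup2", "tmpfs", "devpts", "mqueue", "overlay"}


@dataclass
class Mount:
    mount_point: str
    fstype: str
    source: str
    options: List[str]

    @property
    def writable(self) -> bool:
        return "rw" in self.options

    @property
    def nosuid(self) -> bool:
        return "nosuid" in self.options


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse mountinfo lines. Fields before ' - ': id, parent, maj:min, root,
    mount point, per-mount options, optional tags. After it: fstype, source, super options."""
    mounts: List[Mount] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pre_fields = pre.split()
        post_fields = post.split()
        mount_point = pre_fields[4].replace("\\040", " ")  # mountinfo escapes spaces as \040
        options = pre_fields[5].split(",")
        mounts.append(Mount(mount_point, post_fields[0], post_fields[1], options))
    return mounts


def risky_mounts(mounts: List[Mount]) -> List[Mount]:
    """Writable mounts on a real filesystem without nosuid: a file with the
    setuid bit written here keeps that bit when the host side executes it."""
    return [m for m in mounts if m.writable and not m.nosuid and m.fstype not in PSEUDO_FS]


# Constructed pod manifest (not from the repository): one hostPath mounted rw,
# one mounted readOnly, and an emptyDir that is not host-backed at all.
SAMPLE_POD: Dict = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "example"},
    "spec": {
        "volumes": [
            {"name": "shared", "hostPath": {"path": "/srv/shared"}},
            {"name": "logs", "hostPath": {"path": "/var/log", "type": "Directory"}},
            {"name": "scratch", "emptyDir": {}},
        ],
        "containers": [{
            "name": "app", "image": "example/app",
            "volumeMounts": [
                {"name": "shared", "mountPath": "/opt/shared"},
                {"name": "logs", "mountPath": "/host-logs", "readOnly": True},
                {"name": "scratch", "mountPath": "/tmp/scratch"},
            ],
        }],
    },
}


def audit_pod_spec(pod: Dict) -> List[str]:
    """Return one finding per hostPath volumeMount that is not readOnly."""
    spec = pod.get("spec", {})
    host_paths = {v["name"]: v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v}
    findings: List[str] = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for vm in c.get("volumeMounts", []):
            if vm["name"] in host_paths and not vm.get("readOnly", False):
                findings.append(f"{c['name']}: hostPath {host_paths[vm['name']]} mounted rw at {vm['mountPath']}")
    return findings


if __name__ == "__main__":
    for m in risky_mounts(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"[container] {m.mount_point} ({m.fstype} from {m.source}) is rw without nosuid")
    for finding in audit_pod_spec(SAMPLE_POD):
        print(f"[pod spec] {finding}")
```

On a live container, replace SAMPLE_MOUNTINFO with the contents of /proc/self/mountinfo; the filter deliberately ignores the overlay root and pseudo-filesystems, since only a host-backed filesystem mounted rw without nosuid matches the precondition the section describes. The pod-side check is the one to wire into admission review or a manifest linter, where adding readOnly: true (or dropping hostPath entirely) is the fix.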

Build master and others added 2 commits September 5, 2025 10:54
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/09/16/htb-forgotten.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Cloud -> Kubernetes Pentesting -> Attacking Kubernetes from inside a Pod (add/expand section on abusing writable hostPath/bind mounts for container->host root via SUID planting). Optionally create a sibling page under Pentesting Cloud: 'Containers/Docker Security -> Container-to-Host Escape via Writable Bind Mounts'.".

Repository Maintenance:

  • MD Files Formatting: 523 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@github-actions github-actions bot force-pushed the master branch 8 times, most recently from 51b1de4 to 80d43fe, September 29, 2025 23:07
@carlospolop carlospolop merged commit 5a06276 into master Sep 29, 2025
@carlospolop carlospolop deleted the update_Forgotten_20250917_063108 branch September 29, 2025 23:24
github-actions bot pushed a commit that referenced this pull request Sep 29, 2025