Welcome to this Dojo! Your goal is to exploit this Kubernetes cluster to understand the risks of an insecure cluster implementation, and to learn as much as possible during this session.
That's why it is essential that:
- You experiment and try things that may break. Don't simply copy-paste everything from StackOverflow until it passes the test!
- To keep moving or to learn more, please andon! That means whenever you have a question, a doubt or feedback, call someone from the staff; we'll love to help you.
To work efficiently, you will work on a remote VM on which all the following tools are already installed:
- git: version your code and collaborate.
- aws CLI: the CLI to interact with AWS.
- kubectl: the CLI to interact with the Kubernetes cluster.
To connect to the VM:
- Install VSCode.
- Add the Remote SSH extension to VSCode.
- Create a GitHub account.
- Create an SSH key on your GitHub account: see the "Add a ssh key" documentation.
- Share your GitHub handle with a member of Padok's team.
- Launch a "Remote SSH Session" with the VSCode extension, or connect directly to your machine with:
ssh eleve@<Handle>.aws.padok.cloud
Ready? Set. Go!
Step 1
Connect to the following address: http://imagetragick.cs.padok.school/
Check what the app contains and search how you can exploit the vulnerability it contains.
Hint 1
How can you interact with the server? Observe the name of the app (check the URL).
Hint 2
Try searching for ways to trigger a reverse shell with an image uploader on imagetragick apps.
Hint 3
Have you heard of ImageMagick? Check for CVEs. Use a .mvg file to inject whatever payload you want.
Hint 4
Do you know how to trigger a reverse shell? Listen on port 443 on your lab machine. Kubernetes pods are not allowed to communicate with the outside on any port other than 443.
sudo nc -n -l -vvv -p 443
Spawn an interactive shell. Check how you can spawn a better shell than your current dummy shell.
Bonus Hint 1
Check out this:
Solutions Step 1
Use CVE-2016-3714. Listen for incoming connections with:
sudo nc -n -l -vvv -p 443
Perform the reverse shell by uploading the file:
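The coder-level mitigation for CVE-2016-3714 is ImageMagick's policy.xml, which can deny the EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN and PLT coders, and an uploader should identify files by content because ImageMagick ignores the extension. As an added example (not part of this dojo's material), the Python below reports which of those coders a constructed policy.xml still allows, and sniffs an upload's leading bytes so that MVG text named .png is rejected before ImageMagick sees it.

```python
import xml.etree.ElementTree as ET

# Coders the ImageTragick advisory recommends denying in policy.xml.
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}

# Constructed policy.xml that only denies three of the risky coders.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""


def allowed_risky_coders(policy_xml: str) -> set:
    """Return the risky coders that policy_xml does not deny with rights="none"."""
    denied = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            denied.add(pol.get("pattern", "").upper())
    return RISKY_CODERS - denied


# Magic bytes of the raster formats the uploader is meant to accept.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
# ImageMagick recognises MVG by these leading keywords, whatever the extension.
MVG_KEYWORDS = (b"push graphic-context", b"viewbox")


def sniff_format(data: bytes) -> str:
    """Identify an upload by its content, never by its file name."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.lstrip().lower().startswith(MVG_KEYWORDS):
        return "mvg"
    return "unknown"


def accept_upload(data: bytes) -> bool:
    """Accept only raster formats whose magic bytes check out."""
    return sniff_format(data) in ("png", "jpeg")
```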
Step 2
The goal of this step is to perform a container escape to obtain a shell on the node the pod is running on.
Hint 1
What rights do you have in the pod? Check which user you are connected as: whoami. Check the capabilities of the pod with capsh --print.
Hint 2
Have you heard of container escape ?
Hint 3
Check how you can use the nsenter command to escape a container.
Hint 4
Check out this:
Solutions Step 2
Check the capabilities of the container. Use nsenter to perform the container escape.
Step 3
The goal of this step is to retrieve a flag stored in a Kubernetes secret.
Hint 1
What is hosted on a Kubernetes node? What could you list from the node?
Hint 2
Use the mount command to list what is mounted on the node. Do you observe anything potentially sensitive?
Hint 3
You need a token and the right API URL to interact with the cluster.
Hint 4
Try grepping the output of the mount command for "api".
Hint 5
Check the environment variables for an IP address that looks interesting.
Hint 6
How can you use the token and the IP to connect to the Kubernetes API? Check the kubectl manual.
Solutions Step 3
Try each token to get the secrets of the cluster. You can use a for loop to iterate over the tokens and check which one has the rights to display the secrets.
Step 4
The goal of this step is to retrieve the AWS credentials associated with the IAM role of the node.
Hint 1
Check how you can retrieve the metadata of an instance in AWS.
Hint 2
Check the metadata you obtain using the command in the following file. Maybe take a look at the higher-level metadata in the documentation: documentation-metadata.
Hint 3
What we want at this point is to obtain the AWS credentials that carry the rights of the IAM node-group role. You can retrieve the AWS credentials from the JSON returned by the curl command. Be careful: the credential syntax expected by the AWS CLI is different from the response obtained from the command.
Hint 4
You can use the Python script located in the solutions/step4 folder. Do not cheat by checking the solution ;).
Hint 5
Export the values from the script output. You should now be able to use ./kubectl get pods.
Solutions Step 4
Retrieve the metadata step by step, starting with the lowest level given in the documentation from Hint 2, then iterate towards the higher levels:
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/<aks_node_group_name>
Save the output of the last command to a JSON file and use the Python script to obtain the export commands that set the AWS credentials on your machine.
Now try a kubectl get pods command to be sure you now have AWS access.
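Steps 2 to 4 all start from the pod's own security context: an added capability such as SYS_ADMIN together with hostPID is what makes the nsenter escape possible, and once on the node the kubelet-mounted service account tokens and the instance metadata service are within reach. As an added example (not part of this dojo's material), the Python below audits a constructed kubectl get pods -o json document for exactly those settings; the pod names and namespaces are invented.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` (trimmed).
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "dojo", "name": "imagetragick-app"},
     "spec": {"hostPID": True,
              "containers": [{"name": "app", "securityContext": {
                  "capabilities": {"add": ["SYS_ADMIN"]}}}]}},
    {"metadata": {"namespace": "dojo", "name": "hardened"},
     "spec": {"automountServiceAccountToken": False,
              "containers": [{"name": "app", "securityContext": {
                  "privileged": False, "allowPrivilegeEscalation": False,
                  "capabilities": {"drop": ["ALL"]}}}]}},
]})

# Capabilities that, combined with host namespaces, let a process leave the container.
ESCAPE_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def audit_pods(pod_list_json: str) -> list:
    """Return one finding string per escape-enabling or token-exposing setting."""
    findings = []
    for pod in json.loads(pod_list_json)["items"]:
        ref = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        spec = pod["spec"]
        if spec.get("hostPID"):
            findings.append(f"{ref}: hostPID lets nsenter join node processes")
        if spec.get("hostNetwork"):
            findings.append(f"{ref}: hostNetwork reaches the node network and IMDS")
        # Kubernetes mounts the service account token unless this is False.
        if spec.get("automountServiceAccountToken", True):
            findings.append(f"{ref}: service account token automounted")
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            sc = c.get("securityContext", {})
            cref = f'{ref}/{c["name"]}'
            if sc.get("privileged"):
                findings.append(f"{cref}: privileged container")
            added = set(sc.get("capabilities", {}).get("add", [])) & ESCAPE_CAPS
            if added:
                findings.append(f"{cref}: adds capabilities {sorted(added)}")
            # Defaults to True, so only an explicit False counts as hardened.
            if sc.get("allowPrivilegeEscalation", True):
                findings.append(f"{cref}: allowPrivilegeEscalation not disabled")
    return findings
```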
Step 5
Your goal is to get the flag contained in a bucket using the AWS credentials of the IAM role of the node.
Hint 1
You are using the role policy of a node group. This role has several policies.
Hint 2
Check the documentation of the s3api AWS CLI reference.
Hint 3
The policies allowed for the role are "s3:ListBucket" and "s3:GetObject". They allow you to list the buckets and get the objects they contain.
Solutions Step 5
You must list the existing buckets with the command. There is just one bucket. You can then list the files contained in the S3 bucket. Get the flag in the bucket: solution/step5/solution.sh
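The node-group role in Step 5 is reachable from any pod that gets onto the node, so its blast radius is whatever its policies allow. As an added example (not from this dojo's solutions), the Python below scans a constructed IAM policy document for "s3:ListBucket" and "s3:GetObject" grants scoped to every bucket, the over-broad pattern this step relies on; the policy content and ARNs are invented.

```python
import json
from fnmatch import fnmatch

# Constructed node-group role policy: S3 read on every bucket in the account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ecr:GetDownloadUrlForLayer",
         "Resource": "arn:aws:ecr:eu-west-1:111122223333:repository/app"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-app-assets/*"},
    ]})

# The two read actions the dojo's role grants.
S3_READ = ("s3:ListBucket", "s3:GetObject")


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(action: str, pattern: str) -> bool:
    """IAM action matching is case-insensitive and supports the * wildcard."""
    return fnmatch(action.lower(), pattern.lower())


def overbroad_s3_grants(policy_json: str) -> list:
    """Return (action, resource) pairs that grant S3 read on all buckets."""
    hits = []
    for st in _as_list(json.loads(policy_json)["Statement"]):
        # Only Allow statements with an explicit Action list are considered.
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        for pattern in _as_list(st["Action"]):
            for action in S3_READ:
                if not _action_matches(action, pattern):
                    continue
                for res in _as_list(st.get("Resource", [])):
                    # "*" and arn:aws:s3:::* cover every bucket and object.
                    if res == "*" or res.startswith("arn:aws:s3:::*"):
                        hits.append((action, res))
    return hits
```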
© 2023 Padok.
Licensed under the Apache License, Version 2.0 (LICENSE)