2021-04-27 23:18:16 +00:00
# Enumeration from a Pod
If you have managed to break into a Kubernetes Pod, you can start enumerating the Kubernetes environment from within it.
## Service Account Tokens
Before continuing, if you don't know what a service is in Kubernetes, I suggest you [**follow this link and read at least the information about Kubernetes architecture**](./#architecture)**.**
**ServiceAccount** is an object managed by Kubernetes and used to provide an identity for processes that run in a pod.
Every service account has a secret related to it, and this secret contains a bearer token. This is a JSON Web Token (JWT), a method for representing claims securely between two parties.
Usually in the directory `/run/secrets/kubernetes.io/serviceaccount` or `/var/run/secrets/kubernetes.io/serviceaccount` you can find the files:
* **ca.crt**: The CA certificate used to verify TLS communications with the Kubernetes API server
* **namespace**: It indicates the current namespace
* **token**: It contains the **service token** of the current pod.
The service account token is signed by the private key in the file **sa.key** and validated with the public key in **sa.pub**.
Default location on **Kubernetes**:
* /etc/kubernetes/pki
Default location on **Minikube**:
* /var/lib/localkube/certs
Taken from the Kubernetes [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server):
_"When you create a pod, if you do not specify a service account, it is automatically assigned the `default` service account in the same namespace."_
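As an added example (not from the original page), the script below reads the token and namespace files from the mount directories listed above and decodes the JWT payload to show which service account identity the pod is running as. It assumes GNU `base64 -d`; it only reads the claims and does not verify the signature (that is the API server's job with `sa.pub`).

```shell
#!/bin/sh
# Added example (not from the original page): show the service account
# identity of the current pod using only the files mounted into it.

# Print the first service account mount that exists (both paths occur).
sa_dir() {
  for d in /run/secrets/kubernetes.io/serviceaccount \
           /var/run/secrets/kubernetes.io/serviceaccount; do
    [ -f "$d/token" ] && { printf '%s\n' "$d"; return 0; }
  done
  return 1
}

# Decode the payload (second segment) of a JWT. No signature check here:
# this only reads claims the pod can already see in plain text.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')   # base64url -> base64
  case $(( ${#seg} % 4 )) in                             # restore '=' padding
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Extract a top-level string claim from the JSON payload without jq.
claim() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

if dir=$(sa_dir); then
  payload=$(jwt_payload "$(cat "$dir/token")")
  echo "namespace : $(cat "$dir/namespace")"
  echo "subject   : $(claim "$payload" sub)"   # system:serviceaccount:<ns>:<name>
  echo "issuer    : $(claim "$payload" iss)"
  echo "ca.crt    : $dir/ca.crt"
else
  echo "no service account token mounted (automountServiceAccountToken may be false)"
fi
```

The `sub` claim tells you directly which ServiceAccount (and therefore which RBAC bindings) the pod carries, which is the first thing to check when deciding whether a pod is "hot".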
### Hot Pods
**Hot pods** are pods containing a privileged service account token: a token that has permission to perform privileged tasks such as listing secrets, creating pods, etc.
## RBAC
If you don't know what **RBAC** is, [**read this section**](./#cluster-hardening-rbac).
## Enumeration CheatSheet
To enumerate the environment you can upload the [**kubectl**](https://kubernetes.io/es/docs/tasks/tools/install-kubectl/) binary and use it. Alternatively, using the **service token** obtained before, you can manually access some endpoints of the **API Server**.
In order to find the IP of the API service, check the environment for a variable called `KUBERNETES_SERVICE_HOST`.
### Differences between `list` and `get` verbs
With **`get`** permissions you can access the API:
```text
GET /apis/apps/v1/namespaces/{namespace}/deployments/{name}
```
If you have the **`list`** permission, you are allowed to execute these API requests:
```bash
# In a namespace
GET /apis/apps/v1/namespaces/{namespace}/deployments
# In all namespaces
GET /apis/apps/v1/deployments
```
If you have the **`watch`** permission, you are allowed to execute these API requests:
```text
GET /apis/apps/v1/deployments?watch=true
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments?watch=true
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments/{name} [DEPRECATED]
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments [DEPRECATED]
GET /apis/apps/v1/watch/deployments [DEPRECATED]
```
They open a streaming connection that returns the full manifest of a Deployment whenever it changes (or when a new one is created).
### Get namespaces
{% tabs %}
{% tab title="kubectl" %}
```bash
./kubectl get namespaces
```
{% endtab %}
{% tab title="API" %}
```bash
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/
```
{% endtab %}
{% endtabs %}
### Get Current Privileges
{% tabs %}
{% tab title="kubectl" %}
```bash
./kubectl auth can-i --list                  # Get privileges in current namespace
./kubectl auth can-i --list -n custnamespace # Get privileges in custnamespace
```
{% endtab %}
{% endtabs %}
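Added example (not from the original page) that serves both the API-access note in the cheatsheet intro and this privileges check: it builds the API URL from `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT`, verifies TLS against the mounted `ca.crt` instead of disabling it, and asks the API server for the current token's permissions through a `SelfSubjectRulesReview`, the API form of `kubectl auth can-i --list`. It assumes `curl` is available in the pod and that the token is mounted at the default path.

```shell
#!/bin/sh
# Added example (not from the original page): query the API server from
# inside a pod without kubectl, using the mounted CA and token and the
# KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT variables that the
# kubelet injects into every container.

SA=${SA:-/var/run/secrets/kubernetes.io/serviceaccount}   # assumed mount path

# Build the API base URL from the environment (no hard-coded IP/port).
api_base() {
  host=$KUBERNETES_SERVICE_HOST
  [ -n "$host" ] || return 1
  case $host in *:*) host="[$host]" ;; esac               # IPv6 literal needs brackets
  printf 'https://%s:%s\n' "$host" "${KUBERNETES_SERVICE_PORT:-443}"
}

# Send a request to an API path. TLS is verified against the mounted ca.crt
# rather than disabled with -k, so a spoofed API endpoint is rejected.
api() {
  path=$1; method=${2:-GET}; body=${3:-}
  curl -sS --cacert "$SA/ca.crt" \
       -H "Authorization: Bearer $(cat "$SA/token")" \
       -H 'Content-Type: application/json' \
       -X "$method" ${body:+--data "$body"} \
       "$(api_base)$path"
  echo
}

# Request body for a SelfSubjectRulesReview: the API equivalent of
# `kubectl auth can-i --list -n <namespace>` for the current token.
rules_review_body() {
  printf '{"kind":"SelfSubjectRulesReview","apiVersion":"authorization.k8s.io/v1","spec":{"namespace":"%s"}}' "$1"
}

# Only issue live requests when the token is mounted and the API address is
# known; otherwise the functions above can simply be sourced and reused.
if [ -f "$SA/token" ] && api_base >/dev/null 2>&1; then
  ns=$(cat "$SA/namespace")
  api /apis/authorization.k8s.io/v1/selfsubjectrulesreviews POST "$(rules_review_body "$ns")"
  api "/api/v1/namespaces/$ns/pods"           # needs the "list" verb on pods
fi
```

The `status.resourceRules` array in the review response lists the verbs and resources the token is allowed, which is what to compare against the next page when judging whether the pod's privileges are excessive.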
**Once you know which privileges** you have, check the following page to figure out **if you can abuse them** to escalate privileges:
{% page-ref page="hardening-roles-clusterroles.md" %}
### Get Current Context
{% tabs %}
{% tab title="Kubectl" %}
```text
kubectl config current-context
```
{% endtab %}
{% endtabs %}
### Get/List secrets
{% tabs %}
{% tab title="kubectl" %}
```bash
# Listing all secrets requires the "list" verb on secrets
./kubectl get secrets -o yaml
./kubectl get secrets -o yaml -n custnamespace
# Reading one named secret only requires the "get" verb (there is no "kubectl list" command)
./kubectl get secret <secret_name> -o yaml
./kubectl get secret <secret_name> -o yaml -n custnamespace
```
{% endtab %}
{% tab title="API" %}
```bash
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/default/secrets/
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/custnamespace/secrets/
```
{% endtab %}
{% endtabs %}
### Get deployments
{% tabs %}
{% tab title="kubectl" %}
```text
./kubectl get deployments
./kubectl get deployments -n custnamespace
```
{% endtab %}
{% tab title="API" %}
```bash
# Deployments live in the apps/v1 API group, not the core /api/v1 group
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/apis/apps/v1/namespaces/default/deployments/
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/apis/apps/v1/namespaces/custnamespace/deployments/
```
{% endtab %}
{% endtabs %}
### Get pods
{% tabs %}
{% tab title="kubectl" %}
```text
./kubectl get pods
./kubectl get pods -n custnamespace
```
{% endtab %}
{% tab title="API" %}
```bash
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/default/pods/
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/custnamespace/pods/
```
{% endtab %}
{% endtabs %}
### Get nodes
{% tabs %}
{% tab title="kubectl" %}
```text
./kubectl get nodes
```
{% endtab %}
{% tab title="API" %}
```bash
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/nodes/
```
{% endtab %}
{% endtabs %}
### Get daemonsets
{% tabs %}
{% tab title="kubectl" %}
```text
./kubectl get daemonsets
```
{% endtab %}
{% tab title="API" %}
```bash
# DaemonSets are served from apps/v1; the extensions/v1beta1 path was removed in Kubernetes 1.16
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/apis/apps/v1/namespaces/default/daemonsets
```
{% endtab %}
{% endtabs %}
### Get "all"
{% tabs %}
{% tab title="kubectl" %}
```text
./kubectl get all
```
{% endtab %}
{% endtabs %}
## **Pod Breakout**
**If you are lucky enough, you may be able to escape from the pod to the node:**
{% page-ref page="../../linux-unix/privilege-escalation/docker-breakout.md" %}