mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
GitBook: [#2912] No subject
This commit is contained in:
parent
8a0c6374c5
commit
637a8f10aa
1 changed files with 66 additions and 4 deletions
|
@ -83,10 +83,6 @@ Check out the following page to learn how you could **attack Kubernetes specific
|
||||||
|
|
||||||
In case the **compromised pod is running some sensitive service** where other pods need to authenticate you might be able to obtain the credentials send from the other pods.
|
In case the **compromised pod is running some sensitive service** where other pods need to authenticate you might be able to obtain the credentials send from the other pods.
|
||||||
|
|
||||||
## Automatic Tools
|
|
||||||
|
|
||||||
* [https://github.com/inguardians/peirates](https://github.com/inguardians/peirates)
|
|
||||||
|
|
||||||
## Node Post-Exploitation
|
## Node Post-Exploitation
|
||||||
|
|
||||||
If you managed to **escape from the container** there are some interesting things you will find in the node:
|
If you managed to **escape from the container** there are some interesting things you will find in the node:
|
||||||
|
@ -117,3 +113,69 @@ for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Automatic Tools
|
||||||
|
|
||||||
|
* [**https://github.com/inguardians/peirates**](https://github.com/inguardians/peirates)****
|
||||||
|
|
||||||
|
```
|
||||||
|
Peirates v1.1.8-beta by InGuardians
|
||||||
|
https://www.inguardians.com/peirates
|
||||||
|
----------------------------------------------------------------
|
||||||
|
[+] Service Account Loaded: Pod ns::dashboard-56755cd6c9-n8zt9
|
||||||
|
[+] Certificate Authority Certificate: true
|
||||||
|
[+] Kubernetes API Server: https://10.116.0.1:443
|
||||||
|
[+] Current hostname/pod name: dashboard-56755cd6c9-n8zt9
|
||||||
|
[+] Current namespace: prd
|
||||||
|
----------------------------------------------------------------
|
||||||
|
Namespaces, Service Accounts and Roles |
|
||||||
|
---------------------------------------+
|
||||||
|
[1] List, maintain, or switch service account contexts [sa-menu] (try: listsa *, switchsa)
|
||||||
|
[2] List and/or change namespaces [ns-menu] (try: listns, switchns)
|
||||||
|
[3] Get list of pods in current namespace [list-pods]
|
||||||
|
[4] Get complete info on all pods (json) [dump-pod-info]
|
||||||
|
[5] Check all pods for volume mounts [find-volume-mounts]
|
||||||
|
[6] Enter AWS IAM credentials manually [enter-aws-credentials]
|
||||||
|
[7] Attempt to Assume a Different AWS Role [aws-assume-role]
|
||||||
|
[8] Deactivate assumed AWS role [aws-empty-assumed-role]
|
||||||
|
[9] Switch authentication contexts: certificate-based authentication (kubelet, kubeproxy, manually-entered) [cert-menu]
|
||||||
|
-------------------------+
|
||||||
|
Steal Service Accounts |
|
||||||
|
-------------------------+
|
||||||
|
[10] List secrets in this namespace from API server [list-secrets]
|
||||||
|
[11] Get a service account token from a secret [secret-to-sa]
|
||||||
|
[12] Request IAM credentials from AWS Metadata API [get-aws-token] *
|
||||||
|
[13] Request IAM credentials from GCP Metadata API [get-gcp-token] *
|
||||||
|
[14] Request kube-env from GCP Metadata API [attack-kube-env-gcp]
|
||||||
|
[15] Pull Kubernetes service account tokens from kops' GCS bucket (Google Cloudonly) [attack-kops-gcs-1] *
|
||||||
|
[16] Pull Kubernetes service account tokens from kops' S3 bucket (AWS only) [attack-kops-aws-1]
|
||||||
|
--------------------------------+
|
||||||
|
Interrogate/Abuse Cloud API's |
|
||||||
|
--------------------------------+
|
||||||
|
[17] List AWS S3 Buckets accessible (Make sure to get credentials via get-aws-token or enter manually) [aws-s3-ls]
|
||||||
|
[18] List contents of an AWS S3 Bucket (Make sure to get credentials via get-aws-token or enter manually) [aws-s3-ls-objects]
|
||||||
|
-----------+
|
||||||
|
Compromise |
|
||||||
|
-----------+
|
||||||
|
[20] Gain a reverse rootshell on a node by launching a hostPath-mounting pod [attack-pod-hostpath-mount]
|
||||||
|
[21] Run command in one or all pods in this namespace via the API Server [exec-via-api]
|
||||||
|
[22] Run a token-dumping command in all pods via Kubelets (authorization permitting) [exec-via-kubelet]
|
||||||
|
-------------+
|
||||||
|
Node Attacks |
|
||||||
|
-------------+
|
||||||
|
[30] Steal secrets from the node filesystem [nodefs-steal-secrets]
|
||||||
|
-----------------+
|
||||||
|
Off-Menu +
|
||||||
|
-----------------+
|
||||||
|
[90] Run a kubectl command using the current authorization context [kubectl [arguments]]
|
||||||
|
[] Run a kubectl command using EVERY authorization context until one works [kubectl-try-all [arguments]]
|
||||||
|
[91] Make an HTTP request (GET or POST) to a user-specified URL [curl]
|
||||||
|
[92] Deactivate "auth can-i" checking before attempting actions [set-auth-can-i]
|
||||||
|
[93] Run a simple all-ports TCP port scan against an IP address [tcpscan]
|
||||||
|
[94] Enumerate services via DNS [enumerate-dns] *
|
||||||
|
[] Run a shell command [shell <command and arguments>]
|
||||||
|
|
||||||
|
[exit] Exit Peirates
|
||||||
|
```
|
||||||
|
|
||||||
|
##
|
||||||
|
|
Loading…
Reference in a new issue