GitBook: [master] one page and one asset modified

This commit is contained in:
CPol 2021-04-28 17:45:30 +00:00 committed by gitbook-bot
parent 458bc4a407
commit 89dbdd726a
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 40 additions and 0 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 74 KiB

View file

@ -229,3 +229,43 @@ https://<Kubernetes_API_IP>:<port>/apis/extensions/v1beta1/namespaces/default/da
{% page-ref page="../../linux-unix/privilege-escalation/docker-breakout.md" %} {% page-ref page="../../linux-unix/privilege-escalation/docker-breakout.md" %}
## Search vulnerable network services
As you are inside the Kubernetes environment, if you cannot escalate privileges abusing the current pods privileges and you cannot escape from the container, you should **search potential vulnerable services.**
### Services
**For this purpose, you can try to get all the services of the kubernetes environment:**
```text
kubectl get svc all-namespaces
```
![](../../.gitbook/assets/image%20%28471%29.png)
### Scanning
The following Bash script \(taken from a [Kubernetes workshop](https://github.com/calinah/learn-by-hacking-kccn/blob/master/k8s_cheatsheet.md)\) will install and scan the IP ranges of the kubernetes cluster:
```bash
sudo apt-get update
sudo apt-get install nmap
nmap-kube ()
{
nmap --open -T4 -A -v -Pn -p 443,2379,8080,9090,9100,9093,4001,6782-6784,6443,8443,9099,10250,10255,10256 "${@}"
}
nmap-kube-discover () {
local LOCAL_RANGE=$(ip a | awk '/eth0$/{print $2}' | sed 's,[0-9][0-9]*/.*,*,');
local SERVER_RANGES=" ";
SERVER_RANGES+="10.0.0.1 ";
SERVER_RANGES+="10.0.1.* ";
SERVER_RANGES+="10.*.0-1.* ";
nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"
}
nmap-kube-discover
```
## References
{% embed url="https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3" %}