Writeups

General

Article Description
K8s/GKE Attack Tech Notes
  • How GitLab's Red Team has thought about attacking their own K8s infrastructure
They told me I could be anything, so I became a Kubernetes node
  • Using K3s for command and control on compromised Linux hosts
Kubernetes Pod Escape Using Log Mounts
  • How a pod running as root and with a mount point to the node's /var/log directory can expose the entire contents of its host filesystem to any user who has access to its logs
Compromising Read-Only Containers with Fileless Malware
  • Mechanics and prevalence of fileless malware execution in attacking read-only containerized environments

Privesc

Article Description
Basic Kubernetes Privilege Escalation
  • Let's say you got a reverse shell from a process running in a Kubernetes environment
  • This guide details the basic steps you can take to escalate your privileges within Kubernetes
Bad Pods: Kubernetes Pod Privilege Escalation
  • What are the risks associated with overly permissive pod creation in Kubernetes?
  • 8 insecure pod configurations and the corresponding methods to perform privilege escalation
  • See also the companion badPods repository
GKE Kubelet TLS Bootstrap Privilege Escalation
  • Privilege escalation with Kubelet TLS bootstrapping in Google Kubernetes Engine
  • Starting from compromised GCP credentials: stealing TLS bootstrap credentials by listing Compute Engine instances, generating and submitting CSRs, acting as worker nodes, stealing secrets and gaining cluster admin access in the GKE cluster
Privilege Escalation from Node/Proxy Rights in Kubernetes RBAC
  • How granting rights to node/proxy resources in Kubernetes could allow audit logs and other security controls to be bypassed
Container Breakouts

Kubelet

Article
Attacking Kubernetes through Kubelet
Hacking Kubelet on GKE