GCP - Containers & GKE Enum

Houers

In GCP houers kan jy die meeste van die houer-gebaseerde dienste wat GCP bied, vind. Hier kan jy sien hoe om die mees algemene eenhede te enumereer:

gcloud container images list
gcloud container images list --repository us.gcr.io/<project-name> #Search in other subdomains repositories
gcloud container images describe <name>
gcloud container subnets list-usable
gcloud container clusters list
gcloud container clusters describe <name>
gcloud container clusters get-credentials [NAME]

# Run a container locally
docker run --rm -ti gcr.io/<project-name>/secret:v1 sh

# Login & Download
sudo docker login -u oauth2accesstoken -p $(gcloud auth print-access-token) https://HOSTNAME
## where HOSTNAME is gcr.io, us.gcr.io, eu.gcr.io, or asia.gcr.io.
sudo docker pull HOSTNAME/<project-name>/<image-name>

Privesc

In die volgende bladsy kan jy kyk hoe om houer toestemmings te misbruik om voorregte te verhoog:

Node Pools

Dit is die poel van masjiene (nodes) wat die kubernetes klusters vorm.

# Pool of machines used by the cluster
gcloud container node-pools list --zone <zone> --cluster <cluster>
gcloud container node-pools describe --cluster <cluster> --zone <zone> <node-pool>

Kubernetes

Vir inligting oor wat Kubernetes is, kyk na hierdie bladsy:

Eerstens, kan jy kyk of daar enige Kubernetes-klusters in jou projek bestaan.

gcloud container clusters list

As jy 'n kluster het, kan jy gcloud jou ~/.kube/config lêer outomaties konfigureer. Hierdie lêer word gebruik om jou te verifieer wanneer jy kubectl gebruik, die inheemse CLI om met K8s-klusters te kommunikeer. Probeer hierdie opdrag.

gcloud container clusters get-credentials [CLUSTER NAME] --region [REGION]

Kyk dan na die ~/.kube/config lêer om die gegenereerde geloofsbriewe te sien. Hierdie lêer sal gebruik word om toegangstokens outomaties te verfris op grond van dieselfde identiteit wat jou aktiewe gcloud sessie gebruik. Dit vereis natuurlik die korrekte toestemmings.

Sodra dit opgestel is, kan jy die volgende opdrag probeer om die klusterkonfigurasie te verkry.

kubectl cluster-info

You can read more about gcloud for containers here.

This is a simple script to enumerate kubernetes in GCP: https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_k8s_enum

TLS Boostrap Privilege Escalation

Initially this privilege escalation technique allowed to privesc inside the GKE cluster effectively allowing an attacker to fully compromise it.

This is because GKE provides TLS Bootstrap credentials in the metadata, which is accessible by anyone by just compromising a pod.

The technique used is explained in the following posts:

• https://www.4armed.com/blog/hacking-kubelet-on-gke/

• https://www.4armed.com/blog/kubeletmein-kubelet-hacking-tool/

• https://rhinosecuritylabs.com/cloud-security/kubelet-tls-bootstrap-privilege-escalation/

Ans this tool was created to automate the process: https://github.com/4ARMED/kubeletmein

However, the technique abused the fact that with the metadata credentials it was possible to generate a CSR (Certificate Signing Request) for a new node, which was automatically approved. In my test I checked that daardie versoeke word nie meer outomaties goedgekeur nie, so I'm not sure if this technique is still valid.

Secrets in Kubelet API

In this post it was discovered it was discovered a Kubelet API address accesible from inside a pod in GKE giving the details of the pods running:

curl -v -k http://10.124.200.1:10255/pods

Selfs al die API toelaat nie om hulpbronne te wysig nie, kan dit moontlik wees om sensitiewe inligting in die antwoord te vind. Die eindpunt /pods is gevind met behulp van Kiterunner.