Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
In Kubernetes it's pretty common that somehow you manage to get inside a namespace (by stealing some user credentials or by compromising a pod). However, usually you will be interested in escalating to a different namespace as more interesting things can be found there.
Here are some techniques you can try to escape to a different namespace:
Obviously if the account you have stolen have sensitive privileges over the namespace you can to escalate to, you can abuse actions like creating pods with service accounts in the NS, executing a shell in an already existent pod inside of the ns, or read the secret SA tokens.
For more info about which privileges you can abuse read:
Abusing Roles/ClusterRoles in KubernetesIf you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens:
Check for SAs tokens mounted in other docker containers running in the node
Check for new kubeconfig files in the node with extra permissions given to the node
If enabled (or enable it yourself) try to create mirrored pods of other namespaces as you might get access to those namespaces default token accounts (I haven't tested this yet)
All these techniques are explained in:
Attacking Kubernetes from inside a PodLearn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
