GCP - Containers & GKE Enum

Support HackTricks

Containers

Under GCP containers you can find most of the container-based services that GCP offers; here you can see how to enumerate the most common ones:

gcloud container images list
gcloud container images list --repository us.gcr.io/<project-name> #Search in other subdomains repositories
gcloud container images describe <name>
gcloud container subnets list-usable
gcloud container clusters list
gcloud container clusters describe <name>
gcloud container clusters get-credentials [NAME]

# Run a container locally
docker run --rm -ti gcr.io/<project-name>/secret:v1 sh

# Login & Download
sudo docker login -u oauth2accesstoken -p $(gcloud auth print-access-token) https://HOSTNAME
## where HOSTNAME is gcr.io, us.gcr.io, eu.gcr.io, or asia.gcr.io.
sudo docker pull HOSTNAME/<project-name>/<image-name>

Privesc

On the following page you can check how to abuse container permissions to escalate privileges:

Node Pools

These are the groups of machines (nodes) that make up the Kubernetes clusters.

# Pool of machines used by the cluster
gcloud container node-pools list --zone <zone> --cluster <cluster>
gcloud container node-pools describe --cluster <cluster> --zone <zone> <node-pool>

Kubernetes

For information about what Kubernetes is, check this page:

First, you can check whether any Kubernetes clusters exist in your project.

gcloud container clusters list

If you have a cluster, you can have gcloud automatically configure your ~/.kube/config file. This file is used to authenticate you when you use kubectl, the native CLI for interacting with K8s clusters. Try this command.

gcloud container clusters get-credentials [CLUSTER NAME] --region [REGION]

Then, take a look at the ~/.kube/config file to see the generated credentials. This file will be used to automatically refresh access tokens based on the same identity that your gcloud session is using. This of course requires the right permissions to be in place.

Once this is set up, you can try the following command to get the cluster configuration.

kubectl cluster-info
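The kubeconfig written by get-credentials holds no secret of its own: its user entry delegates to gcloud (an exec entry for gke-gcloud-auth-plugin, or the older gcp auth-provider), so tokens are minted on demand from the gcloud session. A useful review step is to check which users in a kubeconfig actually work that way and which carry long-lived credentials (static tokens, embedded client certificates). The following script is an added example, not part of the original page or of gcloud; the sample kubeconfig, the user names and the credential values in it are constructed, and reading a real file needs PyYAML.

```python
"""Audit how each user in a kubeconfig authenticates.

`gcloud container clusters get-credentials` writes a user entry that delegates
to gcloud (the gke-gcloud-auth-plugin exec entry, or the older gcp
auth-provider), so tokens are minted on demand instead of being stored.
Static tokens or embedded client certificates are long-lived and worth review.
"""
import sys

# Constructed sample: a kubeconfig after get-credentials plus hand-added users.
# Every name and value here is made up for this example.
SAMPLE_KUBECONFIG = {
    "users": [
        {   # modern GKE entry: exec plugin, no secret stored in the file
            "name": "gke_my-project_us-central1_demo",
            "user": {"exec": {
                "apiVersion": "client.authentication.k8s.io/v1beta1",
                "command": "gke-gcloud-auth-plugin",
                "provideClusterInfo": True,
            }},
        },
        {   # legacy GKE entry: gcloud-backed auth-provider
            "name": "legacy-gke",
            "user": {"auth-provider": {"name": "gcp", "config": {"cmd-path": "gcloud"}}},
        },
        {"name": "ci-bot", "user": {"token": "constructed-static-token"}},
        {"name": "admin-cert", "user": {"client-certificate-data": "LS0t...constructed",
                                        "client-key-data": "LS0t...constructed"}},
    ]
}


def classify_user(user_spec: dict) -> str:
    """Return a short label describing where this user's credential comes from."""
    if "exec" in user_spec:
        return "exec-plugin:" + user_spec["exec"].get("command", "?")
    provider = user_spec.get("auth-provider")
    if provider:
        return "auth-provider:" + provider.get("name", "?")
    if "token" in user_spec or "tokenFile" in user_spec:
        return "static-token"
    if "client-certificate-data" in user_spec or "client-certificate" in user_spec:
        return "client-certificate"
    return "unknown"


def classify_users(kubeconfig: dict) -> dict:
    """Map every user name in the kubeconfig to its credential source."""
    return {u["name"]: classify_user(u.get("user", {})) for u in kubeconfig.get("users", [])}


def long_lived_users(kubeconfig: dict) -> list:
    """Users whose credential is stored in the file rather than minted by gcloud."""
    kinds = classify_users(kubeconfig)
    return sorted(name for name, kind in kinds.items()
                  if kind in ("static-token", "client-certificate"))


if __name__ == "__main__":
    # Usage: python3 kubeconfig_audit.py ~/.kube/config   (needs PyYAML)
    # With no argument the constructed sample above is audited.
    if len(sys.argv) > 1:
        import yaml  # PyYAML, not in the standard library
        with open(sys.argv[1]) as fh:
            config = yaml.safe_load(fh)
    else:
        config = SAMPLE_KUBECONFIG
    for name, kind in classify_users(config).items():
        print(f"{name:40} {kind}")
    stored = long_lived_users(config)
    if stored:
        print("long-lived credentials stored in file:", ", ".join(stored))
```

On the sample, the two GKE entries are reported as gcloud-backed and only ci-bot and admin-cert are flagged as long-lived; on a real file the same distinction tells you which entries would survive a revoked gcloud session.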

You can read more about gcloud for containers here.

This is a simple script to enumerate kubernetes in GCP: https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_k8s_enum

TLS Bootstrap Privilege Escalation

Initially this privilege escalation technique allowed escalating privileges inside the GKE cluster, effectively letting an attacker fully compromise it.

This is because GKE provides TLS Bootstrap credentials in the metadata, which are accessible to anyone who compromises a pod.

The technique used is explained in the following posts:

And this tool was created to automate the process: https://github.com/4ARMED/kubeletmein

However, the technique abused the fact that with the metadata credentials it was possible to generate a CSR (Certificate Signing Request) for a new node, which was automatically approved. In my test I checked that those requests aren't automatically approved anymore, so I'm not sure if this technique is still valid.
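The root cause above is that a pod can reach the node's GCE metadata server, where the bootstrap credentials live. Whether that is the case is visible in the cluster description: the node pool's workloadMetadataConfig mode (GKE_METADATA routes pod requests through the GKE metadata server instead of exposing the node's), the disable-legacy-endpoints metadata key, Workload Identity, and how broad the node service account's OAuth scopes are. The following audit is an added example, not code from the page, from kubeletmein or from Google; it reads the JSON of `gcloud container clusters describe <cluster> --zone <zone> --format=json`, the sample cluster embedded in it is constructed, and treating an absent mode as GCE_METADATA is an assumption of the check.

```python
"""Check a GKE cluster description for the settings that decide whether a pod
can reach the node's GCE metadata server (where the kubelet bootstrap
credentials live) and how much the node service account can do with them.

Input: JSON from `gcloud container clusters describe <cluster> --zone <zone> --format=json`.
Field names follow the GKE API (nodePools[].config.workloadMetadataConfig.mode,
nodePools[].config.metadata["disable-legacy-endpoints"], workloadIdentityConfig).
"""
import json
import sys

BROAD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample describe output, trimmed to the fields the audit reads.
SAMPLE_CLUSTER = {
    "name": "demo",
    "workloadIdentityConfig": {"workloadPool": "my-project.svc.id.goog"},
    "nodePools": [
        {   # hardened: the GKE metadata server proxies and filters pod requests
            "name": "default-pool",
            "config": {
                "metadata": {"disable-legacy-endpoints": "true"},
                "workloadMetadataConfig": {"mode": "GKE_METADATA"},
                "oauthScopes": [
                    "https://www.googleapis.com/auth/devstorage.read_only",
                    "https://www.googleapis.com/auth/logging.write",
                    "https://www.googleapis.com/auth/monitoring",
                ],
            },
        },
        {   # weak: pods talk straight to the node's GCE metadata server
            "name": "legacy-pool",
            "config": {
                "metadata": {},
                "workloadMetadataConfig": {"mode": "GCE_METADATA"},
                "oauthScopes": [BROAD_SCOPE],
            },
        },
    ],
}


def audit_node_pool(pool: dict) -> list:
    """Return one finding per weak setting in a node pool."""
    findings = []
    name = pool.get("name", "?")
    cfg = pool.get("config", {})
    # An absent mode is treated as the GCE default (assumption of this check).
    mode = cfg.get("workloadMetadataConfig", {}).get("mode", "GCE_METADATA")
    if mode != "GKE_METADATA":
        findings.append(f"{name}: pods reach the GCE metadata server directly (mode={mode})")
    if cfg.get("metadata", {}).get("disable-legacy-endpoints") != "true":
        findings.append(f"{name}: legacy metadata endpoints are not disabled")
    if BROAD_SCOPE in cfg.get("oauthScopes", []):
        findings.append(f"{name}: node service account carries the cloud-platform scope")
    return findings


def audit_cluster(cluster: dict) -> list:
    """Cluster-wide findings followed by per-pool findings."""
    findings = []
    if not cluster.get("workloadIdentityConfig", {}).get("workloadPool"):
        findings.append("cluster: Workload Identity is not enabled")
    for pool in cluster.get("nodePools", []):
        findings.extend(audit_node_pool(pool))
    return findings


if __name__ == "__main__":
    # Pipe the describe JSON into stdin, or run with no input to audit the sample:
    #   gcloud container clusters describe demo --zone us-central1-a --format=json | python3 gke_audit.py
    cluster = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_CLUSTER
    for line in audit_cluster(cluster) or ["no findings"]:
        print(line)
```

On the sample only legacy-pool produces findings; a pool in GKE_METADATA mode with legacy endpoints disabled and narrow scopes is the configuration under which the bootstrap credentials are not reachable from a pod in the first place, regardless of whether the control plane still auto-approves node CSRs.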

Secrets in Kubelet API

In this post it was discovered that there is a Kubelet API address reachable from inside a pod in GKE that returns details of the running pods:

curl -v -k http://10.124.200.1:10255/pods

Even though the API doesn't allow modifying resources, it might be possible to find sensitive information in the response. The /pods endpoint was found using Kiterunner.
