search

Lab_06 - Hacking From the Outside

hashtag
Lab 6: Hacking From the Outside

hashtag
1. Interesting Ports in Kubernetes

We are interested in scanning common k8s ports in order to see which are remotely exposed and what services are up and running

Interesting Ports:

  • 443, 6443, 8080, 8443 - Kubernetes API port

  • 2379, 6666 - ETCD Port

  • 10250, 10255 - Kubelet API port

  • 44134 - Tiller

  • 4194 - cAdvisor Container Metrics

  • 9099 - Health check for Calico

  • 6782-6784 - Metrics and endpoints

  • 10256 - Kube Proxy health check

  • 30000-32767 - Proxifying traffic into declared Services

  • 40997 - Docker containerd

Hint

The nmap command will help!

Solution

For service scan and fingerprinting use "-A", but it takes longer

hashtag
2. Tiller

We found tiller running on port 44134. Let's try to exploit it

In this case we will weaponize our knowledge of CluserRoles and ClusertRoleBindings to make "system:anonymous" a Cluster Administrator.

We will use kubectl to test that currently "system:anonymous" has no privileges on the Kubernetes API:

Hint

Use the course exploit scripts "helm-tiller-pwn". Also, the helm command will help!

Solution

clusterrole.yaml:

clusterrolebinding.yaml:

Exploit:

hashtag
3. Kubernetes API

Ok, so we are the Cluster Administrator now. How do we create malicious pods in order to exploit the master and/or worker nodes that run our pods?

Let's try a bad pod attack.

Hint

https://bishopfox.com/blog/kubernetes-pod-privilege-escalationarrow-up-right

Solution

Exploit:

hashtag
4. Kubelet API

We also identified the kubelet API on port 10250. Does the service allow unauthenticated access?

Hint

Use curl or get kubeletctl.

Solution

Test with curl:

Install and test with kubeletctl:

If the service allows unauthenticated access what malicious actions can be performed?

  • List Pods

  • Run Commands in Pods

Solution

Example of running commands in all pods:

Some pods have no basic linux binaries (cat, ls, etc.). How do we gat any information from them?

Let's try exploring "etcd-k8s-vuln-0x-01-master" a pod with no binaries.

Solution

hashtag
5. ETCD

We observed based on the initial nmap scan that the ETCD port 2379 is not remotely exposed. Let's ssh into out master node and run nmap again

Solution

For service scan and fingerprinting use "-A", but it takes longer

Now we have access to the TCP port 2379, but authentication is required by ETCD. Let's try to identify files of interest on the master node that will help us in the attack.

Files of interest usually contain the following string in their name:

  • ".conf"

  • "config"

  • ".key"

Hint

The find command will help!

Solution

Find files of interest:

We can see the readable file of interest: "/tmp/apiserver-etcd-client.key"

Ok, we found what seems to be a private key for ETCD client authentication. Does ETCD allow client authentication? Can we use it with to read ETCD data?

Hint

The ps and curl commands will help!

Solution

Use ps to see ETCD flags that allow client authentication:

Use curl with the public and private client keys:

Great, we can read ETCD data ... but everything is base64 and the ETCD endpoints and parameters are hard to remember. Can we make our life easier with a tool?

Hint

The etcdctl tool will help!

Solution

Get etcdctl:

Use etcdctl:

hashtag
6. Automated Tools - kube-hunter

Manual testing is the gold standard, but let's see what could be identified with a automated scanning tool like "kube-hunter".

Hint

https://github.com/aquasecurity/kube-hunterarrow-up-right

Solution

Get and run kube-hunter:

PreviousLab_05 - Hardening K8sNextLab_07 - Hacking From the Inside

Last updated