GitBook: [master] one page and one asset modified

2023-12-14 19:12:55 +01:00 · 2021-04-28 17:45:30 +00:00 · 2021-04-28 17:45:30 +00:00 · 89dbdd726a
parent 458bc4a407
commit 89dbdd726a
2 changed files with 40 additions and 0 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md
+++ b/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md
@ -229,3 +229,43 @@ https://<Kubernetes_API_IP>:<port>/apis/extensions/v1beta1/namespaces/default/da

 {% page-ref page="../../linux-unix/privilege-escalation/docker-breakout.md" %}

+## Search vulnerable network services
+
+As you are inside the Kubernetes environment, if you cannot escalate privileges abusing the current pods privileges and you cannot escape from the container, you should **search potential vulnerable services.**
+
+### Services
+
+**For this purpose, you can try to get all the services of the kubernetes environment:**
+
+```text
+kubectl get svc –all-namespaces
+```
+
+![](../../.gitbook/assets/image%20%28471%29.png)
+
+### Scanning
+
+The following Bash script \(taken from a [Kubernetes workshop](https://github.com/calinah/learn-by-hacking-kccn/blob/master/k8s_cheatsheet.md)\) will install and scan the IP ranges of the kubernetes cluster:
+
+```bash
+sudo apt-get update
+sudo apt-get install nmap
+nmap-kube () 
+{ 
+nmap --open -T4 -A -v -Pn -p 443,2379,8080,9090,9100,9093,4001,6782-6784,6443,8443,9099,10250,10255,10256 "${@}"
+}
+nmap-kube-discover () {
+local LOCAL_RANGE=$(ip a | awk '/eth0$/{print $2}' | sed 's,[0-9][0-9]*/.*,*,');                                                                  
+local SERVER_RANGES=" ";
+SERVER_RANGES+="10.0.0.1 ";
+SERVER_RANGES+="10.0.1.* ";
+SERVER_RANGES+="10.*.0-1.* ";
+nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"
+}
+nmap-kube-discover
+```
+
+## References
+
+{% embed url="https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3" %}
+